Tremendous growth in cryptocurrency usage is exposing the inherent scalability issues with permissionless blockchain technology. Payment-channel networks (PCNs) have emerged as the most widely deployed solution to mitigate the scalability issues, allowing the bulk of payments between two users to be carried out off-chain. Unfortunately, as reported in the literature and further demonstrated in this paper, current PCNs do not provide meaningful security and privacy guarantees [30], [40].
In this work, we study and design secure and privacy-preserving PCNs. We start with a security analysis of existing PCNs, reporting a new attack that applies to all major PCNs, including the Lightning Network, and allows an attacker to steal the fees from honest intermediaries in the same payment path. We then formally define anonymous multi-hop locks (AMHLs), a novel cryptographic primitive that serves as a cornerstone for the design of secure and privacy-preserving PCNs. We present several provably secure cryptographic instantiations that make AMHLs compatible with the vast majority of cryptocurrencies. In particular, we show that (linear) homomorphic one-way functions suffice to construct AMHLs for PCNs supporting a script language (e.g., Ethereum). We also propose a construction based on ECDSA signatures that does not require scripts, thus solving a prominent open problem in the field.
AMHLs constitute a generic primitive whose usefulness goes beyond multi-hop payments in a single PCN and we show how to realize atomic swaps and interoperable PCNs from this primitive. Finally, our performance evaluation on a commodity machine finds that AMHL operations can be performed in less than 100 milliseconds and require less than 500 bytes of communication overhead, even in the worst case. In fact, after acknowledging our attack, the Lightning Network developers have implemented our ECDSA-based AMHLs into their PCN. This demonstrates the practicality of our approach and its impact on the security, privacy, interoperability, and scalability of today’s cryptocurrencies.
more »
« less
Breaking and Fixing Virtual Channels: Domino Attack and Donner
Payment channel networks (PCNs) mitigate the scalability issues of current decentralized cryptocurrencies. They allow for arbitrarily many payments between users connected through a path of intermediate payment channels, while requiring interacting with the blockchain only to open and close the channels. Unfortunately, PCNs are (i) tailored to payments, excluding more complex smart contract functionalities, such as the oracle-enabling Discreet Log Contracts and (ii) their need for active participation from intermediaries may make payments unreliable, slower, expensive, and privacy-invasive. Virtual channels are among the most promising techniques to mitigate these issues, allowing two endpoints of a path to create a direct channel over the intermediaries without any interaction with the blockchain. After such a virtual channel is constructed, (i) the endpoints can use this direct channel for applications other than payments and (ii) the intermediaries are no longer involved in updates.
In this work, we first introduce the Domino attack, a new DoS/griefing style attack that leverages virtual channels to destruct the PCN itself and is inherent to the design adopted by the existing Bitcoin-compatible virtual channels. We then demonstrate its severity by a quantitative analysis on a snapshot of the Lightning Network (LN), the most widely deployed PCN at present. We finally discuss other serious drawbacks of existing virtual channel designs, such as the support for only a single intermediary, a latency and blockchain overhead linear in the path length, or a non-constant storage overhead per user.
We then present Donner, the first virtual channel construction that overcomes the shortcomings above, by relying on a novel design paradigm. We formally define and prove security and privacy properties in the Universal Composability framework. Our evaluation shows that Donner is efficient, reduces the on-chain number of transactions for disputes from linear in the path length to a single one, which is the key to prevent Domino attacks, and reduces the storage overhead from logarithmic in the path length to constant. Donner is Bitcoin-compatible and can be easily integrated in the LN.
more »
« less
- Award ID(s):
- 1846316
- NSF-PAR ID:
- 10438582
- Date Published:
- Journal Name:
- Network and Distributed System Security (NDSS) Symposium
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
Bitcoin, Ethereum and other blockchain-based cryptocurrencies, as deployed today, cannot support more than several transactions per second. Off-chain payment channels, a “layer 2” solution, are a leading approach for cryptocurrency scaling. They enable two mutually distrustful parties to rapidly send payments between each other and can be linked together to form a payment network, such that payments between any two parties can be routed through the network along a path that connects them. We propose a novel payment channel protocol, called Sprites. The main advantage of Sprites compared with earlier protocols is a reduced “collateral cost,” meaning the amount of money × time that must be locked up before disputes are settled. In the Lightning Network and Raiden, a payment across a path of ` channels requires locking up collateral for Θ(`∆) time, where ∆ is the time to commit an on-chain transaction; every additional node on the path forces an increase in lock time. The Sprites construction provides a constant lock time, reducing the overall collateral cost to Θ(` + ∆). Our presentation of the Sprites protocol is also modular, making use of a generic state channel abstraction. Finally, Sprites improves on prior payment channel constructions by supporting partial withdrawals and deposits without any on-chain transactions.more » « less
-
Monero has emerged as one of the leading cryptocurrencies with privacy by design. However, this comes at the price of reduced expressiveness and interoperability as well as severe scalability issues. First, Monero is restricted to coin exchanges among individual addresses and no further functionality is supported. Second, transactions are authorized by linkable ring signatures, a digital signature scheme used in Monero, hindering thereby the interoperability with virtually all the rest of cryptocurrencies that support different digital signature schemes. Third, Monero transactions require an on-chain footprint larger than other cryptocurrencies, leading to rapid ledger growth and thus scalability issues. This work extends Monero expressiveness and interoperability while mitigating its scalability issues. We present Dual Linkable Spontaneous Anonymous Group Signature for Ad Hoc Groups (DLSAG), a linkable ring signature scheme that enables for the first time non-interactive refund transactions natively in Monero: DLSAG can seamlessly be implemented along with other cryptographic tools already available in Monero such as commitments and range proofs. We formally prove that DLSAG provides the same security and privacy notions introduced in the original linkable ring signature [31] namely, unforgeability, signer ambiguity, and linkability. We have evaluated DLSAG and showed that it imposes even slightly lower computation and similar communication overhead than the current digital signature scheme in Monero, demonstrating its practicality. We further show how to leverage DLSAG to enable off-chain scalability solutions in Monero such as payment channels and payment-channel networks as well as atomic swaps and interoperable payments with virtually all cryptocurrencies available today. DLSAG is currently being discussed within the Monero community as an option for adoption as a key building block for expressiveness, interoperability, and scalability.more » « less
-
Near-field communication (NFC) is one of the essential technologies in the Internet of Things (IoT) that has facilitated mobile payment across different services. The technology has become increasingly popular, as cryptocurrencies like Bitcoin have revolutionized how payment systems can be designed. However, this technology is subject to security problems, such as man-in-the-middle attacks, double-spending, and replay attacks, raising the need to incorporate other solutions such as blockchain technology. Concerns about the security and privacy of payments using NFC technology raise the need to adopt blockchain-based cryptocurrency payment. For instance, NFC payment has been criticized for a lack of measures to counter potential attacks, such as brute force or double-spending. Thus, incorporating blockchain technology is expected to improve the security features of the NFC mobile payment protocol and improve user experience. Blockchain technology has been praised for enabling fair payment, as it permits direct transactions without engaging a third party. Therefore, integrating blockchain cryptocurrency in IoT devices will revolutionize the NFC payment method and provide value transfer using IoT devices. Combining NFC with blockchain technology and cryptocurrencies is necessary to address security and privacy problems. The purpose of this paper is to explore the potential behind incorporating blockchain technology and cryptocurrencies like Bitcoin in the NFC payment protocol.more » « less
-
Near field communication (NFC), which emerged only a decade ago, has been rapidly adopted in business services including point-of-sale (POS) systems, payments, identification, ticketing, and various other types of services. NFC offers great and varied promise in providing secure and implicit paired communication capability in smartphones. As a short-range wireless communication technology, the level of "secure" is contributed by the short-range nature. Compared with other competitive technologies, NFC achieves physical-level security but sacrifices convenience. For example, NFC cannot achieve device-free or hands-free payment transactions like the service provided by PayPal called PayPal beacon which utilizes Bluetooth-low-energy (BLE) technology. In this paper, we propose a low-cost wearable device that can achieve better physical-level security than NFC provides. This system is compatible with existing NFC-based POS systems and can help users realize a convenient hands-free payment transaction. Specifically, a custom NFC wristband was designed to channel its magnetic field through the human arm. By confining the magnetic field in NFC to the area around the body, we could minimize energy radiation, reduce the possibility of communication sniffing and hijackings, and improve security. To evaluate this approach, we conducted various experiments via different configurations. The results showed that the communication range for the human body channel was greater than that of the air and water channels. In addition, through this study we demonstrated that the human body is a naturally secure channel, and hacking and nearby interference are minimized during such communication. Our system also defines a new way of communication, for example, people can share confidential information with a simple handshake without pulling out and touching, or tapping smartphones.more » « less
- Free Publicly Accessible Full Text
-
Accepted Manuscript1.0
- Conference Paper:
- The DOI is not currently available.
