Boomerang: Redundancy Improves Latency and Throughput in Payment-Channel Networks

Abstract

In multi-path routing schemes for payment-channel networks, Alice transfers funds to Bob by splitting them into partial payments and routing them along multiple paths. Undisclosed channel balances and mismatched transaction fees cause delays and failures on some payment paths. For atomic transfer schemes, these straggling paths stall the whole transfer. We show that the latency of transfers reduces when redundant payment paths are added. This frees up liquidity in payment channels and hence increases the throughput of the network. We devise Boomerang, a generic technique to be used on top of multi-path routing schemes to construct redundant payment paths free of counterparty risk. In our experiments, applying Boomerang to a baseline routing scheme leads to 40% latency reduction and 2\({\times }\) throughput increase. We build on ideas from publicly verifiable secret sharing, such that Alice learns a secret of Bob iff Bob overdraws funds from the redundant paths. Funds are forwarded using Boomerang contracts, which allow Alice to revert the transfer iff she has learned Bob’s secret. We implement the Boomerang contract in Bitcoin Script.

V. Bagaria and J. Neu—Contributed equally and listed alphabetically.

Appendices

A Cryptographic Preliminaries

Let \({\mathbb {G}}\) be a cyclic multiplicative group of prime order \(q \ge 2^{2\lambda }\) with a generator \(g \in {\mathbb {G}}\), where \(\lambda \) is a security parameter. Let \(H:{\mathbb {Z}}_q \rightarrow {\mathbb {G}}\) with \(H(x) \triangleq g^x\), where \({\mathbb {Z}}_q\) is the finite field of size q (i.e., integers modulo q). We require that H be difficult to invert, which is formalized in the following two definitions:

Definition 1 (Negligible Function)

A function \(\varepsilon :{\mathbb {N}}\rightarrow {\mathbb {R}}^{+}\) is negligible if

$$\begin{aligned} \forall c> 0:\exists k_0:\forall k > k_0:\qquad \varepsilon (k) < \frac{1}{k^c}. \end{aligned}$$

(8)

In other words, negligible is what decays faster than every polynomial.

Definition 2 (Discrete Logarithm (DL) Assumption)

Given a generator g of a group \({\mathbb {G}}\), and an \(x \xleftarrow {\mathrm {R}}{\mathbb {Z}}_q\) chosen uniformly at random in \({\mathbb {Z}}_q\), for every probabilistic polynomial time (with respect to \(\lambda \)) algorithm \(\mathcal A_{\mathrm {DL}}\),

$$\begin{aligned} {\text {Pr}}\left[ \mathcal A_{\mathrm {DL}}(g, g^x) = x \right] = \varepsilon (\lambda ). \end{aligned}$$

(9)

The discrete logarithm problem (DLP) is said to be hard for generator g in group \({\mathbb {G}}\), if the DL assumption holds for g and \({\mathbb {G}}\), i.e., no computationally bounded adversary can compute \(\log _g(g^x)\) with non-negligible probability. It is commonly assumed that the DLP is hard in certain elliptic curves (ECs), which are hence widely used in cryptographic applications, e.g., in Bitcoin. The DL assumption makes H a one-way function.

B Implementation of Boomerang Contract in Bitcoin Script via Elliptic Curve Scalar Multiplication

See Figs. 8 and 11 for Bitcoin Script implementations of Fig. 5.

Fig. 11.

Bitcoin Script implementation of the output concerning \(\delta \) TX fee (cf. Fig. 5(b)), and witness stacks for redemption in favor of \(P_1\) and \(P_2\), respectively: l. 2 enforces revelation of \(\hat{p}_i\) such that \(H(\hat{p}_i) = H(p_i)\), l. 3 requires a signature of \(P_2\), l. 5 enforces the timelock until \(T_0 + \varDelta _{\mathrm {fwd}}\), l. 6 requires a signature of \(P_1\).

C Background on Adaptor Signatures

We briefly summarize Schnorr signatures [20]. Let \(\tilde{H}\) be a cryptographic hash function (modeled as a random oracle), and \(x \Vert y\) denote the concatenation of x and y. We continue to assume that \({\mathbb {G}}\) is a multiplicative group with group operation ‘\(\cdot \)’. For Schnorr signatures, every identity is composed of a secret key x and a public key \(P \triangleq g^x\). To sign a message m, draw \(r \xleftarrow {\mathrm {R}}{\mathbb {Z}}_q\), then compute \(R \triangleq g^r\) and \(s = r + \tilde{H}(P \Vert R \Vert m) x\). The signature is \(\sigma \triangleq (s, R)\). To verify a signature \(\sigma \triangleq (s, R)\) for m by P, check

$$\begin{aligned} g^s \overset{?}{=} R \cdot P^{\tilde{H}(P \Vert R \Vert m)}. \end{aligned}$$

(10)

An adaptor signature \(\sigma '\) has the property that given \(\sigma '\), knowledge of a proper signature \(\sigma \) is equivalent to knowledge of a precommitted value t [27]. Consider parties \(P_1\) and \(P_2\) with secret keys \(x_i\) and public keys \(P_i \triangleq g^{x_i}\). Both know a commitment \(T \triangleq g^t\) to a (potentially unknown) value t. To create an adaptor signature \(\sigma '\) for m, both draw \(r_i \xleftarrow {\mathrm {R}}{\mathbb {Z}}_q\), compute \(R_i \triangleq g^{r_i}\), and exchange \((P_i, R_i)\). Then, they compute and exchange

$$\begin{aligned} s_i' = r_i + \tilde{H}(P_1 \cdot P_2 \Vert R_1 \cdot R_2 \cdot T \Vert m) x_i. \end{aligned}$$

(11)

The adaptor signature is \(\sigma ' = (R_1 \cdot R_2 \cdot T, s_1' + s_2')\). If either \(P_i\) gets to know t, they can produce a valid total signature \(\sigma = (R_1 \cdot R_2 \cdot T, s_1' + s_2' + t)\). Vice versa, if either \(P_i\) learns a valid total signature \(\sigma = (R_1 \cdot R_2 \cdot T, s)\), they can compute \(t = s - s_1' - s_2'\). For instance, suppose m is a transaction that benefits \(P_2\) and requires a signature from \(P_1 \cdot P_2\) with nonce \(R_1 \cdot R_2 \cdot T\). Furthermore, suppose \(P_2\) obtains t. Then it can use the adaptor signature \(\sigma '\) to produce a valid total signature \(\sigma \) and claim its funds. In this case, \(P_1\) can recover t from \(\sigma \) and \(\sigma '\).

D Pseudo Code of Evaluated Routing Schemes

See Algorithms 1, 2, 3 and 4.