Abstract
In multi-path routing schemes for payment-channel networks, Alice transfers funds to Bob by splitting them into partial payments and routing them along multiple paths. Undisclosed channel balances and mismatched transaction fees cause delays and failures on some payment paths. For atomic transfer schemes, these straggling paths stall the whole transfer. We show that the latency of transfers reduces when redundant payment paths are added. This frees up liquidity in payment channels and hence increases the throughput of the network. We devise Boomerang, a generic technique to be used on top of multi-path routing schemes to construct redundant payment paths free of counterparty risk. In our experiments, applying Boomerang to a baseline routing scheme leads to 40% latency reduction and 2\({\times }\) throughput increase. We build on ideas from publicly verifiable secret sharing, such that Alice learns a secret of Bob iff Bob overdraws funds from the redundant paths. Funds are forwarded using Boomerang contracts, which allow Alice to revert the transfer iff she has learned Bob’s secret. We implement the Boomerang contract in Bitcoin Script.
V. Bagaria and J. Neu—Contributed equally and listed alphabetically.
Notes
1.
2. https://bitcoin.stackexchange.com/q/89475 (Jul 2019).
3. The source code is available on: https://github.com/tse-group/boomerang.
References
Aktas, M.F., Soljanin, E.: Straggler mitigation at scale (2019). http://arxiv.org/abs/1906.10664
Bagaria, V., Neu, J., Tse, D.: Boomerang: redundancy improves latency and throughput in payment-channel networks (2019). http://arxiv.org/abs/1910.01834
Benaloh, J.C.: Secret sharing homomorphisms: keeping shares of a secret secret (extended abstract). In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 251–260. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_19
Byers, J.W., Luby, M., Mitzenmacher, M., Rege, A.: A digital fountain approach to reliable distribution of bulk data. In: Proceedings of ACM SIGCOMM, Vancouver, B.C., Canada, pp. 56–67 (1998). https://doi.org/10.1145/285237.285258
Dean, J., Barroso, L.A.: The tail at scale. Commun. ACM 56(2), 74–80 (2013). https://doi.org/10.1145/2408776.2408794
Decker, C., Russell, R., Osuntokun, O.: eltoo: a simple layer2 protocol for Bitcoin. Technical report (2018). https://blockstream.com/2018/04/30/en-eltoo-next-lightning/
Decker, C., Wattenhofer, R.: A fast and scalable payment network with Bitcoin duplex micropayment channels. In: Pelc, A., Schwarzmann, A.A. (eds.) SSS 2015. LNCS, vol. 9212, pp. 3–18. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21741-3_1
Di Stasi, G., Avallone, S., Canonico, R., Ventre, G.: Routing payments on the Lightning network. In: Proceedings of IEEE iThings/GreenCom/CPSCom/SmartData, pp. 1161–1170 (2018). https://doi.org/10.1109/Cybermatics_2018.2018.00209
Dziembowski, S., Eckey, L., Faust, S., Malinowski, D.: Perun: virtual payment hubs over cryptocurrencies (2017). https://eprint.iacr.org/2017/635
Dziembowski, S., Faust, S., Hostáková, K.: General state channel networks. In: Proceedings of ACM SIGSAC, pp. 949–966, Toronto, Canada (2018). https://doi.org/10.1145/3243734.3243856
Elias, P.: Coding for two noisy channels. In: Information Theory, pp. 61–74. Academic Press (1956)
Feldman, P.: A practical scheme for non-interactive verifiable secret sharing. In: 28th Annual Symposium on Foundations of Computer Science (SFCS 1987), pp. 427–438, October 1987. https://doi.org/10.1109/SFCS.1987.4
Gudgeon, L., Moreno-Sanchez, P., Roos, S., McCorry, P., Gervais, A.: SoK: off the chain transactions (2019). https://eprint.iacr.org/2019/360
Hoenisch, P., Weber, I.: AODV-based routing for payment channel networks. In: Chen, S., Wang, H., Zhang, L.-J. (eds.) ICBC 2018. LNCS, vol. 10974, pp. 107–124. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-94478-4_8
Jourenko, M., Kurazumi, K., Larangeira, M., Tanaka, K.: SoK: a taxonomy for layer-2 scalability related protocols for cryptocurrencies (2019). https://eprint.iacr.org/2019/352
Khalil, R., Gervais, A.: Revive: rebalancing off-blockchain payment networks (2017). https://eprint.iacr.org/2017/823
Lee, K., Lam, M., Pedarsani, R., Papailiopoulos, D., Ramchandran, K.: Speeding up distributed machine learning using codes. IEEE Trans. Inf. Theory 64(3), 1514–1529 (2018). https://doi.org/10.1109/TIT.2017.2736066
Luby, M., Shokrollahi, A., Watson, M., Stockhammer, T., Minder, L.: RaptorQ forward error correction scheme for object delivery. RFC 6330 (2011). https://doi.org/10.17487/RFC6330
Malavolta, G., Moreno-Sanchez, P., Kate, A., Maffei, M.: SilentWhispers: enforcing security and privacy in decentralized credit networks (2016). https://eprint.iacr.org/2016/1054
Maxwell, G., Poelstra, A., Seurin, Y., Wuille, P.: Simple Schnorr multi-signatures with applications to Bitcoin (2018). https://eprint.iacr.org/2018/068
Miller, A., Bentov, I., Kumaresan, R., Cordi, C., McCorry, P.: Sprites and state channels: payment networks that go faster than Lightning (2017). http://arxiv.org/abs/1702.05812
Moreno-Sanchez, P., Kate, A.: Scriptless scripts with ECDSA (2018). https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-April/001221.html
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system. Technical report (2008). https://bitcoin.org/bitcoin.pdf
Osuntokun, O.: AMP: atomic multi-path payments over Lightning (2018). https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-February/000993.html
Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
Piatkivskyi, D., Nowostawski, M.: Split payments in payment networks. In: Garcia-Alfaro, J., Herrera-Joancomartí, J., Livraga, G., Rios, R. (eds.) DPM/CBT 2018. LNCS, vol. 11025, pp. 67–75. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00305-0_5
Poelstra, A.: Scriptless scripts (2018). https://download.wpsoftware.net/bitcoin/wizardry/mw-slides/2018-05-18-l2/slides.pdf
Poon, J., Dryja, T.: The Bitcoin Lightning network: scalable off-chain instant payments. Technical report (2016). https://lightning.network/docs/
Prihodko, P., Zhigulin, S., Sahno, M., Ostrovskiy, A., Osuntokun, O.: Flare: an approach to routing in Lightning network (2016)
Roos, S., Moreno-Sanchez, P., Kate, A., Goldberg, I.: Settling payments fast and private: efficient decentralized routing for path-based transactions (2017). http://arxiv.org/abs/1709.05748
Schoenmakers, B.: A simple publicly verifiable secret sharing scheme and its application to electronic voting. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 148–164. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_10
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979). https://doi.org/10.1145/359168.359176
Sivaraman, V., Venkatakrishnan, S.B., Alizadeh, M., Fanti, G., Viswanath, P.: Routing cryptocurrency with the Spider network (2018). http://arxiv.org/abs/1809.05088
Wang, P., Xu, H., Jin, X., Wang, T.: Flash: efficient dynamic routing for offchain networks (2019). http://arxiv.org/abs/1902.05260
Acknowledgments
We thank Giulia Fanti and Lei Yang for fruitful discussions. VB and DT are supported by the Center for Science of Information, an NSF Science and Technology Center, under grant agreement CCF-0939370. JN is supported by the Reed-Hodgson Stanford Graduate Fellowship. Icons from ‘Twemoji v12.0’ (https://github.com/twitter/twemoji) by Twitter, Inc and other contributors, licensed under CC BY 4.0.
Appendices
A Cryptographic Preliminaries
Let \({\mathbb {G}}\) be a cyclic multiplicative group of prime order \(q \ge 2^{2\lambda }\) with a generator \(g \in {\mathbb {G}}\), where \(\lambda \) is a security parameter. Let \(H:{\mathbb {Z}}_q \rightarrow {\mathbb {G}}\) with \(H(x) \triangleq g^x\), where \({\mathbb {Z}}_q\) is the finite field of size q (i.e., integers modulo q). We require that H be difficult to invert, which is formalized in the following two definitions:
Definition 1 (Negligible Function)
A function \(\varepsilon :{\mathbb {N}}\rightarrow {\mathbb {R}}^{+}\) is negligible if
In other words, negligible is what decays faster than every polynomial.
Definition 2 (Discrete Logarithm (DL) Assumption)
Given a generator g of a group \({\mathbb {G}}\), and an \(x \xleftarrow {\mathrm {R}}{\mathbb {Z}}_q\) chosen uniformly at random in \({\mathbb {Z}}_q\), for every probabilistic polynomial time (with respect to \(\lambda \)) algorithm \(\mathcal A_{\mathrm {DL}}\),
The discrete logarithm problem (DLP) is said to be hard for generator g in group \({\mathbb {G}}\), if the DL assumption holds for g and \({\mathbb {G}}\), i.e., no computationally bounded adversary can compute \(\log _g(g^x)\) with non-negligible probability. It is commonly assumed that the DLP is hard in certain elliptic curves (ECs), which are hence widely used in cryptographic applications, e.g., in Bitcoin. The DL assumption makes H a one-way function.
B Implementation of Boomerang Contract in Bitcoin Script via Elliptic Curve Scalar Multiplication
See Figs. 8 and 11 for Bitcoin Script implementations of Fig. 5.
C Background on Adaptor Signatures
We briefly summarize Schnorr signatures [20]. Let \(\tilde{H}\) be a cryptographic hash function (modeled as a random oracle), and \(x \Vert y\) denote the concatenation of x and y. We continue to assume that \({\mathbb {G}}\) is a multiplicative group with group operation ‘\(\cdot \)’. For Schnorr signatures, every identity is composed of a secret key x and a public key \(P \triangleq g^x\). To sign a message m, draw \(r \xleftarrow {\mathrm {R}}{\mathbb {Z}}_q\), then compute \(R \triangleq g^r\) and \(s = r + \tilde{H}(P \Vert R \Vert m) x\). The signature is \(\sigma \triangleq (s, R)\). To verify a signature \(\sigma \triangleq (s, R)\) for m by P, check
An adaptor signature \(\sigma '\) has the property that given \(\sigma '\), knowledge of a proper signature \(\sigma \) is equivalent to knowledge of a precommitted value t [27]. Consider parties \(P_1\) and \(P_2\) with secret keys \(x_i\) and public keys \(P_i \triangleq g^{x_i}\). Both know a commitment \(T \triangleq g^t\) to a (potentially unknown) value t. To create an adaptor signature \(\sigma '\) for m, both draw \(r_i \xleftarrow {\mathrm {R}}{\mathbb {Z}}_q\), compute \(R_i \triangleq g^{r_i}\), and exchange \((P_i, R_i)\). Then, they compute and exchange
The adaptor signature is \(\sigma ' = (R_1 \cdot R_2 \cdot T, s_1' + s_2')\). If either \(P_i\) gets to know t, they can produce a valid total signature \(\sigma = (R_1 \cdot R_2 \cdot T, s_1' + s_2' + t)\). Vice versa, if either \(P_i\) learns a valid total signature \(\sigma = (R_1 \cdot R_2 \cdot T, s)\), they can compute \(t = s - s_1' - s_2'\). For instance, suppose m is a transaction that benefits \(P_2\) and requires a signature from \(P_1 \cdot P_2\) with nonce \(R_1 \cdot R_2 \cdot T\). Furthermore, suppose \(P_2\) obtains t. Then it can use the adaptor signature \(\sigma '\) to produce a valid total signature \(\sigma \) and claim its funds. In this case, \(P_1\) can recover t from \(\sigma \) and \(\sigma '\).
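The two-party exchange just described, as an added example that is not code from the paper: Python over a constructed toy prime-order group. The share formula and the Schnorr verification check are not shown on this page, so the example assumes their textbook forms, \(s_i' = r_i + \tilde{H}(P_1 P_2 \Vert R_1 R_2 T \Vert m)\, x_i\) and \(g^s = R \cdot P^{\tilde{H}(P \Vert R \Vert m)}\).

```python
import hashlib
import secrets

# Toy group (constructed for illustration, far too small to be secure):
# p = 2q + 1 with q prime, and g = 4 generates the order-q subgroup of Z_p^*.
P_MOD, Q_ORD, G = 2039, 1019, 4

def h_tilde(pub, nonce, msg):
    """Challenge hash H~(P || R || m), modeled as a random oracle, reduced mod q."""
    data = f"{pub}||{nonce}||".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q_ORD

def keygen():
    """Identity (x, P = g^x) as in Appendix C."""
    x = secrets.randbelow(Q_ORD - 1) + 1
    return x, pow(G, x, P_MOD)

def schnorr_verify(pub, msg, sig):
    """Textbook Schnorr check g^s == R * P^{H~(P||R||m)} (assumed; the page omits the check)."""
    s, r_pt = sig
    return pow(G, s, P_MOD) == (r_pt * pow(pub, h_tilde(pub, r_pt, msg), P_MOD)) % P_MOD

def adaptor_share(x_i, r_i, agg_pub, agg_nonce, msg):
    """Party i's share s_i' = r_i + H~(P1P2 || R1R2T || m) * x_i (assumed form)."""
    return (r_i + h_tilde(agg_pub, agg_nonce, msg) * x_i) % Q_ORD

def run_adaptor(msg, t):
    """Adaptor signature on msg tied to T = g^t; returns what the two parties can check/learn."""
    big_t = pow(G, t, P_MOD)
    (x1, p1), (x2, p2) = keygen(), keygen()
    r1, r2 = secrets.randbelow(Q_ORD - 1) + 1, secrets.randbelow(Q_ORD - 1) + 1
    big_r1, big_r2 = pow(G, r1, P_MOD), pow(G, r2, P_MOD)
    agg_pub = (p1 * p2) % P_MOD                      # P1 . P2
    agg_nonce = (big_r1 * big_r2 * big_t) % P_MOD   # R1 . R2 . T
    s1 = adaptor_share(x1, r1, agg_pub, agg_nonce, msg)
    s2 = adaptor_share(x2, r2, agg_pub, agg_nonce, msg)
    adaptor = (agg_nonce, (s1 + s2) % Q_ORD)         # sigma' = (R1.R2.T, s1' + s2')
    # P2 learns t and completes the signature; P1 then recovers t from sigma and sigma'.
    total = (agg_nonce, (s1 + s2 + t) % Q_ORD)       # sigma  = (R1.R2.T, s1' + s2' + t)
    recovered = (total[1] - s1 - s2) % Q_ORD
    return {
        "adaptor_verifies": schnorr_verify(agg_pub, msg, (adaptor[1], adaptor[0])),
        "total_verifies": schnorr_verify(agg_pub, msg, (total[1], total[0])),
        "recovered_t": recovered,
    }
```

The adaptor alone never passes verification (for nonzero t), the completed signature does, and the difference of the two s-values is exactly t, which is the property the Boomerang contract relies on.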
D Pseudo Code of Evaluated Routing Schemes
See Algorithms 1, 2, 3 and 4.
Copyright information
© 2020 International Financial Cryptography Association
Cite this paper
Bagaria, V., Neu, J., Tse, D. (2020). Boomerang: Redundancy Improves Latency and Throughput in Payment-Channel Networks. In: Bonneau, J., Heninger, N. (eds.) Financial Cryptography and Data Security. FC 2020. Lecture Notes in Computer Science, vol. 12059. Springer, Cham. https://doi.org/10.1007/978-3-030-51280-4_17
DOI: https://doi.org/10.1007/978-3-030-51280-4_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-51279-8
Online ISBN: 978-3-030-51280-4