Cross-Chain Payment Protocols with Success Guarantees

In this paper, we consider the problem of cross-chain payment whereby customers of different escrows -- implemented by a bank or a blockchain smart contract -- successfully transfer digital assets without trusting each other. Prior to this work, cross-chain payment problems did not require this success or any form of progress. We introduce a new specification formalism called Asynchronous Networks of Timed Automata (ANTA) to formalise such protocols. We present the first cross-chain payment protocol that ensures termination in a bounded amount of time and works correctly in the presence of clock skew. We then demonstrate that it is impossible to solve this problem without assuming synchrony, in the sense that each message is guaranteed to arrive within a known amount of time. We also offer a protocol that solves an eventually terminating variant of this cross-chain payment problem without synchrony, and even in the presence of Byzantine failures.


Introduction
With the advent of various payment protocols comes the problem of interoperability between them.A simple way for users of different protocols to interact is to do a cross-chain payment whereby intermediaries can help customer Alice transfer digital assets to Bob even though Alice and Bob own accounts in different banks or blockchains.
A payment between two customers of the same bank is simple.Alice just informs the bank that she wants to transfer a certain amount from her account to the account of the receiving party Bob; and then the bank carries out this request.Alice and Bob do not need to trust each other but need to trust the bank to not withdraw the money from Alice's account and never deposit it on Bob's.As Bob trusts the bank, he can issue a signed certificate assuring Alice that if the bank says that he has been paid, then Alice is of the hook, and any further disputes about possible non-payment to Bob are between Bob and the bank.To prevent litigation against her, Alice simply needs this statement from Bob as well as a statement that Bob has been paid.As Alice does not trust Bob this second statement must come from the bank.
To generalise this protocol to payments between customers of different banks, it helps if the two banks have ways to transfer assets to each other, and moreover trust each other.A sound protocol becomes: (i) Bob provides Alice with a signed statement that all he requires for her to have satisfied her payment obligation, is a statement from his own bank saying that he has been paid.(ii) Alice's bank promises Alice that if she transfers money to Bob, she will get a statement from Bob's bank that the transfer has been carried out. 1. Alice orders her bank to initiate the transfer to Bob. 2. Alice's bank withdraws the money from her account, and sends it to Bob's bank.3a.Bob's bank places the money in Bob's account 3b. and notifies Alice's bank of this.
4. Alice's bank forwards to Alice the statement by Bob's bank saying that Bob has been paid.This is roughly how payments between customers of different banks happen in the world of banking.
Step (ii) is part of general banking agreements, not specific to Alice and Bob.
Step (i) is typically left implicit in negotiations between Alice and Bob.All that Alice needs is the combination of steps (i), (ii) and 4 above.Once step (i) and (ii) have been made, she confidently takes step 1, knowing that this will be followed by Step 4. Alice's bank is willing to take step (ii) because it trusts Bob's bank, in the sense that step 2 will be followed by Step 3b.In fact, when the two banks trust each other, and have ways to transfer assets to each other, they can abstractly be seen as one bigger bank, and the problem becomes similar to the problem of payments between customers of the same bank.The problem becomes more interesting when the banks cannot transfer assets to each other and the only trust is the one of customers to their own bank.Typical solutions consist of considering banks as escrows and having intermediaries, like Chloe, that play the role of connectors between these escrows.Figure 1 depicts the relations of trust between three customers and two escrows and where the flow of money is from left to right.Thomas and Schwartz [19] proposed two interledger protocols: (i) the universal protocol requires synchrony [5] in that every message between participants is received within a known upper bound and the clock skew between participants is bounded; (ii) the atomic protocol coordinates transfers using an ad-hoc group of notaries, selected by the participants.Herlihy, Liskov and Shrira [11] represent a cross-chain payment as a deal matrix M where M i,j characterises a transfer of some asset from participant i to participant j.They offer a timelock1 commit protocol that requires synchrony, and a certified blockchain commit protocol that requires partial synchrony and a certified blockchain.The correctness proofs of these algorithms consist of observing reasonable properties that sum up to a correctness argument.But, as far as we know, there is no formal treatment of a cross-chain payment protocol in the presence of (multiplicative) clock skew.
In this paper, we introduce a new specification formalism for cross-chain payment protocols, called Asynchronous Networks of Timed Automata (ANTA).ANTA simplify the representation of cross-chain payment to a customer automaton and an escrow automaton that describe states from which outgoing transitions are immediately enabled and states from which outgoing transitions are conditional upon some predicates.These automata allow us to reason formally about the liveness and safety of cross-chain payment protocols.ANTA differ from Alur and Dill's timed automata [1], their networks [3] and I/O automata [13] in subtle ways, tuned to the problem at hand.We illustrate ANTA by specifying the interledger universal protocol and proving that it solves the time-bounded variant of the cross-chain payment problem.Moreover, we fine-tune the protocol to work correctly even in the presence of clock skew.
We also show that there exist no algorithm that can solve the time-bounded cross-chain payment problem without synchrony even if all participants either behave correctly or simply crash.This impossibility result relies on classic indistinguishability arguments from the distributed computing literature and highlights an interesting relation between the the cross-chain payment problem and the well-known transaction commit problem [7,9,8].Inspired by this earlier work on the transaction commit, we define a weaker variant of our problem called the eventual cross-chain payment problem that relaxes the liveness guarantees to be solvable with partial synchrony.This new problem differs from the transaction commit problem and its variants like the non-blocking weak atomic commit problem [8] by tolerating Byzantine failures.It is also different from the interledger problem solved in [19], and from the problem solved by the certified blockchain commit protocol of [11] in a partially synchronous setting, by requiring some liveness.In particular, a protocol where all participants always abort is not permitted by our problem specification.We propose an algorithm that solves the eventual cross-chain payment problem only assuming partial synchrony, and in the presence of Byzantine failures, using the ANTA formalism.
Interestingly, the classical notion of atomicity, meaning that the entire transaction goes through, or is rolled back completely, is not appropriate for this kind of protocols.In the words of [11], "This notion of atomicity cannot be guaranteed when parties are potentially malicious: the best one can do is to ensure that honest parties cannot be cheated."

Related work
The Interledger protocol.In [19] a protocol is presented for payments across payment systems.Here a payment system can be thought of as an independent bank, where people can have accounts.The intended application is in digital payment systems, such as Bitcoin [16].In [19] the payment systems, or rather the functionality they offer, are loosely referred to as ledgers, and payments between customers of different ledgers as interledger payments.Following popular terminology, we here speak of escrows and cross-chain payments.
The protocol from [19] generalises to the situation of a longer zigzag than indicated in Figure 1, involving n escrows and n−1 intermediaries Chloe i .It comes in two variants: an atomic mode, in which transfers are coordinated using an ad-hoc group of notaries, selected by the participants, and a universal mode, not requiring external coordination.The atomic mode relies on more than two-third of the notaries to be reliable, although it may be unknown which ones.
The correctness proof by Thomas and Schwartz [19] of the universal mode of the protocol requires the assumption of bounded synchrony on the communication between the parties in the protocol, simply called synchrony by Dwork et al. [5].This assumption says that any message sent by one of the parties, is guaranteed to be received by the intended recipient(s).Moreover, there is a known upper bound on the time a message is underway.Additionally, there needs to be a known upper bound on the clock skew between participants.
Here we point out that this assumption is necessary, in the sense that without this assumption, and without the help of mostly reliable notaries, no correct cross-chain payment protocol exists.
To make such a statement, we need to define when we consider a cross-chain payment protocol correct.The correctness proof by Thomas and Schwartz [19] consists of reasonable properties that are shown to hold for the chosen protocol.These properties are stated in terms of that specific protocol, and the reader can infer that they sum up to a correctness argument.But no formal statement occurs of what it means for a general cross-chain payment protocol to be correct, and this is what we need to make any negative statement about it.
Other cross-chain technologies.In the lightning network, Poon and Dryja [17] can relay payment outside the blockchain or "offchain" through connected intermediaries, but they require synchrony and do not consider clock skew.Gazi, Kiayias and Zindros [6] propose a rigorous formalisation of ledger and crosschain transfers, but focus on proof-of-stake (in particular Cardano Ouroboros).The assumption of "semisynchronous communications", which in practice corresponds to synchrony as defined by Dwork, Lynch and Stockmeyer [5], make their results not extensible to partial synchrony.They do not consider clock skew.Herlihy proposes atomic cross-chain swaps [10] to exchange assets between distinct blockchains, but only in a synchronous environment without clock skew.Ron van der Meyden [14] verifies a cross-chain swap protocol by modelling a timelock predicate as a Boolean variable indicating whether the asset is transferred.This approach also requires synchrony, and does not consider clock skew.In XClaim [21] Zamyatin et al. propose a solution to swap blockchain-backed assets.Their protocol assumes that adversaries are behaving rationally, and requires synchrony.
Lind et al. [12] relax the synchrony assumption but require a trusted execution environment (TEE).Such a solution cannot be used to solve our problem as it would require trusting a third-party, often represented as the manufacturer of this TEE.
Other approaches [20,18,11] rely on a separate blockchain that plays the same role as our transaction manager (cf.Section 6.2).However, [20] and [18] do not aim at ensuring liveness, and [11] aims at ensuring liveness only in periods where communication proceeds synchronously.Wood [20] proposes a multi-chain solution that aims at combining heterogeneous blockchains together without trust.As far as we know, it has not been proved that the protocol terminates.Ranchal-Pedrosa and Gramoli [18] relax the synchrony assumption using an alternative 'child' blockchain to the so-called 'parent' blockchain in order to execute a series of transfers outside the parent blockchain.This protocol does not guarantee that the set of intermediary transfers on the child blockchain eventually take effect.Herlihy, Liskov and Shrira [11] model cross-chain deals as a matrix M where M i,j characterises a transfer of some asset from participant i to participant j, and offer a timelock-based solution under the synchrony assumption, without clock skew, and a certified blockchain commit protocol that requires partial synchrony and a certified blockchain.As remarked in [11], a strong liveness guarantee is not feasible when merely assuming partial synchrony.In this context the targeted crosschain deal problem admits solutions where all correct processes simply abort.Our corresponding problem differs by requiring a weaker liveness guarantee in that it formulates conditions under which a successful transfer is ensured.We present a more detailed comparison between our work and that of [11] in Section 7.
Crash fault tolerant solutions.The transaction commit problem is a classical problem from the database literature, tackled for instance by Gray & Lamport [7], Guerraoui [8] and Hadzilacos [9].It consists of ensuring that either all the processes commit a given transaction or all the processes abort this transaction.
The Non-Blocking Atomic Commitment problem has been formally defined by Guerraoui, for asynchronous systems with unreliable failure detectors (encapsulating partial synchrony) in a crash (fail-stop) model [8] but not in a Byzantine model.Guerraoui proved an impossibility result when the problem requires that "If all participants vote yes, and there is no failure, then every correct participant eventually decides commit".He then proposes a weaker variant of the problem where the above requirement is replaced by "If all participants vote yes, and no participant is ever suspected, then every correct participant eventually decides commit".The two problems we consider in this paper present a similar distinction; however, our problems target Byzantine fault tolerance, not crash fault tolerance.
Anta, Georgiou and Nicolaou [2] propose a general and rigorous definition of a ledger in which they consider the atomic append problem in an asynchronous model.Similarly, their model considers exclusively crash failures.
3 Model and definitions
Escrows.An escrow is a specific type of process that can handle values for other parties in a predefined manner.
Customers.Customer c 0 is Alice and c n is Bob.The customers c 1 , . . ., c n−1 are intermediaries in the interaction between Alice and Bob; we call them connectors, named Chloe i .
Trust.Customers c i−1 and c i have accounts at escrow e i−1 , and trust this escrow (i = 1, . . ., n).We do not assume any other relations of trust.Topology.Not every customer can send value to any other.Here we assume that value can be transferred directly only between customers of the same escrow.Moreover, any transfer between two customers of an escrow can be modelled as two transfers: one from the originating customer to the escrow, and one from the escrow to the receiving customer.Thus, the connections from Figure 2 describe both the relations of trust and the possible transfers of value.The case n = 2 was depicted in Figure 1.
We can talk of the customers of an escrow to designate the customers that are connected to this escrow.We also talk of the escrows of a customer to designate the escrows that are connected to this customer-only one escrow for Alice and Bob, and two escrows for a connector.
Placing value in escrow.Customers can send a specific type of message to ask their escrow to put money aside for them.In particular, two customers may make a deal with an escrow to place value originating from the first customer "in escrow", and, after a predefined period, depending on which conditions are met, either complete the transfer to the second customer, or return the value to the first one.
Abstracting the transfer of value.There are many ways of transferring value from one party to another: one could give a physical object, such as cash or gold, to someone else.One could also send a transaction to transfer cryptocurrency or tokens on a distributed ledger, or send a specific message on some banking application.We do not care of how this process is implemented, and we suppose that the participants have already agreed upon the value they expect to be transferred.
We use therefore a unified notation: s(p, $) to say "send a message to trigger the transfer of some previously agreed-upon value to participant p".
Chloe's fee.As Chloe helps out transferring value from Alice to Bob, it is only reasonable that she is paid a small commission.Hence the value transferred from Alice to Chloe might be larger than the value transferred from Chloe to Bob.Additionally, these values may be expressed in different currencies, with possibly fluctuating exchange rates, or they may be objects such as bags of flour that have a qualitydependent value.Deciding which values to transfer may thus be an interesting problem.However, it is entirely orthogonal to the matter discussed in this paper, and hence we shall not consider it any further.

Communication and computation model
The following model holds for the rest of the paper.When necessary, we will mention explicitly if we have to add some assumptions, such as synchrony of communication.
Communication.We assume that the network does not lose, duplicate, modify or create messages.However messages can be delayed for arbitrarily long: by default we assume asynchronous communication.
Authentication.We assume that each customer can sign a message with his unique identifier, thanks to an idealised public key infrastructure.No other process can forge its signature, and any process (including escrows) can verify it.An escrow is not necessarily able to sign a message.
Certificates.As a consequence, any customer can issue a certificate by signing an appropriate message.For example, Bob can issue a receipt certificate to Alice by signing a received message.By combining several signatures, one can define threshold certificates, for instance requiring the signature of a commit message by strictly more than n/3 customers or notaries.A correct implementation of certificates should take care of preventing replay attacks.
Faults.We do not make any assumption on the behaviour of the processes a priori.Later we will define a protocol, and processes will either follow the protocol or deviate from the protocol.

Synchronous versus asynchronous communication
In the literature five levels of synchrony in communication can be distinguished.As indicated in the table below, terminology is not uniform between the concurrency and the distributed systems communities.

concurrency distributed systems synchronous communication rendezvous I/O automata asynchronous communication synchronous communication partially synchronous communication asynchronous communication
In the concurrency community, communication is called synchronous if sendingand receiving occur simultane-ously, and the sender cannot proceed before receipt of the message is complete.This is the typical paradigm in process algebras such as CCS [15].Communication is called asynchronous if sending occurs strictly before receipt, and the sender can proceed after sending regardless of the state of the recipient(s).An intermediate form is modelled by I/O automata [13]; here sending and receipt is assumed to occur simultaneously, yet the sender proceeds after sending regardless of the state of possible receivers.
In the distributed systems community all communication is by default assumed to be asynchronous in the sense above; synchronous communication as defined above is sometimes called a rendezvous.Following [5], communication is called synchronous when there is a known upperbound on the time messages can be in transit, and moreover there is a known upperbound on the relative clock skew between parallel processes.It is partially synchronous when these upperbounds exist but are not known, or when it is known that after a finite but unknown amount of time these upperbounds will come into effect.If these conditions are not met, communication is deemed asynchronous.
The present paper follows the latter terminology; we speak of fully synchronised communication when referring to synchronous communication from concurrency theory.

Informal description of the syntax and semantics of ANTA
Although strongly inspired by the timed automata of Alur and Dill [1] and their networks [3], our ANTA differs from those models in subtle ways, tuned to the problem at hand.The first A refers to asynchronous communication in the concurrency-theoretic sense, and contrasts with the fully synchronised communication that is assumed in NTA [3].
In Figure 3 our time-bounded cross-chain protocol-essentially the universal mode of the interledger protocol from [19]-is depicted as an ANTA.There is one automaton for each participant in the protocol, that is, for each escrow e i (i = 1, . . ., n−1) and each customer c i (i = 1, . . ., n).Each automaton is equipped with a unique identifier, in this case e i and c i .Each automaton has a finite number of states, depicted as circles, one of which is marked as the initial state, indicated by a short incoming arrow.The states are partitioned into termination states, indicated by a double circle, input states, coloured white, and output states, coloured grey or black.Furthermore there are finitely many transitions, indicated as arrows between states.The transitions are partitioned into input transitions, labelled r(id, m), output transitions, labelled s(id, m), and time-out transitions, labelled by arithmetical formulas ψ featuring the variable now .Here id must be the identifier of another automaton in the network, and m a message, taken from a set MSG of allowed messages.Whereas each input and time-out transition has a unique label r(id, m) and ψ, respectively, an output transition may have multiple labels s(id, m).All transitions may have additional labels of the form x := now for some variable x.A termination state has no outgoing transitions.An output state has exactly one outgoing transition, which much be an output transition.An input state may have any number of outgoing input and time-out transitions, and no outgoing output transitions.
Each automaton keeps an internal clock, whose value, a real number, is stored in the variable now .The value of now increases monotonically as time goes on.All variables maintained by an automaton are local to that automata, and not accessible by other automata in the network.Each transition is assumed to occur instantaneously, at a particular point in time.In case a transition occurs that is labelled by an assignment x := now , the variable x will remember the point in time when the transition took place.Such a variable may be used later in time-out formulas.When (or shortly before, see below) an output transition with label s(id, m) occurs, the automaton sends the message m to the automaton with identifier id.A time-out transition labelled ψ is enabled at a time now when the formula ψ evaluates to true.An input transition labelled r(id, m) is enabled only at a time when the automaton receives the message m from the automaton id in the network.Whereas an output transition may be scheduled to occur by the automata at any time, an input or time-out transition can occur only when enabled.
When an automaton is not performing a transition, it must be in exactly one of its states.It starts at the initial state, where its clock is initialised with an arbitrary value.When the automaton is in an input state, it stays there (possibly forever) until one of its outgoing transitions becomes enabled; in that case that transition will be taken immediately.In case multiple transitions become enabled simultaneously, the choice is non-deterministic.When the automaton reaches a termination state, it halts.
In general, an output state is labelled with a positive time-out value to ∈ R ∪ {∞}.It constitutes a strict upperbound on the time the automaton will stay in that state.In case the automaton enters an output state at time now , it will take its outgoing transition between times now and now + to.In case its output transition has multiple labels s(id, m), the corresponding transmissions need not occur simultaneously; they can occur in any order between now and now + to.The output transition is considered to be taken when the last of these actions occurs.In this paper time-out values are indicated by colouring: for the grey states it is the constant ε from Section 4.1, while for the black state it is ∞.

Cross-chain payment protocol
A cross-chain payment protocol prescribes a behaviour for each of the participants in the protocol, the escrows and the customers.Let χ be a certificate signed by Bob saying that Alice's obligation to pay him has been met.
Definition 1 (Time-bounded cross-chain payment protocol).A cross-chain payment protocol is a timebounded cross-chain payment protocol if it satisfies the following properties: C Consistency.For each participant in the protocol it is possible to abide by the protocol.
T Time-bounded termination.Each customer that abides by the protocol, and either makes a payment or issues a certificate, terminates within an a priori known period, provided her escrows abide by the protocol.
ES Escrow security.Each escrow that abides by the protocol does not loose money.
CS Customer security.
CS1 Upon termination, if Alice and her escrow abide by the protocol, Alice has either got her money back or received the statement χ.
CS2 Upon termination, if Bob and his escrow abide by the protocol, Bob has either received the money or not issued certificate χ.
CS3 Upon termination, each connector that abides by the protocol has got her money back, provided her escrows abide by the protocol.
L Strong liveness.If all parties abide by the protocol, Bob is paid eventually.
Requirement C (consistency of the protocol) is essential.In the absence of this requirement, any protocol that prescribes an impossible task for each participant would be a correct cross-chain payment protocol (since it trivially meets T, ES, CS and L).
Requirements ES and CS (the safety properties) say that if a participant abides by the protocol, nothing really bad can happen to her.These requirements do not assume that any other participant abides by the protocol, and should hold no matter how malicious the other participants turn out to be.The only exception to that is that the safety properties for a customer (CS) are guaranteed only when the escrow(s) of this customer abide by the protocol.
Property L, saying that the protocol serves its intended purpose, is the only one that is contingent on all parties abiding by the protocol.

A time-bounded cross-chain payment protocol 4.1 Assumptions
Synchrony.The assumption of synchrony considered e.g. by [5], and called bounded synchrony by [19], says 'that there is a fixed upper bound ∆ on the time for messages to be delivered (communication is synchronous) and a fixed upper bound Φ on the rate at which one processor's clock can run faster then another's (processors are synchronous), and that these bounds are known a priori and can be "built into" the protocol.'[5] A consequence of this assumption is that if participant p 1 sends at its local time t 0 a message to participant p 2 , and participant p 2 takes t units of its local time to send an answer back to p 2 , then p 1 can count on arrival of that reply no later than time t 0 + Φ • t + 2 • ∆.
Bounded reaction speed.When a participant in the protocol receives a message, it will take some time to calculate the right response and then to transmit that response.Here it will be essential that that amount of time is bounded.So we assume a reaction time ε > 0 such that any received message can be answered within time ε.

A cross-chain payment protocol formalised as an ANTA
In this section we formally model the universal mode of the interledger protocol from [19] as an ANTA.Moreover, we replace the timing constants employed in [19] by parameters, and then calculate the optimal value of these parameters to unsure correctness of the protocol in the presence of clock skew.
To interpret Figure 3, all that is left to do is specify the messages that are exchanged between escrows and their customers.We consider 4 kinds of messages.One is the certificate χ, signed by Bob, saying that Alice's obligation to pay him has been met.Another is the value $ that is transmitted from one participant to another.The remaining messages are promises made by escrow e i to its customers c i and c i+1 , respectively: to its (upstream) customer c i .Here "upstream" refers to the flow of money.The precise values of d i will be determined later; here they are simply parameters in the design of the protocol.Then it awaits receipt of the money/value from customer c i .If the money does arrive, the escrow issues promise P (a i ) to its downstream customer c i+1 as soon as it can.It remembers the time this promise was issued as u.Then it awaits receipt of the certificate χ from customer c i+1 .If the certificate does not arrive by time u + a i , a time-out occurs, and the escrow refunds the money to customer c i .If the money does arrive in time, the escrow reacts by forwarding the certificate to customer c i , and forwarding the money to customer c i+1 .
A connector Chloe i starts by awaiting promises G(d i ) from her downstream escrow e i , and P (a i−1 ) from her upstream escrow e i−1 .Then she proceeds by sending the money to escrow e i .After sending the money, Chloe i waits for escrow e i to send her either the certificate χ or the money back.In the latter case, her work is done; in the former, she forwards the certificate to escrow e i−1 and awaits for the money to be send by escrow e i−1 .
The automata for Alice and Bob are both simplifications of the one for Chloe i .Alice awaits promise G(d 0 ) from her escrow, and then sends the escrow the money.The protocol allows her to wait arbitrary long before taking that step.Subsequently, she patiently await for either the return of her money, or certificate χ. Bob awaits promise P (a n−1 ) from his escrow, and then issues certificate χ and sends it to his escrow.He then awaits the money.

Running the protocol
The protocol consists of two parts.The set-up involves the sending and receiving of the promises G(d i ).As these promises are not time-sensitive, they can be exchanged months before the active part of the protocol is ran, consisting of all other actions.Here an action is an entity act@p, with act a transition label, and p the identifier of the participant taking that transition.The active part has essentially only one successful run, i.e., when never taking a time-out transition, consisting of the following actions, executed in the following order.Actions separated by commas can be executed in either order.

Initialisation
There is a scenario where Chloe i will never send money to escrow i, namely when she receives promise P (a i−1 ) from escrow e i−1 before she receives promise G(d i ) from escrow e i .In that case the receipt of P (a i−1 ) does not trigger a transition, and Chloe i will remain stuck in her second state.We now modify the protocol in such a way that that scenario can not occur.This can be done in three ways; it does not matter which of the three modifications we take.
1.One solution is to make Alice wait before starting the active part of the protocol (by leaving the black state) until a point in time when she is sure that all parties Chloe i already have received promise G(d i ).
If we assume that all parties start at the same time, using the reasoning of Section 4.1, Alice has to wait at most Φ • ε + ∆ before this point has been reached.The only drawback of this solution is that it may be hard to realise that all parties start at the same time.
2. Another approach is to assume that the set-up phase occurred long before Alice actually wants to send money to Bob.It may be part of a general banking agreement.Possibly each escrow always offers promises G(d) for different values of d, and when sending money to escrow i, Chloe i simply tags it as taking advantage of promise G(d i ).In this approach, the protocol does not feature the transitions labelled s(c i , G(d i )) and r(e i , G(d i )), with the initial states shifted accordingly.Still, the promise G(d i ) counts as having been made to customer c i by escrow e i .
3. A final solution is to introduce to the protocol a message "We are ready", sent by Chloe n−1 to escrow e n−2 , and forwarded, via Chloe i and escrow e i−1 all the way to Alice.Each Chloe i forwards the "We are ready" message only after receiving promise G(d i ) from escrow e i , so when Alice receives the "We are ready" message she can safely initiate the transfer.

Correctness of the protocol
Now we show that the protocol from Figure 3 is correct, in the sense that it satisfies the properties of Definition 1, when making the assumptions of Section 4.1.In doing so, we also calculate the values of the parameters d i and a i .
Consistency.To check that the protocol is consistent, in the sense that each participant can abide by it, we first of all invoke the assumption of bounded reaction speed, described in Section 4.1, and use that the constant ε assumed to exist in Section 4.1 is in fact the time-out value associated to most output states.This ensures that it is always possible to send messages in a timely manner.The only remaining potential failure of consistency is when the protocol prescribes the transmission of a resource that it is not available.Assuming that the sending of promises and money is not an obstacle (Chloe has been selected, in part, for having this kind of money available), the only issue could be the sending of the certificate signed by Bob.For anyone but Bob this can only be done after receiving it first.However, a simple inspection of the automata of the escrows, Chloe i and Alice shows that any transition sending the certificate is preceded by a transition receiving it.This establishes requirement C.
Escrow security.That escrows cannot loose money (requirement ES) follows immediately from the observation that an escrow spends the money only after receiving it.This follows from the order of the transitions in the automaton for the escrows.

Honesty.
Although not part of Definition 1, we show that an escrow that issues a promise always keeps that promise, when abiding by the protocol.This property (H) will be be used below to establish CS.
To show H, suppose the escrow e i issues promise P (a i ), and subsequently receives the certificate χ from customer c i+i at a time v < u + a i , where u refers to the time promise P (a i , ε) was issued.Then it is too soon for the time-out transition, so the transition labelled r(c i+1 , χ) in the automaton of e i will be taken, at time v.The automaton shows that s(c i+1 , χ) will occur by time v + ε, thus fulfilling the promise.
To show that an escrow that issues promise G always keeps it, when abiding by the protocol, suppose the escrow e i receives the money at a time w.Then the transition labelled r(c i , $) in the automaton of e i will be taken, at time w.The automaton shows that either s(c i , $) will occur by time w + ε + a i + ε, or s(c i , χ) will occur by time w + ε + a i + ε.Thus, to guarantee that promise G is met, we need to choose d i and a i in such a way that for i = 0, . . .n−1.In fact, making the promise as strong as possible yields d i := a i + 2ε.When this condition is met, we have established requirement H.
Customer security and time-bounded termination.We will check time-bounded termination (T) together with customer security (CS).To check requirement CS1, suppose that Alice will make the payment s(e 0 , $), at time t.Then earlier she has received promise G(d 0 ) from escrow e 0 .This promise ensures Alice that escrow e 0 will send her either $ or χ by its local time w + d 0 , where w is the time Alice's payment is received.Consequently, by the reasoning of Section 4.1, using the assumption of bounded synchrony, Alice will receive either certificate χ or her money back by time t To check requirement CS2, suppose that Bob issues certificate χ, at time x.Then earlier, at time t, he has received promise P (a n−1 ) from escrow e n−1 .Moreover, x < t + ε.For the promise to be meaningful, his certificate needs to arrive at e n−1 before time u + a n−1 , where u refers to the local time at e n−1 when the promise was issued.By the reasoning of Section 4.1, using the assumption of bounded synchrony, Bob's certificate will arrive at escrow e n−1 before time u + Φ • ε + 2 • ∆.Hence, we need to choose a n−1 in such a way that When this requirement is met, the promise ensures Bob that escrow e n−1 will send him the money by its local time v + ε, where v is the time Bob's certificate is received by e n−1 .Consequently, Bob will receive payment by time To check requirement CS3, suppose that Chloe i will make the payment s(e i , $), at time t 0 .Then earlier, she has received promise G(d i ) from escrow e i and promise P (a i−1 ) from escrow e i−1 , the latter at time t.Moreover, t 0 < t + ε.Promise G(d i ) ensures Chloe i that escrow e i will send her either $ or χ by its local time w + d i , where w is the time Chloe i 's payment is received.Consequently, c i will receive either certificate χ or her money back by time Continuing with the case that she receives χ rather then her money back, she will forward χ to escrow e i−1 by time where u is the time promise P (a i−1 ) was issued.Here we use that ∆ is a valid upperbound on transition times by anyone's clock, and that there is no need to square Φ in Φ • d i , as also the clock skew between escrows e i and e i−1 is bounded by Φ.This calculation is illustrated by the message sequence diagram above.Since χ needs to arrive at e i−1 before time u + a i−1 in order for promise P (a i−1 ) to be meaningful, we need to pick for i = 1, . . ., n−1.When (3) holds, promise P (a i−1 ) ensures Chloe i that escrow e i−1 will send her the money by its local time v + ε, where v is the time the certificate is received by e i−1 .Consequently, c i will receive $ by time , CS3 is guaranteed.Choosing = for ≥ in (1)-(3), we ensure requirement CS by solving these equations.In particular, for i = 0, . . ., n−1, For i = n−1 this follows by (2).Assume we have it for i+1.Then

Now, applying (1) and (3), multiply by Φ and add 4 •
Liveness.It remains to check property L. Suppose that all parties abide by the protocol.By the reasoning in Section 4.4 we may assume that the action s(e 0 , $)@c o (using the terminology of Section 4.3) of Alice sending money to her escrow will not take place until all actions s(c i , G(d i ))@e i and r(e i , G(d i ))@c i have occurred.In terms of Section 4.3 we show that in the remaining active phase of the protocol at least the prefix of the displayed sequence of actions until and including s(c n , $)@e n−1 will take place, in that order, and not interleaved with any other actions.When this happens, Bob must be in his third state, and the required action r(e n−1 , $)@c n will follow surely.
Towards a contradiction, let the initial behaviour of the active part of the protocol be a strict prefix of this sequence, where a is the first action in the sequence that does not occur as scheduled.A simple case analysis shows that when a is scheduled, in fact no action other than a is possible.
The action a cannot be of the form s(e i , $)@c i , because when this action is due, customer c i is in a state where this action must be taken within time ε.An exception is the case n = 0, but also here the action must be taken in within a finite amount of time (or there is nothing to verify).
The action a cannot be r(c i , $)@e i either, because each message sent must arrive eventually, and the receiving party e i is in its second state, and thus able to perform the receive action.
Similarly, a cannot be s(c i+1 , P (a i ))@e i , as here the sender e i must be in its third state.Since all actions r(e i , G(d i ))@c i have already occurred, a cannot be of the form r(e i−1 , P (a i−1 ))@c i .
The case a = s(e n−1 , χ)@c n can be excluded, as here Bob must be in his second state.
If a = r(c n , χ)@e n−1 , then the recipient e n−1 must be in its fourth state and, due to the careful choice of a n1 (see ( 2)), the time-out transition can not intervene.So that choice of a is excluded as well.
The argument against a = s(c n , $)@e n−1 is trivial.

Impossibility under partial synchrony of communications
When communications can experience arbitrarily long delays, it is not possible to expect from a protocol to terminate in an a priori known amount of time.If we want to perform cross-chain payments in a partially synchronous setting, it is therefore necessary to define a different class of cross-chain payment protocols.The obvious idea is to remove any time bound in the definition.But as we will show, this is not enough to make the problem solvable.

Definition 2 (Eventually terminating cross-chain payment protocol with strong liveness guarantees).
A cross-chain payment protocol is an eventually terminating cross-chain payment protocol with strong liveness guarantees it satisfies all the properties of Definition 1 except Property T which is replaced by the following: T' Eventual termination.Each customer that abides by the protocol, and either makes a payment or issues a certificate, terminates eventually, provided her escrows abide by the protocol.
Theorem 1.If communications are partially synchronous (assuming that customers may crash), then there is no eventually terminating cross-chain payment protocol with strong liveness guarantees.
Proof.Assume an eventually terminating cross-chain payment protocol with strong liveness guarantees.Consider a run r in which all participants abide by the protocol.It exists by property C. By property L Bob will be paid in this run, and by property T' all customers terminate.Since by properties ES and CS no participant makes a loss, Alice will not get her money back.Hence by property CS1 Alice will end up with the certificate χ.Let c i be the last customer that holds the certificate before it reaches Alice.This must be either Bob or one of the connectors.Let s be the state in which c i is about the send on χ.
The protocol may not prescribe that c i has already received the money in state s.For then customer c i could decide to keep the money as well as the certificate, while all other participants keep abiding by the protocol, which would violate properties T', ES or CS.Now consider the following two runs of the system, that are the same until state s.In run r 1 customer c i never lets go of the certificate, nor sends out any other message past state s, while all other participants abide by the protocol; in run r 2 all participants abide by the protocol, but c i 's message with the certificate, and all subsequent messages from c i , experience an extreme delay.
First assume that c i is in fact Bob.By property T' run r 1 reaches a state s in which all customers other than Bob are terminated.Using properties ES and CS, in this state Alice ends up without the certificate, and thus with the money, and all customers Chloe j play even.If follows that Bob never receives his money.Yet for all participants other than Bob, runs r 1 and r 2 are indistinguishable, so r 2 will reach a similar state.This violates property CS2.Now assume customer c i is not Bob.So Bob has already issued the certificate.By property T' run r 1 reaches a state s in which all customers other than c i are terminated.Using properties ES and CS, in this state Alice as well as Bob end up with the money, and all customers Chloe j with j = i play even.If follows that Chloe i looses her money.Yet for all participants other than Chloe i , runs r 1 and r 2 are indistinguishable, and the delayed certificate sent by Chloe i may arrive only after the system has reached state s .This violates property CS3.
6 Solution to a variant under partial synchrony

Eventually terminating cross-chain payment protocol with weak liveness guarantees
Weak liveness guarantees.Since it is impossible to design an eventually terminating cross-chain payment protocol with strong liveness guarantees under partial synchrony, we are going to define what is an eventually terminating cross-chain payment protocol with weak liveness guarantees, and show that it is possible to implement such a protocol.In view of the impossibility proof given above, the strong liveness condition (L) is too strong.We would like to weaken it, and replace it by a (realistic and still desirable) property called weak liveness such that the problem becomes solvable.A similar situation exists in the atomic commit problem literature, for instance weak non-triviality defined by Guerraoui in [8] or condition AC4 for atomic commit defined by Hadzilacos in [9]: If all existing failures are repaired and no new failures occur for a sufficiently long period of time, then all processes will reach a decision.
Abort certificate.In the synchronous solution, we used timelocks to ensure that the money will not get stuck forever in escrow.Under partial synchrony, it is no longer pertinent to use timelocks.We need to replace them by a safe way to unlock the funds stored in an escrow.We therefore modify the definition of the certificate χ.Instead of having a single certificate simply signed by Bob, we have two more general certificates called commit certificate χ c and abort certificate χ a , that can never exist simultaneously.
New definition of the problem.When we take into account the two previous tweaks, we reach the following definition.We highlight in italics the difference with our previous definition of a time-bounded cross-chain payment protocol.In particular, we replace "Bob will not issue χ" by "Bob will receive χ a ", and "Alive will receive χ" by "Alice will receive χ c ".

Definition 3 (Eventually terminating cross-chain payment protocol with weak liveness guarantees).
A cross-chain payment protocol is an eventually terminating cross-chain payment protocol with weak liveness guarantees if it satisfies the following properties: C Consistency.For each participant in the protocol it is possible to abide by the protocol.CC Certificate consistency.An abort and a commit certificate can never be issued both.
T' Eventual termination.Each customer that abides by the protocol terminates eventually, provided her escrows abide by the protocol.
ES Escrow security.Each escrow that abides by the protocol does not loose money.
CS' Customer security.
CS1' Upon termination, if Alice and her escrow abide by the protocol, Alice has either got her money back or received the commit certificate χ c .
CS2' Upon termination, if Bob and his escrow abide by the protocol, Bob has either received the money or the abort certificate χ a .
CS3' Upon termination, each connector that abides by the protocol has got her money back, provided her escrows abide by the protocol.
L' Weak liveness.If all parties abide by the protocol, and if the customers wait sufficiently long before and after sending money, then Bob is eventually paid.

Transaction manager abstraction
The previous impossibility result shows that when there is no synchrony, it is hard for processes to agree on a uniform commitment decision (abort or commit).We are going to leverage the existing solutions to the classical consensus problem, and embed them in an abstraction called "transaction manager", defined as follows: Definition 4 (Transaction manager).A transaction manager, called TM, is a process that can receive binary values from the set {commit, abort} from a customer, and that can send certificates drawn from {χ c , χ a } to customers.A transaction manager must verify the following properties: • TM-Termination.If a customer proposes to abort, or if Bob proposes to commit, then TM sends eventually a certificate χ c or χ a to every customer.If a customer proposes abort or commit after TM has issued a certificate, TM will send a copy of that certificate to that customer.
• TM-Consistency.TM does not issue two different certificates.
• TM-Commit-Validity.TM can issue χ c only if Bob proposed commit.
• TM-Abort-Validity.TM can issue χ a only if some customer proposed abort.
There are several ways of implementing a transaction manager.
• Centralised transaction manager.The transaction manager can be a centralised actor trusted by every customer.
• Distributed transaction manager.The transaction manager could be a collection of k parties ("validators") appointed by the participants in the protocol.These validators could run the consensus algorithm for partial synchrony from Dwork, Lynch & Stockmeyer [5], or any equivalent algorithm.
This works when less than one third of these validators are unreliable.In this case, "sending a message to the TM" means sending it to each of these validators, and "the TM sending a decision" means strictly more than one third of the validators sending the jointly taken decision.
• External decentralised transaction manager.The transaction manager can be a decentralised data structure.For example, a smart contract running on a permissionless blockchain shared by every customer can be programmed to be a transaction manager.
In the following, we assume that we have such a transaction manager.Even if it is run by the customers, we do not specify the messages exchanged to run it: the transaction manager is a black-box embedding a consensus algorithm that is running off-protocol.Section 6.5 provides an example implementation.Description of the protocol.In this version of the protocol Chloe i awaits the two promises of her escrows, just like in the protocol of Figure 3, and then sends the money to her downstream escrow.Subsequently she awaits an abort or commit certificate from the transaction manager.If she gets a commit certificate, she cashes it in at her upstream escrow to obtain the money.If she gets an abort certificate instead, she cashes it in at her downstream escrow for a refund of the money she paid earlier.In case she looses patience before she gets the second promise, which happens at a time T i specific for Chloe i , she simply quits.In case she looses patience after she has invested the money but before she gets any certificate, the timeout transition occurs, and she sends an abort proposal to the transaction manager.The latter replies on this with either an abort or a commit certificate, and she cashes those in as above.

A protocol responding to the problem
The tags G and P can thus be understood as promises that would tell: • G: "I guarantee that if I receive $ from you, then if you send me χ a I will send you $".
• P ."I promise that if you send me χ c I will send $ to you".
The automaton for Alice is just a simplified version of the one for Chloe, and the one for the escrows is trivial.For Bob, the important modification is that he alerts the TM with a commit message when the protocol is ready for this.Moreover, in case Bob looses patience before receiving any promise, he send a abort message to the TM, so that he receives the abort certificate in response.

Proof of correctness
Let us call P the protocol defined by the above ANTA.Section 4.4 (Initialisation) applies to P as well, and we assume that the appropriate modifications are made.
Theorem 2. Protocol P is an eventually terminating cross-chain payment protocol with weak liveness guarantees.
Proof.The properties to prove are close to the time-bounded cross-chain payment protocol, and the proof is similar.We split the proof in the following lemmas: Lemma 1, 2, 3, 4, 5 and 6.
Lemma 1 (Consistency).For each participant in P it is possible to abide by P .
Proof.We have to ensure that each participant will be able to follow the transitions after a grey or black state.The only way this would not be possible would be when the protocol asks to transmit a resource that is not available.It is always possible to send tags and money, but we need to verify that any sending of a certificate is preceded by the receipt of this certificate-except for the issuer of the certificate.Such a property is clear after inspection of the automata of escrows and customers.
Lemma 2 (Certificate consistency).An abort and a commit certificate can never be issued both.
Proof.This is a consequence of Property TM-Consistency of Definition 4.
Lemma 3 (Eventual termination).Each customer that abides by P will terminate eventually, provided her escrows abide by the protocol.
Proof.Thanks to Lemma 1, in order to show that a terminating state will be reached, it is sufficient to prove that every input state will be left eventually.We thus establish Lemma 3 by showing that Chloe i and Alice cannot get stuck in states 1, 2, 5, 9, 10 and 12, and Bob cannot get stuck in states 1, 4, 5 and 10.Since her downstream escrow will surely leave state 1, and thus send the message G, it follows that Chloe i , and Alice, will receive this message, and thereby leave state 1.
Chloe i will leave state 2 at time T i at the latest, or immediately when reaching this state after time T i .By the same reasoning, Bob will not get stuck in state 1.
Chloe i and Alice will leave state 5 at time T i at the latest, or immediately when reaching this state after time T i .She will send an abort message to TM to reach state 9, and by the property TM-Termination of Definition 4, TM will eventually reply to her with χ a or χ a .Hence she will leave state 9.By the same reasoning, Bob will not get stuck in state 5.
To reach state 4, Bob sends an abort message to TM. Lemma 4 (Escrow-security).Each escrow that abides by P will not loose money.
Proof.The result is immediate: any transition where an escrow sends money has been preceded by a transition where it receives the money.An escrow's balance cannot become negative if it follows the protocol.
Lemma 5 (Customer-security).Lemma 6 (Weak liveness).If all participants abide by P , and if the customers wait sufficiently long before and after sending money, then Bob will be paid.
Proof.Let us suppose that all the participants abide by P .Suppose that for all i ∈ 0, n−1 , T i is large enough for Alice, Bob and every connector to never take any time-out transition.Instead, Bob will be the first customer to call the transaction manager in his transition from state 3 to 5. Using the notation of Section 4.3, the active part of the protocol-after the exchange of the tags G-must start with the following sequence of actions, executed in this order: s(e 0 , $)@c 0 r(c 0 , $)@e 0 s(c 1 , P )@e 0 r(e 0 , P )@c 1 s(e 1 , $)@c 1 r(c 1 , $)@e 1 s(c 2 , P )@e 1 r(e 1 , P )@c 2 . . .s(e n−1 , $)@c n−1 r(c n−1 , $)@e n−1 s(c n , P )@e n−1 r(e n−1 , P )@c n s(TM, com.)@c n By the TM-Abort-Validity property of Definition 4, since the only proposal was commit, TM will issue the certificate χ c .In particular, Bob will give it to e n−1 and receive the payment in exchange.Interestingly, nothing in the above proofs depends in any way on the assumption of partially synchronous communication.The only place where this is needed is for the implementation of the transaction manager TM-see Section 6.5.In case one is content with a centralised transaction manager as described in Section 6.2, our protocol works correctly also when assuming communication to be asynchronous.

Implementation of a decentralised transaction manager
As an example, in this section we provide an explicit implementation of a transaction manager.It is a wrapper, expressed in pseudo-code, around a binary Byzantine consensus algorithm, such as the one from [5], which is treated as a black box.It follows that we do not need a shared blockchain to achieve our cross-chain payment protocol.
Suppose that we have m validators, which are agents running a consensus algorithm.The validators communicate which each other by exchanging messages.We suppose that a certain number f of validators can be faulty, in the sense that we allow arbitrary (Byzantine) behaviour.All other validators are assumed to abide by the protocol defining a consensus algorithm.
Definition 5 (Binary Byzantine Consensus).A binary Byzantine consensus algorithm is an algorithm in which every validator can propose a binary value (i.e. in {0, 1}) and decide a binary value.Assuming that every non-faulty validator proposes a binary value, the following properties must be ensured: • BBC-Termination.Every non-faulty process eventually decides on a binary value.
• BBC-Agreement.No two non-faulty processes decide on different binary values.
• BBC-Validity.If all non-faulty processes propose the same value, no other value can be decided.
Using such an algorithm as a black box, we now implement a TM.Our validators can either be customers, like Alice, Chloe and Bob, or external parties.If the set of validators is included in or equal to the set of customers, we can talk of an internal decentralised transaction manager.Our TM implementation is only valid when assuming partially synchronous communication, and f < m/3.Each customer can communicate with every validator.
Reliable broadcast call.To call the transaction manager, a customer reliably broadcasts a message to all validators.Here a reliable broadcast is a protocol described by Bracha in [4].It is guaranteed to terminate, even in a setting with asynchronous communication, provided less than one-third of all the broadcast recipients is faulty -the rest abiding by the protocol.It guarantees that if the sender abides by the protocol, all recipients will receive the message sent.Moreover, even if the sender is faulty, either all correct recipients agree on the same value sent, or none of them accepts any value as having been sent [4].
If a faulty customer sends a call with different values to different validators, or sends something to some validators and nothing to others, the reliable broadcast primitive will filter these messages out.In particular, if a validator receives a call from a customer then eventually every validator will receive this call from this customer.7 Cross-chain deals versus cross-chain payments In a preprint by Herlihy, Liskov and Shrira [11], a cross-chain deal is given by a matrix M where M i,j is listing an asset to be transferred from party i to party j.A cross-chain deal can also be represented as a directed graph, where each vertex represents a party, and each arc a transfer; there is an arc from i to j labelled v iff M i,j = v and v = 0.They present two solutions to the problem of implementing such a deal, while aiming to ensure: • Safety.For every protocol execution, every compliant party ends up with an acceptable payoff.
• Weak liveness.No asset belonging to a compliant party is escrowed forever.
• Strong liveness.If all parties are compliant and willing to accept their proposed payoffs, then all transfers happen.
Here a payoff is deemed acceptable to a party i in the deal if party i either receives all assets M j,i while parting with all assets M i,j , or if party i looses nothing at all; moreover, any outcome where she looses less and/or gains more then an acceptable outcome is also acceptable.Each entry M i,j contains a type of asset and a magnitude-for instance "5 bitcoins".For each type of asset a separate blockchain is assumed that acts as escrow.The programming of these blockchains is assumed to be open source, so that all parties can convince themselves that all escrows abide by the protocol.Unlike in our problem statements, this condition is taken for granted and not stated explicitly in the problem description.With this in mind, Weak liveness corresponds with our Eventual termination of Definition 3, while Safety is the counterpart of our Customer security.Our requirement of Escrow security is left implicit in [11]; since blockchains do not possess any assets to start with, they surely cannot loose them.Finally, Strong liveness is the counterpart of our Strong liveness property of Definition 1.
Herlihy, Liskov and Shrira [11] offer a timelock commit protocol that requires synchrony, and assures all three of the above correctness properties.They also offer a certified blockchain commit protocol that requires partial synchrony and a certified blockchain, and ensures Safety and Weak liveness; no protocol can offer Strong liveness in a partially synchronous environment.For both protocols the correctness is proven for so-called well-formed cross-chain deals: those whose associated directed graph is strongly connected.
The cross-chain payment cannot be seen as a special kind of cross-chain deal.In first approximation, a cross-chain payment looks like a non-well-formed deal of the form However, these solutions presume a shared blockchain between Alice and Bob for the transfer of the certificate; this runs counter to the problem description of cross-chain payments.Conversely, neither is there a reduction from the cross-chain deal problem to the cross-chain payment problem.A deal presented by a cyclic graph can be represented as a cross-chain payment where Alice and Bob are identified.For instance, an atomic swap between two customers A and C can be expressed as a cross-chain payment with three customers: However, this idea does not generalise to well-formed cross-chain deals in general.Since every strongly connected graph can be represented as a single cycle with repeated elements, there is an obvious candidate reduction of such deals to cross-chain payments, simply by identifying suitable intermediaries Chloe i and Chloe j .However, this reduction does not preserve the safety property of cross-chain deals; for when the deal goes through for Chloe j but is aborted for Chloe i , the resulting outcome is not (necessarily) acceptable for the unified participant Chloe {i.j} .

Conclusion
We formalised the problem of cross-chain payment with success guarantees.We show that there is no solution to the existing variant of this problem without assuming synchrony, and offer such a solution-one that works even in the presence of clock skew.We then relax the liveness guarantee of this problem in order to propose a solution that works in a partially synchronous setting.This new problem differs from existing ones in that it prevents all participants from always aborting, hence guaranteeing success when possible.Besides the new problem statements and our impossibility result, an interesting aspect of our work is to relate recent blockchain problems, like interledger payments, to the classic problem of transaction commit, and to offer Byzantine fault tolerant solutions to these.

G
(d) := "I guarantee that if I receive $ from you at my local time w, then I will send you either $ or χ by my local time w + d." P (a) := "I promise that if I receive χ from you at my local time v, with v < now + a, then I will send you $ by my local time v + ε."The automata of Figure 3 can be informally described as follows: A escrow e i first send promise G(d i )

Figure 4 :Figure 5 :Figure 6 :Figure 7 :
Figure 4: Automaton for escrow e i n .However, this representation abstracts from the certificate χ that plays an essential role in the statement of the time-bounded cross-chain payment problem.Factoring in χ, an alternative representation would be By properties TM-Termination and TM-Commit-Validity of Definition 4, TM will eventually reply to him with χ a .Hence he will leave state 4. Now assume Customer c i+1 (Chloe or Bob) reaches state 10.Then Customer c i+1 has already received promise P from Escrow i, and thus Escrow i must have send this promise, thereby reaching state 4. To reach state 10, Customer c i+1 sends certificate χ c to Escrow i.By Lemma 2, the TM never issues certificate χ a , so Customer c i cannot send it to Escrow i.It follows that Escrow i will reach state 5, and send the money to Customer c i+1 .Hence Customer c i+1 will leave state 10 and reach the terminating state 11.Finally assume Customer c i (Alice or Chloe) reaches state 12. Then Customer c i has already received promise G from Escrow i, and thus Escrow i must have send this promise, thereby reaching state 2. After receiving promise G, Customer c i has send the money to Escrow i, so Escrow i will have reached state 3, and hence also state 4. To reach state 12, Customer c i sends certificate χ a to Escrow i.By Lemma 2, the TM never issues certificate χ c , so Customer c i+1 cannot send it to Escrow i.It follows that Escrow i will reach state 6, and send the money to Customer c i .Hence Customer c i will leave state 12 and reach the terminating state 13.

1 .
Upon termination, if Alice and her escrow abide by P , Alice has either got her money back or received the commit certificate χ c . 2. Upon termination, if Bob and his escrow abide by P , Bob has either received the money or the abort certificate χ a .3. Upon termination, each connector that abides by P has got her money back, provided her escrows abide by P .Proof. 1.If Alice terminates in state 13, she has got her money back in the last transition.If she terminates in state 6, she has got the certificate χ c in the last transition.2. The result is similar for Bob: if he terminates in state 7, he has received χ a .Otherwise, he terminates in state 11 and has been paid correctly.3. To reach termination, Chloe i , i ∈ {1..n − 1} has either never spend the money (termination state 3), or received $ either from e i−1 (termination state 11) or from e i (termination state 13).In both these cases, she has got her money back.

3 .
TM-Commit-Validity.TM-Commit-Validity says that if Bob does not propose commit, then TM cannot issue χ c .If Bob does not propose commit, then no correct validator will ever propose 1 because of lines 1−5 of BFT-TM.Now BBC-Validity implies that no correct validator can decide 1, and consequently the commit certificate cannot be issued by TM. 4. TM-Abort-Validity.TM-Abort-Validity says that if no customer proposes to abort, then TM cannot issue χ a .If no customer proposes to abort, then no correct validator will ever propose 0 because of lines 1 − 5 of BFT-TM.The final argument is the same as above.