Aumayr, L., Thyagarajan, S. A., Malavolta, G., Moreno-Sanchez, P., & Maffei, M. (2022). Sleepy Channels: Bi-directional Payment Channels without Watchtowers. In CCS ’22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (pp. 179–192). Association for Computing Machinery.
DOI: 10.1145/3548606.3559370 Metadata
Abstract: Payment channels (PC) are a promising solution to the scalability issue of cryptocurrencies, allowing users to perform the bulk of the transactions off-chain without needing to post everything on the blockchain. Many PC proposals however, suffer from a severe limitation: Both parties need to constantly monitor the blockchain to ensure that the other party did not post an outdated transaction. If this event happens, the honest party needs to react promptly and engage in a punishment procedure. This means that prolonged absence periods (e.g., a power outage) may be exploited by malicious users. As a mitigation, the community has introduced watchtowers, a third-party monitoring the blockchain on behalf of off-line users. Unfortunately, watchtowers are either trusted, which is critical from a security perspective, or they have to lock a certain amount of coins, called collateral, for each monitored PC in order to be held accountable, which is financially infeasible for a large network. We present Sleepy Channels, the first bi-directional PC protocol without watchtowers (or any other third party) that supports an unbounded number of payments and does not require parties to be persistently online. The key idea is to confine the period in which PC updates can be validated on-chain to a short, pre-determined time window, which is when the PC parties have to be online. This behavior is incentivized by letting the parties lock a collateral in the PC, which can be adjusted depending on their mutual trust and which they get back much sooner if they are online during this time window. Our protocol is compatible with any blockchain that is capable of verifying digital signatures (e.g., Bitcoin), as shown by our proof of concept. Moreover, our experimental results show that Sleepy Channels impose a communication and computation overhead similar to state-of-the-art PC protocols while removing watchtower's collateral and fees for the monitoring service.

Aumayr, L., Abbaszadeh, K., & Maffei, M. (2022). Thora: Atomic and Privacy-Preserving Multi-Channel Updates. In CCS ’22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (pp. 165–178). Association for Computing Machinery.
DOI: 10.1145/3548606.3560556 Metadata
Abstract: Most blockchain-based cryptocurrencies suffer from a heavily limited transaction throughput, which is a barrier to their growing adoption. Payment channel networks (PCNs) are one of the promising solutions to this problem. PCNs reduce the on-chain load of transactions and increase the throughput by processing many payments off-chain. In fact, any two users connected via a path of payment channels (i.e., joint addresses between the two channel end-points) can perform payments, and the underlying blockchain is used only when there is a dispute between users. Unfortunately, payments in PCNs can only be conducted securely along a path, which prevents the design of many interesting applications. Moreover, the most widely used implementation, the Lightning Network in Bitcoin, suffers from a collateral lock time linear in the path length, it is affected by security issues, and it relies on specific scripting features called Hash Timelock Contracts that hinders the applicability of the underlying protocol in other blockchains. In this work, we present Thora, the first Bitcoin-compatible off-chain protocol that enables the atomic update of arbitrary channels (i.e., not necessarily forming a path). This enables the design of a number of new off-chain applications, such as payments across different PCNs sharing the same blockchain, secure and trustless crowdfunding, and channel rebalancing. Our construction requires no specific scripting functionalities other than digital signatures and timelocks, thereby being applicable to a wider range of blockchains. We formally define security and privacy in the Universal Composability framework and show that our cryptographic protocol is a realization thereof. In our performance evaluation, we show that our construction requires only constant collateral, independently from the number of channels, and has only a moderate off-chain communication as well as computation overhead.

Aumayr, L., Oguzhan Ersoy, Erwig, A., Faust, S., Hostáková, K., Maffei, M., Moreno-Sanchez, P., & Riahi, S. (2022, August 30). Generalized Channels from Limited Blockchain Scripts and Adaptor Signatures [Conference Presentation]. The Science of Blockchain Conference 2022, Stanford, United States of America (the).
Metadata

Aumayr, L., Moreno-Sanchez, P., Kate, A., & Maffei, M. (2022, August 31). Blitz: Secure Multi-Hop Payments Without Two-Phase Commits [Conference Presentation]. The Science of Blockchain Conference 2022, Stanford, United States of America (the).
Metadata

Aumayr, L., Kasra Abbaszadeh, & Maffei, M. (2022, October 31). Thora: Atomic And Privacy-Preserving Multi-Channel Updates [Poster Presentation]. Crypto Economics Security Conference, Berkeley, United States of America (the).
Metadata

Aumayr, L., Sri AravindaKrishnan Thyagarajan, Giulio Malavolta, Moreno-Sanchez, P., & Maffei, M. (2022, October 31). Sleepy Channels: Bi-directional Payment Channels without Watchtowers [Poster Presentation]. Crypto Economics Security Conference, Berkeley, United States of America (the).
Metadata

Aumayr, L. (2022, July 27). Evolution of Payment Channels [Presentation]. DFINITY Foundation - research talks, Austria.
Metadata

Aumayr, L., Moreno-Sanchez, P., Kate, A., & Maffei, M. (2021, September 7). Donner: UTXO-Based Virtual Channels Across Multiple Hops [Presentation]. Bitcoin Sydney Socratic Seminar, Australia.
Metadata

Aumayr, L., Moreno-Sanchez, P., Kate, A., & Maffei, M. (2021, April 27). Blitz: Secure Multi-Hop Payments Without Two-Phase Commits [Presentation]. Bitcoin Sydney Socratic Seminar, Australia.
Metadata

Aumayr, L., Moreno-Sanchez, P., Kate, A., & Maffei, M. (2021, February 24). Blitz: Secure Multi-Hop Payments Without Two-Phase Commits [Presentation]. Decrypto Seminar, International.
Metadata

Aumayr, L. (2021, November 16). Designing Secure Payment Channel Schemes [Presentation]. Singapore Management University - Online Topic, Singapore.
Metadata

Aumayr, L. (2021, November 16). Beyond Payments in Payment Channel Networks [Presentation]. Software Seminar Series (S3), Spain.
Metadata

Aumayr, L., Moreno-Sanchez, P., Kate, A., & Maffei, M. (2021, May 26). Blitz: Secure Multi-Hop Payments Without Two-Phase Commits [Conference Presentation]. Theory and Practice of Blockchains, International.
Metadata

Aumayr, L. (2021, December 9). Off-chain Scaling of Cryptocurrencies [Presentation]. VISP blockchain research meetup, Austria.
Metadata

Aumayr, L., Moreno-Sanchez, P., Kate, A., & Maffei, M. (2021). Blitz: Secure Multi-Hop Payments Without Two-Phase Commits. In 30th USENIX Security Symposium (pp. 4043–4060). USENIX: The Advanced Computing Systems Association.
Metadata ⯈Fulltext (preprint)
Abstract: Payment-channel networks (PCN) are the most prominent approach to tackle the scalability issues of current permissionless blockchains. A PCN reduces the load on-chain by allowing arbitrarily many off-chain multi-hop payments (MHPs) between any two users connected through a path of payment channels. Unfortunately, current MHP protocols are far from satisfactory. One-round MHPs (e.g., Interledger) are insecure as a malicious intermediary can steal the payment funds. Two-round MHPs (e.g., Lightning Network (LN)) follow the 2-phase-commit paradigm as in databases to overcome this issue. However, when tied with economical incentives, 2-phase-commit brings other security threats (i.e., wormhole attacks), staggered collateral (i.e., funds are locked for a time proportional to the payment path length) and dependency on specific scripting language functionality (e.g., Hash Time-Lock Contracts) that hinders a wider deployment in practice. We present Blitz, a novel MHP protocol that demonstrates for the first time that we can achieve the best of the two worlds: a single round MHP where no malicious intermediary can steal coins. Moreover, Blitz provides the same privacy for sender and receiver as current MHP protocols do, is not prone to the wormhole attack and requires only constant collateral. Additionally, we construct MHPs using only digital signatures and a timelock functionality, both available at the core of virtually every cryptocurrency today. We provide the cryptographic details of Blitz and we formally prove its security. Furthermore, our experimental evaluation on a LN snapshot shows that (i) staggered collateral in LN leads to in between 4x and 33x more unsuccessful payments than the constant collateral in Blitz; (ii) Blitz reduces the size of the payment contract by 26%; and (iii) Blitz prevents up to 0.3 BTC (3397 USD in October 2020) in fees being stolen over a three day period as it avoids wormhole attacks by design.

Aumayr, L., Ersoy, O., Erwig, A., Faust, S., Hostáková, K., Maffei, M., Moreno-Sanchez, P., & Riahi, S. (2021). Bitcoin-Compatible Virtual Channels. In 2021 IEEE Symposium on Security and Privacy (SP). IEEE Symposium on Security and Privacy, Oakland, USA, Non-EU. IEEE Computer Society.
DOI: 10.1109/sp40001.2021.00097 Metadata ⯈Fulltext (preprint)
Abstract: Current permissionless cryptocurrencies such as Bitcoin suffer from a limited transaction rate and slow confirmation time, which hinders their large scale adoption. Payment channels are one of the most promising solutions to address these problems, as they allow two end-points of the channel to perform arbitrarily many payments in a peer-to-peer fashion while uploading only two transactions on the blockchain. This concept has been generalized into payment-channel networks where a path of payment channels is used to settle the payment between two users that might not share a channel between them. However, this approach requires the active involvement of each user in the path, making the system less reliable (they might be offline), more expensive (they charge fees per payment) and slower (intermediaries need to be actively involved in the payment). To mitigate this issue, recent work has introduced the concept of virtual channels, which involve intermediaries only in the initial creation of a bridge between payer and payee, who can later on independently perform arbitrarily many off-chain transactions. Unfortunately, existing constructions are only available for Ethereum, as they rely on its account model and Turing-complete scripting language. The realization of virtual channels in other blockchain technologies with limited scripting capabilities, like Bitcoin, was considered so far an open challenge. In this work, we present the first virtual channel protocols that are built on the UTXO-model and require a script language supporting only a digital signature scheme and a timelock functionality, being thus backwards compatible with virtually every cryptocurrency, including Bitcoin. We formalize the security properties of virtual channels as an ideal functionality in the Universal Composability framework, and prove that our protocol constitutes a secure realization thereof. We have prototyped and evaluated our protocol on the Bitcoin blockchain, demonstrating its efficiency: for n sequential payments, they require an off-chain exchange of 11+2⋅(n−1) transactions or a total of 4219+695⋅(n−1) bytes, with no on-chain footprint in the optimistic case.

Aumayr, L., Ersoy, O., Erwig, A., Faust, S., Hostáková, K., Maffei, M., Moreno-Sanchez, P., & Riahi, S. (2021). Generalized Channels from Limited Blockchain Scripts and Adaptor Signatures. In Lecture Notes in Computer Science (pp. 635–664). Springer.
DOI: 10.1007/978-3-030-92075-3_22 Metadata
Abstract: Decentralized and permissionless ledgers offer an inherently low transaction rate, as a result of their consensus protocol demanding the storage of each transaction on-chain. A prominent proposal to tackle this scalability issue is to utilize off-chain protocols, where parties only need to post a limited number of transactions on-chain. Existing solutions can roughly be categorized into: (i) application-specific channels (e.g., payment channels), offering strictly weaker functionality than the underlying blockchain; and (ii) state channels, supporting arbitrary smart contracts at the cost of being compatible only with the few blockchains having Turing-complete scripting languages (e.g., Ethereum). In this work, we introduce and formalize the notion of generalized channels allowing users to perform any operation supported by the underlying blockchain in an off-chain manner. Generalized channels thus extend the functionality of payment channels and relax the definition of state channels. We present a concrete construction compatible with any blockchain supporting transaction authorization, time-locks and constant number of Boolean ∧ and ∨ operations -- requirements fulfilled by many (non-Turing-complete) blockchains including the popular Bitcoin. To this end, we leverage adaptor signatures -- a cryptographic primitive already used in the cryptocurrency literature but formalized as a standalone primitive in this work for the first time. We formally prove the security of our generalized channel construction in the Universal Composability framework. As an important practical contribution, our generalized channel construction outperforms the state-of-the-art payment channel construction, the Lightning Network, in efficiency. Concretely, it halves the off-chain communication complexity and reduces the on-chain footprint in case of disputes from linear to constant in the number of off-chain applications funded by the channel. Finally, we evaluate the practicality of our construction via a prototype implementation and discuss various applications including financially secured fair two-party computation.

Aumayr, L., Ersoy, O., Erwig, A., Faust, S., Hostáková, K., Maffei, M., Moreno-Sanchez, P., & Riahi, S. (2020). Generalized Bitcoin-Compatible Channels (2020/476).
Metadata
Abstract: The widespread adoption of decentralized cryptocurrencies, such as Bitcoin or Ethereum, is currently hindered by their inherently limited transaction rate. One of the most prominent proposals to tackle this scalability issue are payment channels which allow mutually distrusted parties to exchange an arbitrary number of payments in the form of off-chain authenticated messages while posting only a limited number of transactions onto the blockchain. Specifically, two transactions suffice, unless a dispute between these parties occurs, in which case more on-chain transactions are required to restore the correct balance. Unfortunately, popular constructions, such as the Lightning network for Bitcoin, suffer from heavy communication complexity both off-chain and on-chain in case of dispute. Concretely, the communication overhead grows exponentially and linearly, respectively, in the number of applications that run in the channel. In this work, we introduce and formalize the notion of generalized channels for Bitcoin-like cryptocurrencies. Generalized channels significantly extend the concept of payment channels so as to perform off-chain any operation supported by the underlying blockchain. Besides the gain in expressiveness, generalized channels outperform state-of-the-art payment channel constructions in efficiency, reducing the communication complexity and the on-chain footprint in case of disputes to linear and constant, respectively. We provide a cryptographic instantiation of generalized channels that is compatible with Bitcoin, leveraging adaptor signatures -- a cryptographic primitive already used in the cryptocurrency literature but formalized as a standalone primitive in this work for the first time. We formally prove the security of our construction in the Universal Composability framework. Furthermore, we conduct an experimental evaluation, demonstrating the expressiveness and performance of generalized channels when used as building blocks for popular off-chain applications, such as channel splitting and payment-channel networks.