Breaking and Fixing Virtual Channels: Domino Attack and Donner

Payment channel networks (PCNs) mitigate the scalability issues of current decentralized cryptocurrencies. They allow for arbitrarily many payments between users connected through a path of intermediate payment channels, while requiring interacting with the blockchain only to open and close the channels. Unfortunately, PCNs are (i) tailored to payments, excluding more complex smart contract functionalities, such as the oracle-enabling Discreet Log Contracts and (ii) their need for active participation from intermediaries may make payments unreliable, slower, expensive, and privacy-invasive. Virtual channels are among the most promising techniques to mitigate these issues, allowing two endpoints of a path to create a direct channel over the intermediaries without any interaction with the blockchain. After such a virtual channel is constructed, (i) the endpoints can use this direct channel for applications other than payments and (ii) the intermediaries are no longer involved in updates. In this work, we first introduce the Domino attack, a new DoS/griefing style attack that leverages virtual channels to destruct the PCN itself and is inherent to the design adopted by the existing Bitcoin-compatible virtual channels. We then demonstrate its severity by a quantitative analysis on a snapshot of the Lightning Network (LN), the most widely deployed PCN at present. We finally discuss other serious drawbacks of existing virtual channel designs, such as the support for only a single intermediary, a latency and blockchain overhead linear in the path length, or a non-constant storage overhead per user. We then present Donner, the first virtual channel construction that overcomes the shortcomings above, by relying on a novel design paradigm. We formally define and prove security and privacy properties in the Universal Composability framework.
Our evaluation shows that Donner is efficient, reduces the on-chain number of transactions for disputes from linear in the path length to a single one, which is the key to prevent Domino attacks, and reduces the storage overhead from logarithmic in the path length to constant. Donner is Bitcoin-compatible and can be easily integrated in the LN.
