outpost: a lightweight responsive watchtower€¦ · blockchain. no, not really 😎 channels i...
TRANSCRIPT
![Page 1: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/1.jpg)
Outpost: A Lightweight
Tejaswi Nadahalli (ETH Zürich)Majid Khabazzian (Univ. of Alberta)
Roger Wattenhofer (ETH Zürich)eth = Eidgenössische Technische Hochschule (Federal Institute of Technology)
WatchtowerResponsive
![Page 2: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/2.jpg)
What’s happening?
7 tps!
Blockchain. No, not really 😎
Channels
I will go offline!
Watchtowers
Storage?!?!?
stick figures: XKCD
![Page 3: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/3.jpg)
Lightning Channel
UTXO_a UTXO_b
UTXO_a
(a+t)OR
(b+sb)
UTXO_b
(b+t)OR
(a+sa)
UTXO_ab
topen
ctx_a ctx_b
UTXO_a
topen
UTXO_ab
ctx_a
(a+t)OR
(b+sb)
UTXO controlled by Alice
Opening Transaction
UTXO controlled by Alice and Bob
Commitment Transaction broadcastable by Alice
UTXO controlled by Alice and a timelock OR Bob with a secretA
lice
Bob
![Page 4: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/4.jpg)
Lightning Channel
UTXO_a UTXO_b
UTXO_a
(a+t)OR
(b+sb)
UTXO_b
(b+t)OR
(a+sa)
UTXO_ab
topen
ctx_a ctx_b
Bilateral Closure
UTXO_ab
closure
UTXO_a UTXO_b
![Page 5: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/5.jpg)
Lightning Channel
UTXO_a UTXO_b
UTXO_a
(a+t)OR
(b+sb)
UTXO_b
(b+t)OR
(a+sa)
UTXO_ab
topen
ctx_a ctx_b
Unilateral Closure
UTXO_ab
ctx_acurrent
(a+t)OR
(b+sb)
UTXO_b
UTXO_a
sweep_a
after time “t”
![Page 6: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/6.jpg)
Lightning Channel
UTXO_a UTXO_b
UTXO_a
(a+t)OR
(b+sb)
UTXO_b
(b+t)OR
(a+sa)
UTXO_ab
topen
ctx_a ctx_b
Cheating Closure
UTXO_ab
ctx_aprevious
(a+t)OR
(b+sb)
UTXO_b
UTXO_a
sweep_a
after time “t”
![Page 7: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/7.jpg)
Lightning Channel
UTXO_a UTXO_b
UTXO_a
(a+t)OR
(b+sb)
UTXO_b
(b+t)OR
(a+sa)
UTXO_ab
topen
ctx_a ctx_b
Justice Transaction
UTXO_ab
ctx_aprevious
(a+t)OR
(b+sb)
UTXO_b
UTXO_b
sb + sweep_b
![Page 8: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/8.jpg)
Offline… Watchtower
![Page 9: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/9.jpg)
Justice Kit
b’s mirror
(a+t)OR
(b+sb)
UTXO_b
sb+ sweep_b
eJTX (🔒🔒🔒🔒🔒🔒🔒🔒🔒)
AES-128ctx_a_TXID_suffix
ctx_a_TXID_prefix
ctx_aprevious
![Page 10: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/10.jpg)
Watchtower
e3b0c44298... 🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒
6e340b9cff... 🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒
96a296d224... 🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒
709e80c884... 🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒
df3f619804... 🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒
8855508aad... 🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒🔒
... ...
... ...
... ...
![Page 11: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/11.jpg)
Cheater has to store cheating CTX(s)
Every CTX has a corresponding JTX
CTX has to be published on the blockchain
Store the corresponding JTX inside this CTX?
Observations
![Page 12: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/12.jpg)
Can we store JTX inside CTX?
UTXO_ab
ctx_aprevious
(a+t)OR
(b+sb)
UTXO_b
UTXO_b
sb + sweep_b b
(a+t)OR
(b+sb)
UTXO_b
sb+ sweep_b
OP_RETURN
![Page 13: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/13.jpg)
UTXO_ab
ctx_aprevious
(a+t)OR
(b+sb)
UTXO_b
b
(a+t)OR
(b+sb)
UTXO_b
sb+ sweep_b
OP_RETURN
double - SHA256
TXID
TXID
![Page 14: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/14.jpg)
TXID makes it self-referential
UTXO_ab
ctx_aprevious
(a+t)OR
(b+sb)
UTXO_b
b
(a+t)OR
(b+sb)
UTXO_b
sb+ sweep_b
OP_RETURN
double - SHA256
TXID
![Page 15: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/15.jpg)
OP_RETURN alternatives
P2SH Data Drop
● vulnerable to scriptSig malleability
P2SH Data Hash
● vulnerable to self-loop in the redeem_script hash
SIGHASH_NOINPUT
● If Eltoo, why Lightning?
![Page 16: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/16.jpg)
Outpost
![Page 17: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/17.jpg)
Outpost
UTXO_a UTXO_b
UTXO_ab(balance)
UTXO_b
UTXO_ab
topen
ctx1_a
UTXO_ab (ε)
b’s mirror
![Page 18: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/18.jpg)
Outpost
UTXO_a UTXO_b
UTXO_ab(balance_a)
UTXO_b
UTXO_ab
topen
ctx1_a
UTXO_ab (ε)
b’s mirror
Justice Transaction
UTXO_ab(balance_a)
UTXO_b
jtx_b
![Page 19: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/19.jpg)
Outpost
UTXO_a UTXO_b
UTXO_ab(balance_a)
UTXO_b
UTXO_ab
topen
ctx1_a
UTXO_ab (ε)
b’s mirror
Encrypted Justice Transaction
b’s mirror
UTXO_ab(balance_a)
UTXO_b
jtx_b
eJTX
AES-128
![Page 20: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/20.jpg)
Outpost
UTXO_a UTXO_b
UTXO_ab(balance_a)
UTXO_b
UTXO_ab
topen
ctx1_a
UTXO_ab (ε)
b’s mirror
Auxiliary Transaction
UTXO_ab(ε)
aux_ctx_a
UTXO_ab(ε)
OP_RETURNeJTX
eJTX
![Page 21: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/21.jpg)
Outpost
UTXO_a UTXO_b
UTXO_ab(balance_a)
UTXO_b
UTXO_ab
topen
ctx1_a
UTXO_ab (ε)
b’s mirror
Commitment Transaction-2
UTXO_ab(balance_a)
ctx2_a
UTXO_a
UTXO_ab(ε)
aux_ctx_a
UTXO_ab(ε)
OP_RETURNeJTX
UTXO(ε) after time “t”
![Page 22: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/22.jpg)
The money slide
Per channel, with N updates 20k channels, 1M updates
Known Channel N·size(ejtx) + 1·size(txid) 7.00 TB
Unknown Channel N·size(ejtx) + N·size(txid)) 7.65 TB
Classic Lightning
Known Channel size(key) + size(txid) 0.96 MB (WTF)
Unknown Channel N·size(key) + N·size(txid) 0.96 TB
Outpost
Note: size(key) << size(ejtx) i.e. 16 << 350
![Page 23: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/23.jpg)
Outpost keeps Lightning’s key features
● Unilateral closure: broadcaster has to wait
○ Not cheating
○ Cheating
● Exchange revocation keys vs. AES-128 decryption keys
![Page 24: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/24.jpg)
Cheating (Alice wants to profit)
Alice broadcasts older ctx1_a, aux_ctx_a Bob is watching the blockchain
Wait Bob sees aux_ctx_a
Wait Bob has key to decrypt eJTX & get JTX_b
Wait Bob broadcasts JTX_b
Wait JTX_b is confirmed on the blockchain 😎
Wait ctx2_a is now invalid
Alice can broadcast ctx2_a - but…
Time
![Page 25: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/25.jpg)
Unilateral Closure(Bob has disappeared)
Alice broadcasts latest ctx1_a, aux_ctx_a Bob is secretly watching the blockchain
Wait Bob sees aux_ctx_a
Wait Bob cannot decrypt eJTX
Wait ctx2_a is still valid
Alice can broadcast ctx2_a - 😎
Time
![Page 26: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/26.jpg)
Griefing ¯\_(ツ)_/¯
Alice broadcasts ctx1_a Bob is watching the blockchain
Wait Bob sees ctx1_a confirmed
Wait Bob’s own ctx1_b is now invalid 😠
Wait Bob’s JTX_b is valid, if he has it
Gone...
Time
Can we have ctx1_a
send all its balance to Bob? Much later.
![Page 27: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/27.jpg)
Profit
Outpost
● CTX and eJTX on the blockchain
● eJTX’s key in the node (16 bytes)
Classic Lightning
● CTX on the blockchain
● JTX in the node (~350 bytes)
Cost
Outpost
● 3 txns
● ε
Classic Lightning
● 1 txn
● No ε
![Page 28: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/28.jpg)
Limitations
● OP_RETURN limited to 80 bytes.
○ IsStandard ಠ_ಠ○ Split aux_ctx into 2; P2SH Data-hash across them
● Bloat
○ Not on the blockchain (happy case)
○ On the blockchain, 3 txns vs 1 txn
● But
○ No changes to Bitcoin, whatsover.
![Page 29: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/29.jpg)
Optimize!!
SHACHAIN
K1000 K999 K998 K2 K1sha256 sha256
decrypt
RSA-CHAIN
Pre-compute
Use* K1 K2 K3 K999 K1000
Pre-compute
Use* K1 K2 K3 K999 K1000
sha256
decrypt decrypt decrypt
No
*Key derivation function
(Slow)
(Fast)
![Page 30: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/30.jpg)
Size estimates
Per channel, with N updates 20k channels, 1M updates
Known Channel N·size(ejtx) + 1·size(txid) 7.00 TB
Unknown Channel N·size(ejtx) + N·size(txid)) 7.65 TB
Classic Lightning
Known Channel size(key) + size(txid) 0.96 MB (WTF)
Unknown Channel N·size(key) + N·size(txid) 0.96 TB
Outpost
Note: size(key) << size(ejtx) i.e. 16 << 350
![Page 31: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/31.jpg)
What’s next?
● HTLC
● Implementation
![Page 32: Outpost: A Lightweight Responsive Watchtower€¦ · Blockchain. No, not really 😎 Channels I will go offline! Watchtowers Storage?!?!? stick figures: XKCD. Lightning Channel UTXO_a](https://reader035.vdocuments.net/reader035/viewer/2022070113/605c83d3d25371238d645991/html5/thumbnails/32.jpg)
Thanks
● Store justice transactions inside commitment transactions