Rapido: A Layer2 Payment System for Decentralized Currencies

08/05/2018 ∙ by Changting Lin, et al. ∙ Zhejiang Gongshang University Zhejiang University 0

Bitcoin blockchain faces the bitcoin scalability problem, for which bitcoin's blocks contain the transactions on the bitcoin network. The on-chain transaction processing capacity of the bitcoin network is limited by the average block creation time of 10 minutes and the block size limit. These jointly constrain the network's throughput. The transaction processing capacity maximum is estimated between 3.3 and 7 transactions per second (TPS). A Layer2 Network, named Lightning Network, is proposed and activated solutions to address this problem. LN operates on top of the bitcoin network as a cache to allow payments to be affected that are not immediately put on the blockchain. However, it also brings some drawbacks. In this paper, we observe a specific payment issue among current LN, which requires additional claims to blockchain and is time-consuming. We call the issue as shares issue. Therefore, we propose Rapido to explicitly address the shares issue. Furthermore, a new smart contract, D-HTLC, is equipped with Rapido as the payment protocol. We finally provide a proof of concept implementation and simulation for both Rapido and LN, in which Rapdio not only mitigates the shares issue but also mitigates the skewness issue thus is proved to be more applicable for various transactions than LN.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 8

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Bitcoin is firstly issued by a blockchain [1] and the most widely used valuable decentralized digital currency [2]. However, it faces a serious issue, i.e., the scalability problem. To solve this problem, a Layer2 system named Lightning Network (LN) [3] is introduced, which is an off-chain payment solution for performing decentralized digital currency payment on top of a blockchain. Specifically, LN is something like the Virtual Private Network (VPN) which establishes a virtual peer-to-peer connection over the Internet. LN theoretically enables fast and secure mircopayments between participating nodes, which features an overlay system for making payments through a network without delegating custody of funds [3]. LN is constituted of numerous payment channels that allow the two-party connect by a payment channel securely maintain and update its own ledger by RSMC (Recoverable Sequence Maturity Contract) [3]. To leverage the existing payment channels to perform end-to-end payments, the payment channel network is introduced. Furthermore, HTLCs (Hashed Timelock Contracts) [3] is designed, which enables a payment acrosses two or more payment channels with security.

Benefiting from LN, any transaction between the two nodes among LN can be performed and updated rapidly (an payment takes about ms [4]) instead of confirming by blocks (a on-chain payment should be confirmed by blocks and take about minutes on July 2018 [5]). As the scale of LN is growing, some limitations have been highlighted, such as sensitive information leakage issue [4, 6], payments concurrency issue [4], skewness issue [7], route scalability issue [8, 9] and so on. Meanwhile, several works have studied on these limitations [4, 6, 7, 8, 9, 10]. In addition, similar payment systems such as credit networks [11, 12] also offer some solutions for these analogous issues [13, 14, 15].

Fig. 1: An Illustrative Example. The black bold numbers represent the deposits in each payment channel, which is the initial state of the payment channel network. For example, 5(2,3) between Alice and Dani represents that this payment channel has total deposits 5 bitcoins including Alice has 2 bitcoins and Dani has 3 bitcoins, respectively. Suppose that Alice is willing to pay Bob bitcoins and Alice has and only has the payment channels. One naive way that Alice needs close the other channels and withdraws the deposits and then set up a new payment channel to Bob, which is time-consuming and money-consuming. The blue dash lines represent a simple instance of Rapido to resolve the shares issue.

In LN, we observe a payment issue where a node has enough deposits to pay another node while there is no payment channel available to perform this payment. We call this shares issue, which appears commonly in the current Layer2 Network. In particular, the shares issue is illustrated in Fig. 1. Alice is willing to pay Bob bitcoin while Alice cannot find an available routing path to fulfill this payment. One naive solution is that Alice requires to close the three channels and withdraw all her deposits and then sets up a new payment channel to Bob to fulfill this payment, where the close and set up operations must be claimed to the blockchain for confirming. A node which sets up and closes a payment channel need pay extra fees [3]. In addition, the naive solution might also introduce a skewness issue [7] and payment value privacy issue [4]. Therefore, the shares issue not only consumes an extra time and consumes an extra money but also might introduce the other issue such as the skewness and privacy issues.

In this paper, we propose Rapido to address the shares issue, which is general and applicable to all payments among the Layer2 Network. Different from LN, a new routing algorithm that incents the nodes always online is proposed in Rapido. Besides, as a transaction is generated, the payment value can be split into several shares by the Value Distributing Problem (VDP) program and then respectively distributed to the other node through these discovered routing paths. With the VDP program, Rapido not only mitigates the skewness of nodes but also preserves the privacy of payment value through splitting the value into shares. In addition, we design D-HTLC (Distributed-HTLC) to guarantee these payments with security. The blue dash lines in Fig. 1 represent one instance of Rapido to resolve the shares issue.

To summarize, the contributions of our paper include the following.

  1. We observe a payment issue, the shares issue, which might appear in the Layer2 Network and causes time-consuming and money-costs.

  2. We design Rapido to mitigate the shares issue, which is equipped with D-HTLC and inherently preserves the privacy of total payment value.

  3. We prove that the VDP is NP-hard.

  4. The simulation demonstrates that Rapido not only mitigates the shares issue but also mitigates the skewness of nodes.

Ii Background AND PRELIMINARIES

In this section, we demonstrate the necessary background of our paper including the blockchain and LN.

Ii-a Blockchain

A blockchain is a growing list of records, calls blocks, which are linked using cryptography [1]. Blockchains which serve as the public transaction ledger of cryptocurrencies and are readable by the public of these cryptocurrencies, such as bitcoin [1] and ethereum [16]. Each block contains a cryptographic hash of the previous block, a timestamp and transaction data. By design, a blockchain is resistant to modification of the data. It is “an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way”. To use as a distributed ledger, a blockchain is typically managed by a peer-to-peer network collectively adhering to a protocol for inter-node communication and validating new blocks. Once recorded, the data in any given block cannot be altered retroactively, which requires a consensus of the network majority.

Bitcoin is a widely used cryptocurrency, a form of electronic cash [1]. Bitcoins can be paid among the peer-to-peer bitcoin network directly, without the need for intermediaries, though most transactions are made through a cryptocurrency exchange market. Transactions are verified by nodes through cryptography and recorded in a public distributed ledger (blockchain). However, it brings some serious issues, such as the bitcoin scalability problem. In the real world, the on-chain transaction processing capacity maximum is estimated TPS, which is limited by the average block creation time (about minutes) and the block size limit (MB) [17].

Ii-B Lightning Network

To mitigate the bitcoin scalability problem, various solutions are proposed, such as forks (hard fork and soft fork) [18] and the Layer2 systems (LN [3] and Sprites [8]). fork means the protocol changes and divides the blockchain into two distinct entities, which is typically conducted in order to add new features to a blockchain to reverse the effects of hacking or catastrophic bugs [18]. Different from fork, the Layer2 Network is implemented on top of the blockchain (most commonly bitcoin network) as a cache to allow payments to be performed while does not immediately claim on the blockchain [3]. LN is a Layer2 Network, which is constituted of a mass of bi-directional payment channels111For simplicity, in following payment channel of this paper means bi-directional payment channel. and theoretically enables fast transactions between participants.

Ii-B1 Payment Channels

LN, which constitutes of numerous payment channels, is a technique designed to allow two participants to make multiple transactions (e.g., bitcoin) without committing all of the transactions to the blockchain. Each payment channel has two parties, who deposit their own bitcoins and make many secure payments between each other in exchange for making only a few events (e.g., open a new payment channel) on the blockchain. Consequently, the payment channel improves the transaction throughput and eliminates the transfer fee between the two participants. Furthermore, Revocable Sequence Maturity Contract (RSMC) [3] must be leveraged one each payment channel, which guarantees the transactions’ safety between two-party.

Ii-B2 Payment Channel Network

A payment channel only permits secure transfer of funds inside a channel while it cannot perform a payment between an indirect-linked two-party. The payment channel network is hence introduced, which is able to perform a secure payment using a series of payment channels by Hashed Timelock Contracts (HTLCs) [3]. HTLC leverages hashlocks and timelocks and can allow payments to be securely routed across multiple payment channels without any risk of intermediate nodes stealing the payment in transit.

Fig. 2: An Example to Elucidate HTLCs. Alice wants to pay Bob through Carol by HTLCs. The icons of locks represent the hashtime lock in different status. The blue solid line represents that the is transferred from Bob to Alice by a secure way; the red dash lines represent all participates have HTLCs and the deposits are locked in payment channels; the green dash lines represent the is transferred.

In a nutshell, suppose that Alice wants to pay Bob bitcoin through Carol. As an intermediary, Carol earns transfer fees from this payment. The brief steps are shown in Fig. 2 and represented as follows.

  1. Bob generates a random number and calculates its SHA-256 hash .

  2. Bob gives to Alice by secure ways (out of the scope of our paper). Carol will earn bitcoin as transfer fees.

  3. Alice uses her payment channel to pay Carol bitcoin, but she adds a hashlock that Carol gives her to the bitcoin along with an extra condition: in order for Carol to withdraw the bitcoin, she must provide which was used to produce in days222We use days here as in the original description [3]. Instead, the height of blocks is used for description in the real world.. Carol uses her payment channel to pay Bob bitcoin, but she also adds a same hashlock that Bob gives her to the payment along with an extra condition: in order for Bob to withdraw the bitcoin, she must provide which was used to produce in days.

  4. Bob has which is used to generate , so Bob can use it to unlock the hashlock and fully receive the bitcoin from Carol; Carol also uses the to unlock the hashlock from Alice. Finally, Bob receives bitcoin from Alice. In addition, Carol earns bitcoin as transfer fees.

Ii-B3 Routing

In LN, the source should find a routing path to the destination while a payment is generated. The LN routing discovering implements a modified version of Dijkstra’s algorithm to find the shortest path between the them [19]. If the available routing path is found by the source, it returns a series of intermediate nodes which encoded the chosen path from the destination to the source.

Iii Motivation and Overview

In the following, we first describe an example to illustrate that the payment performed on the LN causes time-consuming and money-costs. Then, we discuss the motivation of this paper. Lastly, we propose the overview for Rapido.

Iii-a An Illustrative Example and Motivation

Although LN enables fast payments between participating nodes and has been touted as a solution to the bitcoin scalability problem, drawbacks are also obvious. For example, some payments might not be performed through LN directly.

Fig. 1 describes a simple payment case to elucidate the above-mentioned drawbacks. Suppose that the simple topology is a part of LN. Moreover, we suppose that Alice has and only has routing paths to Bob. However, the naive solution not only cannot resolve the shares issue but also brings some issues (privacy, skewness issue, an extra time-consuming and an extra money-costs) , which has been discussed in Section I. These issues endows LN with a poor efficiency, which goes against the original intention of LN.

Some existing works focus on LN [4, 7, 8], such as a skewed network issue [7] and the payment value’s privacy issue [4]. For executing a rebalance process, all participants of rebalance process need to negotiate a better ratio with each other before a rebalance is proceed. A rebalance process might be aborted if the negotiation process fails. Moreover, the participants must be in a loop [7]. Furthermore, REVIVE cannot resolve the shares issue which is shown in Fig. 1. For the privacy of payment value, the authors suppose that all intermediate nodes among a payment path are honest and then a trust function is revealed to all of them. By this way, any intermediary of this payment path has the knowledge of the payment value. However, no one can guarantee that all the intermediary are honest [4].

We propose an idea to resolve the shares issue by multiple path payments. As shown in Fig. 1, in an alternative case, Alice splits bitcoins into shares, such as , and , and respectively sends the shares to Bob through Dani, Carol and Eva, which does not require to close any existing payment channel or set up a new one. We hereby propose a new scheme, named Rapido, that a customer can perform a payment by splitting the payment value into shares and then respectively performs the payments to the merchant. Rapido can mitigate the above-mentioned issues, such as shares, skewness, payment value privacy time-consuming and money-costs issues, and then perform payments more efficiently among the Layer2 Network.

Iii-B Challenges

To realize Rapido, there are some challenges to be solved..

  • How can a customer find available routing paths to the merchant effectively and efficiently.

  • How to design a split strategy of payment value for customers and avoid serious skewness.

  • How to design a smart contract to fulfill the payment effectively and securely.

For the first challenge, we implement a routing discovering algorithm with a proactive and a reactive part. For the second challenge, we propose a VDP program. For the third challenge, we design a new smart contract named D-HTLC, which enables the customer to perform a payment successfully.

Iii-C Overview and Goals

Iii-C1 Overview

The overview of Rapdio is shown in Fig. 3. What is more, simplified steps of a payment from Client to Client through a Layer2 Network are represented as follows.

  1. Through Beacon Election Module, several nodes are randomly elected as beacons in one period.

  2. Each Client finds routing paths to all beacons by the Proactive Module.

  3. The information of routing paths (e.g., the deposits distribution among the payment channel) is gathered by Reactive Module of Client 1 when a transaction from Client 1 to Client 2 is generated.

  4. According to the gathered information, Client 1 leverages Value Distributing Module to calculate then select several available routing paths and splits the payment value into several shares.

  5. The Client 1 distributes these shares to Client 2 by D-HTLCs among the selected paths, respectively.

Fig. 3: An Overview of Rapido. A payment is performed from the Rapido Client to the Rapido Client by D-HTLC among a Layer2 Network.

Iii-C2 Goals

Rapido further reaches the following properties.

  • High-respond. Rapido mitigates the shares issue and reaches a high success rate for numerous mircopayments.

  • Less-skewed. Rapido mitigates the skewed issue and the congestion issue, such as a skewed node [7], after performing lots of payments.

  • Privacy. Rapido can preserve payment value privacy, which is a private issue of customer and merchant.

  • Generality. Rather than implementing a solution for issue, Rapido is general and applicable to all payments among the Layer2 Network.

Iv The Rapido Construction

In this section, we discuss Rapido construction in detail, which includes 1) Beacons Election, 2) Routing, 3) Value Distributing, and 4) D-HTLC. Further, the difference between Rapido and current LN is disscussed in 5) Remark.

Iv-a Beacon Election

In Rapido, each node not only can be a normal status but also can be beacon status, which can coexist in one node. Hence, each node has a fixed probability to be elected as a beacon in Rapido. To elect beacons, the network topology is split into

portions. Then, the nodes in a portion elect a beacon for this portion. The election follows uniform distribution and rotates in a period (e.g.,

hours). By this way, each node has a chance to be elected as a beacon and can earn transfer fees, which incents all nodes always online as well as improve the entire topology and transaction capabilities of Rapido.

Iv-B Routing in Rapido

Routing path from a customer to a merchant is prerequisite for a payment to succeed. The routing discovering algorithm implemented in Rapido includes a proactive part as well as a reactive part. The proactive part gathers information that is static or changes slowly, such as payment channels between nodes, whereas the reactive part mainly focuses on dynamic information such as the distribution of deposits among payment channels.

  • Proactive Part. Number of nodes in a topology are randomly elected as beacons for a pre-defined period. Then, all nodes attempt to find routing paths to all beacons through Breadth-First-Search (BFS) algorithm. Detailed information of routing paths to each beacon is stored in each node’s routing table. The routing paths information tends to remain unchanged except a new node joins the Layer2 Network or a new payment channel is set up. In next period, the election process is executed once again. The proactive routing process then is executed repeatedly, and new information is hence stored in each node instead of the elder one.

  • Reactive Part. There are some dynamic information in the Layer2 Network, such as the distribution of deposits in each payment channel which consumes lots of computing resources (e.g. CPU) if gathered in real time. In Rapido, instead of gathering all information in real time, the customer and the merchant only gather the dynamic information of each payment channel among the pre-stored routing paths. Moreover, the customer and merchant request the dynamic information of the routing paths to all intermediate nodes. As intermediate nodes, they response the requests by the reactive part of routing. Finally, the gathered information is sent back to the customer. Although the nodes among these routing paths can response the request from the customer and merchant by Tor [19, 20], the Tor achieves a low performance, such as about seconds to complete kb data request to onion sever [21]. This issue will be discussed in V-B2.

Iv-C Value Distributing

The customer gathers the information of the available routing paths when a transaction is generated, such as the distribution of deposits on these routing paths. Once information gathering process is finished, the customer can split the payment value into

shares by Linear Program and pay to the merchant through each routing path, respectively.

In this part, we proceed to formulate the criterion for congestion that represents the state of a node’s deposit in a payment channel. Inspired by the congestion factors [22, 23], we introduce a metric channel congestion factor , where represents the th share is transferred through and represents the deposit owns to the th intermediate node deposits in th payment channel over , and . In addition, a channel congestion factor can predict the skewness of a node after a payment is performed. According to [22] and [23], we introduce another metric network congestion factor which indicates the bottleneck of the whole network. For the value distributing issue, it can be equivalent to the well-known Maximum Flow Problem [24] iff there are no other restrictions on the routing paths. Therefore, one can find a solution that minimizes the network congestion factor in polynomial time through a standard max-flow algorithm [24]. However, the cumulative transfer fees in a routing path is one of essential metrics for the customer, which should be considered in the value distributing process.

For this problem, we aim at minimizing the network congestion factor which subjects to a restriction on a transfer fees according to the chosen paths. It is formulated as follows.

VDP (Value Distributing Problem). Given a Layer2 Network , a source-destination pair (), each participant within a transaction sends their transfer fees information and the deposits to . Besides, a payment has a transfer fee restriction . Finally, we find a feasible solution to distribute shares that minimize the network congestion factor.

Theorem 1

VDP is NP-hard.

Proof IV.1

Consider the following Partition Problem [25]. Given a set . Moreover, the size of can be represented as . Then, we can find a subset such that . We transform the Partition Problem to a simple VDP as follows.

  1. Given an element with size . In a Layer2 Network, we suppose a transaction between and the , where would be transferred and the set constitute all intermediate nodes. We define a transfer fee of node as .

  2. Suppose that is split into two parts ( and ) for transferring through each routing path, respectively. Suppose that is transferred from to through a routing path and is transferred through another routing path . Besides, we assume that each channel’s capacity is .

We shall prove that it is possible to transfer and through each routing path, that the total of transfer fees are not exceed and each payment channel’s channel congestion factor is not exceed to iff there exits a subset and exits .

Note that if variables satisfy and , it follows that and in addition . We hence conclude that and , it follows that and in addition . In this issue, can be split into two parts as and that the channel congestion factor is not be violated. We hereby find two part that the total fees restrict to . The simple VDP hereby can be reduced to a Partition Problem such that the positive integer can be seem as a transfer fee of the node .

The Partition Problem is known as strongly NP-hard [25]. We note that the VDP has more restrictions than the simple VDP such that a payment value could be split into shares and transferred through routing paths from a customer to a merchant after a transaction is generated in the Layer2 Network. The VDP hereby can be considered as a k-Partition Problem [25] which is known as strongly NP-hard [25]. Consequently, the VDP is NP-hard.

Owing to the VDP is NP-hard without polynomial time algorithm. To resolve VDP, it should be relaxed to a non-integer linear programming to obtain a approximate solution. The first step towards obtaining a solution to Problem VDP is to define it as a linear programming. To that end, we need some additional notations.

Program VDP:

minimize (1)
s.t. (2)
(3)
(4)
(5)
(6)
(7)
(8)
(9)
(10)

Recall that we are given a network , and , source-destination pair , a payment is performed between and and go through nodes, a transfer fee for each node , and a node’s deposit in its former channel (i.e., the th node’s deposit of the th channel in ) for each payment channel , total of transfer fees restriction for a payment. Let be the network congestion factor. Denote by the flow along that has been routed from to through paths with a total fees . Finally, for each , denote by the set of channels that out from , and by the set of channels that input node . To mitigate a congestion issue and skewed node issue, a payment is performed iff where is pre-defined. Therefore, the VDP can be formulated as a linear program, as specified in Program VDP.

The objective function of Program VDP minimizes the network congestion factor . The constraint equations , and denote that the conservation constraint of the payments and transfer fees through each node. Equation states that the cumulative fees of a payment out of node has to be equal to the cumulative fees before this payment inputs node and the transfer fees for node . For the equations and , any payment from a to a , in which the transfer fees do not need to pay a or a . The inequation states that the constraint of a payment’s total of transfer fees. Equation states that the sum of the shares must be equal to the payment value. For the inequation , the deposits in the th payment channel owns to the th node which is in the must larger than the th share. To mitigate the skewness and congestion issue, the inequation states that the payment channel congestion must be not less than a pre-defined threshold . Finally, the inequation and restrict the variables to be nonnegative.

According to the result of Program VDP, the customer can splits the payment value into shares. However, there might exist some intermediate nodes disapprove of this payments. Therefore, we introduce a request mechanism which is executed before distributing these shares. In request mechanism, the customer proposes a proposal and requests each node among these selected routing paths such that, whether participating this payment as an intermediate node. The customer is going to perform this payment iff each node agrees this proposal with the customer. Otherwise, the customer aborts these selected routing paths and reduplicate the Routing process. The request mechanism can mitigate some extra costs that an intermediate node might abort his share payment when a payment is performing.

Iv-D D-Htlc

D-HTLC is a smart contract which is based on HTLC [3]. In D-HTLC, we introduce a punish mechanism to avoid some traps.For example, nodes on routing paths might maliciously abort before payment, resulting in the reset of D-HTLC and, unavoidably, the waste of extra costs. To solve this problem, we lock a certain amount of for each node until a D-HTLC is set up for this payment.

Iv-D1 Notation

Input a network , suppose that a customer attempts to transfer coins to a merchant . Then, has been spilt into shares by Program VDP, that each share has its own routing path to , such as the th share is paid to through . For each routing path, generates a SHA-256. Besides, the means that the th node is on . The D-HTLC is deployed between and , which is composed of sender , receiver , the th value , transfer fee , hashlock and timelock . In addition, should prepare a according its own transfer (base fee and fee rate). We represent as the list of all s.

Iv-D2 Definition of Operations

D-HTLC has main operations: openPunish, newContract, getBack, withdraw, refund and punish. We briefly describe these operations as follows.

  • openPunish When a client attempts to initialize a payment, the openPunish is called. Nodes that responses request from are listed in . This function is responsible for locking a certain amount of cash which are listed in from every involved nodes. It returns iff all nodes in have locked the corresponding amount of ; otherwise, it returns 0.

  • newContract This operation constructs a new D-HTLC from from the to the . It returns ; otherwise, it returns . Note that sequence between several newContracts should be consist with the sequence of nodes on the path.

  • getBack This operation is called when is trying to retrieve its locked after newContract succeeds and is returned.

  • withdraw This operation is called when attempts to withdraw from the previous within . It succeeds iff is able to reveal the correct to .

  • refund If there was no withdraw until is expired, refund is called to refund to .

  • punish As previously mentioned, we have a punish mechanism to penalize dishonest nodes. Thus, this punish function is called once a new D-HTLC aborts because of , then would get . For the latter nodes, the remaining locked s are unlocked.

Iv-E Remark

We design a Layer2 system, Rapido, which is different from the current LN. At the first, we design a new routing discovering algorithm for Rapido, which incents nodes always online. Secondly, Rapido splits the payment value into several shares and distributes these shares to a node by D-HTLC. Thirdly, D-HTLC is designed based on HTLC while D-HTLC inherently preserves the privacy of payment value.

V System Discussion

In this part, we discuss the scenario where Rapido can be used as well as its limitations..

V-a Usability

V-A1 Context

Employing the Layer2 Network makes transactions more rapid and convenient than the transactions are performed on-chain. As summarized in the above discussion, LN has some issues while Rapido can mitigate them. In particular, for the shares issue, the naive solution introduces an extra time and money costs whereas Rapido can eliminate these costs, which is not require to claim in blockchain.

Different from HTLC, a payment is performed by D-HTLC should be split into several shares and distributed to the merchant through selected routing paths. In other words, a payment is performed by D-HTLC requires more participants. According to the statics of LN from [26], nodes that each node has payment channels on average. Hence, the condition provides a suitable context for Rapido. Moreover, the Layer2 Network such that LN’s scale is increasing from its birth to the present. The Layer2 Network with its growth, the future context is also suitable for Rapido.

V-A2 Scalability

With the scale expansion of the Layer2 Network, more and more nodes and channels would be generated. For the proactive part of routing, it is . Moreover, the beacon election is only executed once in each period, which is not always consumed computing resource. Moreover, the pre-defined period of election is not short. In reactive part, for performing a payment, the customer calculates and selects available routing paths through several beacons and then pay the split payment shares to the merchant. Considering the number of beacons is always much less than the total number of nodes, the process of routing path selection is rapid unless the number of beacons grows clipping.

V-B Security Analysis

V-B1 Threat Model

We suppose that an adversary would be willing to intercept some information from a transaction between a customer and a merchant among the Layer2 Network. A transaction over the Layer2 Network might go through serval intermediate nodes, whereas security flaws of some nodes can be found and may be leveraged by an adversary. Therefore, a payment value can be intercepted if one of intermediate nodes is compromised. An adversary in our paper targets the privacy of payment value, which is crucial as the other security issues (e.g., anonymity of customer/merchant) when a payment is performing on the Layer2 Network.

V-B2 Guarantees for privacy

Under the previous LN discussion and adversarial assumption, an adversary can easily intercept the payment value if one of intermediate nodes is compromised. In Rapido, the adversary cannot intercept the total payment value unless it at least compromises one intermediate node on each routing path. This is because the payment value is split into several shares and distributed to the merchant through numerous paths by the customer while the adversary can only intercept a part of payment value. Moreover, a payment based on D-HTLC includes more routing paths as improving difficulty level to compromise all intermediate nodes. Hence, it is difficult that an adversary could intercept a complete information of payment value. In addition, the Rapido also could confuse the adversary, which only leaks a part of information. Rather than Fulgor and Rayo [4], Rapido need not introduce an extra trust function to preserve the privacy of payment value and make a assumption that all participates are honest.

In addition, any node can requests information of payment channel to perform the payment in reactive part. Although the privacy of information can be transmitted and protected by optional Tor [19, 20], it achieves a low performance [19, 21]. We note that it might cause some information leakage in Rapido, if the Tor is turnoff. Considering that lots of nodes are elected as beacons, there are a majority of nodes would be as intermediate nodes when a payment is performed. Moreover, lots of payments might be generated on the Layer2 Network in a short time. Therefore, the information, e.g., the node’s deposits on each payment channel, is rapidly changing and out date quickly. Consequently, Rpaido theoretically enables information leakage with a low probability.

Vi Simulation

In this section, we present extensive experiments to evaluate Rapido. To be more convincing, we provide a working proof of concept (POC) implemented in Python with a real dataset of LN.

Vi-a Dataset and Setup

The experiments were conducted on machines with Intel i K and GB RAM. For simulating a Layer2 Network, we crawled a dataset with nodes and payment channels from LN of Recksplorer [26] on July . Besides, detailed information of each node and payment channel are also demonstrated, such as capacity, base transfer fee, rate of transfer fee and so on. In common, the % people always own % of all wealth [27], which also can be analogous to LN. Based on the fact that there usually exits some super “huge” nodes which owns lots of payment channels () and thus deposits (e.g., “tady je slushovo” [26]), we assume that the distribution of deposits on each channel follows the Pareto distribution [27]. Under this assumption, we suppose that two nodes among a payment channel, where the node who own more channels has % deposits. We simulate a simple blockchain by golang, which has links open on our Layer2 Network. Based on these statics, assumptions and setup, we derive datasets for our simulation which are represented as following.

Vi-B Beacon Election and Average Routing Hops

In our work, the routing algorithm includes proactive part and reactive part. In proactive part, some beacons are elected, and then each node finds a routing path to each beacon. The left half of Fig. 4 represents that the average hops between any two nodes among the Layer2 network topology. The label of X-axis (, , and ) represents numbers of beacon nodes. We can find that the , , and labeled bars are of about the same height, with the average hops of about . However, the more beacons are elected, the more routing information should be stored in routing table each node. To avoid routing table overhead and meanwhile incent more nodes to be online, we empirically elect beacons in topology.

On the other hand, the right half of Fig. 4 represents the routing algorithm of current LN. We notice that the average hops between any two nodes of current LN is about , which is less compared with our approach. This stems from that the route discovering algorithm of current LN does not need go through any beacons. Under some circumstances, a shares issue might appear, which cannot be fulfilled by current LN whereas it might be fulfilled by Rapido. In addition, each node has a chance to be elected as a beacon, which makes all nodes possible to earn transfer fees and thus incents them to be online more often. Furthermore, Rapido can preserve the privacy of payment value without any trust function. Under estimating a transfer fee, the customer extra pays about Satoshis (sato)333 bitcoin = Satoshis, Satoshi $ [5]. fees to a node in general when a value of satos payment goes through a node, which is extremely small. Therefore, the quantitative difference of average hops is acceptable.

Fig. 4: Average hops statics between any two nodes, which is simulated on Rapdio and LN, respectively.

Vi-C Transaction Scenarios

Vi-C1 Scenario 1

We investigate the success rate of micropayments on LN and Rapido respectively through simulation. According to the above mentioned statics and assumptions, a series of micropayments are generated between randomly selected customer-merchant pairs (the selected customer owns enough deposits in all his payment channels to perform the payments). Considering that in a LN with nodes [26], the probability of concurrent payment is pretty low, thus we does not take concurrent payments into account in our simulation.

Fig. 5 shows average transfer fees under different payment value (we empirically choose , , and satos according to the nature of micropyment) and different systems (yellow and green bars denote for Rapido, blue ones denote for LN). We attribute large error bars to the randomness of nodes selection strategy, in which the routing paths between selected nodes vary a lot. More than one group of fee restrictions were set for Rapido, and the results showed that adaptive restrictions (, , , ) can achieve a lower average transfer fee compared with the fixed one (, , , ), and achieves almost the same average transfer fee with which in LN. Fig. 6 shows the corresponding success rate. With similar transfer fees, Rapido always achieves a high success rate than LN. For LN, the customer require to find the available shortest routing path when a transaction is generated. Additionally, there is no guarantee that an available routing path should exit for a payment. For Rapido, benefiting from the VDP program, the payment value by Rapido can be split into shares and pay to the merchant respectively.

Furthermore, we note that Rapido can achieve a higher success rate if the restriction of transfer fee is relaxed (as the yellow bars in histogram compared with the green ones). However, we observe that % success rate is not achieved, due to the fact that once all nodes attempt to connect with all beacons, then the beacons might not enough deposits to perform the payment. In addition, combined with Fig. 5, we can note that not large transfer fee increment (about satos $) could bring a large improvement on success rate. Therefore, to achieve a higher success rate, the transfer fee restriction can be relaxed.

Fig. 5:

The average and standard deviation of transfer fees based on Rapdio and LN, respectively.

Fig. 6: The success rate of payments which are based on Rapdio and LN, respectively.

Vi-C2 Scenario 2

In this scenario, we randomly select customer-merchant pairs, each of which independently generates payments of , , and satos respectively for times. Note that the payments can only be initiated by customers and then received by merchants. In addition, we assume that the selected customers has enough deposits to fulfill the payments. Under this assumption, both customers and merchants should be huge nodes which both have payment channels

To better describe a skewed node, we introduce a metric to denote the skewness of a node in a certain direction. Concretely, a payment of value attempts to go through a node with an input channel and an output channel that the deposit named and respectively. Thus the skewness on the direction from input to output is . Since the node earns a transfer fee of , then becomes until the payment is done. Apparently, if several payments with large value goes through this node, its could decrease badly, which means that the node tends to be “very skewed”. In this paper, we call a node is seriously skewed if its is less than . Furthermore, if there are nodes seriously skewed among all nodes which involved in a payment, we say that the ratio of serious skewed is .

Fig. 7 shows the ratio of serious skewed node after rounds of above mentioned payments from customers to merchants. We find out that there exit skewed nodes even when both sides of payments are huge nodes, and the ratio of seriously skewed nodes tends to be higher in LN than in our Rapido implementation. Our experiment proves that Rapido is capable of mitigating the skewness of nodes and congestion after several payments.

Fig. 7: The ratio of serious skewed nodes based on Rapdio and LN, respectively.

Vii Related Work

There are some limitations on LN and some prior research works have studied on them. Most of the works mainly focus on customer/merchant anonymity. Heilman proposed TumbleBit which allows parties to make fast, anonymous, off-blockchain payments through an untrusted intermediary called the Tumbler [10]. Green and Miers represented Bolt that allows for secure, instantaneous and private payments that substantially reduce the storage burden on the LN [6]. Malavolta et al. proposed Fulgor and Rayo [4] that Fulgor and Rayo are payment protocols for LN that can protect the balance security, payment value privacy and customer/merchant anonymity based on a trust function. Fulgor is a blocking protocol and therefore prone to deadlocks of concurrent payments, whereas Rayo is a protocol that enforces non-blocking progress (i.e., at least one of the concurrent payments terminates). In addition, some research works studied on the applicability of LN such that a skewed LN might be generated after multiple transactions. Khalil and Gervais proposed REVIVE that allows an arbitrary set of user in LN to rebalance their nodes, according to the preferences of the nodes [7]. REVIVE can only be leveraged to solve a skewed loop network, in which might cause an increased collateral cost on payment routing path.

Viii Conclusion

The idea of the Layer2 Network is proposed to resolve the bitcoin scalability problem, which theoretically enables fast transactions between participates. However, there exists some drawbacks. In this paper, we obeserve a new issue, shares issue, which might bring some unnecessary costs. To mitigate shares issue, we propose Rapido which is equipped with D-HTLC. Furthermore, Rapido also mitigates the skewness issue. In addition, Rapido inherently preserves the privacy of total payment value, for which the payment value is split into shares that an intermediate node cannot intercept the whole information. We have conducted extensive experiments to evaluate Rapido, which demonstrate that the proposed system outperforms the state-of-the-arts.

References

  • [1] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” 2008.
  • [2] “Cryptocurrency market capitalizations,” [Online].https://coinmarketcap.com/, July 2018.
  • [3] J. Poon and T. Dryja, “The bitcoin lightning network: Scalable off-chain instant payments,” Online:https://lightning.network/lightning-network-paper.pdf, 2016.
  • [4] G. Malavolta, P. Moreno-Sanchez, A. Kate, M. Maffei, and S. Ravi, “Concurrency and privacy with payment-channel networks,” in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security.   ACM, 2017, pp. 455–471.
  • [5] “Statics,” [Online].Available:https://www.blockchain.com, July 2018.
  • [6] M. Green and I. Miers, “Bolt: Anonymous payment channels for decentralized currencies,” in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security.   ACM, 2017, pp. 473–489.
  • [7] R. Khalil and A. Gervais, “Revive: Rebalancing off-blockchain payment networks,” in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security.   ACM, 2017, pp. 439–453.
  • [8] A. Miller, I. Bentov, R. Kumaresan, C. Cordi, and P. McCorry, “Sprites and state channels: Payment networks that go faster than lightning,” arXiv preprint arXiv:1702.05812, 2017.
  • [9] P. Prihodko, S. Zhigulin, M. Sahno, A. Ostrovskiy, and O. Osuntokun, “Flare: An approach to routing in lightning network,” WhitePaper(https://bitfury.com/content/5-white-papers-research/whitepaper_flare_an_approach_to_routing_in_lightning_network_7_7_2016.pdf), 2016.
  • [10] E. Heilman, L. AlShenibr, F. Baldimtsi, A. Scafuro, and S. Goldberg, “TumbleBit: An Untrusted Bitcoin-Compatible Anonymous Payment Hub,” in NDSS.   Reston, VA: Internet Society, 2017.
  • [11] “Stella,” [Online].https://www.stellar.org/.
  • [12] “Ripple,” [Online].https://ripple.com/.
  • [13] G. Malavolta, P. Moreno-Sanchez, A. Kate, and M. Maffei, “SilentWhispers: Enforcing Security and Privacy in Decentralized Credit Networks,” in NDSS.   Reston, VA: Internet Society, 2017.
  • [14] P. Moreno-Sanchez, M. B. Zafar, and A. Kate, “Listening to whispers of ripple: Linking wallets and deanonymizing transactions in the ripple network,” Proceedings on Privacy Enhancing Technologies, vol. 2016, no. 4, pp. 436–453, 2016.
  • [15] P. Moreno-Sanchez, A. Kate, M. Maffei, and K. Pecina, “Privacy preserving payments in credit networks,” in Network and Distributed Security Symposium, 2015.
  • [16] G. Wood, “Ethereum: A secure decentralised generalised transaction ledger,” Ethereum project yellow paper, vol. 151, pp. 1–32, 2014.
  • [17] K. Croman, C. Decker, I. Eyal, A. E. Gencer, A. Juels, A. Kosba, A. Miller, P. Saxena, E. Shi, E. G. Sirer et al., “On scaling decentralized blockchains,” in International Conference on Financial Cryptography and Data Security.   Springer, 2016, pp. 106–125.
  • [18] F. Tschorsch and B. Scheuermann, “Bitcoin and beyond: A technical survey on decentralized digital currencies,” IEEE Communications Surveys & Tutorials, vol. 18, no. 3, pp. 2084–2123, 2016.
  • [19] “Lightning network daemon,” [Online].Available:https://github.com/lightningnetwork/lnd, July 2018.
  • [20] R. Dingledine, N. Mathewson, and P. F. Syverson, “Tor: the second-generation onion router,” in Proceedings of the 13th conference on USENIX Security Symposium, 2004, pp. 21–21.
  • [21] “Tor metrics,” [Online].https://metrics.torproject.org/torperf.html.
  • [22] S. Iyer, S. Bhattacharyya, N. Taft, N. McKeoen, and C. Diot, “A measurement based study of load balancing in an ip backbone,” SprintATL Technical Repport. TR02-ATL-051027, 2002.
  • [23] D. O. Awduche and J. Agogbua, “Requirements for traffic engineering over mpls,” IETF RFC 2702, 1999.
  • [24] D. K. Smith, “Network flows: Theory, algorithms, and applications,” Journal of the Operational Research Society, vol. 45, no. 11, pp. 1340–1340, 1994.
  • [25] M. R. Garey, D. S. Johnson, and L. Stockmeyer, “Some simplified np-complete graph problems,” Theoretical computer science, vol. 1, no. 3, pp. 237–267, 1976.
  • [26] “Lightning network explorer,” [Online].https://github.com/chemicstry/recksplorer, July 2018.
  • [27] M. E. J. Newman, “Power laws, pareto distributions and zipf’s law,” Contemporary Physics, vol. 46, no. 5, pp. 323–351, 2005.