Towards Secure and Efficient Payment Channels

11/30/2018 ∙ by Georgia Avarikioti, et al. ∙ ETH Zurich 0

Micropayment channels are the most prominent solution to the limitation on transaction throughput in current blockchain systems. However, in practice channels are risky because participants have to be online constantly to avoid fraud, and inefficient because participants have to open multiple channels and lock funds in them. To address the security issue, we propose a novel mechanism that involves watchtowers incentivized to watch the channels and reveal a fraud. Our protocol does not require participants to be online constantly watching the blockchain. The protocol is secure, incentive compatible and lightweight in communication. Furthermore, we present an adaptation of our protocol implementable on the Lightning protocol. Towards efficiency, we examine specific topological structures in the blockchain transaction graph and generalize the construction of channels to enable topologies better suited to specific real-world needs. In these cases, our construction reduces the required amount of signatures for a transaction and the total amount of locked funds in the system.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Increasing the transaction throughput of blockchain protocols without sacrificing security is arguably the biggest challenge for cryptocurrencies. So-called “layer two” protocols provide an elegant solution especially for payment transactions. Early versions [1] supported only unidirectional payments, but allowed these transactions to be confirmed instantly and off-chain, reducing the load of on-chain transactions. Duplex channels [7] allow for bidirectional transactions between two parties. More recent work [6] has improved the efficiency and usability of channels. Channels can be used to build a channel network using Hashed Timelock Contracts (HTLCs), as discussed in [7, 14, 9, 11]. A payment channel network supports off-chain payments between users that do not share a direct channel. The Lightning network [14] on Bitcoin [13] and the Raiden network [4] on Ethereum [2] are implementations of such channel networks. Perun [8] supposes a new network structure, building around payment hubs in order to make channel networks more efficient. The authors of [8] also introduce a new model of channels that decrease the involvement of intermediaries for payments between parties that don’t share a direct channel.

The security of channels relies on participants being responsive and running a full node. The main problem is that one party might try to settle on an old state of the channel, in which case the other party needs to publish a newer state during a specific time period. Thus, fraud can be proven and punished, as long as both parties are constantly online watching the blockchain. However, this is a major drawback for payment channels; being constantly online is not efficient and furthermore a risky assumption. One party could always launch a DDOS attack against the other party to prevent a new update transaction from being published in the blockchain. To address this problem, the Bitcoin community has proposed using watchtowers [3] as third parties to watch channels, but to the best of our knowledge, incentivizing watchtowers remains an open problem. This is the first problem we examine in this work.

In a simple watchtower solution, miners could act as watchtowers to keep track of all channels off-chain and publish a proof of fraud to collect fees. Such an approach faces various problems. Firstly, throughput; having all miners receive, store and send all off-chain payments leads to network congestion which in turn leads to lower throughput and recentralization as more powerful hardware is required to become a miner. Secondly, it is difficult to predict the miners’ behavior in such a system since miners are not incentivized to propagate the proofs of fraud. On the contrary, it might be in the miner’s best interest to keep the proofs to himself to increase his probability to collect the fees if he publishes a block. Our approach builds a network of watchtowers around each participant of the payment channel network. Watchtowers increase their expected payoff by faithfully executing the protocol, watching the blockchain and forwarding channel updates to other watchtowers. We prove that our protocol is secure and incentive-compatible. Furthermore, we present an adaptation of our protocol implementable on the Lightning network.

Although the construction of two-party payment channels is a simple and elegant solution, it fails to capture more complex topological structures in the blockchain transaction graph. Typical payment channels are funded by two people who lock their funds in a transaction in the blockchain to open the channel. For each update transaction both parties must sign to make it valid, thus two signatures are required. In an attempt to generalize the construction of channels and allow funds to be transferred freely between multiple parties, Burchert et al. [5] proposed the construction of channel factories. A channel factory is a multi-party channel. Channel factories reduce the number of open channels on the blockchain and also the total amount of locked funds since they allow money to be transfered off-chain between the participants of the channel factory. However, every valid transaction requires the signature of every party of the channel factory. This is highly non-practical.

In this work, we examine specific topologies where multi-party channels do not require multiple signatures. Inspired by real life hierarchical situations, such as customers paying a supermarket or citizens paying their taxes, we introduce a new type of channel construction that can capture such topologies. Our solution increases the efficiency of channels, when every node of the transaction graph has only one outgoing edge. Only two signatures are required for each transaction while the amount of locked funds is minimized.

Our contribution is summarized as follows: In Section 2, we present a novel protocol to secure channels by incentivizing watchtowers. We prove our protocol is secure and incentive compatible in Section 3, and present an alternative version implementable in Bitcoin’s Lightning network in Section 4. Additionally, in Section 5 we generalize the construction of channels to enable them to capture different topological structures of the blockchain transactions graph, thus improving efficiency. We discuss related work in Section 6 and conclude with future work in Section 7. The omitted proofs can be found in the appendices.

2 The DCWC (Disclose Cascade Watch Commit) Protocol

There are many different models and implementations of channels such as [6, 7]. While the implementations (e.g., Raiden, Lightning) differ, the concept remains mostly the same. A channel protocol typically consist of three phases: setup, negotiation and settlement.

More specifically, two parties create on-chain funding transactions to start a channel, blocking parts of their stake on the blockchain. After this setup phase, both parties sign subsequent off-chain update transactions representing the current distribution of stake between them. Money can flow in either direction, as long as the paying party still has funds in the channel. This is the negotiation phase. Either party can create a settlement transaction to close the channel. The problem is if party fraudulently issues an old settlement transaction, and party can prove it is old by presenting a transaction signed by with a higher sequence number. We have a proof-of-fraud, and party is awarded all stake in the channel.

Whenever an update transaction is issued, the party who receives a payment wants to be sure that some part of the network knows about this update. A simple solution is to spread the newest update transaction to as many nodes as possible and offer a reward for whomever sends a proof of fraud to the miners in case of misuse. Such a protocol could accidentally or purposefully cause congestion at block miners, providing the possibility to launch cheap DDOS attacks. Nobody knows how many nodes have seen the update and are willing to send it to the miners. Also nodes have no real incentive to spread the contract as it would only increase the competition, and decrease their chances of getting paid.

Our protocol requires participating watchtowers to store only messages as the message with the highest sequence number is a proof for all others. In terms of privacy watchtowers know which channel they are watching but they don’t need to learn anything about the payments except for the sequence number. It consist of rounds. During each round a group of watchtowers gets the chance to send a proof-of-fraud and collect fees. Once a proof-of-fraud has been included on the blockchain or rounds have passed, the protocol terminates. Each round consists of some predetermined number of blocks . If no proof of fraud was published after rounds, the settlement transaction will be accepted as the final state of the channel and the funds will be unlocked. The protocol terminates after , where is the timelock off settlement transactions in current solutions [14, 7]. We improve the time that funds are locked after a channel is closed one sided, compared to state-of-the-art solutions. Intuitively, our protocol can terminate much earlier since many more entities are online and watching the channel. Note that the channel can be closed instantly if both involved parties are cooperative and online.

When a new channel is opened, both parties provide a fund on-chain for paying transaction fees for a proof of fraud and paying the watchtower that published it. The protocol consist of two phases. The first phase is executed once for every newly issued update transaction. It is responsible for spreading the update in the network. The second phase ensures that a proof of fraud will be published, when an old update transaction is published as a settlement transaction. The second phase consists of rounds, where is specified on the funding transaction and should depend on the amount of funds locked in the channel.

2.1 Phase 1: Disclose & Cascade

The first phase is entered after the funding transaction has been included in the blockchain and terminates when a settlement transaction is included in a block. This phase ensures that a sufficient amount of watchtowers receive an update message, and also that these messages are correct. Essentially, participants send new update messages to their neighbours for a few iterations. These messages are cryptographically designed to capture the travelled path in order to reward watchtowers that forwarded messages. Disclose of Phase 1 is invoked by a party , involved in the channel, anytime he or she receives a new update transaction with sequence number . Cascade of Phase 1 is invoked by any node receiving a message generated from Disclose or Cascade. The parameter limits the number of neighbors to whom a message can be sent. The value determines the number of hops that a message has traveled. Let denote that is encrypted with private key .

1:procedure Disclose
3:     for (do
6:         send() to      
7:procedure Cascade
10:     if  then return      
12:     for (do
15:         send() to      
Algorithm 1 Phase 1: Disclose & Cascade



2.2 Phase 2: Watch & Commit

The second phase of the protocol ensures that in case of fraud, i.e. or publish an old update transaction, a proof of fraud will be published. Throughout the lifespan of the channel all watchtowers that are involved in the protocol watch the blockchain for such an update message (watch process). After a settlement transaction of a channel, signed by one of the parties involved in the channel, is published in a block the watchtowers start the commit process. It consists of a fixed number of rounds

, specified in the channel. For simplicity, we assume a round corresponds to a single block. However, the number of blocks that determine a round can be adapted without affecting the protocol. We note that block frequency and propagation time should be considered to estimate the reaction time of the watchtowers, and thus the number of blocks per round. The actors in this phase are the watchtowers.

Let denote the newest update transaction that watchtower has seen. Let denote the message as created in the Disclose & Cascade phase through which learned about the newest update transaction . Watchtower stores only this message and can discard any other message concerning channel thus reducing his storage costs. After blocks trail the settlement transaction and and no proof of fraud has been published yet, signs and sends to the blockchain network. With , also sends all information that contains in plaintext. This information includes the path that the message has travelled, and the at each hop of the path. The plaintext information will not be included on the blockchain, but helps the network to reduce the number of invalid messages that are send around. If the plaintext of the message does not match the encrypted information, then the network nodes will discard the message.

2.3 Payoffs

After rounds have passed, the channel is closed. At this stage the funds of and are unlocked and the watchtowers are paid.

Ideally, all watchtowers would get pay their marginal contribution for participating in the protocol. However, a protocol that implements such a payment mechanism would require many on-chain payments to pay all involved watchtowers. Thus, we propose a payment mechanism that pays only the watchtowers that participated in forwarding and publishing the update message that has been included on-chain. When the channel is created, both parties involved in the channel reserve some value for paying transaction fees and rewards for a proof-of-fraud. When a proof-of-fraud has been included in the blockchain, all watchtowers included in forwarding that proof-of-fraud get an equal share of , reserved by the cheating party, after the transaction fee has been deducted. In the following section, we show that this payment mechanism ensures sufficient expected payoff to incentivize the watchtowers.

2.4 Transaction validation

The miner of the next block checks whether the messages were generated according to the protocol. Out of the set of valid messages he or she selects one uniformly at random and publishes it in the new block. The miners perform the following checks to determine the correctness of a message containing the update transaction :

  • No proof of fraud for transaction has been published.

  • The update transaction was generated according to underlying channel protocol.

  • .

  • .

  • No other message in the same level following the same path has the same .

  • The level of the watchtower that propagates the message, determined through the number of signatures, is equal to the number of rounds passed since the settlement transaction was included in the blockchain.

  • For every message in the same path as : the of the previous message corresponds to the secret key signing the current message.

If any of the points above are violated the network will reject .

2.4.1 Payoff for Miners.

The miner including the settlement transaction is paid as in any other transaction. The miner including a valid proof of fraud is paid by the watchtower whose message he included. The reward for the watchtower should thus be high enough to cover the transaction fees.

3 Incentive & Security Analysis

In this section we show that watchtowers maximize their profit if they follow the DCWC protocol. Hence, executing the protocol is a dominant strategy and thus the protocol is incentive compatible.

3.1 Expected Payoff

In order to show incentive compatibility we need to calculate the expected payoff and analyze changes in the expected payoff when a node decides to deviate from the protocol. The expected payoff of watchtower watching channel is


where is the set of messages signed by such that , including those messages forwarded by . Then denotes the probability that one of those messages will be included in the blockchain. The equally shared payoff is split between all watchtowers that forwarded , paid if gets included on the blockchain. is the probability that update message will eventually be included in the blockchain. To calculate this probability for a message sent in the Disclose step of Phase 1, we sum the probabilities of being chosen for all possible subsets of non-failing watchtowers. For messages generated in during Cascade to be included in the blockchain, all watchtowers holding messages that travelled fewer hops must have failed. If we assume all nodes follow the protocol and nodes fail independently with probability , then the probability that message will be included in the blockchain is:


Where is the total number of valid send messages with depth i. If the protocol is executed faithfully by all parties, then .

Lemma 1

A watchtower cannot increase his expected payoff by deviating from the protocol unless he can decrease for any of his messages, increase the probability that one of his messages will be included by decreasing the number of valid messages not signed by him or increase the number of messages signed by him for any .


Lemma 1 follows directly from equations 2 and 3.

Lemmas 2, 3, 4 complete our argument by showing that no watchtower can decrease or increase or . We prove this for Phase 1 and Phase 2 of the protocol independently.

3.2 Analysis of Phase 1: Generating Messages

The first phase of DCWC handles the creation of update messages and how they are forwarded to the watchtowers. We show that during the first phase of DCWC, watchtower can not influence the execution of the protocol in a way that decreases the number of messages that do not pay him nor in a way that increases the number of valid messages that do pay him.

Lemma 2 ()

A watchtower can not decrease nor increase by deviating from executing Phase 1 of DCWC.

Furthermore we show that he can not manipulate the number of signatures on any of his messages.

Lemma 3 ()

A watchtower can not Decrease by deviating from executing Phase 1 of DCWC.

3.3 Analysis of Phase 2: Committing Messages

The second phase of the protocol handles the spreading of a valid proof-of-fraud through a update message . Watchtowers might want to withhold proof of frauds, publish them early or deviate in other ways to increase their expected payoff.

Note that there is no need to show that is not able to decrease in this phase, as we assume that Phase 1 has been completed and all update messages have been created accordingly. It is also easy to see that can’t decrease as we assume that Phase 1 has already completed and has no control over the choices that the owners of take.

Lemma 4 ()

A watchtower can not increase by deviating from executing Phase 2 of DCWC.

Theorem 3.1

DCWC is incentive compatible.


Theorem 3.1 follows directly from Lemmas 1, 2, 3, 4.

3.3.1 Mining Nodes

Mining nodes might also deviate from the protocol to improve their payoffs. Their set of actions is a bit more limited as any block containing invalid update messages would be rejected by other nodes. The analysis thus far has assumed that the set of watchtowers is disjoint from the set of mining nodes. A node which is mining a new block and is holding a valid update message, can give himself an advantage of receiving the payoff by not randomly including a proof-of-fraud but rather including his own. This behavior does not influence the outcome of the protocol as it leads to a proof-of-fraud being published either way. The mining node can only include a valid proof-of-fraud in his block without invalidating the block. Thus mining nodes have an additional incentive to participate as watchtowers in our protocol.

4 Adaption for Compatibility with Lightning: The DCWC* Protocol

So far, we described the protocol to incentivize watchtowers to watch the channels in high level. An implementation of the protocol depends on the underlying channel protocol and the underlying blockchain protocol. An implementation in Turing complete blockchains can be done as is. An implementation for blockchain protocols that support more limited scripting languages, such as Bitcoins’ Script, would require changes to the protocol. Most prominently limiting the number of forwarded messages at each step is, to the best of our knowledge, not possible to be implemented for Lightning due to the limitations of Script. Furthermore, determining how to pay the watchtowers without explicitly naming them in the funding or update messages is not trivial. The protocol depends not only on the scripting language, but also on the channel implementation. We propose a simplified version of our protocol that leaves unspent transaction outputs to be claimed by watchtowers, designed for the current Lightning implementation [14]. DCWC* can be implemented without requiring changes to the channel protocol.

Just as in DCWC, DCWC* creates layers of watchtowers. The -th layer of watchtowers is allowed to issue a proof of fraud after rounds trail the occurrence of a fraudulent settlement transaction, also similar to the DCWC protocol. The protocol terminates after a predetermined number of blocks trail the settlement transaction, making funds and rewards spendable. Rewards are granted for the watchtower that submitted the published proof of fraud to the miners and the watchtowers that forwarded that proof of fraud.

The first phase, disclose & cascade*, is executed once for every off-chain update of the channel. This phase is responsible for spreading the update in the network of watchtowers.

4.1 Phase 1: Disclose & Cascade*

This phase initiates after the channel is opened and ends when a settlement transaction has been published in the blockchain. Spread ensures that a certain amount of watchtowers receive update messages, and that the messages are constructed such that watchtowers receive a payoff for storing and forwarding the messages.

Whenever receives an update transaction from , he also receives a transaction that invalidates the previous transaction, rewarding with all of the channels funds, if the previous state is published on-chain by . We refer to this transaction, invalidating update transaction as invalidation transaction , which corresponds to a proof-of-fraud in DCWC. wants to be certain that some watchtowers are aware of this invalidation transaction. Thus, sends to watchtowers, claiming most of the funds for himself but leaving some unspent. When a watchtower receives such a message, he claims some of the unspent transaction outputs (UTXOs) for himself but leaves some unspent and forwards the message. timelocks the transaction which he added to the message. This way, he will always get a chance to publish a proof of fraud before whomever he sends it to and thus has no incentive not to forward the update. Note that if later gets the chance to publish a proof of fraud he can still claim all UTXOs for himself. Only if the recipient of his message publishes the proof, receives the part he claimed before forwarding the message. If the unclaimed UTXO is too small, the receiver will possible discard the message; thus a market of self regulation evolves to determine the appropriate amount for the watchtowers’ fee.

The construction of these update messages is depicted in Figure 1. If and agree on a new update of the channel they provide each other with the invalidation transaction of the previous transaction. Then each party can create one transaction, giving himself all of the funds in the channel and another transaction with a transaction-level relative timelock (nSequence) to all his neighbours, leaving them in control of parts of the output. This can be repeated recursively by his neighbours until the sum of relative timelocks exceeds the timelock of the channel, or until it is reasonable to assume that adding another level makes the participation of more watchtowers unprofitable.

Figure 1: Participant in the channel disclosing the newest invalidation message to Watchtowers after and agreed on a new update . cascades the message to with a transaction level relative timelock .

4.2 Phase 2: Watch & Commit*

The second phase of the protocol ensures that the fraud will be detected and proven, if it occurs. This phase initiates after the a settlement transaction is published on the blockchain by one of the involved parties. Since all are timelocked, the commit phase consists of a fixed number of rounds. Any watchtower holding can now send it to the blockchain network. Then they can, round after round, append the transactions leading to their payoff.

4.3 Implementation

Our protocol has only one type of no-trivial transaction. Namely, the transaction that is forwarded to a watchtower (depicted as a circle in fig. 1).It consists of two outputs, one going to the sender of the message and one that is locked by the script shown in figure 2. The forwarded transaction has the purpose of paying the sender of the transaction and the watchtower receiving it, if the sender is offline when the message is included on-chain. The output script is constructed as follows:

       <W’s public key>
       <B’s public key>

Figure 2: Caption

Recall that the funding transaction, and are part of the channel protocol and not further discussed here.

4.4 Discussion of DCWC*

  • Abolishing rounds. In a practical setting it would make sense to abolish rounds, and with that the cascade process all together. This would lead to a higher workload for the participants of the channel as they have to create more messages, but reduces the number of transactions that have to be included on-chain.

  • eltoo.It remains to be seen how a version of DCWC* would work with eltoo [6] channels. While the DCWC protocol requires watchtowers to store only messages, DCWC* requires watchtowers to store messages, where is the number of channel updates. Possibly the proposed SIGHASH_NOINPUT could be used to improve the implementation of DCWC* to require storing only messages.

  • privacy. In DCWC* watchtowers receive a transaction , which does not leak more information than the id of the input transaction of . Thus, the watchtowers do not learn the distribution of funds until the settlement transaction is included on-chain.

5 Generalizing Payment Channels

In this section we study extended domain channels, or xD-channels for short, a protocol permitting new types of payment channels. The xD-channels can be custom-designed, depending on intended use, to optimize their functionality, such as the amount of locked funds or the number of signatures required to authorize a transaction.

The premise of traditional two-party channels is that payments can be executed off-chain in a restricted form to avoid double-spending; funds are locked to the channel in the funding transaction, and thus channel participants can only pay each other. We recognize that bi-directional, two-party functionality is rarely optimal, and relax the protocol by allowing each party to freely choose whom to pay within the channel. Note that double spending is not possible as long as each channel participant specifies upfront only one party eligible to be paid by the participant. Therefore, guarantees similar to those of traditional two-party channels are preserved.

5.1 xD-channels

Definition 1 (xD-channel graph)

An xD-channel is described by a directed graph , where is a user (a set of public keys), and is a directed edge such that each vertex has at most one outgoing edge.

Definition 2 (xD-channel state)

The xD-channel state is a tuple , where:

  • is the xD-channel graph.

  • is the initial assignment of funds to public keys in each constituent xD-channel.

  • is a natural number.

  • are signatures of all public keys specified in , signing .

  • is a set that for every vertex of contains the amount of funds that has paid along its’ outgoing edge, together with a signature authorizing that payment, .

An xD-channel is established by a funding transaction of the amount to the channel .

Similarly to traditional payment channels, an xD-channel is closed by publishing its state. Given some xD-channel states published during the settlement period, only states with the maximal sequence number have effect. For , let be such states. Then, the effect of publishing those states is equivalent to publishing only , where contains for each vertex the maximal amount has signed as paid: .

Suppose only one channel state is published during the settlement period. Then, for each vertex in , the number of funds paid along

’s outgoing edge in the resulting state is determined by the solution to the following linear program:

Note that the linear program determines the highest amount that has agreed to pay that does not result with a negative balance for .

Participants ensure security of transactions in a similar, but generalized way to traditional two-party channels. Whenever a participant wants to transact funds to another participant along an edge , they send an updated element of , where is increased by the funds paid, together with an authorizing signature . proves to that the current state of the channel assigns enough funds to them to execute the transaction, by presenting with commitments by other participants to pay : , such that (where ), along with commitments funding those payments and so on. In turn, can pass over these elements of to prove its’ ability to pay, and so on. Crucially, because each vertex has at most one outgoing edge, there can be no attempt to double spend within the channel. Moreover, changes that are not merely commitments to pay more along participant’s outgoing edge, such as changing the channel’s topology , require the signature of everybody involved.

Note that when the channel participants decide to close the channel, they might issue a final channel state where the resulting fund division is concisely described by , to minimize the blockchain space required to publish it.

Corollary 1

A traditional, bi-directional two-party channel is equivalent to an xD-channel with .

Example 1

Consider a scenario in which many parties , the clients, are interested in periodically paying a party , the supermarket. The supermarket expects to never need to transfer funds to the clients, but there is another party , the tax office, to which the supermarket wants to periodically make payments. The tax office expects to pay often.

One solution involving traditional two-party channels might be to establish a channel between each client and the supermarket and channels between the supermarket, tax office and the client. Note, that funds in each channel are locked to either party in the channel, e.g. the funds paid by the clients to the supermarket cannot be passed on to the tax office. Note, that each client-supermarket channel allows payments from the supermarket to the client, but this functionality is superfluous.

Consider a single xD-channel, where is illustrated in Figure 3. Note that clients can make payments to the supermarket identically as before. However, the supermarket can pass the funds on to the tax office providing the proofs of clients’ payments along with its signature.

Figure 3: xD-channel from Example 1. Vertices represent actors, and edges represent the ability to pay.

5.2 Discussion

Similarly to traditional two-party channels, xD-channels allow payments to be executed off-chain while preserving the security guarantees of the blockchain, i.e. the parties cannot double spend. To that end, multi-party channels typically require the signature of every party involved. Towards this direction, we can extend the functionality of xD-channels even further. So far, we require each xD-channel participant to choose only one other participant as the recipient of payments, so that the set of parties reachable from in the xD-channel graph is protected against potential double spending from . We note that can be allowed to make a payment to a party as long as each party in confirm, by providing a signature, they are not being cheated by such payment. In the presence of channel topology, this approach can be more efficient, i.e. provide a better ratio of functionality to the number of required signatures, than typical multi-party channel approaches.

6 Related Work

Off-chain payment channels have been extensively studied by the research community as they are the most prominent solution to the blockchain’s scalability problem. Multiple versions of channels can be found in literature . Duplex micropayment channels [7] use timelocks, while lightning channels [14] depend on punishing the party that misbehaves.

Payment networks can be build using any version of payment channels. Most payment networks use Hashed Timelock Contracts (HTLC) to execute transactions over multiple hops, such as the Lightning network [14] which relies on Bitcoin [13], and the Raiden network [4] which relies on Ethereum [2]. However, there are different approaches on constructing payment channels and building payment networks. In a recent work, Miller et al. present Sprites [12] to reduce the time for which the funds are locked in a multi-hop transaction. Sprites also supports partial withdraws and deposits without interrupting the channels’ functionality. On the other hand, Perun [8] introduces “virtual payment channels”, which are payment channels on top of the payment channels, to abolish intermediaries in multi-hop transactions in the payment network. Our work is complementary to all these channel construction and payment networks, since we address a problem they all share: all parties involved in channels must be constantly online to ensure security.

A concurrent work, addresses the same problem. McCorry et al. propose Pisa [10], a protocol that introduces third parties, called custodians, to watch the channels. Their approach focuses on state channels; they set up service contracts between channel parties and custodians. They also address the incentives for participation and propose custodians depositing security funds when setting up the service contract. Although our protocol does not examine this issue, it is very simple and easily implementable, even on Bictoin, in contrast with the Pisa protocol.

7 Conclusion & Future Work

In this work, we presented a mechanism to secure channels by incentivizing third parties, called watchtowers, to actively monitor channels and report fraud to the blockchain. The mechanism is incentive compatible, i.e. following the protocol is a dominant strategy for every watchtower, and allows the parties involved in the channel to go offline. The proposed protocol is lightweight in communication and watchtowers do not learn the distribution of funds in the channel. In addition, we suggested an adaptation of the protocol implementable on the Bitcoin’s Lightning network.

Furthermore, we explored channels efficiency. We generalized the construction of channels to allow specific topological structures of the blockchain transaction graph to influence the multi-channel construction. This way, we improve the efficiency of channels in some specific cases, which are often met in practice in monetary systems. In particular, when each party has only one outgoing edge, each transaction in the multi-party channel requires only one signature. Moreover, the proposed construction enables transfering the money from one channel to the next, similarly to how IOUs work, thus reducing the amount of locked funds in the channel.

For future work, an interesting open topic is to study participation incentives for the watchtowers. Although our protocol is incentive compatible in the sense that if watchtowers decide to participate they cannot gain more by deviating from the protocol, we do not guarantee that they actually profit by participating in the protocol, particularly when no fraud occurs. Another line of future work would be to examine the new channels construction. The first open question would be whether parties can be added or removed efficiently without going to the blockchain. Another direction would be to study different topologies for which the construction greatly improves channels’ efficiency, either regarding the amount of locked funds or the number of required signatures.


  • [1] Bitcoin contracts., accessed: 2018-09-18
  • [2] Ethereum white paper
  • [3] Merge blocks., accessed: 2018-06-29
  • [4] Raiden network (2017),
  • [5] Burchert, C., Decker, C., Wattenhofer, R.: Scalable Funding of Bitcoin Micropayment Channel Networks. In: 19th International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS), Boston, Massachusetts, USA (November 2017)
  • [6] Decker, C., Russell, R., Osuntokun, O.: eltoo: A simple layer2 protocol for bitcoin
  • [7] Decker, C., Wattenhofer, R.: A fast and scalable payment network with bitcoin duplex micropayment channels. In: Pelc, A., Schwarzmann, A.A. (eds.) Stabilization, Safety, and Security of Distributed Systems. pp. 3–18. Springer International Publishing, Cham (2015)
  • [8] Dziembowski, S., Eckey, L., Faust, S., Malinowski, D.: Perun: Virtual payment hubs over cryptographic currencies. Tech. rep., IACR Cryptology ePrint Archive 2017 (2017)
  • [9] Malavolta, G., Moreno-Sanchez, P., Kate, A., Maffei, M., Ravi, S.: Concurrency and privacy with payment-channel networks. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. pp. 455–471. ACM (2017)
  • [10] McCorry, P., Bakshi, S., Bentov, I., Miller, A., Meiklejohn, S.: Pisa: Arbitration outsourcing for state channels. IACR Cryptology ePrint Archive 2018,  582 (2018)
  • [11] McCorry, P., Möser, M., Shahandasti, S.F., Hao, F.: Towards bitcoin payment networks. In: Liu, J.K., Steinfeld, R. (eds.) Information Security and Privacy. pp. 57–76. Springer International Publishing, Cham (2016)
  • [12] Miller, A., Bentov, I., Kumaresan, R., McCorry, P.: Sprites: Payment channels that go faster than lightning. CoRR abs/1702.05812 (2017),
  • [13] Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system (2008)
  • [14] Poon, J., Dryja, T.: The bitcoin lightning network: Scalable off-chain instant payments (2015),

Appendix 0.A Proof of Lemma 2

See 2


Picture the Disclose & Cascade algorithm as a tree. can increase by increasing the number of valid messages with his signature. This is true because, whenever a message from a node in his subtree is published and in all other cases . Note that maximizing the number of messages in any layer bears no effect on the probability of messages of earlier levels to be included; thus doesn’t decrease his chances of a larger payoff by maximizing the number of valid messages in any level of his subtree. Therefor we can analyze each level individually.

It still remains to be shown that can neither decrease nor increase . Let denote the set of all update messages. The protocol could only be exploited in one of two ways:

1. Decrease : Decreasing the number of update messages that are not in his subtree would increase the chance that one of s messages gets included.

has no knowledge of the identities of watchtowers that are not in his subtree. Additionally their success does not depend on any action of . Thus, decreasing is not feasible for .

2. Increase : We show that can’t increase the number of nodes in his subtree.

For each depth the number of messages that can be send is restricted by . If tries to forge more messages, then according to the pigeonhole principle either two must be the same, or at least one must be larger than . In the second case, all descendant messages will be rejected. The first case is a bit trickier. Sending two different messages with the same sequence number to disjoint set of miners is clearly not more beneficial than just sending one message to all. However if the failure probability of nodes is high, creating two messages with the same increases the chances of one of them to get through. This is true when:


However this behavior doesn’t scale arbitrarily and whenever this behavior increases the security of the protocol.

Appendix 0.B Proof of Lemma 3

See 3


In Phase 1, is only required to store the message that is last signed by him at this point. The only way to deviate from the protocol would be to forge a message s.t. . We show that won’t be able to construct such a message. If doesn’t control any nodes in the tree which have a shorter path to the root, then he can not create a valid , due to the layered construction of update messages. If does control a watchtower in the tree which is closer to the root, receiving messages after hops. Then is in which means that we can apply lemma 2, as creating would be equivalent to creating more than messages at level .

Appendix 0.C Proof of Lemma 4

See 4


can take three different actions to try increasing the probability that his message will be included in the next block. We show that none of them in fact increase that probability. Firstly, could send too early, e.g. in round . In this case the transaction is invalid, the network will reject the message and might disconnect from . Secondly, could send in a later round. It is easy to see that there is no advantage in doing so. Lastly, could send which belongs to an older update transaction than but a newer one than settlement transaction. If is in fact included in the blockchain, then the protocol terminates successfully nevertheless. However, there is no incentive for to store as storing instead is a dominant strategy, since the set of potential settlement transactions for which is a valid proof-of-fraud is a subset of the set of settlement transactions for which is a valid proof-of-fraud.