Skip to main content
SpringerLink
Log in

Scalable Funding of Bitcoin Micropayment Channel Networks

Regular Submission

  • Conference paper
  • First Online:
Stabilization, Safety, and Security of Distributed Systems (SSS 2017)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 10616))

Abstract

The Bitcoin network has scalability problems. To increase its transaction rate and speed, micropayment channel networks have been proposed, however these require to lock funds into specific channels. Moreover, the available space in the blockchain does not allow scaling to a world wide payment system. We propose a new layer that sits in between the blockchain and the payment channels. The new layer addresses the scalability problem by enabling trust-less off-blockchain channel funding. It consists of shared accounts of groups of nodes that flexibly create one-to-one channels for the payment network. The new system allows rapid changes of the allocation of funds to channels and reduces the cost of opening new channels. Instead of one blockchain transaction per channel, each user only needs one transaction to enter a group of nodes – within the group the user can create arbitrary many channels. For a group of 20 users with 100 intra-group channels, the cost of the blockchain transactions is reduced by 90% compared to 100 regular micropayment channels opened on the blockchain. This can be increased further to 96% if Bitcoin introduces Schnorr signatures with signature aggregation.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Institutional subscriptions

Notes

  1. 1.

    The original publication preceded the introduction of relative timelocks and as a result had to use a different tree.

  2. 2.

    See Schnorr signatures at https://bitcoincore.org/en/2016/06/24/segwit-next-steps/.

  3. 3.

    ed25519 is not the only possible implementation of Schnorr signatures. If you prefer the implementation based on curve secp256k1 just calculate with a 33 byte public key instead of 32.

  4. 4.

    It is mentioned in https://lists.linuxfoundation.org/pipermail/lightning-dev/2015-September/000188.html.

References

  1. Bairn, A.: Ionization protocol: flood routing (2015). http://lists.linuxfoundation.org/pipermail/lightning-dev/2015-September/000212.html

  2. Bamert, T., Decker, C., Elsen, L., Wattenhofer, R., Welten, S.: Have a snack, pay with bitcoins. In: 13th IEEE International Conference on Peer-to-Peer Computing (2013)

    Google Scholar 

  3. Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.Y.: High-speed high-security signatures. J. Cryptographic Eng. 2(2), 77–89 (2012)

    Article  Google Scholar 

  4. BtcDrak, Friedenbach, M., Lombrozo, E.: Bip 112: Checksequenceverify (2015). https://github.com/bitcoin/bips/blob/master/bip-0112.mediawiki

  5. Corallo, M.: Bip 152: compact block relay (2016). https://github.com/bitcoin/bips/blob/master/bip-0152.mediawiki

  6. Croman, K., Decker, C., Eyal, I., Gencer, A.E., Juels, A., Kosba, A., Miller, A., Saxena, P., Shi, E., Gün, E.: On scaling decentralized blockchains. In: 3rd Workshop on Bitcoin Research (2016). http://www.tik.ee.ethz.ch/file/74bc987e6ab4a8478c04950616612f69/main.pdf

    Chapter  Google Scholar 

  7. Decker, C., Wattenhofer, R.: Information propagation in the bitcoin network. In: 13th IEEE International Conference on Peer-to-Peer Computing, September 2013

    Google Scholar 

  8. Decker, C., Wattenhofer, R.: A fast and scalable payment network with bitcoin duplex micropayment channels. In: Pelc, A., Schwarzmann, A.A. (eds.) SSS 2015. LNCS, vol. 9212, pp. 3–18. Springer, Cham (2015). doi:10.1007/978-3-319-21741-3_1. http://www.tik.ee.ethz.ch/file/716b955c130e6c703fac336ea17b1670/duplex-micropayment-channels.pdf

    Chapter  Google Scholar 

  9. Dryja, T.: Scalability of lightning with different bips and some back-of-the-envelope calculations (2015). http://diyhpl.us/wiki/transcripts/scalingbitcoin/hong-kong/overview-of-bips-necessary-for-lightning/

  10. Friedenbach, M., BtcDrak, Dorier, N., kinoshitajona: Bip 68: Relative lock-time using consensus-enforced sequence numbers (2015). https://github.com/bitcoin/bips/blob/master/bip-0068.mediawiki

  11. Gervais, A., Karame, G.O., Wüst, K., Glykantzis, V., Ritzdorf, H., Capkun, S.: On the security and performance of proof of work blockchains. In: 23rd ACM Conference on Computer and Communications Security (2016). http://dl.acm.org/citation.cfm?doid=2976749.2978341

  12. Gervais, A., Ritzdorf, H., Karame, G.O., Capkun, S.: Tampering with the delivery of blocks and transactions in bitcoin. In: Conference on Computer and Communications Security (2015)

    Google Scholar 

  13. Hearn, M.: Low bandwidth block relay using thin blocks (2015). https://github.com/bitcoinxt/bitcoinxt/pull/91

  14. Karame, G.O., Androulaki, E., Capkun, S.: Two bitcoins at the price of one? Double-spending attacks on fast payments in bitcoin. In: Conference on Computer and Communications Security (2012)

    Google Scholar 

  15. Luu, L., Narayanan, V., Baweja, K., Zheng, C., Gilbert, S., Saxena, P.: SCP: a Computationally-Scalable Byzantine Consensus Protocol for Blockchains (2015)

    Google Scholar 

  16. Luu, L., Narayanan, V., Zheng, C., Baweja, K., Gilbert, S., Saxena, P.: A secure sharding protocol for open blockchains. In: Conference on Computer and Communications Security (2016)

    Google Scholar 

  17. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008). https://bitcoin.org/bitcoin.pdf

  18. Poon, J., Dryja, T.: The bitcoin lightning network: scalable off-chain instant payments (2016). https://lightning.network/lightning-network-paper.pdf

  19. Prihodko, P., Zhigulin, S., Sahno, M., Ostrovskiy, A., Osuntokun, O.: Flare: an approach to routing (2016). http://bitfury.com/content/5-white-papers-research/whitepaper_flare_an_approach_to_routing_in_lightning_network_7_7_2016.pdf

  20. Rosenfeld, M.: Analysis of hashrate-based double-spending (2012). https://bitcoil.co.il/Doublespend.pdf

  21. Russel, R.: Ionization protocol: flood routing (2015). http://lists.linuxfoundation.org/pipermail/lightning-dev/2015-September/000199.html

  22. Russell, R.: Lightning networks part ii: Hashed timelock contracts (HTLCs) (2015). https://rusty.ozlabs.org/?p=462

  23. Russell, R.: Reaching the ground with lightning (2015). https://github.com/ElementsProject/lightning/blob/master/doc/deployable-lightning.pdf

  24. Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. (1991)

    Google Scholar 

  25. Sompolinsky, Y., Zohar, A.: Accelerating bitcoin’s transaction processing (fast money grows on trees, not chains) (2013)

    Google Scholar 

  26. Towns, A.: Network topology and routing (2015). https://lists.linuxfoundation.org/pipermail/lightning-dev/2015-September/000188.html

  27. Wuille, P.: Elliptic curve schnorr-based signatures in bitcoin (2016). https://scalingbitcoin.org/transcript/milan2016/schnorr-signatures

Download references

Author information

Authors and Affiliations

  1. ETH Zurich, ETZ G 83, Gloriastrasse 35, 8092, Zürich, Switzerland

    Conrad Burchert & Roger Wattenhofer

  2. Blockstream Inc., San Francisco, USA

    Christian Decker

Authors
  1. Conrad Burchert
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Christian Decker
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Roger Wattenhofer
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Conrad Burchert or Roger Wattenhofer .

Editor information

Editors and Affiliations

  1. University of Liverpool, Liverpool, United Kingdom

    Paul Spirakis

  2. Chalmers University of Technology, Gothenburg, Sweden

    Philippas Tsigas

A Appendix

A Appendix

1.1 A.1 Coordination of Allocation Updates

When a new allocation is created, the members of a channel factory need to coordinate the creation of a new allocation transaction and all transactions to make the new or recreated subchannels of this new allocation. Due to the number of involved parties this might take a considerable amount of time. However this is not a problem, as normal channel operation can be continued as long as care is taken to make changes to the subchannels of both the old and the new allocation. An allocation update can be executed in the following order:

  1. 1.

    A member decides that an update of the allocation is necessary, e.g., because it wants to move funds to another channel, and broadcasts to all nodes of the group that a new allocation should be created.

  2. 2.

    As soon as someone receives the allocation update request, he will issue a request to all his subchannel partners to use the current channel state as the base for the new allocation.

  3. 3.

    In each subchannel the two cooperating parties decide on a starting state for the new subchannel and broadcast it to the group. Nodes can apply changes that move funds to other channels in this step.

  4. 4.

    Each node creates the new allocation transaction. These should all be identical, as they fund the same two party shared accounts.

  5. 5.

    The two cooperating parties of each subchannel create the subchannel commitment transactions and sign them. From this point on they keep both subchannels based of the old and new allocation updated.

  6. 6.

    All nodes sign the new allocation and exchange signatures.

  7. 7.

    After receiving all signatures on the new allocation, a node can stop to update the subchannels based on the old allocation, as those cannot be enforced anymore.

From the view of any node there are three states during this process. In the first state the node knows that only the old allocation may come into effect. In the second state the node has given away its signature on the new allocation, however not received all signatures from the other nodes, thus it is uncertainty which allocation may be enforced on the blockchain. After receiving all signatures the node can enforce the new allocation due to its lower timelock. By starting to apply changes to both the old and new subchannels before giving away the own signature on the new allocation it is always ensured that the newest subchannel state is enforceable on the blockchain.

Note that it is ensured that movements of funds are consistent, i.e., no node can create money by telling different partners different information about moving funds between channels, as the total sum must not exceed the locked funds of the group. A net gain for some party must result in a net loss for another party, which will refuse to sign the new allocation. Furthermore if there are different versions of the new allocation the signatures will not match and the new allocation cannot come into effect. This case can be resolved either by retrying with another new allocation or by giving up and eventually resolving the situation on the blockchain.

The described procedure uses broadcasts of subchannel sizes and signatures. This results in a communication overhead of \(O(p^2)\). If this is considered too large, a leader can be chosen, e.g., the node with the smallest input index in the funding transaction of the channel factory. The leader can collect and distribute the information, reducing the number of messages to O(p). The time used by the protocol is constant.

1.2 A.2 Scripts

This appendix lists the different Bitcoin scripts to implement the proposed system. For completeness we also include the already known scripts for two-party payment channels. For every output there is one script that describes the conditions to claim the output and another one that fulfills those conditions and is provided in the input. These scripts depend on a deployed fix for malleability, e.g., Segregated Witness. Note that an implementation might move the output script into the input and use a hash commitment to ensure its integrity and authenticity as usually done in Bitcoin transactions.

1.3 A.3 Two-Party Channel with Timelocks

These scripts implement the transactions in Fig. 5.

The funding and kickoff transactions use Script 1 in their output, which is then claimed with Script 2.

figure a
figure b

All transactions in the invalidation tree have a simple multisignature output with a timelock, implemented in Script 3.

figure c

The locktime is smaller each time a transaction is replaced and thus a new branch in the tree created. They can all be spent with the same input script as the funding transaction, Script 2. The leaves of the invalidation tree split the funds into two outputs, one to each party without restrictions.

1.4 A.4 Multi-party Channel with Timelocks

These scripts implement the timelock based multi-party channel in Fig. 7. Assume p parties. The funding transaction has a regular p-party multisignature output, Script 4.

It is spent by the kickoff transaction with Script 5.

figure d
figure e

The kickoff transaction creates another output with the same conditions, again Script 4. The transactions of the invalidation tree have one multisignature output with an additional timelock, Script 6.

figure f

These are all spent with the corresponding input script of the next node in the tree with Script 5.

The leaves of the tree have any number of outputs, each creating a two-party subchannel with Script 1.

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Burchert, C., Decker, C., Wattenhofer, R. (2017). Scalable Funding of Bitcoin Micropayment Channel Networks. In: Spirakis, P., Tsigas, P. (eds) Stabilization, Safety, and Security of Distributed Systems. SSS 2017. Lecture Notes in Computer Science(), vol 10616. Springer, Cham. https://doi.org/10.1007/978-3-319-69084-1_26

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-69084-1_26

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-69083-4

  • Online ISBN: 978-3-319-69084-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation