Scaling Cryptocurrencies via State Channels
Patrick McCorry
with lots of help from Andrew Miller, Iddo Bentov, Surya Bakshi, Chris Buckland, Sarah Meiklejohn, and Karl Wust.
paddypisa
Cryptocurrencies do not scale.
https://github.com/stonecoldpat/anonymousvoting
7 tps (sort of)
1 MB blocks
12 tps (sort of)
Complexity of transaction
What is the problem?
vs
“Decentralisation and Public Verifiability”
Large user-base vs Large set of validators
OK. How can we scale?
“Off-chain”
Local consensus amongst participants involved in application
Centralised
“The chosen one” produces blocks and there is no competition!
Tweak Consensus Protocol
DAG blockchain, etc.
Sidechain
Peg coins to “another” blockchain that is maintained by another group of maintainers.
Local Consensus (Channel)
All parties execute and authorise every update.
Sharding
Distribute processing across several shards
Spilman Payment Channels
Duplex Micropayment Channels
Lightning Channels
Raiden Channels
Payment channels
Only re-distribute deposit
Sprites Channels (us!)
Perun Channels
Counterfactual
Kitsune (us!)
State channels
gaming, voting, auctions, etc
What is a state channel?
Every party collectively authorises a new state of an application locally amongst themselves.
The blockchain acts as a root of trust to guarantee:
Balance Security: Each party gets the coins they deserve
State Progression: The application will always progress
Observation: Liveness is *not really* a problem for payment channels!
What modifications are required before an application can be deployed as a state channel?
What applications make sense in a state channel?
What are the inherent weaknesses?
Application Contract
State Channel Contract
Block 1
One way to set up the state channel
Let’s assume that battleship is already deployed
Block 1
Block 2
One way to set up the state channel
σA,σB, “lock”
Alice and Bob agree to “lock up” the contract
Block 1
Block 2
Block 3
One way to set up the state channel
State channel is created and the battleship game is frozen!
How do we play battleship off-chain?
Let’s pretend….
It is Alice’s turn to take a shot.
State 0
Turn in Game: Alice
Counter: 0
If you squint hard enough…
Alice is shooting from a real battleship
Replace by Monotonic Counter (or Version)
New state of game:
Bob’s turn to take a shot
State 0
Turn in Game: Alice
Counter: 0
State 1
Turn in Game: Bob
Counter: 1
How does she “lock in” her shot?
Attack command,
State1
Bob computes the following…
State1’ = transition(state0, attack)
Does State1’ == State1?
Yay! Accept it!
All signed! Yay!
Looks too good to be true?
What if Bob doesn’t respond?
Every state channel has a dispute process to
self-enforce the app’s correct execution
In other words, if one party is no longer cooperating, then the app can be finished via the blockchain.
… so Alice will *always* get her money for winning!
The Dispute Process
What if everyone doesn’t authorise the new state?
Initiate Dispute (Block 1)
One party can initiate the dispute process.
Sets a fixed time period for all parties to respond.
Send state hash (Block 2 ... Block N-1)
All parties can send a hash of the latest state (alongside its counter): hstate, i and then hstate, i+1
Resolve Dispute (Block N)
hstate, i+1 stored as the final commitment
But it doesn’t come for free….
Always online assumption:
All parties must remain online to detect and defend against execution forks
Alice is asleep and offline!
I can broadcast an older state and pretend the game never happened!
Bawhahaha
ZZZZzzzzZzzzzzz
Block 1: Initiate Dispute
Bob prepares to perform execution fork
Block 2: Update State i-1 (Old Game State)
Bob updates the blockchain with an older hstate_{i-1}
σA, σB, hstate_{i-1}, i-1
Blocks 3 and 4:
*tense*
Will Bob get away with it?
Will Alice wake up to stop it?
Find out in the next slide!!!
Block 5: Update State i (Latest Game State)
Alice wakes up and updates the blockchain with the latest hstate_i
σA, σB, hstate_i, i
Execution Fork is Cancelled!
Alice keeps her winnings, but only because she remained online and responded at the right time!
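The dispute process and the execution fork above can be replayed in a few lines. This is an added example, not code from the talk or from Kitsune: ChannelContract, execution_fork and the period parameter are hypothetical names, the keys are constructed, and HMAC stands in for the parties' digital signatures.

```python
import hashlib
import hmac

# Constructed demo keys; HMAC stands in for each party's signature (assumption).
KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}

def hstate(state: str, r: bytes) -> bytes:
    """Commit to a game state with a random nonce r, i.e. H(state, r)."""
    return hashlib.sha256(state.encode() + r).digest()

def sign(party: str, h: bytes, i: int) -> bytes:
    """Authorise the pair (hstate, i) on behalf of one party."""
    return hmac.new(KEYS[party], h + i.to_bytes(8, "big"), hashlib.sha256).digest()

class ChannelContract:
    """Hypothetical dispute logic; the caller supplies the current block height."""
    def __init__(self, parties, period):
        self.parties, self.period = parties, period
        self.deadline = None       # block at which the dispute can be resolved
        self.h, self.i = None, -1  # best commitment seen so far

    def initiate_dispute(self, block):
        if self.deadline is None:
            self.deadline = block + self.period

    def set_state(self, block, h, i, sigs):
        """Accept (hstate, i) only inside the window, fully signed, with a larger counter."""
        if self.deadline is None or block >= self.deadline or i <= self.i:
            return False
        if not all(hmac.compare_digest(sigs.get(p, b""), sign(p, h, i)) for p in self.parties):
            return False
        self.h, self.i = h, i
        return True

    def resolve(self, block):
        """After the deadline, the highest counter seen is the final commitment."""
        return self.i if self.deadline is not None and block >= self.deadline else None

def execution_fork(alice_wakes_at, i=7, period=6):
    """Replay the slides: Bob disputes in block 1 and posts state i-1 in block 2."""
    chain = ChannelContract(["alice", "bob"], period)
    old, new = hstate("old game state", b"r-old"), hstate("latest game state", b"r-new")
    chain.initiate_dispute(block=1)
    chain.set_state(2, old, i - 1, {p: sign(p, old, i - 1) for p in KEYS})
    if alice_wakes_at is not None:  # Alice answers with the co-signed state i
        chain.set_state(alice_wakes_at, new, i, {p: sign(p, new, i) for p in KEYS})
    return chain.resolve(block=1 + period)
```

The fork is cancelled only when Alice's update lands before the deadline: execution_fork(5) settles on counter i, while execution_fork(None) and a late execution_fork(9) both settle on the stale i-1.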
Can we help alleviate this new security requirement?
Pisa: Hire an accountable third party!
State Privacy
Custodian should not learn about the state he is watching (unless there is a dispute on-chain!)
Fair Exchange
Custodian should be paid upon accepting appointment from customer
O(1) Storage
Custodian only has to store the latest job received from the customer!
Recourse as Financial Deterrent
There should be indisputable evidence that can be used to punish a malicious Custodian
Application-Agnostic State Channel (Kitsune)
Pisa Contract
Only cares about state hashes, signatures and counters.
Compatible with any application designed for a state channel.
Stores large security deposit for Pisa.
Awaits evidence of cheating from customers to self-enforce deposit forfeiture.
Setting up Pisa
Pisa Contract
Stores a large security deposit upon set up.
Deposit can only be withdrawn after a fixed period of time.
Achieving State Privacy
An Appointment to Pisa only contains:
A state hash, state version, and signature from all parties.
σA, σB, σC, H(state_{i+1}, r), i+1
Fair exchange of payment and cryptographic receipt
Fair Exchange of Payment + Receipt
Payment + Appointment
What if PISA cheats?
Alice is back online… is it too late?
OH NO! Pisa cheated me!!!!
I’ve lost all my coins!
It isn’t too late…
she has evidence that Pisa cheated
Dispute Record*
State channel contract records all successful disputes
Ratified and signed receipt
Evidence Pisa promised to prevent execution fork
+
Evidence: Signed (and Ratified) Receipt + Dispute Record
Pisa Contract
State Channel Contract (Kitsune)
Signed (and Ratified) Receipt
Request Disputes
List of disputes
*compares receipt + list of disputes*
Yup! Pisa could have saved the day.
Sorry, I must forfeit the entire security deposit.
Revenge is sweet
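The recourse check (receipt compared against the list of disputes) can be sketched as follows. This is an added example, not the Pisa contract's code: the receipt fields start and expiry, the Dispute layout and all names are assumptions, the key is constructed, HMAC stands in for Pisa's signature, and the payment and ratification steps are left out.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

PISA_KEY = b"pisa-demo-key"  # constructed; HMAC stands in for Pisa's signature

@dataclass(frozen=True)
class Receipt:
    """Hypothetical appointment receipt: Pisa promises to defend version i of a channel."""
    channel: str
    hstate: bytes    # H(state_i, r): Pisa never sees the state itself
    i: int
    start: int       # first block covered by the appointment (assumed field)
    expiry: int      # last block covered by the appointment (assumed field)
    sig: bytes = b""

def receipt_digest(r):
    msg = f"{r.channel}|{r.hstate.hex()}|{r.i}|{r.start}|{r.expiry}".encode()
    return hmac.new(PISA_KEY, msg, hashlib.sha256).digest()

def issue(channel, hstate, i, start, expiry):
    r = Receipt(channel, hstate, i, start, expiry)
    return replace(r, sig=receipt_digest(r))

@dataclass(frozen=True)
class Dispute:
    """Entry in the channel contract's dispute record (assumed layout)."""
    channel: str
    started: int     # block in which the dispute was initiated
    final_i: int     # counter stored as the final commitment

class PisaContract:
    """Holds the security deposit and forfeits it on valid evidence."""
    def __init__(self, deposit):
        self.deposit = deposit

    def recourse(self, receipt, disputes):
        """Return the amount forfeited: the full deposit if Pisa broke its promise."""
        if not hmac.compare_digest(receipt.sig, receipt_digest(receipt)):
            return 0  # not a receipt Pisa signed
        for d in disputes:
            in_window = receipt.start <= d.started <= receipt.expiry
            if d.channel == receipt.channel and in_window and d.final_i < receipt.i:
                forfeited, self.deposit = self.deposit, 0  # Pisa held a newer state
                return forfeited
        return 0
```

The contract only ever sees hashes, counters and signatures, so the check stays the same for any application run inside the channel.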
| | Privacy Preserving | Verifiable Job | Storage | Fair Exchange (Job + Reward) | Publicly Verifiable Warrant | Financial Deterrent (and Accountability) | Deployable Today |
| Monitor | | | O(N) | | | | |
| WatchTower | | | O(1) | | | | |
| PISA | | | O(1) | | | | |
All good!
Not in original protocol, but compatible
Nope
We are building it
Untrusted Co-ordinator & k-out-of-N watchers
Proving liabilities and assets watched over?
Why don’t you have a side-chain for hiring a bunch of watchers at the same time?
Final thoughts and future work
1 transaction to turn on channel
200+ transactions authorised off-chain for a single game of battleship
1 transaction to turn off channel
Ideal case: No latency, no fees, two transactions on the blockchain
1 transaction to turn on channel
200+ transactions ALL on-chain for a single game of battleship
2-3 off-chain transactions to set up game
Worst case: Commit to playing game, turn off channel, play entire game on-chain.
1 transaction to turn off channel
Why is worst-case really bad?
A transaction fee for every move in the game
LAG! Latency: each move can take 5-10 minutes
Ready to pay $24 and nearly 16 hours to finish the game?
Outstanding Research Problems?
Off-chain (Layer-2) Eco-System Overview
Watchers
Off-chain Channels
Battleship
Payments
Non-Custodial Hubs
Non-Custodial and SUPER-fast payment/application network!!!
Block 1
Block 2
Block 3
Settlement System and Root of Trust of all Layer 2
Our vision: https://goo.gl/tNi1ch
Two years later.
We are on the verge of practical and deployable state channels.
Magic unicorns need not apply.
Thanks for listening!
Follow us on twitter! https://twitter.com/PisaResearch