
Invited Paper: Fault-tolerant and Expressive Cross-Chain Swaps

Yingjie Xue, Brown University, Providence, RI, United States; Di Jin, Brown University, Providence, RI, United States; and Maurice Herlihy, Brown University, Providence, RI, United States
Abstract.

Cross-chain swaps enable the exchange of assets that reside on different blockchains. Several protocols have been proposed for atomic cross-chain swaps. However, those protocols are not fault-tolerant, in the sense that if any party deviates, no asset transfer can happen. In this paper, we propose two alternative protocols for structuring composable and robust cross-chain swaps. Participants can propose multiple swaps simultaneously and then complete a subset of those swaps according to their needs. Their needs are expressed as predicates that capture the acceptable payoffs of each participant. Our proposed protocols are thus more expressive due to the introduction of predicates. The proposed protocols are fault-tolerant since, even if some participants deviate, those predicates can still be satisfied, and conforming parties can complete an acceptable set of swaps.

Cross-chain transactions, Cross-chain swaps, Fault tolerance

1. Introduction

Imagine a world where financial transactions span multiple independent ledgers, each managing a different token. Alice’s salary is paid in apricot tokens, managed on the Apricot ledger, but she pays her utility bill using banana tokens, managed on the Banana ledger. The apricot-to-banana exchange rate is volatile, so Alice waits until the first day of each month to buy the banana tokens she needs.

Because Alice does not trust centralized exchanges, she sets up a recurring trust-free atomic swap with some willing counterparty. Suppose Alice and Bob agree to swap some of Alice’s apricot tokens for Bob’s banana tokens using a well-known atomic swap protocol (Nolan, 2013; Herlihy, 2018), which requires both Alice and Bob to place their tokens in escrow. Any such protocol is safe for Alice in the narrow sense that if Bob deviates from the protocol, perhaps by abandoning the swap in the middle, then Alice gets her escrowed tokens back (minus fees). Alice still pays a price because she regains access to her escrowed tokens only after a substantial delay. Alice must then attempt another swap with another counterparty, exposing her to the same risk of inconvenience and delay. Roughly speaking, if Alice eventually succeeds on her k-th attempt, where each failed swap releases her escrowed tokens only after t hours, then Alice spends about (k-1)t hours acquiring her banana tokens.

Suppose instead that Alice sets up all k swaps together, and tentatively executes those swaps in parallel. Some swaps (tentatively) succeed and the rest fail. Alice chooses to commit one of the successful swaps (perhaps the one with the best exchange rate), and aborts the rest. As long as one tentative swap succeeds, Alice acquires her banana tokens with a worst-case delay of t, not (k-1)t.

Prior cross-chain swap protocols are atomic (all-or-nothing), but not robust: any component failure typically causes the entire exchange to abort, undoing any tentative changes. Alternative paths can be explored only sequentially, not in parallel. This paper proposes novel cross-chain swap protocols that allow parties to explore multiple complex trades in parallel, and to select some satisfactory subset of those trades to be completed.

Devising robust cross-chain swap protocols presents non-obvious challenges. In the apricot-to-banana token swap example, only Alice sets up alternative parallel swaps. What if Bob, too, wants alternatives? (Perhaps he buys banana tokens from Xerxes, or else from Zoe, and then resells them to Alice.) Can Bob and Alice’s parallel swap alternatives compose in a well-defined way? What if their choices interfere?

Prior cross-chain swap protocols (Herlihy, 2018; Herlihy et al., 2021; Yocom-Piatt, 2017; Shadab et al., 2020; Zie et al., 2019) typically ask participants to escrow their assets. If all goes well, the escrowed assets are redeemed by their new owners (the swap commits), but if something goes wrong, the escrowed assets are refunded to their original owners (the swap aborts). The “all-or-nothing” nature of these protocols prevents a party from redeeming only a subset of assets. (Some payment channels (Bagaria et al., 2020; Rahimpour and Khabbazian, 2021) do support robustness through redundant payments, but these are limited to one-way payments and do not support cyclic transfers as in swaps.)

In this paper, we propose two alternative protocols, ProtocolA and ProtocolB, for structuring composable and robust cross-chain swaps. These protocols make different trade-offs.

  • We propose a framework where participants can set up multiple tentative swaps and commit only a subset. Participants express their requirements as predicates. The overall exchange is feasible if all parties’ predicates are simultaneously satisfiable.

  • We translate the predicates to a system of locks controlled by hashes (Nolan, 2013).

  • ProtocolA has fast best-case completion time, but requires high collateral: each party must fund a separate escrow for each tentative swap, even though some swaps will abort.

  • ProtocolB has slower best-case completion time, but requires lower collateral: the same escrow can be used in multiple alternative swaps.

This paper is organized as follows. Section 2 describes the model, Section 3 elaborates our motivation, Section 4 introduces preliminaries for our proposed protocols. Section 5 describes challenges and some building blocks in proposed protocols. ProtocolA and ProtocolB appear in Section 6 and Section 7 respectively. Section 8 analyzes the protocols’ security and efficiency. Section 9 summarizes related work, and Section A.3 considers future directions.

2. Model of Computation

Although our problem is motivated by cross-chain asset exchanges, nothing in our protocols depends on specific blockchain technologies, or even whether ledgers are implemented as blockchains or some other kind of tamper-proof data store. The fundamental problem addressed here is how to conduct fault-tolerant and safe commerce among mutually-distrusting parties whose assets reside on multiple ledgers.

2.1. Ledgers and Contracts

A blockchain is a ledger (or database) that tracks ownership of assets. A blockchain is tamper-proof, meaning that it can be trusted to process transactions correctly and store data reliably. We assume blockchains support smart contracts (or contracts). A smart contract is a program residing on the blockchain that can own and transfer assets. Contract code and state are public. A contract must be deterministic because it is executed multiple times for reliability. A contract can read and write data on the same blockchain where it resides, and it can invoke functions exported by other contracts on the same blockchain, but it cannot directly access data or contracts on other blockchains. A party is a blockchain client, such as a person or an organization. A party can send transactions to be executed on the blockchain. When we say transactions, we mean transactions that happen on a single blockchain, including asset transfers, smart contract initialization, and calls to smart contract functions.

2.2. Communication Model

We assume a synchronous communication model where there is a known upper bound Δ on the time needed for a transaction issued by one party to be included and confirmed in a blockchain and to become visible to others. (The mining process that includes a transaction in a block and the confirmation of that block take non-trivial time; see (Poon and Dryja, 2016).) Local computation is considered instantaneous.

2.3. Fault Model

As mentioned, blockchains are assumed to be tamper-proof, and calls to smart contract functions are executed correctly. We rule out attacks on the blockchain itself, for example, denial-of-service attacks. Parties can be Byzantine, departing arbitrarily from any agreed-upon protocol. We do not assume Byzantine parties are rational: they may act against their own self-interest. Because smart contracts typically reject ill-formed transactions, Byzantine parties are limited in how they can misbehave.

2.4. Cryptographic Assumptions

We make standard cryptographic assumptions. We assume a computationally bounded polynomial-time adversary. The hash function in our scheme is collision-resistant. Each party is equipped with a public key and a private key, and the public keys are known to all. Participants use standard public-key algorithms, e.g., ECDSA (Johnson et al., 2001), to sign their transactions so that they cannot be forged. We use sig(m, u) to denote the signature generated by a party u when signing a message m with its secret key.

3. Motivation

Suppose Alice owns Xcoins and she wants to buy an NFT from Bob. However, Bob only accepts payment in Ycoins. Alice finds an intermediate party, Carol, who accepts her Xcoins and in exchange pays Ycoins to Bob. Since Alice does not want to hold Ycoins if the trade fails, the three of them need to swap their assets atomically: Alice pays Carol Xcoins, Carol pays Bob Ycoins, and Bob sends the NFT to Alice (shown in Figure 1(a); we call this Example I).

Figure 1. Two Motivational Examples: (a) Example I: Trade With Carol; (b) Example II: Trade With Carol and David.

Atomic swap protocols (Herlihy, 2018) are designed to handle this situation. They execute the tentative asset transfers with guaranteed atomicity: either all asset transfers happen, or no transfer happens.

Suppose that Carol is not that reliable and she crashes with 50% probability, but Alice and Bob want the trade to happen in a timely manner (the market might be very volatile). Alice and Bob can mitigate this problem by finding more trading partners (David) to boost their probability of success (Example II in Figure 1(b)). As long as one of the trading partners is responsive, the trade can succeed.

We call what a participant wants to achieve in a trade their motive, and a set of transactions that satisfies everyone’s motive a feasible swap. In Example I, Alice’s motive is to get the NFT from Bob while paying at most one Xcoin to Carol (she would be perfectly happy if she could get away with not paying), and in Example II, Alice’s motive is to get the NFT from Bob while paying at most one Xcoin to either Carol or David. Bob has similar motives in Example II. Carol and David have the same motive: either not doing any transaction or trading a Ycoin for an Xcoin. As a result, in Example I there is one feasible swap, but in Example II there are two distinct feasible swaps: Alice pays P Xcoins, P pays Bob Ycoins, and Bob sends the NFT to Alice, where P is either Carol or David.

There is no easy way to run an atomic swap protocol to achieve the desired outcome: one of the two feasible swaps being completed. Intuitively, trying each feasible swap sequentially will take too much time, but running them in parallel requires resource sharing between different instances of the protocol, which is non-trivial.

4. Preliminaries and Definitions

This section describes an existing atomic swap protocol, which lays the foundation for our proposed approaches. We start with the terminology of atomic swaps. The notation and terminology needed to define robust cross-chain swaps are also given in this section.

4.1. Directed Graphs

An atomic cross-chain swap is represented by a directed graph. A directed graph (or digraph) G = (V, A) is a set of vertices V and a set of arcs A ⊆ V × V. Each vertex represents a party, and each arc is labeled with an asset. A path from u to v in G is a sequence of arcs (v_0, v_1), ..., (v_{k-1}, v_k) where u = v_0, v = v_k, and each arc (v_i, v_{i+1}) ∈ A. A digraph is strongly connected if there is a path from any vertex to any other vertex.

An arc (u, v) represents a proposed asset transfer from party u to party v. All digraphs considered here are strongly connected, implying that all transfers are (perhaps indirect) exchanges. In real life, some exchanges may have off-chain components. For example, if Alice uses a token to pay for a sandwich, we would formally represent the off-chain food transfer as a “virtual” token transferred from the restaurant to Alice.

For brevity, when discussing a swap defined by a digraph, we use the terms vertex and party interchangeably. We use “arc (a, b)” as shorthand for “proposed transfer from party a to party b”, and we say an arc is triggered if that proposed transfer takes place.

4.2. Hashlocks, Hashkeys and Hashlock Circuits

Generally speaking, an atomic swap works in the following way: an asset is first escrowed and protected by locks, and then the asset is transferred to the recipient upon unlock. Here we describe the lock mechanism used in the atomic swap protocol described later.

Let Hash(.) be a collision-resistant hash function. A pair of values s and h, where s is a secret random value and h = Hash(s), forms a “lock and key” structure: a lock h can be unlocked when a key s such that h = Hash(s) is revealed. A hashlock is such a lock, augmented with more information in the hashkey to keep track of the propagation of the secret s on the graph.

Formally, a hashlock is a hash value h. The structure used to unlock hashlocks is called a hashkey. Given a digraph G = (V, A), a hashkey on an arc (u, v) is a triple (s, p, σ), where s is a randomly chosen value called a secret, and p is a path (u_0, ..., u_k) in the graph where u_0 = v and u_k is the party who chose s. σ is called a path signature, to which each party in the path p contributes a signature. Recall that sig(m, u) denotes the signature of a party u signing a message m with its secret key. σ is composed recursively: each party u_j in the path signs the signature of u_{j+1} as a message using its secret key. More formally,

(1)   σ = sig(sig(... sig(sig(s, u_k), u_{k-1}) ..., u_1), u_0)

A hashkey (s, p, σ) has a lifespan. The exact definition of the lifespan and more details can be found in the original paper (Herlihy, 2018). In short, the lifespan of the hashkey (s, p, σ) is linear in the length of the path: it times out at |p|Δ, where Δ is the upper bound on message delay defined in Section 2.2. (More precisely, it times out at (MaxPathLength(G) + |p|)Δ after the protocol starts; here we favor brevity over precision.)

We say a hashkey matches a hashlock if it can unlock the hashlock. On any arc (u, v), its hashlock h can be unlocked by a hashkey (s, p, σ) if and only if all of the following conditions hold: (1) h = Hash(s); (2) p is a path from v to the party who chose s; (3) σ is a valid path signature for s and p constructed as in Eq. 1; (4) the hashkey has not timed out. Roughly speaking, the hashkey structure guarantees that, if a hashlock h on an outgoing arc of u is unlocked, then h on all arcs entering u can be unlocked.
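To make these matching rules concrete, the following is a minimal sketch in Python, assuming SHA-256 as the collision-resistant hash and a toy keyed hash standing in for ECDSA path signatures; the parties A, B, C and all helper names are hypothetical.

import hashlib, os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def sig(message: bytes, party_key: bytes) -> bytes:
    # Stand-in for a real signature scheme: a keyed hash (an assumption, not ECDSA).
    return H(party_key + message)

# The leader chooses a secret s and publishes the hashlock h = Hash(s).
keys = {p: os.urandom(16) for p in ["A", "B", "C"]}  # hypothetical parties
s = os.urandom(32)
h = H(s)

# Path signature along p = (C, B, A), where A chose s, as in Eq. (1):
# sigma = sig(sig(sig(s, A), B), C).
sigma = sig(sig(sig(s, keys["A"]), keys["B"]), keys["C"])

def matches(hashlock, secret, path, path_sig, elapsed, delta):
    # Conditions (1)-(4): the hash matches, the signature chain verifies
    # (here by recomputation, since the toy scheme is symmetric), and the
    # hashkey has not exceeded its lifespan |p| * delta.
    if H(secret) != hashlock:
        return False
    expected = secret
    for party in reversed(path):  # innermost signer (the secret's owner) first
        expected = sig(expected, keys[party])
    if expected != path_sig:
        return False
    return elapsed <= len(path) * delta

print(matches(h, s, ["C", "B", "A"], sigma, elapsed=2, delta=1))  # True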

A hashlock circuit C(u, v) for an arc (u, v) is a formula linking hashlocks on that arc via the operators ∨, ∧, and ¬.

4.3. An Atomic Cross-Chain Swap Protocol

Here we describe a protocol  (Herlihy, 2018) that is atomic, but not robust. It does not support alternative swaps, but it does provide a starting point for developing robust protocols.

The swap is represented as a strongly connected directed graph G = (V, A), where each arc represents a proposed asset transfer. Each transfer along an arc is controlled by a contract. We say an asset is escrowed on an arc when the owner relinquishes control of the asset to the contract on the arc.

The protocol starts with a feedback vertex set (FVS), a set of vertices whose removal leaves the graph without cycles. The vertices in the FVS are called leaders, the rest followers. At the beginning, each leader l_i chooses a random secret s_i and constructs the hashlock h_i = Hash(s_i). After the hashlocks are distributed among the leaders, the protocol can start running on the blockchains. Each contract/arc is associated with a hashlock circuit C = ⋀_{l_i ∈ FVS} h_i to protect the escrowed asset. When a hashlock is unlocked, it evaluates to true, and when the hashlock circuit evaluates to true, the asset is redeemed by the proposed recipient. We say an arc is triggered when the asset is redeemed.

An overview of the protocol is shown in Figure 2. The protocol consists of two phases: the Escrow phase and the Redeem phase. Note that a transaction sent to a blockchain is included on the blockchain and observed by others within Δ.

In the Escrow phase, each leader escrows their assets on all outgoing arcs (Leader Step a). Then the leaders wait for their incoming arcs to be escrowed before they enter the Redeem phase (Leader Step b). Followers first wait until all their incoming arcs are escrowed (Follower Step a), then they escrow their assets on their outgoing arcs (Follower Step b).

The total amount of assets escrowed by a party is called the party’s collateral. During the Escrow phase, if an expected escrow does not arrive within a reasonable time, the party should simply abort the protocol.

In the Redeem phase, hashkeys are sent to the contracts that manage the assets to unlock hashlocks. For a leader l_i, once it has observed that all its incoming assets are escrowed, it constructs a hashkey (s_i, l_i, sig(s_i, l_i)) and sends it to the contracts representing all its incoming arcs (Leader Step c). The hashlock h_i associated with those contracts can be unlocked upon receiving (s_i, l_i, sig(s_i, l_i)). Then both leaders and followers propagate the secrets (Leader Step d and Follower Step c) using the hashkey structure. For a party u, when a hashlock on one of its outgoing arcs is unlocked by a hashkey (s, p, σ), it can construct and send the hashkey (s, u||p, sig(σ, u)) to all contracts managing its incoming arcs to unlock the same hashlock.

The hashkey mechanism guarantees that if any party observes a matching hashkey sent to its outgoing arc, there is one more Δ allowing it to send a new matching hashkey to all of its incoming arcs. If all secrets are propagated correctly, all hashlocks are unlocked, and all the assets will be redeemed.

There is an additional time-out structure that ensures assets cannot be escrowed forever, which is described in the original paper (Herlihy, 2018). In short, if a hashlock can no longer be unlocked, the asset is refunded.

In summary, the atomic swap protocol satisfies liveness: if all parties conform, all asset transfers happen. It also satisfies safety: a conforming party u’s assets are all refunded if u does not receive all its incoming assets. Because of these properties, we call atomic swaps all-or-nothing swaps.

Figure 2. The Atomic Swap Protocol

4.4. Predicates

The directed graph formalism suffices to describe all-or-nothing swaps, where success means all proposed transfers take place. We now define a way to describe swaps where parties also accept outcomes where only a subset of the proposed swaps take place.

We first define a boolean variable v on each arc. v is true if the transfer it represents takes place, and false otherwise. An acceptable outcome for a party x can be represented by a boolean predicate over its incoming and outgoing arcs. Suppose party x has incoming arcs i_1, i_2 and outgoing arcs o_1, o_2, and x wants to exchange o_1 for i_1, or o_2 for i_2. Naively, one would construct the predicate as (o_1 ∧ i_1) ∨ (o_2 ∧ i_2). Looking at it closely, this predicate has two problems. First, it does not capture safety. When o_1 ∧ i_1 is true, this predicate is true even if o_2 is true, but that would mean x is paying both o_1 and o_2, i.e., x overpays. Second, it does not allow x to accept a greedy outcome. If i_1 is true and all other arcs are false, the outcome is perfectly acceptable to x, but the predicate evaluates to false in this situation.

To capture expected exchanges (liveness) and safety requirements, and to allow greediness, each party has liveness and safety requirements, characterizing acceptable outcomes in the (partial) success and failure cases respectively. First, we consider safety requirements. For each possible outgoing asset, there is an associated income predicate. It captures the payoff the party must receive, at a minimum, to be safe if it pays that asset. Note that a participant may want some exchanges to happen atomically, for example, refusing to pay an asset unless it receives an entire bundle of other assets, even though receiving a subset of them would already give a better payoff. This is also characterized as a safety requirement. The safety requirement for party x is given by a predicate S_x.

In Example I, we use the arc “(a, c)” as shorthand for “the asset labeling arc (a, c) is transferred from party a to party c”. Alice’s safety predicate is

S_a := (a, c) ⟹ (b, a),

meaning that if Alice transfers her assets to Carol (“(a, c)”) then Bob transfers his assets to her (“(b, a)”). Importantly, Alice can be greedy. Her predicate is satisfied if she gets something for nothing: that is, if Bob pays her but she somehow does not pay Carol. This predicate is also satisfied if no payments are made, an outcome that Alice may not prefer, but considers acceptable because it leaves her no worse off. The no-payment scenario incentivizes Alice to try alternatives.

Formally, for every asset γ that a party x may pay, there is an income predicate I_x^γ. In addition, there is a predicate O_x over those outgoing payments to make sure x does not overpay; for example, the predicate may require that at most two of three outgoing assets are paid.

In Example II, Alice’s predicate is

S_a := ((a, c) ⟹ (b, a)) ∧ ((a, d) ⟹ (b, a)) ∧ ¬((a, c) ∧ (a, d)).

The first two clauses say that if Alice pays either Carol or David, then she gets Bob’s NFT in exchange, and the third clause says that Alice does not want to pay both.

In general, if party x has potential exchanges with parties u_1, ..., u_k, then x’s safety predicate has the form:

S_x := (⋀_{i=1}^{k} ((x, u_i) ⟹ I_x^{(x, u_i)})) ∧ O_x,

where each implication clause states that if x pays u_i it gets the agreed-upon amount in return, and the final clause limits how many of the outgoing payments (x, u_i) can be true. For example, O_x might say “no more than one of the k transfers can occur”, or “no more than m”, or “at least m”, and so on.

Next, we consider liveness requirements. The liveness requirement for party x is given by a predicate L_x. First, the liveness predicate contains the safety predicate, since safety should always hold. In addition to safety, liveness characterizes that something good should happen: one of the income predicates that x specified in its safety requirements should be true. That is,

L_x := S_x ∧ (⋁_{i=1}^{k} I_x^{(x, u_i)})

The predicate for each party x is denoted P_x, and it consists of the two predicates L_x and S_x. Unless otherwise specified, P_x means S_x, since S_x should always be true, while, reasonably, L_x need only be true once a party completes an asset transfer. Thus, L_x is implicit in P_x: if a party transfers an asset to someone, one of its income predicates in S_x must be true.
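As an illustration, here is a minimal sketch of encoding a party’s safety and liveness predicates as Boolean functions over an arc assignment, using Example II from Section 3; the arc names and helper functions are assumptions for this sketch, not part of the protocol.

def implies(p, q):
    return (not p) or q

def safety(assignment, outgoing, income_preds, out_pred):
    # S_x := AND_i ( (x,u_i) => I_x^{(x,u_i)} ) AND O_x
    clauses = all(implies(assignment[o], income_preds[o](assignment))
                  for o in outgoing)
    return clauses and out_pred(assignment)

def liveness(assignment, outgoing, income_preds, out_pred):
    # L_x := S_x AND ( OR_i I_x^{(x,u_i)} )
    return (safety(assignment, outgoing, income_preds, out_pred)
            and any(income_preds[o](assignment) for o in outgoing))

# Example II: Alice pays Carol ("ac") or David ("ad"), expects Bob's NFT
# ("ba") in return, and refuses to pay both.
income = {"ac": lambda a: a["ba"], "ad": lambda a: a["ba"]}
o_pred = lambda a: not (a["ac"] and a["ad"])
outcome = {"ac": True, "ad": False, "ba": True}
print(safety(outcome, ["ac", "ad"], income, o_pred))    # True
print(liveness(outcome, ["ac", "ad"], income, o_pred))  # True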

4.5. Example

Suppose Alice would like to exchange 1 Xcoin for 1 Ycoin. She sets up alternative trades with Bob and Carol, but she is willing to trade with only one of them. Bob expects to exchange 1 Ycoin for 1 Xcoin, with either Alice or Carol, but not both. Carol is willing to trade with Alice, or Bob, or both.

Figure 3. Example of a Swap With Predicates

The predicates are as follows. For brevity, arcs are labeled as shown in Figure 3. (For example, a_1 is the arc from Alice to Bob.)

Alice: P_a := (a_1 → b_1) ∧ (a_2 → c_1) ∧ ¬(a_1 ∧ a_2)
Bob: P_b := (b_1 → a_1) ∧ (b_2 → c_2) ∧ ¬(b_1 ∧ b_2)
Carol: P_c := (c_1 → a_2) ∧ (c_2 → b_2)

5. Roadmap and Building Blocks

This section describes a roadmap to devise a robust cross-chain swap protocol, the challenges, and the building blocks from which we construct our approaches.

5.1. Roadmap

A robust cross-chain swap can be described by a digraph G = (V, A) accompanied by a set of predicates from all participants. Each arc in G is a proposed asset transfer. An arc is set to true if the asset transfer happens. A predicate is satisfied if it evaluates to true. Is there a trade that satisfies every party’s predicate? Whether such a trade exists is the satisfiability problem. If not, then the proposed trade is infeasible.

We should first find solutions that satisfy all parties’ predicates. A solution s is an assignment of a Boolean to each arc that satisfies all parties’ predicates. (The trade where no assets are transferred is acceptable to all parties, but we exclude that solution as trivial.) For example, here is one possible solution for the digraph shown in Figure 3:

{a_1 ↦ true, a_2 ↦ false, b_1 ↦ true, b_2 ↦ false, c_1 ↦ false, c_2 ↦ false}

After finding solutions, we can map them to feasible swaps. In each solution s, we look at the set of arcs that s assigns to true, which forms a digraph denoted G_s. The set of transfers in G_s, if executed atomically, will satisfy all parties. Such a digraph G_s is called a feasible swap, or an alternative.
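The following minimal sketch finds the feasible swaps of the Figure 3 example by brute force over all arc assignments; an all-SAT solver would replace the exhaustive loop at larger scale, and the helper names are hypothetical.

from itertools import product

def implies(p, q):
    return (not p) or q

def feasible_swaps(arcs, predicates):
    # arcs: list of arc names; predicates: one Boolean function per party.
    solutions = []
    for values in product([False, True], repeat=len(arcs)):
        a = dict(zip(arcs, values))
        if any(a.values()) and all(p(a) for p in predicates):
            # the arcs assigned true form the swap digraph G_s
            solutions.append(sorted(arc for arc, v in a.items() if v))
    return solutions

# Arcs of Figure 3: a1 (Alice->Bob), a2 (Alice->Carol), b1 (Bob->Alice),
# b2 (Bob->Carol), c1 (Carol->Alice), c2 (Carol->Bob).
arcs = ["a1", "a2", "b1", "b2", "c1", "c2"]
P_a = lambda a: implies(a["a1"], a["b1"]) and implies(a["a2"], a["c1"]) and not (a["a1"] and a["a2"])
P_b = lambda a: implies(a["b1"], a["a1"]) and implies(a["b2"], a["c2"]) and not (a["b1"] and a["b2"])
P_c = lambda a: implies(a["c1"], a["a2"]) and implies(a["c2"], a["b2"])
for g in feasible_swaps(arcs, [P_a, P_b, P_c]):
    print(g)  # e.g. ['a1', 'b1'] is the solution shown above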

If there is more than one such feasible swap, it is tempting to execute all the alternatives in parallel, because some alternatives might fail. The following describes challenges that arise if we try to execute the alternatives in parallel.

5.2. Challenges

  (1) Alternatives may conflict: in one solution, Alice pays Bob and not Carol, but in another, she pays Carol and not Bob. Completing both swaps would cause Alice to overpay.

  (2) Alternatives may charge twice for the same transfer: if there are two solutions in which Alice pays Bob, then Alice has to escrow the same amount of assets twice. Alice’s collateral would exceed the value of the assets she trades away.

  (3) Trades are not independent when one alternative’s digraph is a subgraph of another. For example, Figure 4 shows two solutions. In s_1, Alice and Carol trade only with one another, setting only a_2, c_1 to true. Suppose Alice is the only leader. In s_2, Alice trades with Carol, and Carol with Bob, setting a_2, c_1, b_2, c_2 to true. Suppose Alice and Bob are leaders. To complete both alternatives, Alice would have to create and release secrets for both s_1 and s_2. She might not have an incentive to participate in s_2, since that alternative provides her no additional robustness.

Figure 4. A solution is part of another solution
Figure 5. DAG Representation of Solutions

5.3. Building Blocks in Proposed Protocols

To tackle the challenges, we first describe some concepts and building blocks for our proposed protocols.

5.3.1. Mapping Arc Assignments to Swap Digraphs

A robust cross-chain swap is described by a predicated directed graph, defined as (𝒫, G), where G is the digraph of all proposed transfers, and 𝒫 is the set of all parties’ requirements. ϕ(𝒫) denotes the conjunction of the predicates p ∈ 𝒫:

ϕ(𝒫) = ⋀_{p ∈ 𝒫} p.

Given a digraph G = (V, A), an assignment is a map α : A → {true, false} that assigns a Boolean to each arc. For any assignment α, ϕ(𝒫)(α) denotes the value of ϕ(𝒫) under assignment α. A solution s is an assignment where ϕ(𝒫)(s) = true. A swap digraph G_s contains the set of arcs that s assigns to true, denoted

G_s = {(a, b) ∈ A | (a, b) ↦ true ∈ s}.

One G_s may be a subgraph of a larger graph G_{s′}. We define this relation as inclusion ⊊.

Definition 1.

Inclusion ⊊. Consider solutions s, s′ where ϕ(𝒫)(s) = ϕ(𝒫)(s′) = true, with G_s = (V_s, A_s) and G_{s′} = (V_{s′}, A_{s′}). If V_s ⊆ V_{s′} and A_s ⊊ A_{s′}, then we say s ⊊ s′.
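A minimal sketch of checking inclusion, representing each solution by its set of true arcs (the arc tuples below are hypothetical):

def vertices(arc_set):
    # every arc (a, b) contributes its endpoints to V_s
    return {v for arc in arc_set for v in arc}

def included(s, s_prime):
    # s ⊊ s' : V_s ⊆ V_{s'} and A_s is a proper subset of A_{s'}
    return vertices(s) <= vertices(s_prime) and s < s_prime

s1 = {("a", "c"), ("c", "a")}                          # Alice and Carol only
s2 = {("a", "c"), ("c", "a"), ("b", "c"), ("c", "b")}  # also Bob and Carol
print(included(s1, s2), included(s2, s1))  # True False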

5.3.2. Redundancy Providers

Some parties may prepare redundant trades for fault tolerance even though they do not intend to complete all of those trades.

Definition 2.

Let (𝒫, G) be a predicated directed graph, and x a vertex in G. If there are solutions s_1, s_2, where x ∈ V_{s_1} and x ∈ V_{s_2}, such that ϕ(𝒫)(s_1) = ϕ(𝒫)(s_2) = true, but setting all the arcs in G_{s_1} and G_{s_2} to true makes P_x = false, then s_1 and s_2 are called conflicting solutions, and x is called a redundancy provider.
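A minimal sketch of this test on Example II, with hypothetical arc names: set every arc of both solutions to true and re-evaluate the party’s predicate.

def implies(p, q):
    return (not p) or q

# Example II: s1 trades via Carol, s2 trades via David; "ba" is Bob's NFT arc.
arcs = ["ac", "ad", "cb", "db", "ba"]
s1 = {"ac", "cb", "ba"}
s2 = {"ad", "db", "ba"}

# Alice's predicate: pay Carol or David only if the NFT arrives, never both.
P_alice = lambda a: (implies(a["ac"], a["ba"]) and implies(a["ad"], a["ba"])
                     and not (a["ac"] and a["ad"]))

# Setting every arc of G_{s1} and G_{s2} to true violates P_alice, so s1 and
# s2 are conflicting solutions and Alice is a redundancy provider.
union = {arc: (arc in s1 or arc in s2) for arc in arcs}
print(P_alice(union))  # False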

5.3.3. Swap Schemes

Next we describe a swap scheme derived from the atomic swap protocol  (Herlihy, 2018) with minor changes, which lays the foundation for the robust protocols defined later.

A swap scheme is a tuple (G, ℋ), where G is a digraph and ℋ the set of hashlocks on each arc. The circuit C = ⋀_{h ∈ ℋ} h denotes that all hashlocks in ℋ need to be unlocked to trigger any arc. Each arc has the same hashlock set ℋ. In a swap scheme, a swap (G, ℋ) is executed in two sequential phases: the Escrow Phase (denoted Swap.Escrow(G, ℋ)) and the Redeem Phase (denoted Swap.Redeem(G, ℋ)).

Compared to the original swap protocol (Herlihy, 2018) described in Section 4, the only difference in our swap scheme is that the set ℋ in the original scheme consists of the hashlocks generated by leaders, while in ours, ℋ also contains hashlocks generated by redundancy providers. As a result, in the Redeem Phase, redundancy providers also send their hashkeys as leaders do.

The interface we defined in the swap scheme works as follows.

  • Swap.Escrow(G, ℋ)

    • The same as the original swap protocol.

  • Swap.Redeem(G, ℋ)

    • If x is a leader or a redundancy provider, it sends hashkeys as a leader does in the original swap protocol.

    • Once any party x receives a hashkey on one of its outgoing arcs, it sends a new hashkey to its incoming arcs as in the original swap protocol.

We intend to run different swap schemes in parallel. Here we define a maximal set of compatible schemes that can be completed.

Definition 3.

A maximal set of schemes. A set of schemes is maximal if no two schemes in the set conflict, and no new swap scheme can be added to the set without conflicting with some existing scheme.

5.4. Two Protocols and a Trade-off

We propose two novel protocols for composable and robust cross-chain swaps. These protocols make different trade-offs: one optimizes for time at the cost of higher collateral, and the other makes the opposite choice.

ProtocolA prioritizes time over collateral. In the best case, when all parties conform to the protocol and avoid delays, the trade can be completed in a short time. In the worst case, when all trades fail, the parties’ assets are refunded quickly. The catch is that parties must provide higher collateral: parties must create separate escrows for each alternative, temporarily tying up more assets than are eventually traded.

ProtocolB prioritizes collateral over time. A party can use a single escrow for multiple alternatives. The catch is that the trade takes longer to settle: transfers require a hard timeout even when all parties conform to the protocol and avoid unnecessary delay. ProtocolB also provides more fault-tolerance than ProtocolA. See Section A.2 for more details.

6. ProtocolA: Higher Collateral

6.1. Overview

This section describes ProtocolA, a protocol that favors time over collateral. Given a predicated digraph (𝒫, G), we first find a set of solutions s_1, ..., s_k by identifying sets of arcs such that executing the trades on those sets satisfies ϕ(𝒫). Such solutions can be generated by an all-SAT solver (Toda and Soh, 2016; Yu et al., 2014; Toda, 2015), though it may not be necessary to identify all solutions. The parties run these solutions in parallel. The following summarizes ProtocolA.

  • To control conflicting trades, each redundancy provider uses distinct hashlocks in distinct solutions. In the Redeem Phase, that party can choose which hashlocks to unlock.

  • A party can add additional hashlocks after an asset is escrowed, allowing overlapping arcs in different solutions, indexed by their hashlocks.

  • If G_{s_1} ⊊ G_{s_2}, then the hashlocks on G_{s_1} are reused in G_{s_2}.

6.2. Detailed Construction

First, the parties set up a mutually agreeable trade and express their requirements in the form of predicates, yielding a predicated digraph (𝒫, G). We assume the predicates are reasonable; if not, a party can be rejected from the trade. A preliminary Market Clearing Phase decides which swaps are feasible and which hashlocks to use in each swap.

6.2.1. Market Clearing Phase

Find solutions

Given (𝒫, G), the first step is to find a set of solutions acceptable to all parties, perhaps by applying an all-SAT solver to ϕ(𝒫), yielding assignments α for which ϕ(𝒫)(α) evaluates to true. If we do not need all solutions, we can stop after finding enough assignments. Suppose we have found k solutions S = {s_i | ϕ(𝒫)(s_i) = true, i ∈ [1, k]}. We rule out solutions whose digraphs are not strongly connected, since if the graph is not strongly connected, some rational parties have an incentive to deviate (Herlihy, 2018).

Sort solutions

Each digraph G_{s_i} corresponds to a swap, and we construct schemes to execute each swap as the atomic swap protocol does. Since we plan to reuse hashlocks when some solutions s, s′ satisfy s ⊊ s′, solutions are sorted by inclusion. This can be done trivially by comparing each pair of solutions (s_i, s_j). We use a directed graph T to depict their relation (Figure 5), where an arc from s_i to s_j means s_i ⊊ s_j. T is a directed acyclic graph (DAG) since ⊊ is a strict (irreflexive) order. In Figure 5, each node is a solution and each arc is a ⊊ relation. For example, s_1 ⊊ s_4 ⊊ s_5. If one solution, say s_8, is reachable from another solution, say s_1, then s_1 ⊊ s_8. (There is no need for a direct arc (s_1, s_8), since inclusion can be inferred.) Note that if there is an arc (s, s′) in T, then no s″ exists such that s ⊊ s″ ⊊ s′. If one solution is not reachable from another, then those solutions are incomparable.

We call solutions that are not reachable from any other solution root solutions. The solutions they reach directly are called their children. Solutions that do not reach other solutions are called leaves. A path to a leaf node v is denoted q = [v_0, ..., v], where v_0 is a root node and v is reachable from v_0. In the graph T, the set of all paths from roots to reachable leaf nodes is denoted Q(T(S)), where T(S) is the DAG of the solutions in the set S.
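A minimal sketch, with hypothetical solution names, of sorting solutions into the inclusion DAG T and enumerating the root-to-leaf paths Q(T(S)) used below:

def build_dag(solutions):
    # solutions: dict name -> set of arcs; returns the child adjacency of T,
    # keeping an arc (a, b) only when no c lies strictly between them.
    edges = {name: set() for name in solutions}
    for a, sa in solutions.items():
        for b, sb in solutions.items():
            if a != b and sa < sb:
                if not any(sa < sc < sb for c, sc in solutions.items() if c not in (a, b)):
                    edges[a].add(b)
    return edges

def root_to_leaf_paths(edges):
    # Q(T(S)): every path from a root (no incoming arc) to a leaf (no outgoing arc).
    roots = [v for v in edges if all(v not in kids for kids in edges.values())]
    paths = []
    def walk(v, path):
        if not edges[v]:
            paths.append(path)
        for child in edges[v]:
            walk(child, path + [child])
    for r in roots:
        walk(r, [r])
    return paths

S = {"s1": {("a", "c"), ("c", "a")},
     "s2": {("a", "c"), ("c", "a"), ("b", "c"), ("c", "b")}}
T = build_dag(S)
print(T)                      # {'s1': {'s2'}, 's2': set()}
print(root_to_leaf_paths(T))  # [['s1', 's2']]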

Assign hashlocks

After sorting the solutions in S, we are ready to assign hashlocks to each swap digraph G_s = (V_s, A_s) where s ∈ S.

We first assign hashlocks to the root solutions. For any root solution s, if the corresponding G_s is cyclic, then, as in the atomic swap protocol, we choose a feedback vertex set (FVS). The vertices in the FVS are called leaders ℒ. Although finding a minimum feedback vertex set is NP-complete, there exists an efficient 2-approximation (Becker and Geiger, 1996). Recall that two exchanges are conflicting if there exists a party x such that P_x = false if both exchanges are completed. We identify the set of redundancy providers RP by checking whether a party x is involved in two such conflicting solutions. The set of hashlock generators is HG = RP ∪ ℒ. Each party x ∈ HG generates a hash h_x^s = Hash(θ_x^s), meaning the hashlock used for solution s generated by party x, with secret θ_x^s. For all arcs in solution s, the set of hashlocks is ℋ_s = {h_x^s : x ∈ HG} and the corresponding circuit is C_s = ⋀_{h ∈ ℋ_s} h.

After assigning hashlocks for the root solutions, we move to their children, which reuse the hashlocks of their parents. Note that a root can have multiple children, and a child can have multiple parents. For this reason, a solution’s hashlock may be used by multiple children, and a solution may reuse hashlocks from multiple parents. From each root node in the graph T, we search all paths from the root through its children until a leaf. A path is denoted q = [s_0, s_1, s_2, ..., s_k], where each s_i denotes a node and s_0 is a root node. For ease of exposition, we write (G_s, ℋ_{s,q}) to mean that all arcs in G_s are assigned the hashlock set ℋ_{s,q} for solution s on the path q. For root solutions, ℋ_{s,q} is the same for all q; for a non-root node s, ℋ_{s,q} may differ across paths q.

Starting with a root solution s_0, we assign hashlocks for the solutions reachable from s_0. Here we show how to assign hashlocks for the solutions on a path q = [s_0, s_1, s_2, ..., s_k] starting from s_0. For i ∈ [1, k], assume s_{i-1} is associated with the hashlock set ℋ_{s_{i-1},q}. Then, for s_i, the hashlocks are set using the following steps (a sketch of this construction appears after the list).

  • Compute G_{s_i ∖ s_{i-1}} = A_{s_i} ∖ A_{s_{i-1}} and find the hashlock generators for G_{s_i ∖ s_{i-1}}. We also write s_i ∖ s_{i-1} for G_{s_i ∖ s_{i-1}} when there is no confusion.

    • If G_{s_i ∖ s_{i-1}} is acyclic, then no leader is introduced.

    • If G_{s_i ∖ s_{i-1}} is cyclic, then new leaders in G_{s_i ∖ s_{i-1}} are chosen. Denote by ℒ_{s_i ∖ s_{i-1}} the set of leaders in G_{s_i ∖ s_{i-1}}.

    • If redundancy providers are introduced in G_{s_i ∖ s_{i-1}}, then they are added. Let RP_{s_i ∖ s_{i-1}} denote the redundancy providers in G_{s_i ∖ s_{i-1}}.

    • The new hashlock generators are HG_{s_i ∖ s_{i-1}} = ℒ_{s_i ∖ s_{i-1}} ∪ RP_{s_i ∖ s_{i-1}}.

  • Each party in HG_{s_i ∖ s_{i-1}} generates a new hashlock. The set of hashlocks generated is denoted ℋ_{s_i ∖ s_{i-1}}.

  • The hashlock set for G_{s_i} on the path q ∈ Q(T(S)) is ℋ_{s_i,q} = ℋ_{s_{i-1},q} ∪ ℋ_{s_i ∖ s_{i-1}}.
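The sketch below walks one path of the DAG and accumulates the hashlock sets step by step; the party names and the precomputed generator sets are assumptions made for illustration.

import hashlib, os

def new_hashlock():
    # a fresh secret theta and its hashlock h = Hash(theta)
    secret = os.urandom(32)
    return hashlib.sha256(secret).digest(), secret

def assign_hashlocks(path, generators):
    # path: [s0, s1, ..., sk] in the inclusion DAG.
    # generators[s]: parties that must generate a fresh hashlock for s \ s_{i-1}
    # (new leaders plus new redundancy providers); assumed precomputed.
    locks_on_path = {}
    carried = {}  # hashlocks reused from the parent
    for s in path:
        for party in generators[s]:
            carried[(party, s)] = new_hashlock()[0]
        locks_on_path[s] = dict(carried)  # H_{s,q} = H_{parent,q} plus the fresh locks
    return locks_on_path

# Hypothetical path: the root s1 needs hashlocks from its leader Alice and
# redundancy provider Bob; the child s2 adds only a new leader, Carol.
generators = {"s1": {"Alice", "Bob"}, "s2": {"Carol"}}
for s, locks in assign_hashlocks(["s1", "s2"], generators).items():
    print(s, sorted(party for party, _ in locks))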

6.2.2. Execute the protocol on chain

After assigning hashlocks for the solutions, each solution s can be described as a set of swap schemes Swap(G_s, ℋ_{s,q}), for all q ∈ Q(T(S)). Those swap schemes can be executed in parallel on chain. Denote the solutions output by the all-SAT solver as S = {s_1, ..., s_k}.

For each party x, we first find all solutions involving it, i.e., those with x ∈ V_{s_i}. Then, for each such solution, x executes a separate swap scheme Swap(G_{s_i}, ℋ_{s_i,q}) for all q ∈ Q(T(S)), in three phases called Escrow, Select, and Redeem.

Escrow Phase

Each party in Swap(G_{s_i}, ℋ_{s_i,q}) runs Swap.Escrow(G_{s_i}, ℋ_{s_i,q}) in parallel. If an asset is already escrowed, it is not escrowed again. Instead, the asset’s circuit is updated with an OR gate: C_{s_i,q} ∨ C_current, where C_current denotes the current hashlock circuit on the arc, and C_{s_i,q} is the hashlock circuit for Swap(G_{s_i}, ℋ_{s_i,q}), the conjunction of all hashes in ℋ_{s_i,q}. Symmetrically, parties do not require incoming assets to be escrowed twice, only that the hashlock circuits on those incoming assets are updated to C_{s_i,q} ∨ C_current. A party can update the hash circuit on its outgoing arc with an OR gate, since doing so only adds more ways for the asset to be redeemed and does not affect the ability to redeem using the current circuit.
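A minimal sketch of this circuit update, modeling a circuit as a function of the set of unlocked hashlocks; the hashlock names are hypothetical.

def conjunction(hashlocks):
    # C_{s,q}: all hashlocks of the scheme must be unlocked
    return lambda unlocked: all(h in unlocked for h in hashlocks)

def or_update(current, new):
    # escrow-phase update on an already-escrowed asset: C_new OR C_current
    return lambda unlocked: current(unlocked) or new(unlocked)

C_current = conjunction({"h_A_s1", "h_B_s1"})        # hypothetical hashlocks
C_s2 = conjunction({"h_A_s1", "h_B_s1", "h_C_s2"})   # s2 reuses s1's locks
circuit = or_update(C_current, C_s2)
print(circuit({"h_A_s1", "h_B_s1"}))  # True: s1's clause alone can redeem
print(circuit({"h_C_s2"}))            # False: s2 also needs s1's locks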

Select Phase

After the escrow phase is finished, the parties select which swap schemes should proceed, since some swap schemes conflict and not all of them can be completed. First, redundancy providers run an agreement procedure to decide which set of swap schemes they would like to complete. The agreement procedure is not the main focus of the protocol; here we give an algorithm to reach agreement without considering its efficiency.

A redundancy provider is randomly chosen as a proposer. That party proposes a maximal set of compatible schemes S_c (which can be generated by a greedy algorithm) from all swap schemes in which no party deviated in the escrow phase. The remaining redundancy providers are voters, who vote on whether to complete those schemes. If the proposer is conforming, S_c should be acceptable to all of them, and conforming voters should all vote yes. If some voters do not vote yes on a scheme, that scheme is removed from S_c. Another round lets the proposer add schemes to S_c to make sure S_c is maximal. The role of the proposer can also be played by a program shared among all parties, which observes all escrows on the chain and deterministically outputs a maximal set of schemes S_c; redundancy providers then vote on each scheme in this set S_c. The search for S_c ends when all redundancy providers vote yes on each proposed swap scheme, or when no new swap scheme can be added to S_c. For fast settlement, this procedure can run on the side; for example, once the escrow phase of a swap scheme s_1 is completed, the procedure can start deciding whether to complete that swap.
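A minimal sketch of the greedy construction of a maximal compatible set S_c mentioned above, assuming only a pairwise conflict test between schemes; the scheme names are hypothetical.

def greedy_maximal(schemes, conflicts):
    # scan schemes (e.g. in preference order) and keep every scheme that does
    # not conflict with one already chosen; the result cannot be extended.
    chosen = []
    for s in schemes:
        if all(not conflicts(s, t) for t in chosen):
            chosen.append(s)
    return chosen

# Hypothetical conflicts: completing both s1 and s2 would make Alice overpay.
conflict_pairs = {frozenset({"s1", "s2"})}
conflicts = lambda a, b: frozenset({a, b}) in conflict_pairs
print(greedy_maximal(["s1", "s2", "s3"], conflicts))  # ['s1', 's3']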

Redeem Phase

After S_c is chosen by the redundancy providers, the parties proceed as follows. We use a tuple (s, q) to denote the swap scheme Swap(G_s, ℋ_{s,q}). A leader or redundancy provider x needs extra consideration before it proceeds to the redeem phase for a scheme (s, q) ∈ S_c, because of the reuse of hashlocks. It proceeds in Swap(G_s, ℋ_{s,q}) only if the hashlock h that x generated for (s, q) satisfies the following: for every Swap(G, ℋ) with h ∈ ℋ, x has received all incoming escrows in Swap(G, ℋ). Otherwise, it does not proceed. This requirement guarantees that, if a leader or redundancy provider releases a hashkey for a hashlock h, and any of its outgoing arcs is triggered in any scheme Swap(G_s, ℋ) that uses h, then it can obtain the assets on its incoming arcs in that scheme, leaving it no worse off. See more analysis in Section A.1. If x is not a leader or redundancy provider, no extra consideration is required before it proceeds. For each selected swap scheme Swap(G_{s_i}, ℋ_{s_i,q}), those who proceed run Swap.Redeem(G_{s_i}, ℋ_{s_i,q}).

An escrowed asset can be redeemed by the counterparty if its hashlock circuit evaluates to true, where we assign true to hashlocks that have been unlocked and false to the rest. Recall that the circuit is composed of the disjunction of the hashlock circuits of the independent swap schemes. That means that if the circuit of any independent swap scheme evaluates to true, the swap happens.

7. ProtocolB: Lower Collateral

Suppose Alice wants to exchange one apricot token for one banana token. Using ProtocolA, Alice sets up tentative trades with Bob, Carol, and David. She must escrow three apricot tokens, one for each possible trade. In the end, she will commit one trade, spending one token, and cancel the rest, reclaiming the other two tokens. Nevertheless, she must have three tokens at hand to provide collateral for the alternative trades.

In this section, we describe ProtocolB, a protocol that allows Alice to provide collateral for all three alternatives with the same token. The catch is that ProtocolB requires a hard timeout to complete the trade. In both the best and worst cases, ProtocolB takes time 4Δ (each swap takes four rounds, where Δ is the upper bound on message delay per round), while ProtocolA requires less time, since participants can complete an alternative immediately after its escrow phase is completed. Note that even with a hard timeout, ProtocolB requires less time than attempting the alternative trades sequentially.

7.1. Overview

Here is a high-level sketch of ProtocolB.

We focus on the differences between ProtocolA and ProtocolB in the description.

Predicates reflect the reuse of assets.

To start, parties express their exchange requirements just as for ProtocolA. The difference between ProtocolA and ProtocolB is that, in ProtocolA, each arc represents a unique asset, while in ProtocolB, some arcs can represent the same asset, e.g., one token reused on multiple arcs. To accommodate that change, each participant provides an additional predicate: for different arcs that represent the same asset, at most one of them is assigned true. Given the participants’ new predicates, we find assignments that satisfy all the predicates.

Solutions are sorted by preferences.

Suppose there are k solutions. We assign hashlocks as in ProtocolA (the definition of redundancy providers changes slightly, as explained later). For an asset that has multiple possible recipients, solutions are sorted according to the participants’ preferences to indicate who has priority to get the asset. For example, if Alice’s escrowed asset a_1 is transferred to Bob in swap1 but transferred to Carol in swap2, then Alice, Bob, and Carol rank swap1 and swap2 by preference.

Circuits use negations to indicate preferences.

Suppose swap1 is preferred over swap2, and the circuits for those swaps are C_1 and C_2, respectively. Each circuit also indicates the recipient when it evaluates to true. To implement this priority, the circuit on the escrowed asset a_1 would be (¬C_1 ∧ C_2) ∨ C_1, indicating that if C_1 evaluates to true, swap1 is completed, and swap2 is completed only if C_1 evaluates to false.
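A minimal sketch of evaluating this priority circuit; the single-hashlock circuits and the flag modeling whether C_1 can still be unlocked are assumptions for illustration.

def priority_recipient(C1, C2, unlocked, c1_can_still_unlock):
    # (not C1 and C2) or C1 on a reused asset: swap1's recipient wins if C1
    # unlocks; swap2's recipient can claim only once C1 can no longer unlock.
    if C1(unlocked):
        return "swap1 recipient"
    if not c1_can_still_unlock and C2(unlocked):
        return "swap2 recipient"
    return None  # asset stays escrowed (and is eventually refunded)

C1 = lambda u: {"h1"} <= u  # hypothetical one-hashlock circuits
C2 = lambda u: {"h2"} <= u
print(priority_recipient(C1, C2, {"h1", "h2"}, c1_can_still_unlock=True))  # swap1 recipient
print(priority_recipient(C1, C2, {"h2"}, c1_can_still_unlock=False))       # swap2 recipient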

7.2. Detailed Construction

7.2.1. Market Clearing Phase

First, participants express their exchange requirements as before. Given the predicate P_x from a party x, there is an additional restriction r_x due to the fact that multiple arcs may represent the same asset. r_x is defined as follows: for arcs that represent the same asset, at most one of those arcs can be true. This can be expressed in the same way as the predicates defined in Section 4.4. Then, the new predicate for x is

P_x^new = P_x ∧ r_x.

For convenience, P_x^new is called P_x from now on. The set of new predicates is called 𝒫.

We find assignments that satisfy ϕ(𝒫). The solutions are denoted S = {s_1, ..., s_i, ..., s_k}. We sort the solutions by inclusion, organize them into a DAG, and assign hashlocks to each solution as in ProtocolA, except that redundancy providers are defined differently.

Definition 4.

Suppose s_1 and s_2 are two solutions for a predicated graph (𝒫, G). A party x is a redundancy provider in ProtocolB iff it is a redundancy provider as defined in Def. 2 and completing both s_1 and s_2 does not conflict with r_x.

The reason the definition is updated is that, if s_1 and s_2 share the same asset with different recipients (i.e., completing both s_1 and s_2 conflicts with r_x), it is impossible to complete both. In other words, x does not provide redundant collateral in s_1 and s_2, so it is not a redundancy provider in this case.

In addition to sorting solutions into a DAG by inclusion, we also sort them by the participants’ preferences. Assume there is a protocol that allows the participants to agree on a ranking: a total order on the solutions. Let S* := {s*_1, ..., s*_k} be the set of sorted solutions, where s*_i precedes s*_j if i < j; in other words, s*_i is preferred over s*_j. To distinguish them, we call the circuit C_{s*_i,q} in the original swap scheme the old circuit, and the one in ProtocolB the new circuit. For each swap scheme (s*_j, q), the new hashlock circuit is

C^new_{s*_j,q} := (⋀_{i < j, q′ ∈ Q(T(S)), s*_j conflicts with s*_i} ¬C_{s*_i,q′}) ∧ C_{s*_j,q}.

The new circuit implements the following logic: a swap s*_j is completed if and only if the hashlocks in s*_j are unlocked, and there is no preceding conflicting swap s*_i (i < j) whose hashlocks can be unlocked.

7.2.2. Running the protocol on chain

This part is similar to the previous protocol, but it only includes two phases: the Escrow Phase and the Redeem Phase.

Escrow Phase

Each participant runs Swap(G_{s_i}, ℋ_{s_i,q}).Escrow. Note that the circuit corresponding to ℋ_{s_i,q} is now C^new_{s_i,q} as defined above. If an asset a is already escrowed, its circuit becomes C(a) := C_current(a) ∨ C^new_{s_i,q}, where C_current(a) denotes the current hashlock circuit on arc a. If an asset participates in multiple swaps with different recipients, ℋ_{s_i,q} also specifies the recipient in each swap.

Redeem Phase

We say a hashlock set ℋ_{s_i} is unlocked when all hashlocks in ℋ_{s_i} are unlocked, and a hashlock set ℋ_{s_i} times out if any hashlock in ℋ_{s_i} times out. We cannot let parties simply run Swap(G_{s_i}, ℋ_{s_i,q}).Redeem, since it is not safe. For example, if one of a party’s outgoing arcs has ℋ_{s_i} unlocked and all ℋ_{s_j} with j < i time out, then this outgoing arc will be triggered as in Swap(G_{s_i}, ℋ_{s_i,q}). However, if another outgoing arc has ℋ_{s_j} unlocked where j < i, then this party’s incoming arcs will have ℋ_{s_j} unlocked, and all incoming arcs can be triggered in the swap scheme Swap(G_{s_j}, ℋ_{s_j,q}). Completing payments in two different schemes may produce a worse payoff. To overcome this problem, we use a broadcast scheme to synchronize the state of hashlocks. Assume there is a broadcast scheme with an upper bound t_u to synchronize all hashlocks such that, if a hashlock h is unlocked on any arc, then h can be unlocked on all arcs. The redeem phase takes (MaxPathLength(G)Δ + t_u), where MaxPathLength(G) is the length of the longest path in the graph. We provide a broadcast scheme based on a modification of hashkeys.

The key idea behind our design is that, once a hashkey appears on any arc of a party, this party can relay it to all its related arcs, both outgoing and incoming. We first transform the directed graph G into an undirected graph G^u. If there is more than one arc between two vertices, we add just one edge to the undirected graph. Then, a hashkey corresponds to a simple path in the undirected graph. It times out after (MaxPathLength(G) + |p|)Δ, where G is the original directed graph containing all participants, and p is a path in the transformed undirected graph G^u. The Redeem phase ends after (MaxPathLength(G) + MaxPathLength(G^u))Δ.
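A minimal sketch of the two mechanical pieces of this broadcast scheme, the undirected transform of G and the hashkey lifespan; the example graph and the path-length convention are illustrative assumptions.

def to_undirected(arcs):
    # collapse the directed swap graph G into G^u: one edge per pair of
    # vertices, regardless of how many arcs connect them
    return {frozenset(arc) for arc in arcs if arc[0] != arc[1]}

def hashkey_timeout(max_path_len_G, path, delta):
    # lifespan (MaxPathLength(G) + |p|) * Delta from the text
    return (max_path_len_G + len(path)) * delta

arcs = [("a", "b"), ("b", "a"), ("b", "c"), ("c", "b")]  # hypothetical digraph
print(to_undirected(arcs))  # two undirected edges: {a, b} and {b, c}
print(hashkey_timeout(max_path_len_G=2, path=["c", "b", "a"], delta=1))  # 5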

An asset transfer happens on an arc if one clause of its hashlock circuit is true. Each clause corresponds to the hashlock circuit of one swap scheme, which is composed of the negations of the conflicting preceding solutions’ (old) circuits and the current solution’s (old) hashlock circuit. The clause is true only if both of the following conditions are met.

  • All conflicting preceding solutions’ old circuits remain false until timeout. That means the contract must wait until the timeout to decide whether the conflicting preceding solutions’ old circuits can be unlocked.

  • The current solution’s old hashlock circuit evaluates to true. That means all hashlocks in the old hashlock circuit are unlocked before they time out.

All contracts agree on the order of conflicting solutions. A solution is triggered only if the conflicting preceding solutions are not triggered. Each arc completes at most one asset transfer to one recipient. A detailed analysis appears in Section 8.

7.3. Ranking Solutions

Solutions that can conflict with each other must be ranked to decide which one is preferable. This ranking is established by some form of negotiation. Participants who are not proposers can accept the proposed order if it is acceptable and leave the deal otherwise. More sophisticated protocols could make smarter ranking decisions; we leave the details to interested readers.

8. Analysis and Proof

In this section, we analyze our proposed protocols. We provide definitions of required properties below, and detailed proof for those properties can be found in Section A.1.

8.1. Security Properties

Let SS be the set of solutions output by an all-SAT solver. Here are some desired properties for both protocols.

Definition 1.

Universal Liveness: if all parties are conforming, then a maximal set of compatible exchanges out of SS can be completed.

Definition 2.

Local Liveness: in a swap scheme (G,)(G,{\mathcal{H}}), if all involved parties are conforming, and this scheme is selected (in 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA}) or no scheme with higher priority is completed (in 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐵\mathit{ProtocolB}), then the asset transfers in GG can be completed.

Definition 3.

Safety: A conforming party xx will never end up worse off, that is, xx never pays an asset unless its liveness predicate is 𝑡𝑟𝑢𝑒\mathit{true}, and never overpays (as defined by the safety predicate in Section 4.4).

Definition 4.

Fault-tolerance. A party can complete an exchange according to its liveness predicate as long as there exists one swap scheme ss where all parties are conforming, and ss is chosen by negotiation (in 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA}) or no scheme with higher priority is completed (in 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐵\mathit{ProtocolB}). If this party is involved in mm swap schemes (out of the swap schemes output by an all-SAT solver), we say they can tolerate (m1)(m-1) failed schemes.

Definition 5.

A protocol is a strong Nash equilibrium strategy if no coalition improves its payoff when its members cooperatively deviate from the protocol.

Definition 6.

A protocol provides economically efficient redemption if a party can complete multiple exchanges by redeeming only once.

8.1.1. Customized Properties for 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA}

Definition 7.

A protocol satisfies fast settlement if it has no hard timeout: if all parties are conforming, no party has to wait a fixed time to complete the transfer.

8.2. Protocol Comparisons

We compare the two proposed protocols with prior protocols in Section A.2.

9. Related Work

There is an extensive body of research on blockchain interoperability (Belchior et al., 2021). Some research addresses general-purpose cross-chain communication, focusing on the problem of reliably communicating the source chain’s internal state to a target chain. Other research addresses atomic asset transfers, for example, Alice trades her bitcoin for Bob’s ether.

This paper’s protocols focus on cross-chain asset transfers. Note that we do not mint or burn any assets. An asset transfer occurs between a sender and a receiver. There are many prior proposals for asset exchanges. Some are centralized (Heilman et al., 2020), and some use connectors to route packetized payments across different blockchains (Thomas and Schwartz, 2015). These protocols are surveyed elsewhere (Robinson, 2021; Belchior et al., 2021).

Many prior works utilize hashed timelock contracts (HTLCs). HTLCs allow one party to safely exchange assets with another party without the need for a trusted third party. The only trust anchors are the blockchains themselves, and any blockchain that supports smart contracts supports HTLCs. HTLCs are the basis for the Lightning network (Poon and Dryja, 2016), for two-party atomic cross-chain swaps (Nolan, 2013; DeCred, [n. d.]; Griffith, 2018), and for multi-party atomic cross-chain swaps (Herlihy, 2018) on strongly-connected digraphs. In (Shadab et al., 2020), the authors integrate off-chain steps to deal with swaps whose digraphs may not be strongly connected.

Cross-chain transactions that tolerate deviating participants are studied by Bagaria et al. (Bagaria et al., 2020), who propose a technique called Boomerang, used on top of multi-path routing schemes to construct redundant payment paths. A payment is split into nn paths, each of which carries the same amount. The payee can trigger tt paths out of nn, where tt paths yield the intended total payment. If the payee tries to cheat by collecting payments from more than tt paths, all payments are voided. The approach can tolerate faulty participants on (nt)(n-t) paths. A limitation of this approach is that it must split the payment into nn equal shares; it does not support heterogeneous payments along different paths. Spear (Rahimpour and Khabbazian, 2021) improves Boomerang by allowing different payment amounts on different paths. However, Spear only works for a single payment from one payer to one payee, e.g., from Alice to Bob, and the multiple paths are disjoint. It is not straightforward to generalize these protocols to settings where the graph is cyclic, multiple paths overlap, and multiple parties have set up tentative redundant payments. Mercan et al. (Mercan et al., 2021) propose protocols that improve transaction success rates in payment channel networks through better routing strategies and ways to address channel imbalances.

10. Remarks

Conclusions and discussions can be found in Section A.3.

References

  • Bagaria et al. (2020) Vivek Bagaria, Joachim Neu, and David Tse. 2020. Boomerang: Redundancy improves latency and throughput in payment-channel networks. In International Conference on Financial Cryptography and Data Security. Springer, 304–324.
  • Becker and Geiger (1996) Ann Becker and Dan Geiger. 1996. Optimization of Pearl’s method of conditioning and greedy-like approximation algorithms for the vertex feedback set problem. Artificial Intelligence 83, 1 (1996), 167 – 188. https://doi.org/10.1016/0004-3702(95)00004-6
  • Belchior et al. (2021) Rafael Belchior, André Vasconcelos, Sérgio Guerreiro, and Miguel Correia. 2021. A survey on blockchain interoperability: Past, present, and future trends. ACM Computing Surveys (CSUR) 54, 8 (2021), 1–41.
  • DeCred ([n. d.]) DeCred. [n. d.]. Decred cross-chain atomic swapping. https://github.com/decred/atomicswap
  • Griffith (2018) Trey Griffith. July, 2018. Sparkswap: Trade across blockchains without custody risk. https://medium.com/sparkswap/sparkswap-trade-across-blockchans-without-custody-risk-a6bfe08013e8.
  • Heilman et al. (2020) Ethan Heilman, Sebastien Lipmann, and Sharon Goldberg. 2020. The arwen trading protocols. In International Conference on Financial Cryptography and Data Security. Springer, 156–173.
  • Herlihy (2018) Maurice Herlihy. 2018. Atomic cross-chain swaps. In Proceedings of the 2018 ACM Symposium on Principles of Distributed Computing (PODC ’18). ACM, New York, NY, USA, 245–254. https://doi.org/10.1145/3212734.3212736
  • Herlihy et al. (2021) Maurice Herlihy, Barbara Liskov, and Liuba Shrira. 2021. Cross-chain deals and adversarial commerce. The VLDB journal (2021), 1–19.
  • Johnson et al. (2001) Don Johnson, Alfred Menezes, and Scott Vanstone. 2001. The elliptic curve digital signature algorithm (ECDSA). International journal of information security 1, 1 (2001), 36–63.
  • Mercan et al. (2021) Suat Mercan, Enes Erdin, and Kemal Akkaya. 2021. Improving transaction success rate in cryptocurrency payment channel networks. Computer Communications 166 (2021), 196–207.
  • Nolan (2013) Tier Nolan. May, 2013. Alt chains and atomic transfers. https://bitcointalk.org/index.php?topic=193281.0. Bitcoin Forum.
  • Poon and Dryja (2016) Joseph Poon and Thaddeus Dryja. 2016. The bitcoin lightning network: Scalable off-chain instant payments.
  • Rahimpour and Khabbazian (2021) Sonbol Rahimpour and Majid Khabbazian. 2021. Spear: fast multi-path payment with redundancy. In Proceedings of the 3rd ACM Conference on Advances in Financial Technologies. 183–191.
  • Robinson (2021) Peter Robinson. 2021. Survey of crosschain communications protocols. Computer Networks 200 (2021), 108488.
  • Shadab et al. (2020) Narges Shadab, Farzin Houshmand, and Mohsen Lesani. 2020. Cross-chain Transactions. In 2020 IEEE International Conference on Blockchain and Cryptocurrency (ICBC). IEEE, 1–9.
  • Thomas and Schwartz (2015) Stefan Thomas and Evan Schwartz. 2015. A protocol for interledger payments. https://blockchainlab.com/pdf/interledger.pdf.
  • Toda (2015) Takahisa Toda. 2015. All Solutions SAT Repository. http://www.sd.is.uec.ac.jp/toda/code/allsat.html
  • Toda and Soh (2016) Takahisa Toda and Takehide Soh. 2016. Implementing efficient all solutions SAT solvers. Journal of Experimental Algorithmics (JEA) 21 (2016), 1–44.
  • Tseitin (1983) Grigori S Tseitin. 1983. On the complexity of derivation in propositional calculus. In Automation of reasoning. Springer, 466–483.
  • Yocom-Piatt (2017) Jake Yocom-Piatt. September, 2017. On-Chain Atomic Swaps. https://blog.decred.org/2017/09/20/On-Chain-Atomic-Swaps/. Decred Blog.
  • Yu et al. (2014) Yinlei Yu, Pramod Subramanyan, Nestan Tsiskaridze, and Sharad Malik. 2014. All-SAT using minimal blocking clauses. In 2014 27th International Conference on VLSI Design and 2014 13th International Conference on Embedded Systems. IEEE, 86–91.
  • Zie et al. (2019) Jean-Yves Zie, Jean-Christophe Deneuville, Jérémy Briffaut, and Benjamin Nguyen. 2019. Extending atomic cross-chain swaps. In Data Privacy Management, Cryptocurrencies and Blockchain Technology. Springer, 219–229.

Appendix A Appendix

A.1. Proof

A.1.1. Proof for the base protocol

We first prove properties of the base protocol, the swap scheme. Our base protocol is a descendant of Herlihy's swap protocol (Herlihy, 2018), with one change: redundancy providers are asked to provide a hashlock on all arcs. Here we show that our base protocol inherits the properties of the original protocol.

Theorem 1.

Our base protocol guarantees: (1) if all parties are conforming, then the swap described by the graph happens; (2) a conforming party is always safe, i.e., it never pays any assets without receiving all of its incoming assets in the graph.

Proof.

If all parties are conforming, then the assets in the graph are escrowed starting from the leaders: the graph obtained by removing the leaders' outgoing arcs is a directed acyclic graph, so there is an order, given by a topological sort, in which to traverse all vertices. When a vertex is traversed, its party can escrow its outgoing assets. After the escrow phase, whether a party is a leader or a follower, once a hashkey unlocks a hashlock hh on one of its outgoing arcs, the party can generate a new hashkey and send it to its incoming arcs to unlock the same hashlock. That is, if any hashlock on its outgoing arcs is unlocked, then the corresponding hashlocks on its incoming arcs will also be unlocked; in other words, if any outgoing arc is triggered, all of its incoming arcs can be triggered. Thus, a conforming party never ends up worse off.

The redundancy providers are treated as additional leaders who send hashkeys corresponding to the hashlocks they generated after they receive all incoming escrows. The only difference between leaders and redundancy providers is that redundancy providers wait for all incoming escrows before they unlock their outgoing assets. ∎
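The escrow ordering used in the proof above can be sketched as follows; this is a minimal illustration, assuming arcs are given as (sender, receiver) pairs, and the function name escrow_order is hypothetical.

    from graphlib import TopologicalSorter

    def escrow_order(arcs, leaders):
        """Leaders escrow first; the remaining graph (a DAG after removing the leaders'
        outgoing arcs) is then traversed in topological order."""
        remaining = [(u, v) for (u, v) in arcs if u not in leaders]
        deps = {}                                  # party -> parties it waits on
        for u, v in remaining:
            deps.setdefault(v, set()).add(u)       # v escrows only after u has escrowed
            deps.setdefault(u, set())
        order = [p for p in TopologicalSorter(deps).static_order() if p not in leaders]
        return list(leaders) + order

    # Example: a 3-cycle A -> B -> C -> A with leader A escrows in the order A, B, C.
    print(escrow_order([("A", "B"), ("B", "C"), ("C", "A")], leaders={"A"}))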

A.1.2. Proof for 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA}

Here we prove properties of 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA}.

Theorem 2.

ProtocolA satisfies liveness.

Proof.

Suppose there are kk solutions output by the all-SAT solver. If all parties are conforming, then the escrow phase of each solution is completed. Then, in the SelectSelect phase, a conforming redundancy provider proposes a maximal set ScS_{c} of solutions in which no two solutions are mutually exclusive. Since those solutions are compatible with each other, the other conforming redundancy providers vote yes to accept them. Then, for each solution sScs\in S_{c}, the redundancy providers and leaders release hashkeys in the RedeemRedeem phase, and other parties redeem when they receive hashkeys on their outgoing arcs. By Theorem 1, all assets are redeemed, so the swaps in the chosen solutions are completed. When a swap happens, the involved parties' liveness predicates are satisfied. ∎

Theorem 3.

In ProtocolA, a conforming party is always safe.

Proof.

Recall that any swap scheme individually guarantees that all involved parties are safe: all-or-nothing. We only need to consider what happens when a party is involved in more than one swap scheme. Here we show that ProtocolA keeps such parties safe with respect to their safety predicates.

For any solution sis_{i}, whether it is chosen or not, a party plays a role in the base protocol. Since we reuse some secrets across solutions sisjs_{i}\subsetneq s_{j}, we cannot analyze safety independently for each solution. Reusing a secret puts safety at risk: once a hashkey is released, it can be used in another swap scheme, not only the swap scheme the party intends to complete. Thus, we must analyze the safety implications of reusing secrets. Recall that when we reuse secrets, a solution sjs_{j} uses secrets from sis_{i} if sisjs_{i}\subsetneq s_{j}.

For any scheme (Gsi,si,q)(G_{s_{i}},{\mathcal{H}}_{s_{i},q}), whether it is chosen or not, the party is safe by the following analysis.

  1. (1)

    If the party xx is a redundancy provider or a leader, then it releases a secret hsi,qh\in{\mathcal{H}}_{s_{i},q} in (Gsi,si,q)(G_{s_{i}},{\mathcal{H}}_{s_{i},q}) only after it receives all incoming escrows in this solution. Because of the reuse of secrets, it is possible that the incoming assets in (Gsi,si,q)(G_{s_{i}},{\mathcal{H}}_{s_{i},q}) are escrowed while, in another graph (Gsj,sj,q)(G_{s_{j}},{\mathcal{H}}_{s_{j},q}) with hsj,qh\in{\mathcal{H}}_{s_{j},q}, the incoming assets are not escrowed but the outgoing assets are. If xx released this secret, sj,q{\mathcal{H}}_{s_{j},q} could become unlocked and the outgoing arcs could be triggered without all incoming arcs being triggered. To avoid this unsafe outcome, a conforming redundancy provider or leader does not release the secret in that case. By withholding a hashkey that is reused in multiple schemes when some of those schemes have deviating parties, a party does not risk losing assets without getting the expected assets.

  2. (2)

    If the party xx is neither a redundancy provider nor a leader, it does not own a secret and merely propagates secrets from leaders. Since this party escrows only after receiving its incoming escrows, it is guaranteed that if any outgoing arc is triggered using si,q{\mathcal{H}}_{s_{i},q} by a set of hashkeys, it can always construct new hashkeys from those hashkeys to trigger all of its incoming arcs. The outcome for xx in a single scheme is all-or-nothing, where all means all incoming assets are triggered and nothing means no outgoing assets are triggered. In either case, xx is safe.

In a nutshell, if a party is neither a redundancy provider nor a leader, then each exchange can be completed independently and treated separately, and the safety property is preserved. If any of the exchanges is completed, the liveness predicate is 𝑡𝑟𝑢𝑒\mathit{true}. If all exchanges fail, then this party gets all assets escrowed in all exchanges refunded.

If a party is a redundancy provider or a leader, it releases a secret only when doing so carries no risk of completing a partial swap. ∎
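The release rule argued above can be summarized by the following sketch; the dictionary keys and the function name safe_to_release are hypothetical and only describe a party's local view of the schemes that share a reused secret.

    def safe_to_release(h, schemes):
        """schemes: list of dicts with keys 'hashes', 'incoming_escrowed', and
        'outgoing_escrowed' describing this party's view of each scheme."""
        for s in schemes:
            if h not in s["hashes"]:
                continue
            # Releasing h is risky for a scheme in which some of the party's outgoing
            # assets are escrowed while not all of its incoming assets are escrowed.
            if s["outgoing_escrowed"] and not s["incoming_escrowed"]:
                return False
        return True

    # Example: h is reused in a fully escrowed scheme and in one missing incoming escrows.
    schemes = [
        {"hashes": {"h"}, "incoming_escrowed": True,  "outgoing_escrowed": True},
        {"hashes": {"h"}, "incoming_escrowed": False, "outgoing_escrowed": True},
    ]
    print(safe_to_release("h", schemes))   # False: withholding h keeps the party safe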

Theorem 4.

If a party is involved in mm schemes in the market clearing phase, then with our protocol, he/she can tolerate failure of up to m1m-1 schemes.

Proof.

If a party is involved in mm schemes and there is at least one scheme in which all parties are conforming in the escrow phase, then the protocol can proceed to the redeem phase. If that scheme is selected, the party can complete the exchange, making its liveness predicate 𝑡𝑟𝑢𝑒\mathit{true}. ∎

Theorem 5.

𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA} is a strong Nash equilibrium strategy.

Proof.

We prove that no coalition has an incentive to deviate when it assumes that participants outside the coalition are conforming. We argue by contradiction. Suppose there is a coalition of participants that improves its payoff by deviating. The coalition must receive more than it should, pay less than it should, or both. In any case, there must be a victim who pays more, receives less, or both; such a victim ends with a payoff that violates its safety predicate. Since a conforming party is always safe by Theorem 3, no conforming party overpays or receives less, which gives a contradiction. ∎

Theorem 6.

Participants can redeem their incoming assets in multiple schemes with a scheme corresponding to the smallest graph they participate in.

Proof.

Due to reuse of hashes, participants can release one hashkey to unlock the same hash used in multiple schemes. If a party releases a hashkey corresponding to the smallest graph they are involved in, the hashkey can be applied to unlock hashlocks in larger graphs that include this small graph. Thus, participants only need to redeem their incoming assets with the scheme of the smallest graph. ∎

Theorem 7.

Participants can settle a swap immediately after the escrow phase of a swap scheme is completed if all parties are conforming and respond quickly.

Proof.

After the escrow phase of a swap scheme completes, leaders and redundancy providers can choose to release secrets to redeem the assets. As long as they have not previously agreed to complete a mutually exclusive scheme, they can agree on this swap scheme and complete the redeem phase. ∎

A.1.3. Proof for 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐵\mathit{ProtocolB}

The proofs of the common properties (liveness, strong Nash equilibrium, redemption efficiency, and fault-tolerance) are similar to the proofs given for 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA}. Here we focus on the difference: safety.

There is a unique total order on all possible swap schemes. Each swap scheme is assigned an index i[1,m]i\in[1,m], where mm is the number of distinct swap schemes; sis^{*}_{i} has higher priority than sjs^{*}_{j} if i<ji<j. We first define a state, called the level, that determines which asset transfer is triggered on an arc, i.e., who the recipient is.

Definition 8.

If an arc's hashlock circuit evaluates to 𝑡𝑟𝑢𝑒\mathit{true}, and the highest-priority clause that evaluates to 𝑡𝑟𝑢𝑒\mathit{true} corresponds to the swap scheme sis^{*}_{i}, then we say the arc is at level ii.

Definition 9.

If an arc's hashlock circuit evaluates to false, the arc is in state RefundedRefunded; for consistency, we define its level to be \infty.
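Definitions 8 and 9 can be restated as the following small sketch, where the function name arc_level is hypothetical and clause truth values are listed in priority order.

    import math

    def arc_level(clause_values):
        """clause_values[i] is the truth value of the clause for scheme s*_{i+1}, in
        priority order (index 0 = highest priority); level infinity means Refunded."""
        for level, is_true in enumerate(clause_values, start=1):
            if is_true:
                return level
        return math.inf

    # Example: the clause for s*_1 is false and the clause for s*_2 is true.
    print(arc_level([False, True, False]))   # 2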

Assuming the escrow phase is executed without deviation, we prove two things:

Theorem 10.

For a conforming party, if any of its outgoing assets is at a level i1i\geq 1, then all of his/her escrowed incoming assets and escrowed outgoing assets are at level ii.

Proof.

If an arc is at level ii, then the clause corresponding to swap scheme sis^{*}_{i} evaluates to 𝑡𝑟𝑢𝑒\mathit{true}: the hashlocks in sis^{*}_{i} are unlocked, and the hashlocks of every sjs^{*}_{j} with j<ij<i are not unlocked. By the property of the hashkey scheme, which uses undirected paths, this party can unlock the hashlocks corresponding to sis^{*}_{i} on all of its incoming and outgoing assets in that scheme. ∎

Theorem 11.

A conforming party is safe.

Proof.

By Theorem 10, this party can complete a trade at some level ii, and none of its outgoing assets will be at a different level. Each level corresponds to a safe swap scheme, so this party is safe. ∎

A.2. Comparison among 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA}, 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐵\mathit{ProtocolB}, and Previous Protocols

A.2.1. Comparison between 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA} and 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐵\mathit{ProtocolB}

  • Time efficiency. 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA} does not require a hard timeout while 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐵\mathit{ProtocolB} does, implying that 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA} can be settled faster than 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐵\mathit{ProtocolB}.

  • Collateral. 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA} does not allow one escrow to have multiple possible recipients while 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐵\mathit{ProtocolB} does, implying that 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐵\mathit{ProtocolB} needs lower levels of collateral.

  • Fault-tolerance. 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐵\mathit{ProtocolB} provides more fault-tolerance than 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA}. Both tolerate deviating parties in the Escrow Phase: as long as there is a swap whose escrow phase finishes, the redeem phase can continue. However, only 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐵\mathit{ProtocolB} tolerates deviating parties in the Redeem Phase. In 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA}, after the Escrow Phase, parties must select a subset of schemes to proceed with; if the participants in the selected schemes abort in the Redeem Phase, the swap fails. By contrast, in 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐵\mathit{ProtocolB}, parties do not need to reach an agreement to select a scheme after the Escrow Phase. They can proceed with all schemes whose Escrow Phase finishes and redeem in all of those swaps. 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐵\mathit{ProtocolB} therefore offers more swap schemes than 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA} that can be completed, and is thus more fault-tolerant.

  • Flexibility. In 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA}, participants can escrow different assets to trade, giving them a better chance of finding a counterparty for a trade. In the Redeem Phase, if a participant is a leader, they can also choose the most economically efficient trade to complete. Thus, 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA} is more flexible.

A.2.2. Comparison with Previous Protocols

Here we provide a comparison in terms of time needed for our proposed protocols and previous protocols.

We do not count the computation time of off-chain processes, such as finding feedback vertex sets, finding solutions, determining the set of redundancy providers, and reaching agreement. Those processes are efficient since the problem instances involved are small and they are not bounded by the throughput of the blockchains.

We focus on the time consumed on-chain. Previous protocols are not robust, so participants have to try different alternatives sequentially. Suppose each alternative swap takes mΔm\Delta to expire, where Δ\Delta is the upper bound on message delay. When we say a swap expires, we mean the assets are refunded because of failure. (Different assets in the swap are refunded at different times; for brevity, we use the time at which the last asset expires.) Let ϵ\epsilon be the time needed in the Escrow Phase and Redeem Phase to complete a successful swap; ϵ\epsilon can be much smaller than Δ\Delta if participants execute the swap protocol quickly.

Suppose each swap has an independent probability qq of succeeding. If a participant tries the alternatives sequentially, then the expected number of tries is 1q\frac{1}{q}, and the expected time needed is max{(1q1)mΔ,0}+ϵmax\{(\frac{1}{q}-1)m\Delta,0\}+\epsilon. For example, if q=0.25q=0.25, the expected time needed is 3mΔ+ϵ3m\Delta+\epsilon.

Let γ\gamma denote the time needed to find solutions in the market clearing phase. If we try the alternatives in parallel with 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA}, then in the best case the time needed is ϵ+γ+ω\epsilon+\gamma+\omega, where ω\omega is the time needed for the Select phase. Note that the market clearing phase for finding solutions and the Select phase for choosing solutions can be short, since they are not bounded by the throughput of the blockchains, and thus take much less than Δ\Delta. In the worst case, the time needed is mΔ+γm\Delta+\gamma, meaning the successful swap finishes right before it expires.

With 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐵\mathit{ProtocolB}, if the parties do not complete the highest-priority swap, then in both the best and the worst case the time needed is mΔ+γ+ωm\Delta+\gamma+\omega^{\prime}, where ω\omega^{\prime} is the time needed to sort the solutions. If they complete the highest-priority swap, then the time needed is ϵ+γ+ω\epsilon+\gamma+\omega^{\prime} in the best case, since no waiting is needed to check the status of a conflicting but higher-priority swap. A small sketch of these estimates follows.
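The following sketch simply restates the formulas above in Python with illustrative numbers; the function names are hypothetical and q is the per-swap success probability.

    def sequential_time(q, m, delta, eps):
        """Expected time when alternatives are tried one after another."""
        return max((1 / q - 1) * m * delta, 0) + eps

    def protocol_a_best_case(eps, gamma, omega):
        return eps + gamma + omega                  # all parties conforming and fast

    def protocol_b_time(m, delta, gamma, omega_p, eps, top_priority_completes):
        return (eps if top_priority_completes else m * delta) + gamma + omega_p

    # Example matching the text: q = 0.25 gives an expected sequential time of 3*m*delta + eps.
    print(sequential_time(q=0.25, m=2, delta=1.0, eps=0.1))   # 6.1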

A.3. Remarks

This paper explores trade-offs among time, fault-tolerance, and collateral. As illustrated by 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐴\mathit{ProtocolA}, multiple escrows may incur costs when blockchains and counterparties charge fees. On the other hand, as illustrated by 𝑃𝑟𝑜𝑡𝑜𝑐𝑜𝑙𝐵\mathit{ProtocolB}, eliminating duplicate escrows can introduce delays in the form of hard timeouts.

We use the notion of a predicate to capture the complexity of multi-party swaps. Prior safety definitions (Herlihy, 2018) tend to be too restrictive, requiring, for each party, that all outgoing assets be refunded if any incoming asset is not redeemed. Our use of predicates captures the notion that certain subsets of the potential trades are satisfactory.

The hashkey mechanism in the base swap scheme uses path signatures, which require signatures from the parties on a path. We extend the use of path signatures (Herlihy, 2018) to allow sets of signatures from parties that do not necessarily form a path, using pathless hashkeys. Here, a pathless hashkey can correspond to any set of parties' signatures as long as no party is duplicated. This change provides more fault-tolerance: as long as the leaders release their secrets, another party, say uu, can redeem its incoming assets; uu does not depend on the parties on the path from uu to the leader to sign and relay the hashkey. More details are provided in Section A.3.4.

A.3.1. Discussion on Maximum Set of Schemes

A set of schemes is maximal if no other scheme can be added to the set without conflicting with an existing scheme. This definition does not guarantee that as many parties' liveness predicates as possible are satisfied. For example, suppose Alice has two conflicting alternative swaps: one exchanges assets with Bob (a 2-party swap), and the other exchanges assets with David through Carol as an intermediary (a 3-party swap). Even if all parties are conforming in the escrow phase of each swap scheme, in the end only one swap is completed. Either swap alone is maximal, even though the 2-party swap satisfies only 2 parties, fewer than the 3-party swap. We define a maximal set of schemes this way because we focus on completing a swap scheme as long as it does not conflict with what has already been agreed on. The select phase can be executed gradually, and a group of participants in a swap scheme can complete the swap as soon as their escrow phase finishes, provided the scheme does not conflict with any previously completed swap. A greedy sketch of this selection is given below.
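A minimal sketch of such a greedy selection, assuming conflicts are given as pairs of scheme identifiers; the function name maximal_compatible is our own illustration.

    def maximal_compatible(schemes, conflicts):
        """schemes: scheme identifiers in the order they become ready; conflicts: a set of
        frozenset pairs of mutually exclusive schemes. Greedily keeps every scheme that
        does not conflict with one already chosen, yielding a maximal (not maximum) set."""
        chosen = []
        for s in schemes:
            if all(frozenset({s, t}) not in conflicts for t in chosen):
                chosen.append(s)
        return chosen

    # Example from the text: Alice's 2-party swap with Bob conflicts with her 3-party swap
    # via Carol and David; whichever is ready first is kept, and either choice is maximal.
    print(maximal_compatible(["AB", "ACD"], {frozenset({"AB", "ACD"})}))   # ['AB']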

It is interesting to have more sophisticated mechanisms to try to satisfy as many participants as possible. We will leave this to future work.

A.3.2. Consideration on Number of Alternatives

The number of alternative solutions can be decided by participants based on their fault-tolerance preferences and the cost of running those alternatives. For example, a participant who wants more fault-tolerance may set up more alternatives, at the cost of paying more transaction fees or commissions to the parties who want to trade with him/her.

A.3.3. Complex Predicates

For complex predicates such as “at least kk out of nn incoming arcs” or “at most kk out of nn outgoing arcs”, it might seem that exponentially many clauses, e.g., (nk)n\choose k, are needed to express the condition in conjunctive normal form (CNF). This is not the case: such predicates can be expressed efficiently as boolean circuits, which can be converted to an equisatisfiable CNF of size linear in the circuit via the Tseytin transformation (Tseitin, 1983). The resulting CNF can be fed to SAT solvers, as sketched below.
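The following is a minimal Python sketch of the Tseytin transformation for circuits built from AND, OR, and NOT gates; the representation (nested tuples, signed-integer literals) is our own and not tied to any particular SAT solver.

    from itertools import count

    def tseytin(circuit, var_ids=None, clauses=None, counter=None):
        """circuit is a variable name (str) or a tuple ('and'|'or'|'not', sub, ...).
        Returns (output_literal, clauses) with clauses as lists of signed integers."""
        if var_ids is None:
            var_ids, clauses, counter = {}, [], count(1)
        if isinstance(circuit, str):                       # an input variable
            if circuit not in var_ids:
                var_ids[circuit] = next(counter)
            return var_ids[circuit], clauses
        op, *subs = circuit
        lits = [tseytin(s, var_ids, clauses, counter)[0] for s in subs]
        g = next(counter)                                  # fresh variable for this gate
        if op == 'and':                                    # g <-> (l1 & l2 & ...)
            clauses += [[-g, l] for l in lits] + [[g] + [-l for l in lits]]
        elif op == 'or':                                   # g <-> (l1 | l2 | ...)
            clauses += [[g, -l] for l in lits] + [[-g] + lits]
        elif op == 'not':                                  # g <-> ~l1
            clauses += [[-g, -lits[0]], [g, lits[0]]]
        return g, clauses

    # Example: "at least 2 of {a, b, c}" written as a small circuit. A counting circuit
    # (e.g., a sequential counter) expresses "at least k of n" with O(nk) gates, so the
    # resulting CNF stays small for the predicates considered in this paper.
    root, cnf = tseytin(('or', ('and', 'a', 'b'), ('and', 'a', 'c'), ('and', 'b', 'c')))
    cnf.append([root])                                     # assert the circuit output
    print(cnf)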

A.3.4. More Fault-tolerance with Pathless Hashkeys

A pathless hashkey for arc (u,v)(u,v) is a variation where, given (s,p,σ)(s,p,\sigma), pp can be any set of unique vertices of GG (not just a path).

Here we compare the original hashkey mechanism (Herlihy, 2018) with our proposed pathless hashkey mechanism and answer some questions that may be interesting to readers.

Hashkeys associated with paths and signatures were proposed for Herlihy's swap (Herlihy, 2018). In this paper, we propose pathless hashkeys, which are similar to hashkeys; the only difference is that a pathless hashkey does not have to be associated with a path. It can be associated with any set of vertices, as long as those vertices are in the graph and no vertex is duplicated. The main consequence of using pathless hashkeys is that the duration of the redeem phase is prolonged. With traditional hashkeys, the assets are locked until 2MaxPathLength(G)Δ2MaxPathLength(G)\Delta after the start of the protocol execution. With pathless hashkeys, the assets are locked until (MaxPathLength(G)+n)Δ(MaxPathLength(G)+n)\Delta, for the reasons given below.

Time Complexity

In the original swap scheme, the assets are locked until 2MaxPathLength(G)Δ2MaxPathLength(G)\cdot\Delta, since the escrow and redeem phases each take MaxPathLength(G)MaxPathLength(G) rounds. If we use pathless hashkeys, the escrow phase still takes MaxPathLength(G)MaxPathLength(G) rounds, since the graph does not change, but the redeem phase takes nΔn\Delta: a deviating coalition of up to n1n-1 parties can send a hashkey as late as round (MaxPathLength(G)+(n1))(MaxPathLength(G)+(n-1)), and the conforming party needs one more round to sign it and propagate the hashkey to its outgoing arcs. That means (MaxPathLength(G)+n)(MaxPathLength(G)+n) rounds are required for safety. In total, assets are locked until (MaxPathLength(G)+n)Δ(MaxPathLength(G)+n)\Delta.
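A minimal sketch of validating a pathless hashkey against these rules follows; all parameter names are illustrative, verify_sig stands for whatever signature check the underlying chain provides (e.g., ECDSA), and we assume a SHA-256 hashlock purely for concreteness.

    import hashlib

    def valid_pathless_hashkey(secret, parties, signatures, graph_vertices,
                               max_path_len, n, delta, now, expected_hash, verify_sig):
        if hashlib.sha256(secret).hexdigest() != expected_hash:
            return False                          # wrong preimage for the hashlock
        if len(parties) != len(set(parties)):
            return False                          # duplicated vertices are rejected
        if not set(parties) <= set(graph_vertices):
            return False                          # every signer must be a vertex of G
        if now >= (max_path_len + n) * delta:
            return False                          # past the extended redeem deadline
        return all(verify_sig(p, secret, sig) for p, sig in zip(parties, signatures))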

A.3.5. Discussion on Shortcuts

The hashkey mechanism requires the parties on the path to be conforming and provide their signatures. If a party on the path deviates, some parties' asset transfers cannot be completed because that party's signature is missing. Besides pathless hashkeys, another possible way to tolerate deviating parties on the path is to use shortcuts of hashkeys: even if the signature of some party on the path is missing, the shortcut hashkey can still be used to unlock a hashlock. In this section we show why this approach does not work.

Suppose a hashkey is associated with a path p=(u0,,uk)p=(u_{0},\cdots,u_{k}). A shortcut hashkey is defined as a hashkey whose path p=(u0,,um)p^{\prime}=(u_{0}^{\prime},\cdots,u_{m}^{\prime}) satisfies (1) |p||p||p^{\prime}|\leq|p|, (2) all nodes in pp^{\prime} are also in pp, and (3) the order of nodes in pp^{\prime} is consistent with their order in pp. A shortcut of a hashkey allows parties to redeem using fewer intermediate nodes' signatures on the path. In other words, a hashkey does not have to correspond to a complete path: it can skip some nodes that would be in a complete path. For example, in the graph shown in Figure 6(a), AA is a leader, and the valid paths for the hashkeys on each arc are shown on the arcs, as pp. If we allow shortcut hashkeys to unlock a hashlock, then there is an attack, shown in Figure 6(b). In Figure 6(b), the blue paths pp denote the paths of the hashkeys that unlock a hashlock in the original swap scheme; we omit the signatures and secrets in the hashkeys for brevity and assume they are well-formed. In the original swap protocol, AA is a leader, and it first sends a hashkey with path p=Ap=A to the arc (B,A)(B,A) to redeem. After seeing this hashkey, BB prepends itself to the path pp and sends a hashkey with path p=BAp=BA to the arc (C,B)(C,B) to redeem (we write paths in a compact way, without parentheses, for brevity). CC and DD follow this pattern and send hashkeys with p=CBAp=CBA and p=DCBAp=DCBA to their incoming arcs one after the other.

Let pp^{\prime} denote the paths that would be composed by parties if we use hashkeys shortcuts. pp^{\prime} is constructed in the same way as pp.

If AA does not release the hashkey corresponding to p=Ap^{\prime}=A to redeem (B,A)(B,A), and instead colludes with CC, then an execution of the protocol propagates hashkeys as shown in Figure 6(b), starting from CC redeeming (D,C)(D,C) with p=CAp^{\prime}=CA. Then DD redeems the arc (B,D)(B,D) with p=DCAp^{\prime}=DCA, and BB then has to redeem (C,B)(C,B) with p=BDCAp^{\prime}=BDCA, which cannot unlock the hashlock generated by AA, since the longest valid path (in the original swap scheme) corresponding to that arc has |p|=2|p|=2, which is less than |p|=4|p^{\prime}|=4. In other words, if we allow shortcuts of paths, there is a problem: not all paths pp^{\prime} composed during redemption are shortcuts of an original valid path pp. A small check of the shortcut condition is sketched below.
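The shortcut condition itself is just a subsequence check, as in the following sketch (the function name is_shortcut is hypothetical); the attack above arises because the paths that parties actually compose during redemption need not satisfy it.

    def is_shortcut(p_prime, p):
        """p_prime is a shortcut of p if it is no longer than p and its nodes appear in p
        in the same relative order (a subsequence check)."""
        it = iter(p)
        return len(p_prime) <= len(p) and all(v in it for v in p_prime)

    # CA is a shortcut of CBA (it skips B), but the attack path BDCA is not a shortcut of
    # the valid path BA on arc (C, B), illustrating the problem described above.
    print(is_shortcut(list("CA"), list("CBA")))    # True
    print(is_shortcut(list("BDCA"), list("BA")))   # False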

(a) Paths of Hashkeys in a Swap Graph
(b) Shortcut of Hashkeys Does Not Work If AA Deviates
Figure 6. An Example Showing Why Shortcut of Hashkeys Does Not Work, Where AA Is a Leader
Figure 7. An example showing the timeout can be nΔn\Delta if all possible compositions of hops are allowed

Furthermore, we show that if we fix the above problem by allowing a path longer than the original path to unlock a hash, then the timeout may need to be nΔn\Delta for safety, where nn is the number of participants. As shown in Figure 7, if we do not allow shortcuts of hashkeys, the original valid paths are shown as pp, and the new paths pp^{\prime} denote paths composed by participants when redeeming. Suppose AA colludes with CC, sends p=Ap^{\prime}=A secretly to CC, and CC starts redeeming on (D,C)(D,C). If we allow a hashkey signed by any combination of nodes, as long as they do not form a cycle, then the longest possible path from AA has length n=7n=7 on (A,G)(A,G), whereas in the original scheme the longest possible path on (A,G)(A,G) has length 55.