Atomic Cross-Chain Swaps with Improved Space and Local Time Complexity
Soichiro Imoto, Yuichi Sudo, Hirotsugu Kakugawa, Toshimitsu Masuzawa

TL;DR
This paper introduces an improved atomic cross-chain swap protocol that reduces space and local time complexity by using only signature information, enhancing efficiency in multi-party blockchain asset exchanges.
Contribution
The paper presents a novel protocol that decreases space complexity to O(|A||V|) and local time complexity to O(|V|) compared to Herlihy's original method, using only signature information.
Findings
Reduces space complexity from O(|A|^2) to O(|A||V|).
Reduces local time complexity from O(|V||L|) to O(|V|).
Maintains protocol guarantees despite complexity improvements.
Abstract
An effective atomic cross-chain swap protocol is introduced by Herlihy [Herlihy, 2018] as a distributed coordination protocol in order to exchange assets across multiple blockchains among multiple parties. An atomic cross-chain swap protocol guarantees; (1) if all parties conform to the protocol, then all assets are exchanged among parties, (2) even if some parties or coalitions of parties deviate from the protocol, no party conforming to the protocol suffers a loss, and (3) no coalition has an incentive to deviate from the protocol. Herlihy [Herlihy, 2018] invented this protocol by using hashed timelock contracts. A cross-chain swap is modeled as a directed graph D = (V,A). Vertex set V denotes a set of parties and arc set A denotes a set of proposed asset transfers. Herlihy's protocol uses the graph topology and signature information to set appropriate hashed timelock contracts. The…
Click any figure to enlarge with its caption.
Figure 1
Figure 2
Figure 3
Figure 4
Figure 5
Figure 6| local time complexity | execution time | space complexity | |
|---|---|---|---|
| Herlihy’s protocol | |||
| Our protocol |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsBlockchain Technology Applications and Security · Distributed systems and fault tolerance · Caching and Content Delivery
Atomic Cross-Chain Swaps with Improved Space and Local Time Complexity
Soichiro Imoto Contact author. email:[email protected] Osaka University, Japan
Yuichi Sudo
Osaka University, Japan
Hirotsugu Kakugawa
Ryukoku University, Japan
Toshimitsu Masuzawa
Osaka University, Japan
Abstract
An effective atomic cross-chain swap protocol is introduced by Herlihy [Herlihy, 2018] as a distributed coordination protocol in order to exchange assets across multiple blockchains among multiple parties. An atomic cross-chain swap protocol guarantees; (1) if all parties conform to the protocol, then all assets are exchanged among parties, (2)even if some parties or coalitions of parties deviate from the protocol, no party conforming to the protocol suffers a loss, and (3) no coalition has an incentive to deviate from the protocol. Herlihy [Herlihy, 2018] invented this protocol by using hashed timelock contracts.
A cross-chain swap is modeled as a directed graph . Vertex set denotes a set of parties and arc set denotes a set of proposed asset transfers. Herlihy’s protocol uses the graph topology and signature information to set appropriate hashed timelock contracts. The space complexity of the protocol (i.e., the total number of bits written in the blockchains in a swap) is . The local time complexity of the protocol (i.e., the maximum execution time of a contract in a swap to transfer the corresponding asset) is , where is a feedback vertex set computed by the protocol.
We propose a new atomic cross-chain swap protocol which uses only signature information and improves the space complexity to and the local time complexity to .
1 Introduction
1.1 Motivation
The seminal work [2] by Nakamoto Satoshi in 2008 for developing bitcoins has attracted many researchers to the research of blockchains. However, the blockchain has problems in privacy level, increased transaction time and scalability. In order to overcome them, new cryptocurrencies with a wide variety of advantages are developed. There are also blockchains that handle physical rights as well as virtual currency (e.g., ownership of cars, copyrights of songs, proof of circulation and so on) [3]. It is a great advantage of blockchains that it allows us to exchange them in the absence of any trusted third parties.
As trading on blockchains becomes popular, demands for trading across multiple blockchains increase [3]. As a specific example of exchanging assets across multiple blockchains among multiple parties, consider the case that Alice wants to sell the copyrights of her songs for bitcoins. Bob is willing to buy her copyrights with alt-coins. Carol wants to exchange alt-coins for bitcoins. An atomic cross-chain swap protocol is a mechanism by which multiple parties exchange their assets managed by multiple blockchains. It is common that some parties do not know and do not trust each other, thus the protocol must guarantee that no party conforming to the protocol suffers from a loss in their trading. Specifically, this protocol guarantees the following three conditions. (1) if all parties conform to the protocol, then all assets are exchanged among parties, (2) even if some parties or coalitions of parties deviate from the protocol, no party conforming to the protocol suffers a loss, and (3) no coalition has an incentive to deviate from the protocol. The more blockchain users have request to trade as blockchain technology develops in the future, the more important atomic cross-chain swaps are [10, 11, 12, 13, 14, 15, 16, 17].
In many blockchains, assets are transferred from one party to another party by using smart contracts. A smart contract is a program that runs on a blockchain and has its correct execution enforced by the consensus protocol [4, 5]. In this paper, hashed timelock contracts (HTLCs) [6, 7] are used. In HTLC, recipients of a transaction have to acknowledge payment by generating cryptographic proof within a certain timeframe. Otherwise, the transaction does not take place. For example, consider the case Alice wants to send an asset to Bob by using HTLCs in gratitude for taking money from Bob. Alice first generates random secret data , called a secret, and produces hashlock , where is a cryptographic hash function. Next, Alice publishes the contract with hashlock . After that, if Alice takes money form Bob, Alice reveals the secret to Bob. When Bob sends the secret to the contract, the contract irrevocably transfers Alice’s asset to Bob. Alice also sets timelock so that her escrowed asset can be returned if Bob does not give money to Alice within the time.
In this paper, we consider the case that more than two parties exchange their assets, as shown in Figure 1.
In the following, we quote a simple protocol presented by Herlihy [1] for exchanging assets among Alice, Bob, and Carol, as illustrated in Figures 2 and 3.
In that exchanging, Alice sends the copyrights of her songs to Bob, Bob sends alt-coins to Carol and Carol sends bitcoins to Alice. Let be time enough for one party to publish a smart contract on any of the blockchains, or to change the state of a contract, and for the other party to detect the change.
A simple protocol presented by Herlihy [1]
Alice creates a secret , hashlock , and publishes a contract on the music copyright blockchain with hashlock and timelock in the future, to transfer her music copyrights to Bob. 2. 2.
When Bob confirms that Alice’s contract has been published on the copyright blockchain, he publishes a contract on the alt-coin blockchain with the same hashlock but with timelock in the future, to transfer his alt-coins to Carol. 3. 3.
When Carol confirms that Bob’s contract has been published on the alt-coin blockchain, she publishes a contract on the Bitcoin blockchain with the same hashlock , but with timelock in the future, to transfer her bitcoins to Alice. 4. 4.
When Alice confirms that Carol’s contract has been published on the Bitcoin blockchain, she sends the secret to Carol’s contract, acquiring the bitcoins and revealing to Carol. 5. 5.
Carol then sends to Bob’s contract, acquiring the alt-coins and revealing s to Bob. 6. 6.
Bob sends to Alice’s contract, acquiring the copyrights and completing the swap.
Everyone can stop the swap if published contracts are different from predetermined ones. There is no possibility that Alice transfers to Bob the copyrights without acquiring the bitcoins because only Alice initially knows secret . If Carol’s bitcoins have been transferred, this guarantees that she can get and acquire the alt-coins as well because she publishes her contract after confirming publication of Bob’s contract and the timeout specified by the time lock of Bob’s contract is one greater than that of her contract. Bob also acquires the copyrights if his alt-coins have transferred. Even if Alice and Bob conspire to deceive Carol, they can not get the bitcoins without payment for Carol, thus Carol never suffers from a loss. As seen from these facts, every party should publish his contracts only after all the contracts for assets transferred to him are published unless he generates a secret for a swap. We call a party who generates a secret for a swap a leader, and denote the set of leaders by . From the above discussion, must be a feedback vertex set. This simple protocol works if and only if we have exactly one leader such that is a feedback set.
Generally, a cross-chain swap is modeled as a directed graph . Vertex set denotes a set of parties and arc set denotes a set of proposed asset transfers. When there are multiple cycles, this simple protocol does not work. For example, there are three parties and all want to exchange each other in the swap, as illustrated in Figure 4.
The leader can publish his two contracts without anxiety about a result of the swap. However, each of other two parties cannot publish his contracts until he confirms the other publishes a contract to him. Therefore, at least one leader is necessary on each cycle of a swap graph. Moreover, if there are multiple cycles, it is not possible to assign consistent timeouts across cycles in a way that guarantees a gap of at least between contracts for giving assets and those for taking assets. That is, it is not easy to realize a mechanism such that each leader reveals its secret with confidence when there are multiple leaders.
To circumvent the problem, Herlihy [1] sets complicated conditions for each smart contract to design an atomic cross-chain swap protocol. In the Herlihy’s protocol, each leader creates a secret and one hashlock for each of the secrets is set in each contract in order to publish contracts safely. Each leader sends his own secret with his signature to the contracts corresponding the asset which he wants to get. The party who published the contract looks at it and gets the secret with the leader’s signature. Parties unlocks the hashlock created by the leader by sending all secrets with the signature and his own signature. Each hashlock has its timelock, which depends on length of the path along which the secret is transferred from the leader generating the secret. The sequence of signatures of parties indicates the path. It is necessary to check whether the path actually exists in a given swap. Therefore, topology information of a swap graph is stored in every contract, which requires bits. A contract is triggered when all secrets of each leader are sent into its timelock to the contract and the network nodes of the blockchain of the corresponding contract verify that these paths exist.
1.2 Our contributions
Let be a given directed graph that represents a cross-chain swap to general graphs. We propose an atomic cross-chain swap protocol, which improves the space complexity (bits stored on all blockchains) of Herlihy’s protocol [1] from to , and the local time complexity (the maximum execution time of a contract in a swap to transfer the corresponding asset) from to . The protocol dose not store the swap topology in a contract. Instead, it simply assigns each contract the timelock depending on the number of signatures of parties. Specifically, we set the timelock of a contract as follows: the contract is triggered if and only if the contract is given signatures of distinct parties in a swap before time for some where is the time instance we will explain later (the starting time of the execution plus alpha). Suppose that an asset of party is transferred to another party by executing a contract. This means that the signature of parties are published in the corresponding blockchain before time . Then, party can trigger all the contracts that transfer an asset to because can obtain the signature of parties from that blockchain and can give those contracts signatures by adding its own signature before time . As a result, it is not necessary to store the topology information of a swap in any contract, thus the space complexity is improved.
Let local time complexity be how long a contract takes to be triggered from executing a first action for triggering, which is sending a secret to the contract from a party at first. The local time complexity is much smaller than the execution time of the protocol. However, it is worthwhile to mention that each contract is executed by all network nodes that host the copies of the ledger of the corresponding blockchain. Therefore, the local time complexity is an index independent of the execution time and reducing local time complexity of a smart contract is of practical importance. In Herlihy’s protocol, a contract must verify at most signatures for the hashlock of each leader. Thus, we need time to trigger one contract. On the other hand, in the proposed protocol, we only need to verify secrets and at most signatures. That is why the proposed protocol improves local time complexity from to . We summarize our contribution to Table 1.
2 Model
2.1 Graph Model
is a directed graph, where is a finite set of vertexes, and is a finite set of ordered pairs of distinct vertexes called arcs. The number of vertexes is denoted by . An arc has tail and head . An arc leaves its tail and enters its head. Therefore, an arc is leaving arc from and entering arc to . A digraph is a subdigraph of if , .
A path in is a sequence of vertexes with for every , where we define as the length of the path. The distance from vertex to vertex is the length of the shortest path from to in . ’s diameter is the largest distance between two vertexes in . A vertex is reachable from vertex if there is a path from to . Directed graph is strongly connected if every vertex is reachable from any other vertex in . A path with is a cycle if . A feedback vertex set of is a set of vertexes whose removal makes a graph acyclic. By definition, any feedback vertex set contains at least one vertex in any cycle in .
2.2 Blockchain and Smart Contract Model
A blockchain is a distributed ledger that can record transactions between parties in a verifiable and permanent way. We do not assume any specific blockchain algorithm. We only assume that every blockchain used in a cross-chain swap supports smart contracts. An owner of an asset can transfer ownership of the asset to a counterparty by creating a smart contract. The owner specifies conditions in the contract to transfer the asset. A counterparty can get ownership of the asset when the conditions are satisfied. We say that a contract is published when the owner of the corresponding asset releases the contract on a blockchain. A contract is triggered when all conditions of the contract are satisfied and the ownership of the asset on the contract is transferred to the counterparty. The owner of an asset can also specify conditions to get back the asset on a smart contract. If the conditions are satisfied before the contract is triggered, the asset is returned to the owner. Thereafter, the asset is never transferred to the counterparty by this contract. Typically, the owner can specify the condition to get back the asset in the form of timeout condition. The owner can regain the asset anytime after the specified time in a contract. Smart contracts are immutable, which means smart contracts can never be changed and no one can tamper with or break the contract. We assume that every operation on any blockchain can be completed within a known amount of time . In particular, every party can publish a contract within unit time and every party can trigger a contract within unit time (if he has all information to satisfy all conditions of the contract). Blockchains require each party to create the public key and the private key for transactions. A signature is the the signature on data signed with . Every party can verify the signature with the public key .
2.3 Swap model
Parties are given a digraph , where each vertex in represents a party, and each arc represents an asset on a blockchain to be transferred from party to party . When ownership of an asset on an arc transfers from to , we say the asset transfer happens, or the arc is triggered.
We denote the corresponding asset for arc as . The value of each asset may vary from one party to another; for example, may find a higher value on the asset than . Otherwise, that is, if all the parties see the same value about an asset, exchanging their assets following is meaningless (no one can gain unless someone loses.). The value of for (resp. ) is denoted by (resp. ). We define as the sum of the values for of all entering arcs to in , i.e., . We also define as the sum of the values for of all leaving arcs from in .
We assume that meets the following condition because otherwise party should not participate in a swap .
Moreover, we assume that there exists no connected subgraph of such that
[TABLE]
Inequality (1) means that one coalition in gets more benefits in than , and (2) means that any party in gets equal to or more benefits in than . If swap has such a subgraph , we can say that forces to perform disadvantage exchanges because gets larger benefits in swap . Therefore, is not an appropriate swap. This is the reason why we exclude such a swap. As we will explain in Section 5, this assumption is weaker than the assumption that Herlihy [1] makes to guarantee that no party and coalition can get more benefits by deviating from the protocol than following the protocol. Even without this assumption, the proposed protocol is an atomic cross-chain swap protocol under another specific assumption about value function which Herlihy’s protocol requires. We discuss that in the Section 5.
A protocol is a strategy for a party, that is, a set of rules that determines which action the party takes. Ideally, all parties in a swap follows the common protocol . However, we must consider the case that some party does not follow (i.e, deviates from) the common protocol to get larger benefits. To make the matter worse, those parties may make a coalition and take actions cooperatively to get larger benefits in total (some party in the coalition willingly loses aiming at larger total benefits of the coalition) . We must design a protocol such that any party following the protocol does not suffer from a loss even if such selfish parties or coalitions exist. We assume that every party in a swap can send any message to any party in the swap. Space complexity of a protocol is measured by the total number of bits required store information on all blockchains in a swap. Local time complexity of a protocol is measured by the maximum execution time of a contract in a swap to transfer the corresponding asset.
Definition 1**.**
A swap protocol is uniform if it guarantees the followings:
- •
If all parties follow , all arcs in are triggered.
- •
Even if there are parties arbitrarily deviating from , every party following gets all assets of entering arcs to or regains all assets of leaving arcs from .
Definition 2**.**
A swap protocol is Nash equilibrium if no party can get more benefits by deviating from than following unless he joins a coalition.
Definition 3**.**
A swap protocol is strong Nash equilibrium if it guarantees that no party and coalition can get more benefits by deviating from than following .
Definition 4**.**
A swap protocol is atomic if it guarantees to be uniform and strong Nash equilibrium.
3 Proposed protocol
3.1 Outline of proposed protocol
The proposed protocol consists of four phases. In Phase 1, every party finds a common feedback vertex set of locally by using the same algorithm. Although finding a minimum feedback vertex set is NP-hard [8], we do not need the minimum set, thus we can use any approximate solution. For example, there exists an algorithm to find a 2-approximate solution [9]. The parties belonging to the vertex set are called leaders. We call the other parties followers. In this phase, every leader generates a secret which is a random bit string and calculates a hashlock based on the secret. In Phase 2, a smart contract corresponding to each arc of is published. Each leader spontaneously publishes contracts for all his leaving arcs. Each follower publishes contracts for all his leaving arcs after confirming that the contracts for all his entering arcs are already published. In Phase 3, each of the leaders sends its secret to after confirming that the contracts for all its entering arcs have been published. The leader starts Phase 4 after confirms that the contracts for all the entering arcs to have been published and all secret have been sent from each other leaders. In Phase 4, each arc of is sequentially triggered, which starts from leader .
As described in Section 3.2, we design the contracts in Phase 2 so as to guarantee the following three properties. (i) For any arc, no party can trigger the corresponding contract without knowing the secrets of all leaders. (ii) For any party , if a contract on leaving arc from is triggered, can trigger the contracts published on all entering arcs to . (iii) For any arc , party can regain if the contract on are not triggered during a certain period after it was published. If a leader follows the proposed protocol, sends its secret to the leader after confirming that the contracts on all entering arcs have been published. Therefore, from Property (i) and (ii), it is guaranteed that no leaving arc from is triggered unless all entering arcs to are triggered. Moreover, from property (iii), after a certain period of time, gets assets of all entering arcs to , or regains assets of all leaving arcs from . If a follower follows the proposed protocol, publishes the contracts for all leaving arcs after confirming that the contracts for all entering arcs have been published. Therefore, according to the same argument, after a certain period of time, gets assets of all entering arcs to , or regains assets of all leaving arcs from .
In the following, we describe the trigger condition and regain condition of the smart contract in Section 3.2, and the detailed operation in Phases 1, 2, 3 and 4 in Sections 3.3, 3.4, 3.5 and 3.6, respectively. We describe codes for a smart contract, and the behaviors of the the leader , the other leaders and followers in Algorithm 1, 2, 3, 4. We distinguish entering arcs to each party by locally labeling those with where is the number of the entering arcs. We also label leaving arcs from each party with where is the number of the leaving arcs. In the codes, we abbreviate Smart Contract to SC.
3.2 The conditions of smart contracts
In this subsection, we specify what each party writes in a contract. In a contract, its publisher specifies the conditions for transferring and regaining the asset. Each leader makes hashlock with random secret data , called a secret, where is a cryptographic hash function common to all parties. In any blockchain, as mentioned in Section 2.2, time is enough to publish and trigger a contract. The condition of the contract on arc to transfer asset is as follows: Asset is transferred to counterparty if sends the secrets of all leaders and signatures 111 on k-tuple by arbitrary parties to the contract before time , where is the starting time of the protocol. That is, the more a party collects the signatures of the parties, the later he can trigger the contracts on his entering arcs. Let be the time required to complete each of Phases 1 and 3. We set the deadline of the smart contract to time , so that the publisher can regain his asset on the contract if the corresponding contract is not triggered before that time.
3.3 Phase 1 : Preparation
Every party takes as input. At first, he chooses leaders such that the leaders form a feedback vertex set of . Since all parties are given the same swap as input, they can independently find the same leaders without communication. We call the top leader and the other leaders sub-leaders.
Next, each leader generates a sequence of random bits called a secret and computes hashlock , after which it sends only the hashlock to all parties. Finally, all parties send their public keys for verifying their signatures. We assume that all of these can be done in time .
3.4 Phase 2 : Publication
Every leader spontaneously publishes contracts for all their leaving arcs with the conditions described in Section 3.2.
When a follower finds that the contracts on all his entering arcs are already published, he checks whether the contents of the contracts are consistent with the conditions of Section 3.2. Especially, he checks whether the public keys of all the parties and the hashlocks of all leaders that he receives in Phase 1 match the public keys of all parties and the hashlocks of all leaders specified in the contracts on entering arcs. He quits the swap without publishing any contract if those public keys or hashlocks do not match. Thus, even if the party deviating from may send a fake hashlock or a public key to the other parties in Phase 1, no other party following suffers from a loss. If all the published contracts are consistent, he publishes contracts for all his leaving arcs. As will be described later, each party reveals the signature on with ’s secret key only when triggers all entering arcs. Therefore, all entering arcs of can be triggered if any leaving arc of is triggered. Hence, no follower suffers from a loss, that is, every follower gets assets of all his entering arcs or regains assets of all his leaving arcs.
As described in Section 4, Phase 2 can be completed within at most time.
3.5 Phase 3 : Share secrets
Every sub-leader reveals his secret to the top-leader if the contracts are published on all his entering arcs. This is to ensure that the top-leader can trigger contracts at first in Phase 4.
The top-leader confirms whether or not the secrets acquired from the sub-leaders are correct using hashlocks shared at Phase 1. If the top-leader finds an incorrect secret, it quits the swap without going to Phase 4.
We assume that Phase 3 can be done in time .
3.6 Phase 4 : Trigger
The top-leader starts Phase 4 if he acquires the secrets of all the sub-leaders within time which is enough to complete Phases 1, 2 and 3. This is because the top-leader only need to send secrets of all leaders and its signature within the time to all his entering arcs in order to get the assets of all his entering arcs. The top-leader sends these secrets and his signature to all his entering arcs, by which he triggers the contracts and acquires all assets of the entering arcs.
If the top-leader deviates from , he may not trigger some (or all) contracts that transfer assets to the top leader. However, those actions are irrational. We explain the reason in Lemma 8, (Section 4).
Next, we describe the behavior of the sub-leaders and followers in Phase 4. Each party of them waits until any of his leaving arcs is triggered. Consider that one of his leaving arcs is triggered with the information of the secrets and the signature of distinct parties on k-tuple (). By definition of contracts, the leaving arc must be triggered before . Then, party acquires from the contract the secrets and those signatures within time . He immediately sends and the signatures in addition to his signature (thus signatures in total) to all entering arcs. As a result, sends all necessary information to the contracts on all his entering arcs before time , which guarantees that all his entering arcs are triggered. We describe these in Figure 5.
Every party regains the asset of each of leaving arcs if it is not triggered by the deadline (specified by the timeout) .
4 Correctness and Complexity of Protocol
We prove that proposed protocol is atomic (i.e., uniform and strong Nash equilibrium). First, we prove that is uniform.
Lemma 1**.**
Assume that top-leader follows . If any leaving arc of is triggered, all of entering arcs to are triggered.
Proof.
Assume by contradiction that there is an execution of such that a leaving arc of the top-leader is triggered and an entering arc is not triggered. After is triggered, immediately obtains secrets of all leaders, which is before the time . Thus, sends all the secrets and its own signature to the contract on before the time , which means that triggers in the execution. This contradicts the assumption. ∎
Lemma 2**.**
Assume that sub-leader follows . If any leaving arc of is triggered, all of entering arcs to are triggered.
Proof.
Assume for contradiction that there is an execution of such that a leaving arc of sub-leader is triggered but an entering arc is not triggered. All secrets and the signature of parties are revealed in the contract of by time . By the assumption, those signatures do not include the signature of because reveals its signature only when it triggers the contracts of all entering arcs. The contract on requires the secret of all leaders and does not reveal its secret until the contracts of all its entering arcs are published. Therefore, the contracts of all entering arcs of are published before time . From the above, sends the secrets and the signatures in addition to its signature on to the contract on by time . This implies that edge is triggered in the execution. This is a contradiction. ∎
Lemma 3**.**
Assume that follower follows . If any leaving arc of is triggered, all of entering arcs to are triggered.
Proof.
Follower publishes a contract for a leaving arc from only after the contracts of all entering arcs to are published. Therefore, all entering arcs to are already published when any leaving arc from is triggered. We can prove the lemma in the same way as the proof of Lemma 2. ∎
Lemma 4**.**
Assume that party follows . If any leaving arc of is triggered, all of entering arcs to are triggered.
Proof.
The lemma immediately follows from Lemmas 1, 2, and 3 ∎
Lemma 5**.**
Let SC be the smart contract published on any leaving arc from party that follows . It happens before time that contract SC is triggered or the asset of SC is regained by .
Proof.
If a leaving arc from is not triggered before time , party calls the timeout function of the contract on the arc within at most unit time after the deadline . ∎
Lemma 6**.**
If every party follows , all arcs are triggered within the time .
Proof.
If all parties follow , each leader immediately publishes contracts for all leaving arcs from after the start of Phase 2, and each follower publishes contracts for all leaving arcs from immediately after the contracts for all entering arcs to are published. Since the time required to publish each contract is at most , we can see that all parties complete Phase 2 in time. Therefore, since the upper bound of the time is required for the local computation and the message transmission of Phases 1 and 3, Phase 3 is completed by time . Thus, top-leader will immediately begin Phase 4.
After Phase 4 has started, the leader immediately triggers the contracts of all entering arcs to . Each party other than immediately triggers the contracts of all entering arcs to , once a contract on any leaving arc from has been triggered. The signature on () by is never used to trigger the contract on the arc which is triggered for the first time among all leaving arcs from . Therefore, triggers all entering arcs to by using the signatures used to trigger the leaving arc and his own signatures. Since the time required to trigger each contract is at most , we can show, by the induction on distance from top-leader , that the time required to trigger the contracts on all arcs in a given swap in Phase 4 is at most . Summing up these time for Phases 1 to 4, we can show that all arcs are triggered by time . ∎
Lemma 7**.**
Protocol is uniform.
Proof.
The lemma immediately follows from Lemmas 4, 5, and 6 ∎
Lemma 8**.**
Protocol is strong Nash equilibrium.
Proof.
Assume by contradiction that, in an execution of , a coalition formed from some parties gets more profits by deviating from protocol when the other parties follow . That is, for , the profits gained by is bigger than that gets with , where is the subgraph of induced by all arcs triggered in the execution. In other words, the following inequality holds:
Every party in triggers all his entering arcs by Lemma 4. Therefore, all entering arcs to in are included in . Therefore, the following inequality holds for every party .
However, these condition contradicts the assumption on a swap introduced in Section 2.3.
∎
Theorem 1**.**
Protocol is an atomic cross-chain swaps protocol. If every party follows , the swap can be completed in time . Even if any set of parties deviates from , the swap finishes in at most time . Protocol requires space complexity (the total number of bits on all the blockchains) of . Protocol requires local time complexity (the maximum execution time of a contract in a swap to transfer the corresponding asset) of .
Proof.
Protocol is atomic by Lemmas 7 and 8. The execution time of follows from Lemmas 5 and 6. Space complexity of is because each arc has one contract and each contract requires public keys of parties and hashlocks of leaders. Local time complexity of is because we only need to verify secrets and at most signatures. ∎
5 Discussion
We made two assumptions, in Section 2.3, on the value function specifying the values of assets to parties. Remind that, we assume that for any subgraph of , no coalition in gets more benefits in than when every other party in gets benefits in no less than in .
The first alternative is to replace coalition in the above assumption with just a party . That is, we assume that for any subgraph of , no party in gets more benefits in than when every other party in gets benefits in no less than in . Under this assumption, the proposed protocol is not strong Nash equilibrium but is Nash equilibrium, which can be proved in the same way as Lemma 4.8.
The second alternative is the assumption that Herlihy made for his protocol [1]. Specifically, He classifies the parties into four groups as follows, based on the status of the arcs entering and leaving in the end of an execution of a swap algorithm.
DEAL
: All arcs entering and leaving are triggered.
NO_DEAL
: No arc entering or leaving is triggered.
FRRE_RIDE
: Some arc entering is triggered, but no arc leaving is triggered.
DISCOUNT
: All arcs entering are triggered, but some arc leaving is not triggered.
UNDER_WATER
: Some arcs entering is triggered and some arc leaving is not triggered.
He assumes that no party accepts to be UNDER_WATER, more generally, every coalition tries to avoid the case that any member of the coalition becomes UNDER_WATER, with the highest priority. He also assumes that every party prefer DEAL to NO_DEAL and some parties or coalitions may deviate from the swap protocol because they prefer FREE_RIDE and DISCOUNT to DEAL. Our model has a sufficient power to represent this assumption. It suffices to define the benefit of in as where the exception value is defined as follows: if there exist arc and arc , otherwise . If a party (or some party of a coalition) ends up with UNDER_WATER, then the benefit of the party (or the coalition) is , thus they try to avoid the situation with the highest priority. The situation ending up with FREE_RIDE or DISCOUNT brings a party or a coalition a larger benefit than DEAL.
In what follows, we show that our protocol is strong Nash equilibrium under the second assumption, equivalent to the Herlihy’s assumption[1]. Assume by contradiction that, in an execution of , some coalition gets more benefits by deviating from protocol than by conforming to . Let be the subgraph of induced by the set of the arcs triggered in the execution. Since we introduce the exception value, every party in must trigger all his entering arcs in if one of his leaving arc in is triggered. Since is strongly connected, if there exists an arc , there exists an arc , thus all entering arcs to are included in . Therefore, every entering arc of every party in is included in , which implies . This contradicts the assumption that gets more benefits in than in .
6 Conclusions
In this paper, we proposed an atomic cross-chain protocol to improve space complexity and local time complexity. Herlihy’s protocol [1] requires to store the swap topology in each contract and set timelocks to each secret by using the topology. The proposed protocol need not store the swap topology in any contract. Instead, we set the time condition to trigger a contract depending on the number of signatures sent to the contract. Therefore, every party can immediately trigger the contracts of all entering arcs to , once a contract on some leaving arc from is triggered. This is because the signature of is not included in the signatures used to trigger the leaving contract.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] M. Herlihy. Atomic cross-chain swaps. Proceedings of the 2018 ACM Symposium on Principles of Distributed Computing. ACM, 2018..
- 2[2] S. Nakamoto. Bitcoin: A peer-to-peer electronic cash system. 2008.
- 3[3] S. Underwood. Blockchain beyond bitcoin. Communications of the ACM 59.11 (2016): 15-17.
- 4[4] N. Szabo. The idea of smart contracts.http://szabo.best.vwh.net/smart contracts idea.html, 1997.
- 5[5] L. Luu, D. H. Chu, H. Olickel, P. Saxena, A. Hobor. Making smart contracts smarter. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016., October 24 - 28, 2016.
- 6[6] S. Bowe and D. Hopwood. Hashed time-locked contract transactions. https://github.com/bitcoin/bips/blob/master/bip-0199.mediawiki. As of 9 January 2018.
- 7[7] Bit Coin Wiki. Hashed timelock contracts Timelock Contracts, October 2018.
- 8[8] R. M. Karp. Reducibility among combinatorial problems. In Proceedings of a symposium on the Complexity of Computer Computations, held March 20-22, 1972, at the IBM omas J. Watson Research Center, Yorktown Heights, New York.,pages 85-103, 1972.
