Watchtowers Are Coming to Lightning
“The Eye of Sauron casts its gaze upon the Lightning Network.”
This is how Lightning Labs CTO Olaoluwa Osuntokun (aka, roasbeef) has heralded the coming of Watchtowers to the Lightning Network. Though comparing the technical feature to the demonic gaze of Tolkien’s primary antagonist sounds disconcerting, the analogy holds up on the surface: Watchtowers, as the name implies, will keep an eye on Lightning Network channels and potential bad actors.
Why the need for them? Well, if you’re using a custodial Lightning wallet, there isn’t one. But if you’re running your own channels with your own node, then there’s the slim but conceivable chance that the party on the other side of your channel could cheat you when the channel is closing.
For instance, say Molly has a channel with Angela and they each deposit 10,000 sats into it, for a total of 20,000 sats. During the channel’s lifetime, Angela pays Molly 5,000 sats, bringing the total to 15,000 sats for Molly and 5,000 for Angela.
But suddenly, for whatever reason, Molly is unable to access her Lightning wallet (maybe her node is offline, her computer has a malfunction or she’s on vacation), so Angela decides to be a bit mischievous — when it comes time to broadcast the final state of the channel to the blockchain, she decides to broadcast the first state of the channel (the original 10,000 sat balances that they both deposited) to cheat Molly out of what she was paid.
Since Molly is on a remote island in the Gulf of Mexico and not at her computer, she can’t check Angela’s bad behavior and verify the actual state of the channel, so she loses 5,000 sats.
Not the end of the world but still a bummer.
A Check on Bad Behavior
Watchtowers effectively neutralize this threat by monitoring payment channels and the blockchain to make sure acts of fraud don’t slip through unnoticed. They work like this:
Every time a channel’s state is updated, the payment produces an encrypted “blob” for each channel user, which is basically a secret signature that corresponds to the user’s public key, and sends it to the watchtower. At the same time, the watchtower receives half of the transaction ID of the channel’s previous state, and this acts as a decryption key for the blob. The watchtower stores all of these blobs and decryption keys within its database, so if an impish actor tries to broadcast an older state to the mempool, the watchtower will see that the transaction ID matches up with the other transaction ID half it holds. Now that it has both halves of this transaction ID, the watchtower can decrypt the corresponding blob and punish the bad actor by sending the funds to the honest channel user’s wallet.
All of this can be done without the watchtower knowing who the channel users are and how much is being transacted in the channel beforehand (obviously, once the transaction is broadcasted on-chain, the public key and the fund amount is revealed).
“They don’t know anything about a client’s payment history; instead, the client sends them an encrypted blob that can only be decrypted if a breach actually happens,” Osuntokun told Bitcoin Magazine.
Technical innovators have floated the concept for a while, but Lightning Labs’ Lightning Network Daemon (LND) implementation of the technology is the first production-ready iteration available, though Osuntokun said that it is still very much in its infancy.
“It can be used on mainnet as is today, but it’s still at an early phase. We’ve been running the set of changes on our nodes for a few months now, but only until this week did we put out the public pull request,” he told Bitcoin Magazine.
In the initial rollout, the default version features so-called “altruistic” watchtowers, meaning that they operate without promise of payment for their services. Osuntokun said that it also features an operational “basic reward watchtower,” which would allow the watchtower to charge a fee if it acts on a breach, but this has to be activated manually.
The service, Osuntokun continued, is opt-in for both clients and the watchtower operators themselves, and clients have to manually search for towers if they want to make use of them. In the future, the team plans to implement an “automatic discovery system” to streamline this process.
While the initial version will rely on the good graces of watchers to keep users honest, free of charge, Lightning Labs has a three-stage plan for letting watchers monetize their service. The first is the altruistic phase, followed by a reward system, which will be variable depending on market factors like how much watchtowers charge and how much clients are willing to pay. Lastly, Lightning Labs is devising an e-cash token that lets users pay for space for a series of uploads which can be exchanged for bitcoin through the Lightning Network.
“When it is integrated, it will probably resemble a Chaumian scheme where you pay via Lightning to acquire blinded tokens redeemable at the tower,” Conner Fromknecht, head of cryptographic engineering at Lightning Labs, told Bitcoin Magazine.
This token scheme, continued, also has some nifty uses for whitelisting participants while maintaining privacy. If a watchtower operator only wanted to serve their friends, for instance, they could “authenticate users up front but from then on it wouldn’t be able to pinpoint which users are renewing or backing up to the tower” because the tokens are “blinded” and payments can’t be traced to a particular user.
Osuntokun said that the primary cost for running a watchtower is storage, though the 1 TB hard drives users would need to run a Lightning node are fairly cheap at $40 and the blobs watchtowers need to store are “only a few hundred bytes.” Now, depending on how many channels a watchtower decides to monitor, this data burden becomes heavier; one channel obviously requires less space than 100 or 1,000 channels would.
Storage space is also a bit of a trade-off, Osuntokun continued, one that sacrifices storage for privacy since “the tower doesn’t know which channel it’s watching, so it ends up using more storage space.” Another tricky piece of building the technology, he said, is finalizing the automatic discovery protocol for finding towers and devising the e-cash token so towers can be paid for each state update. Right now, they can only be paid if they catch a user cheating.
Another hurdle is hash time locked contracts (HTLC), Fromknecht expressed. For the first release, only manually closed channels can be monitored for the sake of privacy and efficiency. Lightning Labs plans to add support for HTLC monitoring in the future, though, which will “prevent an attacker from claiming them after the relative timelock elapses,” Fromknecht said.
Still, even with this room for improvement, the implementation is a big step toward making Lightning safer and trustless.
“With what’s implemented in the to-be-merged pull request, any routing node, application or business on the network can start to run their own private tower to back up their public node. This can be a standalone instance or a more advanced deployment on dedicated hardware,” Osuntokun said.
So the best-case scenario with this technology, actually, is that every user has their own Eye of Sauron watching over their Lightning channels in the future — and that’s actually a very good thing.