What do you get when you put one of the greatest researchers in the bitcoin privacy space and a “Rothbardian Crypto Anarchist” together in a podcast? “A golden conversation worth listening to”. And that’s probably the best way to describe episode 7 of Join the Wasabikas podcast on the “Privacy Guarantees of the Lightning Network”.
The conversation focused on developing the next generation of a more privacy-focused Lightning network with Istvan Seres, a researcher based in Budapest working on Wasabi as well as completing very groundbreaking research and education in the privacy aspects of the Bitcoin Lightning Network.
Here are a few things we learned from this podcast :
What is the Lightning Network
"Lightning is the one and only scalable solution for Bitcoin, which is non-custodial. So this is a super important property. So we want to scale Bitcoin in a non-custodial way, but also even maybe even more importantly at the end of the day, we want to preserve privacy. So, lightning is a layer on top of Bitcoin, which presumably provides both of these properties. So scalability and privacy and security." ~ István Seres
Types of transactions on the bitcoin blockchain
"Lightning is a layer on top of Bitcoin. So, whenever we talk about privacy, obviously we need to see these two layers simultaneously because it just doesn't make sense. I mean, an adversary will be present on both layers, for sure. So, you can think of your favorite three-letter agency: KGB, NSA, whatever.
So, obviously lightning requires two on-chain transactions. First, you need to open a payment channel with your peer or peers. That's an opening channel transaction that happens on-chain. It has an on-chain footprint that costs an on chain transaction.
Once the payment channel is open, then you can send transactions back and forth between you and your peer. If this channel is depleted or your business relationship is over, then you can say, “Okay, I had enough ice cream, I had enough pizza, I want to close this payment channel.
Also this channel closing transaction goes to the Bitcoin main net. You can have as many transactions as you want, but still, two transactions will be visible on the Bitcoin main net. But even so, whenever we talk about privacy, I cannot stress enough that we need to consider an adversary that is present on both layers. The adversary will surely do some transaction graph analysis in the first place to assess and see where the channel was opened and closed, as well as how it was closed. And then, the adversary is surely present also on lightning. That's the reason why this argumentation is completely flawed, that we move off-chain so the transactions are not visible on the public ledger, on the blockchain, thus we are fine.
This is not the case because this is a permissionless financial network. Obviously, anyone can just fire up a lightning node and just listen to what's going on, and record everything that they hear on the gossip layer, on the public channel layer. "~ István Seres
Potential attackers we should defend against
"In the on-chain case, usually we consider an ‘adversary’ who has access to the distributed ledger, to the blockchain, so obviously sees every transaction, in addition, in a more evolved case, we also assume that the adversary can hear what's going on on the network layer. Thus, you can imagine that it's already pretty devastating if the adversary can link, if you don't use. For example, Tor, then they can link your IP address with the Bitcoin transaction you just broadcasted.
This is the on-chain adversarial model so, the adversary hears everything on the network layer and also sees the public ledger. In the lightning case, we assume that the adversary is inside the network. Meaning, the adversary who wants to deanonymize us has many open payment channels with many other nodes in the network. It's well embedded into the lightning graph and has many payment channels open with many other peers. Most likely whenever you want to route a payment, so Alice wants to route a payment to Bob then they will route it through Cecil, Dave, Eve, Frederic and so on. We can assume that some of these intermediaries are controlled by the adversary so the adversary will log that I needed to route some payments here and there.
That's the model. Lightning Network if we think of an adversary then we think that the adversary has many open payment channels with other peers and they log every public information. The most important is that the adversary can have open payment channels with lots of nodes and has a lot of capacity." ~István Seres
The goal of the Lightning Network
"One of the papers which recently came out and was presented in the Financial Cryptography Conference 2021 one or two weeks ago. It's work by George Kappos, Ania Piotrowska and others from UCL and Cornell and they identify basically four main privacy guarantees we want to achieve in the lightning network. First obviously, if you have a private channel, then in lightning, you can have public channels and private channels. So to exemplify, if Alice and Bob open a public channel, then it's fine because all the networks can use this channel for routing payments. But if they decide not to disclose the details of this payment channel, then this is classified as a private channel and then no one else should be able to use this payment channel for routing unless they know the existence of this private payment channel. Some people say that approximately even 30% of the channels on the lightning network currently are private channels.
Therefore, the first privacy guarantee we want is that, if we have a private channel between Alice and Bob, then Alison, Bob wants this private channel to be secret. So, not even the existence of this private channel should be known to anyone.
The second privacy guarantee we want is third party balance secrecy.
In the lightning network, each payment channel’s capacity is public knowledge. Hence, we cannot hide that. If there's a payment channel between Alice and Bob, then the capacity of it is known. The capacity of the payment channel is basically the sum of the individual balances of Alice and Bob, of the two parties corresponding to the payment channel and obviously, this information is known to Alice and Bob. But this privacy requirement dictates or this is at least our desire, that we want the individual balances themselves to be hidden. In short, Alice and Bob know their individual balances in the payment channel, but we want this information to be hidden from other parties.
The third Privacy property we achieve on the lightning network is on path relationship anonymity. Suppose Alice sends some payment to Bob and they route this payment through many intermediary nodes like Carol, Dave, Eve, Fred, whatever. What we want is, for example, if we just pick a random intermediary, Dave, then Dave should not be able to tell who is the sender and the receiver of this payment, right? That would be pretty devastating. With that, Dave should not be able to tell whether Carol is the sender of this transaction or Alice or one of Carol's neighbors and similarly, also Dave should not be able to tell whether Eve is the recipient of the payment or Bob.
Lightning uses onion routing. Every routing node only knows the predecessor and the subsequent nodes where they need to route the payment to. Obviously if there's one hop then we cannot really do anything because then it's already obvious who is the sender and that receiver. But also the length of the payment path is unknown to intermediaries. Even if the payment has just one hop the payment router cannot know whether the payment has one or two or three hops, whether he or she the only routing. This is on, on path relationship anonymity.
And the fourth and the last one, according to this paper, is off-path payment privacy. For instance, let's say I am an observer. I have many payment channels to my friends, and I should not be able to tell what’s going on along payments that do not involve me as an intermediary. If Alice sends a payment to Bob okay, there are some intermediaries, Carol, Dave and all, all these nice guys. But still, I should not be able to tell how much money went through along those payment routes, or even just the existence that the payment occurred along some routes. Again, these are the four privacy guarantees according to this paper so hiding private channels, second, third party balance secrecy, third anonymity, fourth payments, privacy."~István Seres
Of course, the guys delved deeper into this topic and discussed each of these aspects in tandem, but you’d have to listen to the entire podcast to learn more about the lightning network. Don’t just take my word for it.
Listen to the full episode here: