Paying Yourself? Self-Payments Could Be a Key to Lightning Privacy
The Lightning Network is finest identified for its quick and low cost funds. But the Layer 2 protocol might additionally supply extra privateness than on-chain funds, since transactions aren’t printed on Bitcoin’s blockchain, blockchain evaluation is essentially unattainable.
The Lightning Network does current its personal privateness dangers, nevertheless. Payments are routed over a community of customers, and nothing stops spies from collaborating on this strategy of forwarding transactions whereas monitoring the move of funds. On the Lightning Network, blockchain evaluation might be substituted for community evaluation.
There are some options to restrict these dangers, like Tor-style onion routing. These assist, however, relying on community topology and kinds of funds, weaknesses can stay. The Bitcoin and Lightning developer going by the pseudonym ZmnSCPxj has, in latest weeks, printed intensive evaluation of persisting dangers on the Lightning-dev mailing listing (1, 2, three).
Based on his evaluation, ZmnSCPxj additionally supplied a answer. Similar to Payswap — his proposal for on-chain privateness, lined by Bitcoin Magazine two weeks in the past — the developer thinks that “self-payments” might be an necessary a part of the privateness puzzle.
In a earlier article, we mentioned Payswap, a proposal by ZmnSCPxj to enhance on-chain privateness by seemingly inverting the relation between payer and payee. ZmnSCPxj really initially got here up with this concept within the context of the Lightning Network. In truth, it will most likely be of even higher use on the Lightning Network: Some of the trade-offs embedded within the on-chain various don’t apply on the Layer 2 protocol.
In brief, for the Lightning model of Payswap, the self-payment is a part of the identical cost route.
To clarify how this works, let’s have a look at a particularly simplified model of a Lightning Network. A(lice) has cost channels with B(ob) and C(arol). Bob has channels with Alice and D(ave). Carol has channels with Alice and Dave. And Dave has channels with Bob and Carol.
A — — B
C — — D
If Alice desires to pay Dave three bitcoin, she’d usually route the cost by both Bob or Carol. Bob or Carol would cost a small payment for the service, however for simplicity, we’re going to ignore charges on this instance. However, the truth that, in actuality, charges are paid shall be related a few paragraphs down, so hold that in thoughts.
For now, we’ll say that Alice opts for Bob’s route to make the cost. She sends three cash to Bob, and Bob goes on to ahead three cash to Dave. The cost is a success.
But sadly, on this instance, it will be simple for Bob to accurately assume that Alice paid Dave three cash. He is aware of the quantity as a result of he forwarded it, whereas if Alice needed to pay Carol, or Carol needed to pay Dave, they might have carried out so instantly, with out relying on Bob as an middleman. If Bob is a spy monitoring community visitors, his right assumption harms each Alice and Dave’s privateness.
ZmnSCPxj, due to this fact, proposes another. Alice might route the cost all the best way again to herself … a “self-payment,” with Dave taking a very huge “fee.” The payment would surely be the actual cost.
To pay Dave like earlier than, Alice would, for instance, route 5 cash this time. First, she’d ship the 5 cash to Bob, who would ahead the 5 cash to Dave. Then — that is the trick — Dave would go on to ahead the cost, to Carol … however he solely forwards 2 cash! Lastly, Carol would ahead the two cash again to Alice. In the top, Alice is three cash poorer, and Dave is three cash richer. Hence, Alice paid Dave three cash.
This self-payment would mislead each Bob and Carol. Bob forwarded 5 cash and should logically however wrongly assume that Alice paid Dave 5 cash. Meanwhile, Carol would arguably be even worse off: She’d suppose that Dave paid Alice 2 cash. From Carol’s perspective, the course of the cost is inverted.
If both Bob or Carol had been secretly spying on community exercise, they’d have been misled in regards to the dimension and/or course of the cost, benefiting Alice and Dave’s privateness. If spies are misled typically sufficient, it might even render such spying exercise ineffective altogether.
PTLCs, Standard Amounts and More
Everything in regards to the instance above is simplified, from the community graph to the quantities transacted, whereas extra refined privateness dangers equivalent to payment quantities and timelocks are ignored altogether. Meanwhile, it’s assumed that even when each Bob and Carol are spies, they aren’t cooperating, or worse: They are one spy pretending to be two customers.
In actuality, each the privateness dangers and privateness advantages of routing are larger and extra nuanced on the identical time. Addressing all these subtleties is past the scope of this text; ZmnSCPxj’s submissions to the Lightning-dev mailing listing are a higher useful resource for a extra in-depth evaluation. And extra typically, analysis into Lightning privateness is ongoing.
Still, it’s price stating that ZmnSCPxj’s proposals to enhance Lightning privateness transcend self-payments — in some situations, extra protocol modifications would the truth is be more-or-less crucial for self-payments to be efficient privateness enhancements. The two most necessary modifications are a swap from hashed timelock contracts (HTLCs) to public key timelock contracts (PTLCs), and adoption of ordinary quantities. So let’s have a look at these two in short.
Right now, Lightning funds are routed utilizing HTLCs. All customers alongside a route basically go on a code which ensures that they’ll declare funds from one counterparty if the opposite counterparty claims funds from them (This is how funds are forwarded over the community). Unfortunately, if cooperating spies are a part of the identical route, they’ll use the HTLCs to inform that completely different hops are the truth is a part of the identical cost, to an extent undoing the advantage of onion routing. PTLCs would leverage cryptographic tips to forestall spies from linking completely different hops to the identical route.
ZmnSCPxj additionally proposes that Lightning customers undertake normal quantities. While non-obligatory, wallets can be inspired to cut up funds up into smaller (however interlinked) funds, the place every smaller cost consists of ordinary quantities. If the usual quantities are for instance 1, 2 and 5 cash, Alice within the above instance would make two funds of 1 coin and a couple of cash, as a substitute of 1 cost of three (Or, if she makes a self-payment, she might ship 5 and route 2 again to herself).
If sufficient customers would restrict their (fractions of) funds to normal quantities, spies can’t depend on quantities to hyperlink completely different hops to the identical cost. In the context of self-payments, customers might even route nonstandard quantities from the payee again to themselves, making these look much more like common funds.
The on-chain model of ZmnSCPxj’s proposal, Payswap, comes with vital trade-offs. Compared to a common cost, extra transactions are wanted, which interprets into greater charges. On high of that, Payswap transactions require interplay between customers exterior of the Bitcoin protocol; common bitcoin transactions don’t.
On the Lightning Network, these drawbacks don’t maintain up — or they maintain up to a lesser extent. Lightning funds require interplay in both case, so a self-payment wouldn’t make the scenario worse. And whereas some further transaction hops are crucial to make a self-payment, these hops occur off-chain, so that they don’t require further blockspace.
That stated, self-payments nonetheless include some drawbacks, even on Lightning. While cheaper than on-chain charges, further hops do price a bit extra in routing charges. Additionally, as extra hops are added to a cost, the chance of a failed cost will increase, and the chance of a spy being a part of a route will increase, too (If solely Carol was a spy within the instance above, the self-payment would have given her extra data than a easy route by Bob would have).
Lastly, in fact, there could be different (as of but unexpected) trade-offs as effectively; self-payments are a comparatively new proposal. As ZmnSCPxj concluded in his emails, “More analysis on the use of circular payments when paying may be in order.”