Here’s a risky myth pervading the Bitcoin community: The Lightning Network model will inherently improve Bitcoin privacy.
Off-chain transaction techniques move some transaction data from the indefinitely public blockchain record to other places. From this, advocates conclude that sensitive data will be harder for privacy attackers to gather.
Unfortunately, we do not yet have the information needed to support these claims:
1. Lightning networks have never been deployed in production. As someone who has studied Bitcoin security and privacy for a few years, I can attest that many initial assumptions about what will be good for users turn out to be wrong once software is deployed and matures.
2. Specifications for Lightning are still in draft form and will continue to evolve rapidly over the next several years. This presents a moving target for analysis, though the protocol will undoubtedly ossify over time. Because the privacy of Lightning will likely at first hinge on routing algorithms and network topology (see #4 below), the Tor project may be a reasonable analogue: Tor took years of academic analysis, security engineering, and adjustments before experts understood its threat model and plucked the low-hanging privacy fruit it had to offer.
3. To evaluate positive claims about a technology’s privacy, you need a threat model. A threat model makes our assumptions about users’ privacy concerns explicit and lets us compare apples to apples rather than bananas to space dolphins. No such formal model exists yet for Lightning, though I hope future work will build on the OBPP’s Bitcoin privacy threat modeling work.
4. By moving transaction data from a public blockchain to a new network of Lightning nodes, many of the privacy properties will depend on the topology of that network. If much of the traffic ends up routed through a small number of hubs, privacy protection will be more difficult, because a hub that forwards a large share of payments is well placed to correlate them. We cannot know this topology in advance: many competing incentives (security, economic, efficiency, etc.) will shape it, and predictions today vary widely.
5. While dozens of academic papers have studied the privacy of transactions on blockchains, the privacy of Lightning networks is comparatively under-studied.
6. The privacy of an evolving system tracks consumer demand. Suppose Lightning onboards 10x the current number of Bitcoin users, and these users care more about low fees and fast transactions than about privacy. Will the companies developing Lightning networks keep allocating R&D funds to privacy improvements? Maybe not. I hope this is not the case, since it would likely lead to consumer regret once the data toxicity of now-ossified protocols becomes evident, but it would be consistent with the weak demand for privacy observed in Bitcoin to date and in digital privacy as a whole.
Although we don’t know exactly when we’ll achieve parity of understanding between Bitcoin privacy and Lightning network privacy, we can speculate about the best- and worst-case scenarios.
Best-case scenario for Lightning networks: Nodes become widely used, cheap to operate, and evenly distributed. Early attempts to protect routing privacy prove robust, and the cost of the information attacks that are cheap against today’s blockchain soars. Privacy attackers and financial censors struggle to catch up with this new development.
Worst-case scenario for Lightning networks: Lightning networks become widely used because of the high cost and slowness of on-chain transactions that follow from today’s Bitcoin protocol decisions. Routing nodes are expensive to operate, so the topology devolves into simple hub-based networks. Protocol-level attempts to protect routing privacy prove cheap for attackers to overcome, because a small number of hubs can correlate most transactions. Users have poor visibility into how much privacy they have lost: the common access to blockchain data that made such losses measurable does not apply to off-chain payments. Privacy attackers thrive by operating hubs or vampirically feeding off hubs’ data, and financial censors win a crucial battle against Bitcoin users.
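The topology point in the worst-case scenario (and in item #4 above) can be made concrete with a toy model. The Python below is an added example written for this edit; it is not code from the article, the Lightning specification, or any Lightning implementation. It assumes single shortest-path (fewest-hop) routing over a known channel graph, that a forwarding node can see every payment it relays, and two constructed topologies: one hub with six spokes, and an eight-node ring. It computes the share of payments between other nodes that the best-placed single observer forwards. The model counts only which node forwards each payment, not what that node can learn from the onion packet, so it shows the topology effect, not a complete attack.

```python
# Added illustration (not from the article): how routing topology changes what
# one observer node can see. Assumptions: payments follow a single shortest
# (hop-count) path, and a node learns about every payment it forwards.
from collections import deque
from itertools import combinations


def shortest_path(adj, src, dst):
    """BFS over an undirected adjacency dict; returns the node list src..dst."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None  # unreachable
    path = []
    node = dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def observed_fraction(adj, observer):
    """Fraction of sender/receiver pairs (observer excluded as an endpoint)
    whose route passes through `observer` as a forwarding hop."""
    endpoints = [v for v in adj if v != observer]
    pairs = list(combinations(endpoints, 2))
    if not pairs:
        return 0.0
    forwarded = 0
    for a, b in pairs:
        path = shortest_path(adj, a, b)
        if path is not None and observer in path[1:-1]:
            forwarded += 1
    return forwarded / len(pairs)


def max_observed_fraction(adj):
    """Best vantage point in the graph: the largest share any single node forwards."""
    return max(observed_fraction(adj, v) for v in adj)


def hub_and_spoke(n_spokes):
    """Constructed topology: one routing hub, every other node connected only to it."""
    spokes = [f"s{i}" for i in range(n_spokes)]
    adj = {"hub": spokes}
    for s in spokes:
        adj[s] = ["hub"]
    return adj


def ring(n):
    """Constructed evenly-distributed topology: each node has channels to two neighbours."""
    return {f"n{i}": sorted({f"n{(i - 1) % n}", f"n{(i + 1) % n}"}) for i in range(n)}


if __name__ == "__main__":
    for name, graph in (("hub-and-spoke(6)", hub_and_spoke(6)), ("ring(8)", ring(8))):
        print(f"{name}: best single observer forwards "
              f"{max_observed_fraction(graph):.0%} of payments between other nodes")
```

In the hub topology the hub forwards every payment between spokes, so whatever the routing protocol hides per hop, one party still holds the complete set of payment events to correlate. In the ring no node forwards more than a small fraction, so an attacker would need to operate or compromise many nodes to reach the same vantage. Real channel graphs sit somewhere between the two, which is why the article treats the eventual topology as the open question.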
References:
- Lightning Spec RFC, various authors (6be58570…) https://github.com/lightningnetwork/lightning-rfc/tree/6be5857021446ac9550feed3dc83a7ad2f71bda2
- Security improvements in Tor, Wikipedia https://en.wikipedia.org/wiki/Tor_%28anonymity_network%29#Improved_security
- Weaknesses in Tor, Wikipedia https://en.wikipedia.org/wiki/Tor_%28anonymity_network%29#Weaknesses
- OBPP Wallet Ratings project, various authors https://github.com/OpenBitcoinPrivacyProject/wallet-ratings
- Peak Indifference, Cory Doctorow http://www.locusmag.com/Perspectives/2016/07/cory-doctorow-peak-indifference/
- The #Bitcoin #Lightning Spec Part 5/8: Onion Routing Protocol, Rusty Russell https://medium.com/@rusty_lightning/the-bitcoin-lightning-spec-part-5-8-onion-routing-protocol-86c91e455909
This article incorporates early review feedback from Daniel Cousens and others. Errors herein are the sole fault of the author.
Great article!
Do you accept bitcoin donations?
Good article.
It prompts me to ask a more fundamental question: is privacy good for Bitcoin? [preface2nextQuestion: i’m a huge privacy fan and burgeoning practitioner] Is it possible that developing Bitcoin so that off-chain/private transactions are economically incentivized as the ideal default scheme breaks Bitcoin (tbf, that might be good sometimes) (I recall certain parties saying Segwit was necessary to rebalance transaction/economic incentives).
Consider this: isn’t it true that one of Bitcoin’s most valuable and fundamental assets is the blockchain-as-official-public-record? In p2p internet commerce, parties need to be able to trace transactions to prove ownership claims about specific digital coins or products traded for coins (how else does one prove they’re not a thief).
True story: what got me interested in bitcoin was the similarity of BTC transactions to real estate transactions a la the blockchain. From my POV, the blockchain-as-a-record is almost identical to the official public records on which modern real property (aka “real estate”) laws and rights are substantially built (i.e., “title chain” or “title record” or “grantor/grantee index” (etc. depends on jurisdiction and industry)). If nobody could trace the ownership history of a parcel of property, then nobody could perfect or protect their property rights in any specific parcel adequately even if they’re in sole possession of said property (i.e., they’d be at risk of courts ruling that possession is unlawful, they run the risk of scammers dishonestly claiming legal title to property, etc). Applying that idea here, it seems to me that off-chain transactions take parties out of the Bitcoin-world altogether because those off-chain transactions don’t travel on the public record and can’t be verified there. Consequently, moving most transactions off-chain breaks Bitcoin in a sense because it makes it more difficult for parties to a transaction to prove that their possession of property or bitcoin is the result of mutual consent.
Building off the last idea, compare bitcoin to physical cash. Let’s use dollars: physical USD transactions can be traced via serial numbers today ( https://www.moneyfactory.gov/resources/serialnumbers.html). For example, if parties to a prospective transaction of dollars4goods know the serial numbers of the dollars to be used in said prospective transaction, then claims of valid/legal ownership (and therefore mutual consent to a transaction) of goods and cash exchanged in their transaction can be proven to the whole world (this is how p2p credit can exist also). Physical cash transactions are therefore pseudonymous like bitcoin transactions. Memory is another similarity between btc and physical cash transactions. More specifically, physical cash transactions have the security benefit of a party’s memory/recollection of direct and indirect transaction details and events ranging from price info to recollections about what the parties were wearing at the time of transacting, witness testimony, what the counter-party looked like, time of day, date, other identifying features, etc. Similarly, the blockchain facilitates both memory of the transaction events (for tracing) and the digital environment in which transactions with digital cash take place. People/parties can sleep easy at night knowing there is a strong public record out there showing their property is not the result of theft (without this, a presumption of innocence seems like a hard right to maintain – at least in the US).
I’m sort of torn here. Privacy via off-chain transactions seems like a great product/service to offer to bitcoin users (sorta like how exchanges currently work), but it also seems like privacy is the opposite thing a protocol-focused dev should be focused on. Intentionally generating transaction congestion to route transactions off-chain for privacy purposes (more recently under the guise of “fungibility”) risks breaking Bitcoin by undercutting the ability to verify ownership by pointing to a public title chain. It makes owning bitcoin risky.
Would welcome your feedback.
I can appreciate your sentiments here:
“Privacy via off-chain transactions seems like a great product/service to offer to bitcoin users (sorta like how exchanges currently work), but it also seems like privacy is the opposite thing a protocol-focused dev should be focused on.”
This part I think is mostly political but I can understand your opinion about why privacy tech within the protocol itself could make owning Bitcoin risky:
“Intentionally generating transaction congestion to route transactions off-chain for privacy purposes (more recently under the guise of “fungibility”) risks breaking Bitcoin by undercutting the ability to verify ownership by pointing to a public title chain. It makes owning bitcoin risky.”
One reason why SW soft-fork is good, is that it is backwards compatible with existing Core implementations and allows multiple tx types (regular tx and SW tx) and exploration of new version types (Schnorr signatures & signature aggregation), as well as the malleability fix for Lvl 3 Lightning implementations.
While wallet services and block explorers will need updating, there is a substantial amount of lead time and most major services are now supporting SegWit SF or will be by the time it activates.
In addition to Lightning networks, schnorr signature aggregation could obfuscate transactions if this is so desired.
I see both a public viewable blockchain with Bitcoin alongside some transactions being obfuscated through LN and Schnorr aggregation, and possible on sidechains as well.
There are many avenues to explore here, and at this time there are few reasons other than politics not to activate SegWit and explore these new areas of development with the proper tools.