Bitcoin developers divide on how to scale the network. Some advocate for larger blocks to boost transaction capacity. Others champion the Lightning Network. This architectural choice matters because i
Bitcoin developers divide on how to scale the network. Some advocate for larger blocks to boost transaction capacity. Others champion the Lightning Network. This architectural choice matters because it determines how transaction privacy will function.
The Lightning Network routes transactions off the main blockchain using payment channels. Two parties communicate about payments rather than the network broadcasting transactions to every node. This creates questions about privacy. How much information gets exposed? Who can see what? Rusty Russell at Blockstream and Olaoluwa Osuntokun, who works on the Lightning protocol, have begun wrestling with these questions.
Russell considers privacy central to the project. He told MiningPool: "Privacy is an important topic. While Lightning's first use case is microtransactions, in some ways their privacy is more important than large transactions! Imagine an ad-blocker which tipped websites in bitcoin: I don't care if you know that I pay my mortgage on time, but I might care if you know every web page I visit."
The challenge doesn't end once developers solve the obvious privacy gaps. Russell noted: "Even once you've covered the obvious privacy concerns, we'll have an arms race over things like timing attacks and traffic analysis: just look at the Tor network, for example." Tor provides anonymity but doesn't shield users from determined state actors or governments. Russell and his colleagues expect the same pattern to emerge for Lightning.
Russell, a veteran kernel contributor whom Linus Torvalds once called a "top deputy," began working on an onion routing implementation for Lightning in late 2015. He sent a proposal to the Lightning Network mailing list in October. When Osuntokun posted an alternative design in December, Russell recognized the value in Osuntokun's approach. Russell explained: "Laolu posted to the mailing list on a proven design which would save us the work of validating mine, so we'll clearly do that instead."
Osuntokun had studied academic literature on mix-nets and onion routing to identify the best existing solutions. He found two candidate schemes: Sphinx and Hornet. Academic reviewers had vetted both schemes, each containing formal proofs of security. Hornet offered advantages if implemented well, Osuntokun explained: "With the addition of Hornet, the state of privacy within the Lightning Network can be taken to the next level. Within the scheme, Hornet allows for an optional rendezvous system similar to Tor's hidden services. Leveraging this system within the Lightning Network will allow full sender-receiver anonymity."
He praised Russell's work building an onion routing format from first principles, but saw advantages in using an existing, vetted solution. "I really commend Rusty for developing an onion routing format, from scratch, following first principles. That's no small feat! However, I felt that we may be able to save some review [and] vetting time by using an existing peer-review solution."
Russell acknowledged limits even with these privacy upgrades. Each payment exposes its bitcoin amount. Two parties on the network must communicate with each other. That communication creates openings for traffic analysis when routed through multiple hops. He contrasted this with broadcasting a transaction onto Bitcoin through Tor, where a recipient receives it like any other broadcast message with no prior communication pattern. When comparing to alternatives, Russell noted: "As far as I can tell, Zerocash is the ultimate in privacy, which doesn't [reveal] what inputs were spent, what addresses received, or how much was sent."
The R-value in Lightning's payment design creates a remaining gap. Since R stays the same along the route, an attacker can correlate payments between two parties without learning the full route, Osuntokun explained: "Even with [Hornet], there's still a glaring hole within the Lightning Network as far as privacy of payments: the R value! Since the value of R remains constant along the route, it's trivial for an adversary to correlate payments within the onion circuit even though it doesn't learn the full route."
Blockchain.info's Mats Jerratsch and Greg Maxwell from Bitcoin Core have each designed possible fixes for this problem. Intermediate nodes never learn the total payment path length, their position within it, the sender's and receiver's identity, or the R value. As Osuntokun elaborated: "Intermediate nodes are oblivious to: the total length of the payment path, their position within the route, the sender, the receiver, and the R value that the receiver and all other intermediate nodes will used to settle the final payment."
Russell and Osuntokun say onion routing will arrive for Lightning. Osuntokun stated: "As Rusty said, this is definitely going to happen! At this point, it may be a bit early to concretely assert what the final production system will look like, but it seems that the primary primitives have been agreed upon."
