📅 Original date posted:2023-07-26
🗒️ Summary of this message: Blinded paths in the Lightning Network can potentially lead to a loss of privacy and decentralization. They could enforce that payments only go through "compliant" nodes, bypassing smaller routing nodes. This could also compromise sender-side privacy.
📝 Original message:
Hey Ben,
I'm not sure why it would be dramatically different from today. If I
understand your scenario correctly, the recipient would only provide
blinded paths that go through "regulated" nodes so that they can
witness the payment. Since the recipient agrees on doing that, the
recipient could simply share data with those "regulated" nodes without
forcing payments to go through them? And they can do that today without
blinded paths?
Even if the payments go through such "regulated" nodes, what preserves
the sender's privacy are the hops before the introduction point, that
they can choose freely. This is exactly the same model as freely chosing
the hops to the recipient directly (when not using blinded paths). Apart
from the loss of potential payment routes for the recipient, it doesn't
look like the sender's privacy is very different?
Cheers,
Bastien
Le mer. 26 juil. 2023 à 16:56, Ben Carman <benthecarman at live.com> a écrit :
> Hi list,
>
> This is an idea I had the other week about a potential downside of blinded
> paths that people should be aware of.
>
> Blinded paths work by encrypting specific paths to reach the destination
> node, and each of these paths have an introduction point.
> This has big privacy benefits for the receiving node as they can hide
> among an anon set of anyone within X hops of the introduction node (X being
> the size of the blinded path).
>
> However, this can have a potential downside for privacy and
> decentralization on the network as a whole.
> With blinded paths since you do not know the destination node the only way
> to pay them is through one of the given paths.
> Because of this, they can be used to enforce that "compliant" nodes are
> the only ways to reach a given destination.
>
> In my experience today you can get away with telling your compliance
> officer you will only open channels with people you trust, and we see this
> with some regulated businesses today (Cash App & River only open to
> sepcific peers).
> However with blinded paths we could have a world where not only do they
> only open channels to specific peers but they enforce that when paying
> them, the payment must go through at least N "compliant" nodes first.
> This would make it so the pleb routing nodes of today would be completely
> circumvented and users would be forced to route only through large
> regulated hubs.
> The receiver would be hurting their payment reliability as they are
> removing potential paths they can receive from, but this is already the
> case for all blinded paths.
>
> This could hurt sender side privacy as well, since payment reliability
> rapidly falls off the more hops that are needed it is likely the sender
> would need to be very closely connected the introduction node or any of the
> nodes along the blinded path, and if all these compliant nodes are data
> sharing they'll be able to track a payment as it happens through the
> network just through basic timing analysis.
>
> My concern is lightning "chain analysis" companies could strong arm
> businesses into doing things like this under the guise of making sure you
> don't receieve OFAC coins. However, I am not sure if this is a "fixable"
> problem and just a trade off we'll have to make to get receiver privacy in
> lightning but wanted to put out there for people's opinions/awareness.
>
> Best,
>
> benthecarman
>
> _______________________________________________
> Lightning-dev mailing list
> Lightning-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20230726/cc12ed84/attachment-0001.html>;
Bastien TEINTURIER [ARCHIVE] /
npub17f…ntr0s
2023-07-27 00:22:35
in reply to nevent1q…mynp
Author Public Key
npub17fjkngg0s0mfx4uhhz6n4puhflwvrhn2h5c78vdr5xda4mvqx89swntr0sPublished at
2023-07-27 00:22:35Event JSON
{
"id": "513405dc5132b5b0509ab02f6fbb3356b3343625bfe56d2f74c741c40d58eca8",
"pubkey": "f26569a10f83f6935797b8b53a87974fdcc1de6abd31e3b1a3a19bdaed8031cb",
"created_at": 1690417355,
"kind": 1,
"tags": [
[
"e",
"72d9c830ac3071ea1b00924c06fa0283dd04ffc6fdd69774076cf93374fc61cc",
"",
"root"
],
[
"e",
"0b04a0596103cf33de49515b2d2b8b6da7815e209cdd9674bee578c40815d512",
"",
"reply"
],
[
"p",
"f7d7054638b41c5aa85d000f6b5903c1ef32852243483c654798d2a61aa5079c"
]
],
"content": "📅 Original date posted:2023-07-26\n🗒️ Summary of this message: Blinded paths in the Lightning Network can potentially lead to a loss of privacy and decentralization. They could enforce that payments only go through \"compliant\" nodes, bypassing smaller routing nodes. This could also compromise sender-side privacy.\n📝 Original message:\nHey Ben,\n\nI'm not sure why it would be dramatically different from today. If I\nunderstand your scenario correctly, the recipient would only provide\nblinded paths that go through \"regulated\" nodes so that they can\nwitness the payment. Since the recipient agrees on doing that, the\nrecipient could simply share data with those \"regulated\" nodes without\nforcing payments to go through them? And they can do that today without\nblinded paths?\n\nEven if the payments go through such \"regulated\" nodes, what preserves\nthe sender's privacy are the hops before the introduction point, that\nthey can choose freely. This is exactly the same model as freely chosing\nthe hops to the recipient directly (when not using blinded paths). Apart\nfrom the loss of potential payment routes for the recipient, it doesn't\nlook like the sender's privacy is very different?\n\nCheers,\nBastien\n\nLe mer. 26 juil. 2023 à 16:56, Ben Carman \u003cbenthecarman at live.com\u003e a écrit :\n\n\u003e Hi list,\n\u003e\n\u003e This is an idea I had the other week about a potential downside of blinded\n\u003e paths that people should be aware of.\n\u003e\n\u003e Blinded paths work by encrypting specific paths to reach the destination\n\u003e node, and each of these paths have an introduction point.\n\u003e This has big privacy benefits for the receiving node as they can hide\n\u003e among an anon set of anyone within X hops of the introduction node (X being\n\u003e the size of the blinded path).\n\u003e\n\u003e However, this can have a potential downside for privacy and\n\u003e decentralization on the network as a whole.\n\u003e With blinded paths since you do not know the destination node the only way\n\u003e to pay them is through one of the given paths.\n\u003e Because of this, they can be used to enforce that \"compliant\" nodes are\n\u003e the only ways to reach a given destination.\n\u003e\n\u003e In my experience today you can get away with telling your compliance\n\u003e officer you will only open channels with people you trust, and we see this\n\u003e with some regulated businesses today (Cash App \u0026 River only open to\n\u003e sepcific peers).\n\u003e However with blinded paths we could have a world where not only do they\n\u003e only open channels to specific peers but they enforce that when paying\n\u003e them, the payment must go through at least N \"compliant\" nodes first.\n\u003e This would make it so the pleb routing nodes of today would be completely\n\u003e circumvented and users would be forced to route only through large\n\u003e regulated hubs.\n\u003e The receiver would be hurting their payment reliability as they are\n\u003e removing potential paths they can receive from, but this is already the\n\u003e case for all blinded paths.\n\u003e\n\u003e This could hurt sender side privacy as well, since payment reliability\n\u003e rapidly falls off the more hops that are needed it is likely the sender\n\u003e would need to be very closely connected the introduction node or any of the\n\u003e nodes along the blinded path, and if all these compliant nodes are data\n\u003e sharing they'll be able to track a payment as it happens through the\n\u003e network just through basic timing analysis.\n\u003e\n\u003e My concern is lightning \"chain analysis\" companies could strong arm\n\u003e businesses into doing things like this under the guise of making sure you\n\u003e don't receieve OFAC coins. However, I am not sure if this is a \"fixable\"\n\u003e problem and just a trade off we'll have to make to get receiver privacy in\n\u003e lightning but wanted to put out there for people's opinions/awareness.\n\u003e\n\u003e Best,\n\u003e\n\u003e benthecarman\n\u003e\n\u003e _______________________________________________\n\u003e Lightning-dev mailing list\n\u003e Lightning-dev at lists.linuxfoundation.org\n\u003e https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20230726/cc12ed84/attachment-0001.html\u003e",
"sig": "e15c2375360b3eaeea4778f1565c6ce3b186072d8766dee5f88f249e6b94a0c3a0d9e62a0e0ff5faec03bad4b44f57a8c10e4a8ab708e9e216fa5719bcd37d2f"
}