đź“… Original date posted:2021-06-29
đź“ť Original message:
Good morning lisa,
> A dedicated attacker could probably figure out your UTXO set, but that's not
> much different from the current system; the only difference is the span of time
> it takes them to figure it out.
>
> ## Things We've Done to Counter This:
> I had the pleasure of finally meeting Nadav of SuredBits and DLC fame in Miami
> a few weeks ago. The DLC team has adopted a version of the interactive
> transaction protocol for their own purposes. Nadav pointed out that the
> protocol we landed on for lightning interactive construction transactions
> is *quite* interactive; the DLC version modified it to use batching to
> transmit the input/output sets (the interactive protocol is one-by-one).
>
> The rationale for doing the addition of inputs and outputs in a non-batched
> fashion is that this allows for you to interleave UTXOs from a variety
> of sources, for example multiple channel opens in the same tx. With the current
> protocol, you can initiate a dual-funded open with many peers at the same time,
> each of which may contribute UTXOs and outputs for their own respective
> channel opens or UTXO consolidations etc.
>
> This gives us the real possibility of doing multiparty coinjoins on lightning.
> In fact, this is currently possible with c-lightning *today* using
> the multifundchannel command (h/t to ZmnSCPjx for the original framework
> for multifund opens).
>
> As written, the interactive transaction protocol is exceedingly flexible.
> We traded off succinctness for some plausible deniablity wrt
> any UTXOs you send to any peer -- are they yours or are they
> some third party's? How to tell?
>
> I think it's interesting to point out that "succinctness" in rounds
> of required interaction is typically a *highly* desirable trait for
> any cryptographic protocol. The establishment of a lightning channel relationship,
> however, isn't a cryptographic signature. A lightning channel, by its very
> nature, is typically a highly interactive relationship between two peers.
> Increasing the rounds of messaging required to establish the channel doesn't
> change the overall interactivity profile of a channel's operation, thus
> adding rounds of comms to channel open is generally a no-op in terms of
> performance/uptime requirements of a node's operations.
Possibly, a difference between the DLC use-case and the Lightning use-case is that the DLC use-case has a definite deadline when the contract expires, whereas the Lightning use-case has no definite end termination for the channel.
In addition, DLC requires transmitting significant amounts of data measurable in megabytes, whereas Lightning transmits little 32-byte blobs (well not really mostly 1366-byte onion-wrapped packages but still much tinier than the megabytes of adaptor signatures in DLCs).
So the DLC setup stage getting hit with the optimization hammer (as a collateral damage from the optimization hammer being used on the actual core DLC) seems like a reasonably thing happening in the DLC use-case.
Finally, there is a big enough directory of Lightning nodes that you can reasonably pick up this directory in lots of places, pick some random number of them to channel to, and then make channels to them, and making them in a single tx is always a good thing.
Whereas I imagine that the DLC use-cases (even in the future) are more limited userbase (and with payment points on Lightning I believe the smaller and shorter-term DLCs can run on top of Lightning), so the opportunity to aggregate may be much rarer in DLCs than in Lightning channel opens.
> ## How important is UTXO privacy on lightning?
> Obviously important. But given that the real transactions happen inside
> of channels, invisibly, and that your public channels really truly
> are public via the gossip protocol the much more important "thing" in the
> lightning arena isn't your UTXO privacy so much as *not* associating your
> identity with your node.
I broadly agree here --- published channels trade off onchain privacy (marking "hey this UTXO is totally owned by these two peeps!") but gain offchain privacy ("no, that is not my payment, somebody else asked me to forward it, promise!")
>
> ## Does Taproot fix this?
> I'm not up to date enough on the progress of Taproot scripts, however,
> assuming the current requirement that every routing node is able to independently
> verify the opening output script via the signatures provided
> in the channel_announcement, it seems reasonable that on-chain transactions
> will still be assignable to a node given gossip data. (Purely on-chain analysis
> will be stymied, however.)
Hmm wait Taproot fixes this?
We can drop/reinterpret `short_channel_id` post-Taproot?
Regards,
ZmnSCPxj
ZmnSCPxj [ARCHIVE] /
npub1g5…3ms3l
2023-06-09 13:02:44
in reply to nevent1q…xjc0
Author Public Key
npub1g5zswf6y48f7fy90jf3tlcuwdmjn8znhzaa4vkmtxaeskca8hpss23ms3lPublished at
2023-06-09 13:02:44Event JSON
{
"id": "49fcfcf7cdb9bfcc2cd8d823712e3dd23936a24a7c6ced5fd296349b63d2f943",
"pubkey": "4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861",
"created_at": 1686315764,
"kind": 1,
"tags": [
[
"e",
"c0db56f5f687527d7194a31bc9d9cc1494b2c90591d7e1087b4d9c4a213203dd",
"",
"root"
],
[
"e",
"2a5187805b9c693673fd495f845480159db5518e323f95044a3c5a290e680616",
"",
"reply"
],
[
"p",
"804770eb58d163d63f0f996fd6bebabe1b8c582a5dd544cf61bba0bc5335720a"
]
],
"content": "📅 Original date posted:2021-06-29\n📝 Original message:\nGood morning lisa,\n\n\u003e A dedicated attacker could probably figure out your UTXO set, but that's not\n\u003e much different from the current system; the only difference is the span of time\n\u003e it takes them to figure it out.\n\u003e\n\u003e ## Things We've Done to Counter This:\n\u003e I had the pleasure of finally meeting Nadav of SuredBits and DLC fame in Miami\n\u003e a few weeks ago. The DLC team has adopted a version of the interactive\n\u003e transaction protocol for their own purposes. Nadav pointed out that the\n\u003e protocol we landed on for lightning interactive construction transactions\n\u003e is *quite* interactive; the DLC version modified it to use batching to\n\u003e transmit the input/output sets (the interactive protocol is one-by-one).\n\u003e\n\u003e The rationale for doing the addition of inputs and outputs in a non-batched\n\u003e fashion is that this allows for you to interleave UTXOs from a variety\n\u003e of sources, for example multiple channel opens in the same tx. With the current\n\u003e protocol, you can initiate a dual-funded open with many peers at the same time,\n\u003e each of which may contribute UTXOs and outputs for their own respective\n\u003e channel opens or UTXO consolidations etc.\n\u003e\n\u003e This gives us the real possibility of doing multiparty coinjoins on lightning.\n\u003e In fact, this is currently possible with c-lightning *today* using\n\u003e the multifundchannel command (h/t to ZmnSCPjx for the original framework\n\u003e for multifund opens).\n\u003e\n\u003e As written, the interactive transaction protocol is exceedingly flexible.\n\u003e We traded off succinctness for some plausible deniablity wrt\n\u003e any UTXOs you send to any peer -- are they yours or are they\n\u003e some third party's? How to tell?\n\u003e\n\u003e I think it's interesting to point out that \"succinctness\" in rounds\n\u003e of required interaction is typically a *highly* desirable trait for\n\u003e any cryptographic protocol. The establishment of a lightning channel relationship,\n\u003e however, isn't a cryptographic signature. A lightning channel, by its very\n\u003e nature, is typically a highly interactive relationship between two peers.\n\u003e Increasing the rounds of messaging required to establish the channel doesn't\n\u003e change the overall interactivity profile of a channel's operation, thus\n\u003e adding rounds of comms to channel open is generally a no-op in terms of\n\u003e performance/uptime requirements of a node's operations.\n\nPossibly, a difference between the DLC use-case and the Lightning use-case is that the DLC use-case has a definite deadline when the contract expires, whereas the Lightning use-case has no definite end termination for the channel.\n\nIn addition, DLC requires transmitting significant amounts of data measurable in megabytes, whereas Lightning transmits little 32-byte blobs (well not really mostly 1366-byte onion-wrapped packages but still much tinier than the megabytes of adaptor signatures in DLCs).\nSo the DLC setup stage getting hit with the optimization hammer (as a collateral damage from the optimization hammer being used on the actual core DLC) seems like a reasonably thing happening in the DLC use-case.\n\nFinally, there is a big enough directory of Lightning nodes that you can reasonably pick up this directory in lots of places, pick some random number of them to channel to, and then make channels to them, and making them in a single tx is always a good thing.\nWhereas I imagine that the DLC use-cases (even in the future) are more limited userbase (and with payment points on Lightning I believe the smaller and shorter-term DLCs can run on top of Lightning), so the opportunity to aggregate may be much rarer in DLCs than in Lightning channel opens.\n\n\n\u003e ## How important is UTXO privacy on lightning?\n\u003e Obviously important. But given that the real transactions happen inside\n\u003e of channels, invisibly, and that your public channels really truly\n\u003e are public via the gossip protocol the much more important \"thing\" in the\n\u003e lightning arena isn't your UTXO privacy so much as *not* associating your\n\u003e identity with your node.\n\nI broadly agree here --- published channels trade off onchain privacy (marking \"hey this UTXO is totally owned by these two peeps!\") but gain offchain privacy (\"no, that is not my payment, somebody else asked me to forward it, promise!\")\n\n\u003e\n\u003e ## Does Taproot fix this?\n\u003e I'm not up to date enough on the progress of Taproot scripts, however,\n\u003e assuming the current requirement that every routing node is able to independently\n\u003e verify the opening output script via the signatures provided\n\u003e in the channel_announcement, it seems reasonable that on-chain transactions\n\u003e will still be assignable to a node given gossip data. (Purely on-chain analysis\n\u003e will be stymied, however.)\n\nHmm wait Taproot fixes this?\nWe can drop/reinterpret `short_channel_id` post-Taproot?\n\nRegards,\nZmnSCPxj",
"sig": "3f978f9abd276c108ae662f8f6464a3fb0bf79ba2cfa1d7cd050265d3181922e7c9283d48b02fbf6c89ceb6b946efd822e31f874ea770f69a7e06adf11c07f09"
}