pull down to refresh

State of Lightning Privacy - Elias Rohrerwww.youtube.com/watch?v=2Jg6jxws8ko
290 sats \ 0 comments \ @supratic 19h lightning

Summary

In this video, Elias from Spiral discusses lightning privacy, highlighting that it hasn't been a prominent topic recently despite ongoing challenges. The talk covers three selected privacy topics, excluding on-chain and routing privacy. Elias explains key aspects of lightning's privacy, including off-chain unobservability, value privacy, and sender/receiver anonymity, noting Bolt 12's improvements in sender anonymity. He points out that only about 5.6% of nodes support onion message forwarding, which is crucial for Bolt 12 adoption, and urges node operators to enable it. Elias identifies three core privacy issues: balance discovery attacks (probing), on-path attacks, and network-level attacks. He details how adversaries can use probing to track channel balances and infer payment paths, and suggests countermeasures like increasing network traffic and setting HTLC limits. On-path attacks involve malicious forwarding nodes inferring sender and receiver information through timing analysis, which can be mitigated by strengthening path diversity and adding randomized forwarding delays. Network-level attacks, as researched by Fonark et al. in 2023, involve adversaries controlling ASes to de-anonymize payments by logging message patterns and timing. Countermeasures include strengthening AS-level diversity and implementing message padding. Elias concludes that while lightning is better than on-chain privacy, these limitations should be addressed, advocating for message padding and random forwarding delays, while acknowledging community pushback against delays and emphasizing the need for finding an acceptable threshold.

Highlights

Introduction to Lightning Privacy

  • Elias from Spiral introduces the talk on lightning privacy, noting its reduced discussion in recent years.
  • He mentions the talk will cover selected privacy topics, excluding on-chain and routing privacy.
  • Elias states the talk isn't meant to give a full picture of lightning privacy.

Key Aspects of Lightning Privacy

  • Elias explains that while on-chain privacy isn't great, lightning offers improvements.
  • He highlights off-chain unobservability, value privacy, and on-path relationship anonymity as key benefits.
  • Elias notes that Bolt 12 improves sender/receiver anonymity, allowing sending payments without explicitly knowing the receiver.
  • He mentions that only around 5.6% of nodes support onion message forwarding, which is essential for routed Bolt 12 adoption, and encourages node operators to enable it.

Core Privacy Issues: Probing Attacks

  • Elias identifies balance discovery attacks (probing) as a core privacy issue.
  • He explains that adversaries can probe channels to track balances and potentially break relationship anonymity and value privacy.
  • Elias mentions that probing is a feature to improve payment reliability, but can be exploited for privacy breaches.
  • Countermeasures include increasing network traffic and setting HTLC limits to create a ceiling for probing.
  • Elias notes the trade-off between privacy and the utility of probing.
  • He adds that upfront fees could mitigate probing by making probes costly.

On-Path Attacks on Privacy

  • Elias discusses on-path attacks, where malicious forwarding nodes infer sender and receiver information.
  • He explains how timing analysis can be used to estimate the distance to the sender and receiver.
  • Elias mentions that even assuming a mean payment path length of three hops can significantly reduce the anonymity set.
  • Research indicates that adversaries can correctly identify senders and receivers with up to 50% precision and recall.
  • Countermeasures include strengthening path diversity, adding randomized forwarding delays, and HTLC batching.
  • Elias emphasizes the need to find a balance between optimizing protocol speed and maintaining privacy through forwarding delays.

Network Level Attacks on Privacy

  • Elias introduces network-level attacks, where adversaries controlling ASes can de-anonymize payments.
  • He cites research from Fonark et al. (2023) showing that message patterns and timing analysis can reveal multi-hop patterns.
  • Elias explains that even with encrypted messages, the size and order of messages can expose channel opening and payment flows.
  • The top five central ASes see about 80% of observable channels, with Amazon alone seeing roughly 34%.
  • In around 32% of cases, adversaries can achieve perfect de-anonymization, reducing the anonymity set to one.
  • Countermeasures include strengthening AS-level diversity and implementing message padding.

Countermeasures and Conclusion

  • Elias suggests strengthening AS-level diversity by opening channels with peers in different ASes and running nodes across different providers.
  • He advocates for implementing message padding in the lightning protocol.
  • Elias reiterates that randomizing forwarding delays and HTLC batching can help break heuristics used in network-level attacks.
  • He concludes that lightning has unresolved privacy issues that should be addressed, despite being better than on-chain solutions.
  • Elias emphasizes the need for community discussion on acceptable thresholds for forwarding delays.

Discussion on Timing Analysis and Message Padding

  • A participant questions how attackers average out timing differences, citing potential variations in latency across different continents.
  • Elias refers to a paper explaining the creation of a latency model using ping messages from multiple AWS regions to estimate hops.
  • Another participant notes existing message padding in the onion protocol.
  • Elias clarifies that while HTLC onion messages are padded, individual network messages are not, allowing analysis based on message size.
  • The discussion explores making all messages the size of the largest message and the trade-offs between constant size and random padding.

AS Level Access and Intra-LSP Privacy

  • It's pointed out that the network-level attack requires full access to an AS, such as Amazon or Google.
  • Elias notes that LSP operators have similar access and raises the issue of intra-LSP privacy, questioning whether it's possible to hide communications between users of the same LSP.
  • The discussion touches on random padding and constant message sizes as potential solutions.
  • Elias emphasizes that the goal is to reduce the entropy and information gained from message patterns.

Probing, Cover Traffic, and Protocol Improvements

  • The conversation shifts to cover messages and the potential for increased probing to generate network noise.
  • Elias cautions against excessive probing that could lead to DoS attacks.
  • A participant mentions a 2022 proposal for a message protocol with randomized delays and HTLC values.
  • Elias notes that splicing has changed the dynamics of max HTLC values.
write
preview
related posts