pull down to refresh

On Lightning Network Privacy
930 sats \ 2 comments \ @m0wer 14h bitcoin lightning

Lightning Network privacy is real. And limited. Let me explain both.

LN is a genuine privacy improvement over on-chain Bitcoin. Payments don't touch the blockchain, they're not broadcast to the whole network, and onion routing means each hop only knows its immediate neighbors. If you're paying for something, your counterparty will learn little about who you are.

But "better than on-chain" isn't the same as "private."

A 2020 paper by Kappos et al. titled “An Empirical Analysis of Privacy in the Lightning Network”, did a thorough job of poking holes in four privacy properties LN “claims” to offer. Here's what they found:

  1. Private channels aren't really private

LN lets you open channels without announcing them to the network. In theory, nobody knows they exist. In practice, the researchers used blockchain analysis (following "peeling chains" of Bitcoin UTXOs) to identify ~27,000 likely private channel openings. Of those, they could identify at least one participant in 79.3% of cases. Meaning that they could link it to a public node on the network.

So the channel is quiet on the network graph, but it's still written to Bitcoin's public Blockchain.

Additionally , there's a point not covered in the paper: even without any "fancy" analysis, you would directly need to disclose your "private" node's pubkey and routing hints (channels a.k.a. UTXOs) to the payer. So the privacy of that opening channel UTXO does matter.

  1. Your channel balance can be probed

This one is the most direct attack. An active adversary opens channels with nodes in the network and routes fake payment hashes with varying amounts (binary search). The success or failure of those probes reveals the exact balance of a channel. On testnet, they probed 1,017 channels and successfully determined the balance of 568 of them (~56%). No special privileges needed, just some sats (that don't even have to be spent) and patience. The attack is generic enough that even if LN clients stop returning detailed error messages, it still works.

  1. Routing nodes can guess who you are

When your payment is routed through an intermediate node, that node isn't supposed to know if you're the sender or just another hop. The paper shows the simple strategy of "assume my immediate predecessor is the sender" works surprisingly well:

  • For successful payments: the attacker correctly identifies the sender between 15% and 57% of the time (depending on network parameters)
  • For failed payments: up to 83%. Because a failed payment leaks path length information

34% of LN payments fail on the first try (per measurements cited in the paper). That's a lot of free signal for routing nodes.

This is partly structural: LN's topology is centralized, paths are short, and clients are designed to find the cheapest (and therefore shortest) route. Short paths mean fewer hops hiding you.

  1. Balance snapshots reconstruct payments

Combine the balance probing attack with a periodic snapshot approach: an attacker checks channel balances at time t, then again at t+τ, and looks at what changed. If a path of channels shows correlated balance shifts, there was likely a payment along that path.

At a snapshot interval of 30 seconds (already feasible in their experiment), the attacker achieves:

  • Recall >67% (correctly detecting payments that actually happened)
  • Precision ~95% (most detected payments are real, few false positives)

The faster they sample, the better it gets. And the attacker doesn't need to be involved in routing the payment at all.

What helps:

None of this means LN is broken. But it means there are real mitigations worth using:

  • BOLT12 / blinded paths: instead of your node's pubkey being in every invoice (BOLT11), blinded paths hide the recipient's identity. This is a big deal.
  • lnproxy: wraps the invoices through a proxy node to further obscure the final recipient. It's trustless for funds but not for privacy respect the lnproxy operator (which will see the memo and final destination).
  • Private channels: reduce your surface area on the public graph, even if not fully hidden (see above). Using "private enough" UTXOs for opening those channels and ideally having a private channels only node.

Even with all of this, the anonymity set is inherently small, since there aren't that many Lightning nodes.

The same lesson applies here as everywhere else in privacy: LN gives you real, meaningful privacy improvements over on-chain Bitcoin, and zero privacy guarantees. The threat model matters. Who are you hiding from, and what are they willing to do?

Use Lightning. It's genuinely better. Just don't use it as if it made you invisible.

Kappos et al., "An Empirical Analysis of Privacy in the Lightning Network" (2020)
arXiv: https://arxiv.org/abs/2003.12470

write
compose
related posts
47 sats \ 0 replies \ @standard_sats 7h

It is verry old paper.

reply
3 sats \ 0 replies \ @moptosh 4h

Try this, available on Umbrel and Start 9.

https://github.com/Alex71btc/lndk-pay

reply