176 sats \ 2 replies \ @endothermicdev 7 Jul 2023 \ on: Routing options 'minimum amount of hops' to improve privacy in LND bitcoin
You could absolutely do what you are suggesting, but sender privacy on lightning is already quite good. The only way they could discern it was YOU that was paying is by probing your other channels to determine if the balances changed. (If yes, you could have easily forwarded the payment from elsewhere.)
A fair amount of probing goes on in the network - mostly passive, i.e. seeing changes in channel balances over time. This is about the worst you have to contend with.
To reclaim some privacy here it's recommended that you set your htlc_maximum_msat to much less than the total channel size. I like to use ~25%, which means I can only route a payment that it at maximum 25% of the total size of the channel. However, if your channel balance is greater than 25% of the capacity, it also means a single probe can't determine the exact balance of the channel.
Of course, channels can be probes in both directions, so if your peer doesn't also set a smaller htlc_maximum_msat, the channel balance could still be probed from their side.
I expect more implementations to roll out privacy preserving features and defaults outlined in the "Oakland Protocol" in the near future, which should help mitigate channel surveillance via probing.
I would encourage you to create the manual payment routing script because it sounds great, but also, you're only protecting yourself from someone who's already continually probing your channel balances, so it may be overkill.
Right, didn't think of that aspect, the only I see with changing the
htlc_maximum_msat
is that my channels are rather small which would prevent much of the channels from being used for routing other payments, however this might be a small price to pay for increased privacy.
I should do some reading on the "oakland protocol", haven't heard of it before.Thank you for your thoughts!
reply
Yeah, it really deserves a full write-up - I'll take a stab at it when I get some time. Here's the gist (read Rusty's description too):
https://twitter.com/endothermicdev/status/1533856189057990658
and a few notes from Laolu if you look under the jamming section:
https://www.mail-archive.com/lightning-dev@lists.linuxfoundation.org/msg02852.html
As you pointed out, there's clearly a tension between routing effectiveness and privacy. I'm hoping in the future that wallets will factor privacy preserving features into account when constructing a route (and prioritize nodes that incorporate them.) Maybe that's optimistic, but I think it's important to promote privacy preserving features on the lightning network. Cheapness of the route isn't everything!
reply