Super Testnet's avatar
Super Testnet
npub1yxp7...399s
Open source dev w/ bitcoin focus | supertestnet.org bc1qefhunyf8rsq77f38k07hn2e5njp0acxhlheksn
Super Testnet's avatar
Super Testnet 5 months ago
Today I decided to analyze a paper discussing attacks against the privacy of the lightning network. The paper is here: https://arxiv.org/pdf/2003.12470 and it is called “An Empirical Analysis of Privacy in the Lightning Network.” It analyzes a number of attacks on LN privacy, including one I found particularly interesting, the discussion of which contains this sentence: “We thus developed a tracing heuristic, which follows the “peeling chain” initiated at the opening and closing of public channels to identify any associated private channels.” (page 6) The Peeling Attack (page 6) The peeling attack is designed to identify unannounced channels on the lightning network. As part of the attack (the name for which I made up), they identified all outputs on the blockchain that could feasibly be channel opening transactions on the lightning network, and then checked how those outputs were spent. Some of them were “channel closure” transactions, confirmed by this method: they observed that the transaction sent money to a lightning node who had public channels, and they confirmed *that* by observing that the recipient *spent* the money to open a “public” channel, which showed up in the public channel graph. Since they identified channel closure transactions of a channel that was not announced on the public graph, they knew it must be an unannounced channel. A particularly poignant sentence is this one: “Out of the 27,183 transactions we identified as representing the opening of private channels, we were able to identify both participants in 2,035 (7.5%), one participant in 21,557 (79.3%), and no participants in 3,591 (13.2%).” By identifying many unannounced channels via their opening and closing transactions, they could get the total capacity of those channels, as well as the “final” balance of both parties when the channel closed. What are the weaknesses of this attack? Some are: it only finds unannounced channels if they are in a peel chain, that is, a series of transactions that keep opening and closing channels using a particular utxo and its change; it does not identify unannounced channels that are not part of a peel chain; it does not get anyone’s channel balance while the channel is open, only its total channel capacity; when it identified a channel closure, it only learned the “final” balance of the two nodes, not their transaction history. The Targeted Probing Attack (page 8) Regarding balances, they also have an attack for guessing the internal balances of an individual announced channel, though the attack has weaknesses. The attack is discussed in section 4, page 8 of the paper. It’s similar to Rene Pickhardt’s channel probing attack, but I will dub the new method the “targeted probing attack,” as opposed to Rene’s attack, which I dub the “dragnet probing attack.” The targeted probing attack requires identifying a channel, which they call B -> C, where B and C are lightning nodes and the arrow is the channel between them. Then the attacker must open two “attacker” channels (the dragnet method requires only one channel), one with B and another with C. Then the attacker sends a series of payment probes, such that their channel with B is always the “from” channel and their channel with C is always the “to” channel. By only having those two channels, they know the payment probe must pass through B and C. If the payment makes it to the destination node, then they infer that the capacity of B -> C is split up in such a way that B has at least that much money on his side of the channel; then they cancel the payment and try again with a higher amount, and keep doing they reach the channel’s capacity or the payment fails. (That’s a bit simplified; they optimize the number of transactions they must try by doing a binary search, but whatever.) At that point, they infer that the internal balance of node B in the channel B -> C is just below whatever amount failed (if there was a failure), or is just the entire capacity of the channel (if there never was a failure), and the balance of C is whatever’s leftover of the capacity of the channel. They admit that the targeted probing attack has a weakness: “[In] the case in which there is more than one intermediate channel between the two attacker nodes…the above method identifies the bottleneck balance in the entire path, rather than the balance of an individual channel.” (page 9) Consequently, B and C may have channels between them that the attackers don’t know about (e.g. unannounced channels that weren’t in a peel chain), and thus this attack does not for-sure discern the internal balance of B for a particular channel, it only finds that he has *at most* whatever amount they got through. E.g. if they got a payment of $500 through, maybe B only had $200 on his side of the B -> C channel they were probing, but he had $300 or more in another channel with C that they didn’t know about, and routed the remainder through that channel. The AOH Attack (Assume One Hop - page 10) The paper discusses an attack for guessing the senders and recipients in a lightning payment, in section 5, “Path Discovery,” on page 10. They describe their attack thusly: “The strategy of our…adversary is simple: they always guess that their immediate predecessor is the sender. … Similarly, they always guess that their immediate successor is the recipient.” Their attack relies on the assumption that most nodes will try to pass their payment through the shortest possible route to the destination, and that this means most payments will actually only have one hop: “the route to the destination in LN is constructed solely by the payment sender. All clients generally aim to find the shortest path in the network, meaning the path with the lowest amount of fees.” (page 11) They simulate this attack in section 5.1 (page 11), where they say they took “snapshots” of the lightning network’s public nodes and channels (specifically, they say their methodology for getting the snapshot is outlined in section 3.1 on page 5, and that section only mentioned public nodes and channels – unannounced ones are only discussed later, in section 3.2). Then they assigned a routing algorithm semi-randomly to each node on this network, where the algorithms were re-written versions of the routing algorithms used by LND, CLN, and Eclair. Then they pretended these nodes sent simulated payments to one another at random, and checked how often a routing node was right if a payment passed through it and it guessed that the node before it was the sender and the node after it was the recipient. They were correct 56.65% of the time. What are the weaknesses of this attack? Well, they were *wrong* about a single hop 43.35% of the time, so that’s already pretty damaging to their case. But also, they were working on a constrained network: they completely excluded private nodes as possible senders, and it is a lot easier to guess the sender/recipient when your simulator excludes, right at the start, a huge number of nodes that could otherwise be the sender/recipient.
Super Testnet's avatar
Super Testnet 5 months ago
Hey @Nostr Wallet Connect or anyone else, is there a nice looking service that helps people check out or try a variety of NWC-compatible wallets? I'm making a website where people connect an NWC string and I want to link people to something helpful in case they don't know what NWC is yet
Super Testnet's avatar
Super Testnet 5 months ago
The lightning network has superior privacy tech to the main privacy coin (monero) while simultaneously scaling better Want a real cryptocurrency? It's bitcoin on LN
Super Testnet's avatar
Super Testnet 5 months ago
It's probably just luck, but Ocean entered the top 10 mining pools today. They even surpassed the measured hashrate of the principal spam-friendly mining pool, which is Mara. Let's see if they manage to keep this spot over the next few days. image
Super Testnet's avatar
Super Testnet 5 months ago
There is a new section on
Monero leaks
 It's called "List of attacks" Learn the names and inner workings of 6 common techniques used to trace monero, as well as information about real-world cases where each technique was used to trace and convict a monero user
Super Testnet's avatar
Super Testnet 5 months ago
On twitter, someone wrote this post (slightly modified - original: https://x.com/smspoolnet/status/1941786886902558831): ------------------------ Monero (XMR) > BTC Lightning Network for privacy: • XMR hides sender, receiver, & amount by default • All transactions look the same on-chain • No channel or routing leaks • No reliance on third parties • LN privacy is optional & can be broken with analysis ------------------------ My reply: > XMR hides sender Not through encryption. It puts them in a list with 15 other random pubkeys and says "one of these is the true sender." Then it publishes that list forever on a blockchain. Chain analysts can often figure out which pubkey is the true spender. In lightning the sender is actually encrypted and nothing is published to a blockchain. This makes it much harder for analysts to identify the sender. > XMR hides...receiver Not from the sender. The receiver's XMR address and stealth pubkey are shown to the sender in plaintext, and this makes it possible to do poisoned output attacks to trace monero, i.e. the attacker sends some money to a target and then watches the blockchain to see if the target sends it to someone who knows their identity. This is how many of the targets in the case studies on moneroleaks.xyz got caught. On lightning, by contrast, the sender does *not* know who received the funds, because lightning supports trampoline routing by default, meaning the sender cannot know if the person who *looks* like the recipient is *really* the recipient or just another routing node. > XMR hides...[the] amount by default (1) Only part of it. The fee is published in plaintext, and this is useful to chain analysts because they use it for wallet fingerprinting -- e.g. custodial services tend to set higher fees than users of self-custodial wallets do. Lightning, of course, hides the fee better by (a) using encryption so that each routing node only knows the portion of the fee they received (b) not publishing anything about the transaction on a blockchain. (2) Monero does not hide the mount received from the sender. The sender picks how much to send to the recipient and monero does not support transaction chaining so the recipient cannot modify it. Whereas in lightning, the sender knows how much he *sent,* but due to transaction chaining, he does not know how much the recipient *received.* The recipient may have atomically forwarded all, some, or none of the payment to someone else, and the sender would have no idea. In this respect, LN has better amount privacy than XMR. > All transactions look the same on-chain No they don't. Some pay higher fees; some have more inputs; some have more outputs; some use pubkeys as decoys that analysts *know* are decoys (because they control those pubkeys, or their partners do). All of this data is used by analysts for fingerprinting and tracing. But once again, LN does better here: the data produced by the sender is actually encrypted and padded to 1300 bytes. It looks the same to the routing node as if he was forwarding a payment from someone else. It's *truly* indistinguishable, verifiably, through cryptography. And that's a major improvement on this metric. > No channel or routing leaks Monero uses something with a lot of similarities to routing: dandelion++ They are similar in this respect: both try to hide the sender's ip address by forwarding a packet to someone else, who then forwards it to another node, etc., such that "later" nodes don't know if "prior" nodes are the sender or just another "stem node" (in dandelion++) or "routing node" (in LN). This is actually really good for your privacy, but when LN does it, XMR people call it a leak, whereas, of course, when they do it, it's the best thing since sliced bread. > No reliance on third parties There is: if you use dandelion++, the nodes in the stem phase can collude to identify you as either the sender or at least another stem node. This is a leak that LN and XMR both share. But in XMR it's worse, because if you are using a light client (e.g. a phone wallet), you don't actually use dandelion++, instead you pick a random node on the network and use RPC commands to send your transaction, thus doxing your ip address to a random node, possibly one run by chainalysis. That is how one of the people got caught in the Case Studies section of moneroleaks.xyz. Lightning, of course, improves this: you don't pick random nodes on the network to send your transaction to in plaintext, instead you encrypt all your transactions and only show them to a select group of nodes chosen by you when you created your channels. This is way better. > LN privacy is optional That's also the case with monero. What wallets do most users pick? Ones like exodus and coinomi and freewallet, which are able to easily log your ip address and associate them with your transactions. (Freewallet is also custodial, so it knows even *more* data.) Privacy is always optional, and if you're seeking good privacy, LN is the better option.