I thought they only see minimal data?
they know the next hop 🤷
and if network topography tends toward hub-and-spoke and it's only 1-3 routing nodes to the destination, it doesn't take much colluding and channel probing to figure out the destination.
and we'd never know if it was happening.
which is the point.
That's assuming perfect privacy from the original channel peer. You still have to have an on chain transaction locked up with a peer and all payments initially route through them. This gives a huge amount of metadata that can be combined with timing analysis for subsequent hops.
Yes, payments are onion routed, but if the entry node is static and there's no obfuscation packets or anything then timing attacks are trivial. Combine this with centralizing routing nodes, as you touched on in another reply, and you have a scenario where you have good privacy from the receiver but terrible from state intelligence.
Most Bitcoiners are under the impression that institutional adoption is good and state intelligence is pro Bitcoin so they believe this threat model is reasonable, but time will tell.
how does having a UTXO locked with a counterparty give "metadata that can be combined with timing analysis for subsequent hops?"
not sure what that data is...
The channel peer you open the channel with knows both the history of the UTXO used to open the channel, and every subsequent transaction routed through them. If that UTXO was split from another that's later identified to you, then the whole channel is identified to you and thus anything routed through your channel peer is attributed to you. Then with timing analysis, later hops can be linked to the origin channel thus the whole chain can be broken.
If I'm incorrect, please inform me; this is the limit of my knowledge.
well sure
but that's just regular onchain privacy problems, not unique to LN.
It can break open the whole LN privacy though. Also works both ways. If through timing analysis your LN channel is identified to you, then the UTXO is and thus all previous cospend will break that on-chain anonymity.
It's superior privacy to purely on-chain since it requires this network attack, but still presents a massive attack vector compared to a Monero with both on-chain sender, receiver and amount privacy AND network level privacy through Dandelion++.
IK I'm preaching to the choir on the Monero point with you as you're aware of those technologies, I'm just bringing it back to Clippy's original claim that lightning privacy makes Monero irrelevant.