@ -110,13 +110,14 @@ Multiple companies have been established to deanonymize users of Bitcoin and oth
At first glance, Lightning provides better privacy than Bitcoin because Lightning payments are not broadcast to the whole network.
While this improves the privacy baseline, other properties of the Lightning protocol may make anonymous payments more challenging.
For instance, larger payments may have fewer routing options.
This may allow an adversary who controls well-capitalized nodes to route most large payments and discover payment amounts and probably other details.
This may allow an adversary who controls well-capitalized nodes to route most large payments and discover payment amounts and probably other details. Over time, as the Lightning Network grows, this may become less of a problem.
Another relevant difference between Lightning and Bitcoin is that Lightning nodes maintain a permanent identity, whereas Bitcoin nodes do not.
A sophisticated Bitcoin user can easily switch nodes used to receive blockchain data and broadcast transactions.
A Lightning user, on the contrary, sends and receives payments through the nodes they have used to open their payment channels.
Moreover, the Lightning protocol assumes that routing nodes announce their IP address in addition to their node ID.
This creates a permanent link between node IDs and IP addresses, which may be dangerous, considering that an IP address is often an intermediary step in anonymity attacks linked to the user's physical location and, in most cases, real-world identity.
It is possible to use Lightning over Tor, but many nodes https://1ml.com/statistics[do not use] this functionality.
It is possible to use Lightning over Tor, but many nodes do not use this functionality, as can be seen from https://1ml.com/statistics[statistics collected from node announcements].
A Lightning user, when sending a payment, has its neighbors in its anonymity set.
Specifically, a routing node only knows the immediately preceding and following nodes.
@ -125,7 +126,7 @@ Therefore, the anonymity set of a node in Lightning roughly equals its neighbors
[[anonymity_set]]
.The anonymity set of Alice and Bob constitutes their neighbors.
image:images/anon-set.png[]
image::images/anon-set.png["The anonymity set of Alice and Bob constitutes their neighbors"]
Similar logic applies to payment receivers.
Many users open only a handful of payment channels, therefore, limiting their anonymity sets.
@ -240,7 +241,7 @@ Note that in any case, Mallory's estimation becomes twice as precise after just
She can continue probing, choosing the next probing amount such that it divides the current estimation interval in half.
This well-known search technique is called _binary search_.
With binary search, the number of probes is _logarithmic_ in the desired precision.
For example, to obtain Alice's balance in a channel of 1 million satoshis up to a single satoshi, Mallory would only have to perform stem:[\log_2(1000000) \approx 20] probings.
For example, to obtain Alice's balance in a channel of 1 million satoshis up to a single satoshi, Mallory would only have to perform latexmath:[\log_2(1000000) \approx 20] probings.
If one probing takes 3 seconds, one channel can be precisely probed in only about a minute!
Channel probing can be made even more efficient.
@ -288,7 +289,7 @@ Generally, this is achieved by the attacker bombarding a resource with requests,
The attacks seldom result in the target suffering financial loss aside from the opportunity cost of their service being down and are merely intended to grief the target.
Typical mitigations for denial-of-service attacks require authentication for requests to separate legitimate users from malicious ones or to incur a trivial cost to regular users but will act as a sufficient deterrent to an attacker launching requests at scale.
Anti-denial-of-service measures can be seen everywhere on the internet - websites apply rate limits to ensure that no one user can consume all of their server's attention, film review sites require login authentication to keep angry r/prequelmemes members at bay, and API keys are purchased to allow a limited number of hits.
Anti-denial-of-service measures can be seen everywhere on the internet - websites apply rate limits to ensure that no one user can consume all of their server's attention, film review sites require login authentication to keep angry r/prequelmemes (Reddit group) members at bay, and data services sell API keys to limit the number of queries.
===== DoS in Bitcoin
@ -326,7 +327,7 @@ In the absence of fees for failed payments, the only cost to the attacker is the
==== Commitment jamming
Lightning nodes update their shared state using asymmetric commitment transactions, on which HTLCs are added and removed to facilitate payments.
Each party is limited to a total of https://github.com/lightningnetwork/lightning-rfc/blob/c053ce7afb4cbf88615877a0d5fc7b8dbe2b9ba0/02-peer-protocol.md#the-open_channel-message[483] on the commitment at a time.
Each party is limited to a total of https://github.com/lightningnetwork/lightning-rfc/blob/c053ce7afb4cbf88615877a0d5fc7b8dbe2b9ba0/02-peer-protocol.md#the-open_channel-message[483] HTLCs in the commitment transaction at a time.
A channel jamming attack allows an attacker to render a channel unusable by routing 483 payments through the target channel and holding them until they timeout.
It should be noted that this limit was chosen in the specification to ensure that all the HTLCs can be swept in a https://github.com/lightningnetwork/lightning-rfc/blob/master/05-onchain.md#penalty-transaction-weight-calculation[single justice transaction].
@ -359,7 +360,7 @@ However, creating and closing payment channels are inherently performed on the B
Consequently, for a complete analysis of LN's privacy provisions, one needs to consider every layer of the technological stack users might interact with.
Specifically, a deanonymizing adversary can and will use off-chain and on-chain data to cluster or link LN nodes to corresponding Bitcoin addresses.
What might be the goals of a deanonymizing attacker in a cross-layer context?
Some of the goals of attackers attemptin to deanonymize LN users, in a cross-layer context:
* Cluster Bitcoin addresses owned by the same user (layer-1). We call these Bitcoin entities.
* Cluster LN nodes owned by the same user (layer-2).
@ -433,14 +434,6 @@ Therefore, many of its properties (privacy, robustness, connectivity, routing ef
In this section, we discuss and analyze the LN from the point of view of network science.
We are particularly interested in understanding the LN channel graph, its robustness, connectivity, and other important characteristics.
==== What is a graph anyway?
A graph is a mathematical model that consists of nodes and edges (connections between nodes).
In the LN, nodes represent LN nodes, and edges represent payment channels between them.
In many cases, just like in the LN, edges can have attributes, for instance, numerical values.
In the case of LN, these attributes can represent a channel's capacity.
We call the degree of a node the number of edges (payment channels) it has.
==== How does the Lightning graph look in reality?
One could have expected that the LN is a random graph, where edges are randomly formed between nodes.
If this was the case, then the LN's degree distribution would follow a Gaussian normal distribution.
@ -494,11 +487,11 @@ However, depending on the utilized attack vector, the adversary may have to prov
The LN is a dynamically changing, permissionless network.
Nodes can freely join or leave the network, they can open and create payment channels anytime they want.
Therefore, a single static snapshot of the LN graph is misleading. We need to consider the temporality and ever-changing nature of the network. For now, the LN graph is growing in terms of the number of nodes and payment channels.
Its effective diameter is also shrinking; that is, nodes become closer to each other, as we can see in <<temporal_ln>>.
Its effective diameter is also shrinking; that is, nodes become closer to each other, as we can see in <<temporal_ln>>:
[[temporal_ln]]
.The steady growth of the LN in terms of nodes, channels and locked capacity.
image:images/ln-over-time.png[]
image::images/ln-over-time.png["The steady growth of the LN in terms of nodes, channels and locked capacity"]
In social networks, triangle closing behavior is common.
Specifically, in a graph where nodes represent people and friendships are represented as edges, it is somewhat expected that triangles will emerge in the graph.
@ -519,11 +512,11 @@ For a precise definition of central point dominance, the reader is referred to h
The larger the central point dominance of a network is, the more centralized the network is.
We can observe that the LN has a greater central point dominance, ie. it is more centralized, than a random graph (Erdős-Rényi graph) or a scale-free graph (Barabási-Albert graph) of equal size.
However, we also note, that over time the central point dominance of the LN gradually decreases as the network grows and densifies, as shown in <<central_point_dominance_ln>>.
However, we also note, that over time the central point dominance of the LN gradually decreases as the network grows and densifies, as shown in <<central_point_dominance_ln>>:
[[central_point_dominance_ln]]
.Central point dominance of the LN, a random graph (ER) and a scale-free graph (BA) of equal size.
image:images/central-point-dominance.png[]
image::images/central-point-dominance.png["Central point dominance of the LN, a random graph (ER) and a scale-free graph (BA) of equal size"]
In general, our understanding of the dynamic nature of the LN channel graph is rather limited.
It is fruitful to analyze how protocol changes like multi-part payments can affect the dynamics of the LN.
@ -543,8 +536,7 @@ Let's look at some of the relevant incentives:
- While we should not base our security assumptions on altruism, to a certain extent, altruistic behavior drives Bitcoin (accepting incoming connections, serving blocks).
- What role does it play in Lightning?
A recent paper has shown that LN nodes are mostly altruistic.
Specifically, the earned routing fees do not compensate for the opportunity costs stemming from liquidity lock-up.
In the early stages of the Lightning Network, many node operators have claimed that the earned routing fees do not compensate for the opportunity costs stemming from liquidity lock-up. This would indicate that operating a node may be driven mostly by altruistic incentives "for the good of the network".
This might change in the future if LN has significantly larger traffic or if a market for routing fees emerge.
On the other hand, if a node wishes to optimize its routing fees, it would minimize the average shortest path lengths to every other node.
Put differently, a profit-seeker node will try to locate itself in the _center_ of the channel graph or close to it.
Andreas M. Antonopoulos
3 years ago
