“Citadel Dispatch” episode 70, “Using Lightning privately with Tony and @FuturePaul“:
“There is a fine line between educating and being catastrophic. People need to be informed that it is not perfect and there are a lot of privacy holes in Lightning and Bitcoin as well. It’s not a lost cause. I like to draw the line between breaking privacy and fixing privacy. Breaking privacy to educate people that it is somehow broken and to be careful. But also trying to educate and improve it at the same time. The reason I’m doing this is so we can improve privacy.
“To solve problems, you must first be aware of the problems.”
It’s still very early in the project, but the use case is very clear, considering all the pitfalls of trying to spend bitcoin on Lightning in a privacy-preserving way.
The primary goals of pLN’s Minimum Viable Product (MVP) launch are to enable users to:
- Open Lightning Channels via Chain Repository
- Make payments through Lightning
And, above all, at least in the initial version:
- Receiving Lightning payments will be disabled
- Each channel will be open on its own separate node
To understand why receiving payments will be disabled from the start, it’s important to understand some of the main pitfalls of Lightning as it currently exists:
- All invoices contain recipient’s channel ID
- Channel ID leaks deterministic node/owner information
However, if you are using the “not yet widely supported”short channel ID“Instead, these have no connection to the state of the channel, the owner of the node, or the original UTXOs used to fund the channel.
The pLN app itself is be written using Flutterwhich means desktop and mobile versions (both for Android and iOS) will be available.
under the hood
The root node does the heavy lifting: listening for gossip messages, building the network graph, calculating routes, etc. Individual channel nodes only track their own channel state and nothing else.
The Bitcoin backend can be either a connection to bitcoind or a personal Electrum server. For mobile, Electrum would probably be the best choice as it is designed for secure remote connections.
What if I want to pay my friend who also uses pLN?
Since direct channel partner payments betray information about your node and make it clear that the payments are coming from you, you should be careful about making them, sparingly at best.
The concept of plausible deniability comes into play with more hops between you and the end recipient. The more jumps you make along the way, the greater your anonymity.
The app would eventually allow you to override the built-in protections and make a payment to a peer, but only after clear and clear warnings about what it entails and what information you might divulge, should you choose to continue.
For example, you can choose to make a direct payment to your friend who is also using pLN if you wish. (Imagine you don’t care or they know what channels you opened, since you pay them in person and trust them.)
But the app would encourage you to try making payment with multiple skips if possible. (The defaults would likely opt for more than a few hops at least, I suppose.)
It will also notify you if you try to open a channel with a major public hub (like in ACINQ or Breez nodes). Ideally, you should open channels with unknown/smaller nodes whenever possible.
What about large payments?
Large payments can be made to appear as partially completed AMP (Atomic Multipath Payments) payments (AMPs that are halfway through), with cash flowing out of a number of your individual channel nodes as needed. The sats all converge to the final destination at the end. Pretty cool!
Future ideas for the app (TBD)
- Enable blind paths once this is available in LDK
- Continuous CoinJoin with on-chain UTXOs in the wallet on the root node
- Splice out/splice in continuous and CoinJoin with sats in channels
- Timeout UX options: If your payment is taking too long to route, the app may ask you if you want to try another route with fewer hops
- Privacy is a spectrum
- We need to balance usability and user experience with anonymity sets and privacy while trying to prevent users from shooting themselves in the foot.
I think this is an exciting new wallet and project that should help both educate users about privacy and allow them to use Lightning in an easy way.
This is a guest post by Adam Anderson. The opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.