Improving The Privacy Of The Lightning Network’s Gossip Protocol

2 years ago

Currently, the gossip protocol introduces privacy leaks and concerns that could be remedied while condensing the number of messages sent.

This is an opinion editorial by Shinobi, a self-taught educator in the Bitcoin space and tech-oriented Bitcoin podcast host.

The Lightning protocol works by atomically updating payments across multiple payment channels in such a way that everything confirms or fails all together, i.e., it routes payments across multiple hops. An integral part of any routing-based system is a routing table, a collection of all the information necessary to actually construct a path from point A to point B. Without this information, you can’t really route anything anywhere because you don’t know how to get the information from where it is to where you want it to go. Lightning obviously requires a routing table, which is what the gossip protocol specified in BOLT 7 accomplishes: the propagation and maintenance of the record of channels available on the network to route payments through.

This gossip protocol is one of the scaling concerns of the entire Lightning protocol stack. Currently, it is very basic and works in a way that is quite similar to the propagation of transactions on the Bitcoin network proper; nodes on the network receive a gossip message, they then verify the message according to the rules of validity, and pass it on to each of their peers to further propagate across the network. It is a naive flood fill protocol that assumes that valid messages will eventually propagate across the entire network.

Because of this, there is a concern of denial-of-service attacks (spam) that will wind up consuming a large amount of processing resources and bandwidth to deal with. In the case of the main Bitcoin network, nodes will not relay invalid transactions, so to broadcast something that consumes nodes’ bandwidth and computational resources requires you to actually have bitcoin to make a transaction with. In the case of the Lightning gossip protocol, you are required to prove you control a valid UTXO backing a channel in order to relay a gossip message about the channel. This performs the same spam protection function as on the main Bitcoin network; you cannot spam messages across the network without actually controlling bitcoin.

This brings me to the current structure of the gossip protocol. This will by no means be a comprehensive breakdown of the protocol, but a deep enough glimpse into it to look at a proposed change and evaluate the trade-offs between the proposal and the current protocol. There are three main messages currently in the gossip protocol: the channel_announcement message, the node_announcement message and the channel_update message. There is also an announcement_signatures message, but this is only used with direct channel peers to sign messages announcing channels, and it is not widely broadcast across the entire network. I’m not going to cover the messages for requesting data, as they are not really relevant to the point of this article.

The channel_announcement message is the first thing required in order to announce a channel to the network and then to announce your node to the public as well. It is collaboratively constructed and requires both channel partners to make and broadcast. This message includes proof that the funding transaction to a channel pays into the channel multisig address, and then it includes signatures from the Lightning node identity key of both participants over the message. It declares which multisig key is owned by which node and includes signatures from each multisig key of the on-chain UTXO backing the channel. This proves that both nodes involved in a channel have control of the on-chain multisig, and then it proves that their Lightning node identity key is associated with it.

Next up is the node_announcement message. If a node attempts to relay this connection without having antecedently sent a channel_announcement connection for a valid channel, it is ignored and not relayed. Nodes relay this connection by themselves aft opening their archetypal nationalist transmission to let different nodes to link to them. This connection contains a signature from the node individuality cardinal connected the message; immoderate diagnostic bits for aboriginal mentation updates, the web code the node tin beryllium reached astatine to unfastened channels with, an alias (nickname) and a fewer different bits of info.

Lastly, the channel_update message. This message is also made and broadcast unilaterally by a single node. It contains the minimum and maximum value hashed timelock contracts (HTLCs) a channel will route; the fee that the operator will charge for routing through that channel (base fee and percentage fee rate); and the amount of timelock difference it requires between itself and the previous hop, so that it has time to find a transaction settling on-chain and enforce the proper outcome for itself if necessary. It is also signed like all other messages.

So the protocol as it is now provides all the information necessary to find channels you can route payments through, advertises the information necessary to know what fees each channel will charge, and provides a denial-of-service protection mechanism to prevent the Lightning Network from being spammed all day with nonsense advertisements of channels that don’t exist by requiring signatures from the keys holding the funding UTXO on-chain.
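The relay rules for the three messages described above can be sketched as a small model. This is an added example, not code from the article or from any Lightning implementation; it omits signature verification and the BOLT 7 wire format, and the outpoints, node names and amounts are constructed. `linked_utxos` shows what any observer of the gossip learns about a node.

```python
from dataclasses import dataclass, field

@dataclass
class GossipView:
    """Simplified model of one node's gossip state; signature checks are omitted."""
    utxos: dict                                   # outpoint -> sats (constructed chain state)
    channels: dict = field(default_factory=dict)  # outpoint -> (node_a, node_b)
    fees: dict = field(default_factory=dict)      # (outpoint, node) -> (base_msat, ppm)

    def handle(self, msg: dict) -> bool:
        """Return True if the message is accepted and would be relayed to peers."""
        kind = msg["type"]
        if kind == "channel_announcement":
            # Spam protection: funding output must be an existing, not yet announced UTXO.
            op = msg["outpoint"]
            if op not in self.utxos or op in self.channels:
                return False
            self.channels[op] = (msg["node_a"], msg["node_b"])
            return True
        if kind == "node_announcement":
            # Ignored unless the node already appears in an accepted channel.
            return any(msg["node"] in pair for pair in self.channels.values())
        if kind == "channel_update":
            # Unilateral, but only accepted from one of the channel's two endpoints.
            if msg["node"] not in self.channels.get(msg["outpoint"], ()):
                return False
            self.fees[(msg["outpoint"], msg["node"])] = (msg["base_msat"], msg["ppm"])
            return True
        return False

    def linked_utxos(self, node: str) -> dict:
        """What any gossip observer learns: the UTXOs tied to a node identity key."""
        return {op: self.utxos[op] for op, pair in self.channels.items() if node in pair}

def demo():
    # Constructed sample data: outpoints, node names and amounts are illustrative.
    view = GossipView(utxos={"txid_a:0": 5_000_000, "txid_b:1": 2_000_000})
    def ann(op, a, b):
        return {"type": "channel_announcement", "outpoint": op, "node_a": a, "node_b": b}
    msgs = [
        {"type": "node_announcement", "node": "alice", "alias": "A"},   # no channel yet
        ann("txid_c:0", "alice", "bob"),                                # UTXO does not exist
        ann("txid_a:0", "alice", "bob"),
        {"type": "node_announcement", "node": "alice", "alias": "A"},
        {"type": "channel_update", "outpoint": "txid_a:0", "node": "carol", "base_msat": 0, "ppm": 1},
        {"type": "channel_update", "outpoint": "txid_a:0", "node": "alice", "base_msat": 1000, "ppm": 100},
        ann("txid_b:1", "alice", "carol"),
    ]
    return [view.handle(m) for m in msgs], view.linked_utxos("alice")
```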

But it has one big problem: a total lack of privacy. In order to advertise your channel on the network for people to route payments through, you have to dox the exact UTXO used to fund that channel and associate it with your Lightning node’s identity key. So what can we do to fix this?

Rusty Russell from Blockstream proposed an updated version of the gossip protocol in February 2022. It would take the core protocol from three messages down to two and drastically improve the privacy properties as a consequence.

Effectively what would happen is to completely remove the channel_announcement message and leave the protocol with node_announcement_v2 and a channel_update_v2 message. Instead of doxxing every individual UTXO associated with a channel, and requiring a channel_announcement first, the node_announcement_v2 could be done initially and prove control over a UTXO not actually used to fund a channel. The node operator would then be allowed to advertise channels reflecting some multiple of that amount (so say you have 1 BTC you proved control over, you can now advertise 10 BTC of routing capacity), without having to dox the actual channel UTXOs.

This would be a massive privacy improvement for the network by not requiring every channel to tie itself to a specific on-chain UTXO; chain analysis firms would no longer be able to easily follow every public node operator's funds on-chain between channels. The channel_update_v2 message would then take the place of both channel_announcement and channel_update, fulfilling the same general purpose in the protocol.
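The capacity rule of the proposal, as this article describes it, can be modelled as a per-node budget. This is an added example, not the proposal's own code or wire format: the multiple of 10 is taken from the article's 1 BTC to 10 BTC illustration, the channel ids are hypothetical, and the rule that one UTXO cannot back two node identities is an assumption of the sketch.

```python
CAPACITY_MULTIPLE = 10  # assumption: the article's 1 BTC -> 10 BTC illustration

class GossipV2View:
    """Simplified model of the proposed rules; signature checks are omitted."""
    def __init__(self, utxos):
        self.utxos = utxos      # outpoint -> sats (constructed chain state)
        self.proof = {}         # node -> outpoint proven in node_announcement_v2
        self.advertised = {}    # node -> {channel_id: capacity_sat}

    def node_announcement_v2(self, node, outpoint):
        # The proven UTXO must exist; assumed here: it cannot back two identities.
        taken = any(n != node and op == outpoint for n, op in self.proof.items())
        if outpoint not in self.utxos or taken:
            return False
        self.proof[node] = outpoint
        self.advertised.setdefault(node, {})
        return True

    def channel_update_v2(self, node, channel_id, capacity_sat):
        # No per-channel UTXO: total advertised capacity is capped at a
        # multiple of the amount the node proved control over.
        if node not in self.proof:
            return False
        chans = self.advertised[node]
        others = sum(c for cid, c in chans.items() if cid != channel_id)
        limit = CAPACITY_MULTIPLE * self.utxos[self.proof[node]]
        if others + capacity_sat > limit:
            return False
        chans[channel_id] = capacity_sat
        return True

    def linked_utxos(self, node):
        """On-chain outputs an observer can tie to this node: only the proof."""
        return [self.proof[node]] if node in self.proof else []

def demo():
    # Constructed sample data: one 1 BTC proof UTXO, hypothetical channel ids.
    view = GossipV2View({"proof_txid:0": 100_000_000})
    results = [
        view.node_announcement_v2("alice", "proof_txid:0"),
        view.node_announcement_v2("mallory", "proof_txid:0"),   # proof reuse
        view.channel_update_v2("mallory", "m1", 1),              # no proof
        view.channel_update_v2("alice", "ch1", 600_000_000),
        view.channel_update_v2("alice", "ch2", 400_000_000),     # total 10 BTC
        view.channel_update_v2("alice", "ch3", 1),               # over budget
        view.channel_update_v2("alice", "ch1", 500_000_000),     # lowers ch1
        view.channel_update_v2("alice", "ch3", 100_000_000),
    ]
    return results, view.linked_utxos("alice")
```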

In the long term, the idea of a gossip protocol based on flood fill propagation is most likely not scalable. Flood fill is one of the most inefficient network designs for propagating information there is, and this is a problem that, in the long term, is going to have to be optimized and shifted into a different direction to really be scalable for a payment network that hopefully will be global in size. There is no real way around that. But one of the biggest shortcomings of the current gossip protocol is the evisceration of the privacy of routing node operators. You can’t be a routing node without publicly tainting your channel UTXOs as tied to you and making it easy to surveil them on-chain.

Given that one of the biggest potential utilities that the Lightning Network could add besides the scalability of payments is the privacy of payments, shouldn’t we be addressing the massive ways in which the protocol stack falls short in fulfilling those promises of privacy? I think we should, and one big way to start is by improving the privacy of node operators who actually play the role of facilitating payments across the network in the first place.

This is a guest post by Shinobi. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.
