On twitter, someone wrote this post (slightly modified - original: https://x.com/smspoolnet/status/1941786886902558831):

------------------------

Monero (XMR) > BTC Lightning Network for privacy:

• XMR hides sender, receiver, & amount by default

• All transactions look the same on-chain

• No channel or routing leaks

• No reliance on third parties

• LN privacy is optional & can be broken with analysis

------------------------

My reply:

> XMR hides sender

Not through encryption. It puts them in a list with 15 other random pubkeys and says "one of these is the true sender." Then it publishes that list forever on a blockchain. Chain analysts can often figure out which pubkey is the true spender. In lightning the sender is actually encrypted and nothing is published to a blockchain. This makes it much harder for analysts to identify the sender.

> XMR hides...receiver

Not from the sender. The receiver's XMR address and stealth pubkey are shown to the sender in plaintext, and this makes it possible to do poisoned output attacks to trace monero, i.e. the attacker sends some money to a target and then watches the blockchain to see if the target sends it to someone who knows their identity. This is how many of the targets in the case studies on moneroleaks.xyz got caught. On lightning, by contrast, the sender does *not* know who received the funds, because lightning supports trampoline routing by default, meaning the sender cannot know if the person who *looks* like the recipient is *really* the recipient or just another routing node.

> XMR hides...[the] amount by default

(1) Only part of it. The fee is published in plaintext, and this is useful to chain analysts because they use it for wallet fingerprinting -- e.g. custodial services tend to set higher fees than users of self-custodial wallets do. Lightning, of course, hides the fee better by (a) using encryption so that each routing node only knows the portion of the fee they received (b) not publishing anything about the transaction on a blockchain.

(2) Monero does not hide the amount received from the sender. The sender picks how much to send to the recipient and monero does not support transaction chaining so the recipient cannot modify it. Whereas in lightning, the sender knows how much he *sent,* but due to transaction chaining, he does not know how much the recipient *received.* The recipient may have atomically forwarded all, some, or none of the payment to someone else, and the sender would have no idea. In this respect, LN has better amount privacy than XMR.

> All transactions look the same on-chain

No they don't. Some pay higher fees; some have more inputs; some have more outputs; some use pubkeys as decoys that analysts *know* are decoys (because they control those pubkeys, or their partners do). All of this data is used by analysts for fingerprinting and tracing.

But once again, LN does better here: the data produced by the sender is actually encrypted and padded to 1300 bytes. It looks the same to the routing node as if he was forwarding a payment from someone else. It's *truly* indistinguishable, verifiably, through cryptography.

And that's a major improvement on this metric.

> No channel or routing leaks

Monero uses something with a lot of similarities to routing: dandelion++

They are similar in this respect: both try to hide the sender's ip address by forwarding a packet to someone else, who then forwards it to another node, etc., such that "later" nodes don't know if "prior" nodes are the sender or just another "stem node" (in dandelion++) or "routing node" (in LN). This is actually really good for your privacy, but when LN does it, XMR people call it a leak, whereas, of course, when they do it, it's the best thing since sliced bread.

> No reliance on third parties

There is: if you use dandelion++, the nodes in the stem phase can collude to identify you as either the sender or at least another stem node. This is a leak that LN and XMR both share. But in XMR it's worse, because if you are using a light client (e.g. a phone wallet), you don't actually use dandelion++, instead you pick a random node on the network and use RPC commands to send your transaction, thus doxing your ip address to a random node, possibly one run by chainalysis. That is how one of the people got caught in the Case Studies section of moneroleaks.xyz. Lightning, of course, improves this: you don't pick random nodes on the network to send your transaction to in plaintext, instead you encrypt all your transactions and only show them to a select group of nodes chosen by you when you created your channels. This is way better.

> LN privacy is optional

That's also the case with monero. What wallets do most users pick? Ones like exodus and coinomi and freewallet, which are able to easily log your ip address and associate it with your transactions. (Freewallet is also custodial, so it knows even *more* data.)

Privacy is always optional, and if you're seeking good privacy, LN is the better option.
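The fixed 1300-byte padding mentioned above can be shown with a simplified onion layering. This is an added example, not part of the original post and not Lightning's actual packet code: it assumes a SHA-256 counter keystream in place of the real stream cipher, omits HMACs and ephemeral keys, and uses constructed keys and payloads.

```python
import hashlib
import os

ROUTING_INFO_LEN = 1300  # fixed size of the encrypted routing data cited in the post

def keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; an assumed stand-in for the real stream cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def build(hops):
    """hops: list of (per-hop key, payload), first hop to final recipient."""
    if sum(1 + len(p) for _, p in hops) > ROUTING_INFO_LEN:
        raise ValueError("route does not fit in the fixed-size packet")
    info = os.urandom(ROUTING_INFO_LEN)  # random fill behind the last payload
    for key, payload in reversed(hops):
        framed = bytes([len(payload)]) + payload      # 1-byte length prefix
        info = (framed + info)[:ROUTING_INFO_LEN]     # shift in, truncate to 1300
        info = xor(info, keystream(key, ROUTING_INFO_LEN))
    return info

def peel(key: bytes, info: bytes):
    """One node's step: decrypt, read its own payload, forward a same-size blob."""
    padded = info + bytes(ROUTING_INFO_LEN)           # zero-extend before decrypting
    plain = xor(padded, keystream(key, 2 * ROUTING_INFO_LEN))
    n = plain[0]
    return plain[1:1 + n], plain[1 + n:1 + n + ROUTING_INFO_LEN]

def sizes_along_route(hops):
    """Return the blob size seen at every position and the payload each hop read."""
    info = build(hops)
    sizes, seen = [len(info)], []
    for key, _ in hops:
        payload, info = peel(key, info)
        seen.append(payload)
        sizes.append(len(info))
    return sizes, seen

if __name__ == "__main__":
    route = [(b"key-a", b"fwd to b"), (b"key-b", b"fwd to c"), (b"key-c", b"final")]
    print(sizes_along_route(route))          # every size is 1300
    print(sizes_along_route(route[-1:])[0])  # a one-hop route looks the same
```

Because every hop receives and forwards exactly 1300 bytes, the blob size reveals neither the route length nor the node's position in it.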

Discussion

Here's to that.

Thanks man, great post.

nostr:nprofile1qqs0lwcu2ay0j0lysa5tfya5z9ak53mkmc629tncm7eh8l58j3gs2cqpzemhxue69uhkzat5dqhxummnw3erztnrdakj7qgewaehxw309amhxue09anksmmnwshxgmmvw5hxgetkqyv8wumn8ghj7ur0wd6x2u3wwpkxzcm99aex2mrp0yt9fhz7

I am posting a correction thanks to x.com/ofrnxmr, who, on twitter (https://x.com/ofrnxmr/status/1942063609384730641) pointed out a mistake with the following claim:

> if you are using a light client (e.g. a phone wallet), you don't actually use dandelion++, instead you pick a random node on the network and use RPC commands to send your transaction

He said: this is false. You don't use a random node, you use 1 or more nodes that you explicitly choose

I checked in multiple monero wallets and this does indeed seem to be a standard feature. So I was wrong; let this stand as a correction.

This is a great take. Thanks for taking the time to look at the things more closely that are indeed not working in Monero's favour. Many things are well understood; others are less so.

I guess that even post FCMP++ some things like trust in remote nodes and unencrypted fees stay. Do you have any recommendations how to fix things other than putting LN on top of Monero?

Could encrypted fees work?

Also Robosats come in quite handy for those who want to use both Monero and LN (on BTC) and vice versa.

Small anonymity set and infeasibility of verifying non-existence of inflation bugs are reasons enough to avoid XMR.

Continuing the anti-monero crusades

Hey monero can't be that idiotic and probably I'm wrong but gonna ask it anyway:

if you have to do one more hop every time you receive xmr to hide all of your future txs from the sender (shitty design btw) and other 14 fake pubkeys won't do that hop obviously, isn't your real pubkey exposed within those 15 pubkeys?

> other 14 fake pubkeys won't do that hop obviously

Other *15* fake pubkeys -- the total ring size is 15 decoys + 1 true sender

> isn't your real pubkey...exposed...?

It depends. Some of the other 15 pubkeys might have, by chance, sent money around the same time you did; but even if they didn't, some other transaction within the same time frame might have selected them as a decoy too, so that it *looks like* that decoy might have sent money in the same time frame you did.

If neither of those happens, then your pubkey is the only one that shows up in a future ring signature, which might be logged as evidence that there's something special about it. Namely, the attacker knows two things: the "special pubkey" received money in one transaction, and then in a future transaction, it *might* have sent money.

nostr:npub1s0thm3trpndws2ek57vum8qdpwk5jl6mllklg60tvplfq90st4jqgdl3mn

Thanks, should I do an episode on this with nostr:nprofile1qqs9ehsd8je8e3vmh3qn9ll6t3h8f3670ej2tt6e9cw4cmsw3hxfu3sppemhxue69uhkummn9ekx7mp0wjjssg?

Gladly! I would also leave a few sats or XMR.

Another episode suggestion: what one can concretely do right now for more anarchy in one's life, concrete ideas etc. And/or also about your life / the lives of anarchists as inspiration ✨

Or even a series out of it 🚀 but maybe I'm the only one who finds that interesting and important

Cool ideas! I'll add them to the ideas list :) I'm really happy about suggestions