> Why is this a problem if they lose it when it moves?

Because on monero, the sender knows which of your pubkeys he sent money to and can watch the blockchain to see *whether* it moves.

For example, if the pubkey he sent money to never appears in a future ring sig, the sender knows the recipient still has that money -- he knows it hasn't moved.

That's bad for receiver privacy. What if you don't want him to know? Why *should* he know? What if, at some point in the future, you claim you sold all your monero, but an exchange proves that they sent money to your pubkey, and the monero blockchain proves it hasn't moved since then? That's a serious privacy defect.

And that's not the only defect. You say "they will lose it when it moves" but some blockchain analysts have managed to track what happens to monero after it's sent by eliminating some or all of the decoys used in monero's ring signature scheme. Chainalysis even offers a paid service where they brag about their ability to do this, and law enforcers have used this service to arrest monero users. So your claim "they will lose it when it moves" might *sometimes* be true but monero provides no guarantees here.

That's why *omitted* information is better for your privacy than *obscured* information. Monero *obscures* details about the transaction. Lightning *omits* those details altogether by (1) not posting anything to a blockchain, (2) actually encrypting all parts of the transaction, and (3) using HTLCs and (sometimes) rendezvous routing to ensure that the sender can't even be sure he knows the recipient's public key.

Discussion

(2) isn't accurate. Lightning doesn't technically encrypt amounts at all. Every hop knows how much is being forwarded, but Monero does conceal amounts (except for fees). Also, for (3) the sender being unsure seems like obscured information. Because it still *could* be the recipient's public key, but maybe it's not. Just like you can't be sure a recipient is spending just because you see their stealth address in a ring sig. Maybe it's not.

> Lightning doesn't technically encrypt amounts at all

Yes it does. It uses the Sphinx encryption standard specified in bolt4. You can see in the bolts what the encrypted payload includes:

```
payload format
...
tlv_stream: payload
types:
    type: 2 (amt_to_forward)
    data:
        [tu64:amt_to_forward]
```

source: https://github.com/lightning/bolts/blob/master/04-onion-routing.md#packet-structure

You can also see the code for this in LND, starting at line 13 here:

https://github.com/lightningnetwork/lnd/blob/fc906f2a65518606f9a3100e5005b3241d73f35d/htlcswitch/packet.go#L13

Notice what that packet includes on lines 42-47:

```
	// incomingAmount is the value in milli-satoshis that arrived on an
	// incoming link.
	incomingAmount lnwire.MilliSatoshi

	// amount is the value of the HTLC that is being created or modified.
	amount lnwire.MilliSatoshi
```

And notice that this information is encrypted per lines 52-54:

```
	// obfuscator contains the necessary state to allow the switch to wrap
	// any forwarded errors in an additional layer of encryption.
```

It speaks of an "additional" layer of encryption because "this" layer (the htlc packet itself) is also encrypted so that the only people who can read it are the sender, the recipient, and the routing nodes.

Also, thanks to multipath payments, the routing nodes do not know if the amount they see passing through their node is the full amount or just a shard of the full amount.
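Added example (not part of the thread, and not code from the BOLTs or LND): a parser for the `tlv_stream` quoted above, run on the bytes one hop holds after removing its own onion layer, so the fields that hop reads are visible. It goes slightly beyond the quoted excerpt by also decoding types 4, 6 and 8 from BOLT 4; the function names and sample bytes are constructed for illustration, and the Sphinx decryption step is assumed to have already happened.

```python
def read_bigsize(buf, pos):
    """Decode a BigSize integer (BOLT 1); reject truncated or non-minimal encodings."""
    if pos >= len(buf):
        raise ValueError("truncated BigSize")
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width, floor = {0xFD: (2, 0xFD), 0xFE: (4, 0x10000), 0xFF: (8, 0x100000000)}[first]
    raw = buf[pos + 1 : pos + 1 + width]
    value = int.from_bytes(raw, "big")
    if len(raw) != width or value < floor:
        raise ValueError("truncated or non-minimal BigSize")
    return value, pos + 1 + width

def read_tu(raw, max_len):
    """Decode a truncated integer (tu32/tu64): big-endian, leading zero bytes omitted."""
    if len(raw) > max_len or raw[:1] == b"\x00":
        raise ValueError("bad truncated integer")
    return int.from_bytes(raw, "big")

def parse_hop_payload(buf):
    """Return the fields one hop reads from its already-decrypted tlv_stream."""
    pos, last_type, out = 0, -1, {}
    while pos < len(buf):
        typ, pos = read_bigsize(buf, pos)
        length, pos = read_bigsize(buf, pos)
        value = buf[pos : pos + length]
        if len(value) != length or typ <= last_type:
            raise ValueError("truncated record or types not strictly increasing")
        pos, last_type = pos + length, typ
        if typ == 2:
            out["amt_to_forward_msat"] = read_tu(value, 8)
        elif typ == 4:
            out["outgoing_cltv_value"] = read_tu(value, 4)
        elif typ == 6:
            out["short_channel_id"] = value.hex()
        elif typ == 8 and len(value) >= 32:
            # payment_data (final hop only): 32-byte payment_secret, then tu64 total_msat
            out["total_msat"] = read_tu(value[32:], 8)
        elif typ % 2 == 0:
            raise ValueError(f"even type {typ} not handled by this example")
    return out

# Constructed sample for a forwarding hop: 150000 msat, CLTV 800000, made-up channel id.
SAMPLE = bytes.fromhex("02030249f0" "04030c3500" "06080000010000020003")

if __name__ == "__main__":
    print(parse_hop_payload(SAMPLE))
```

The forwarding-hop sample carries no type 8 record, so the only amount it yields is `amt_to_forward_msat`; a `total_msat` value appears only when a final-hop payload includes `payment_data`.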

"only people who can read it are the sender, the recipient, and the routing nodes."

Routing nodes are third parties. Ideally only the sender and recipient should know.

With Monero no third parties know the actual amounts being transacted between sender and receiver - not even part of the amount.

I take your point that routing nodes don't know for sure if that is the full amount because of multipath payments, but it's still a partial privacy leak.

Right, there are tradeoffs:

- monero unnecessarily exposes the full amount received to the sender. This is none of the sender's business and is harmful to receiver privacy. Monero also exposes the fee in plaintext on the blockchain, which is bad because analysts use the fee data for wallet fingerprinting.

- lightning unnecessarily exposes part of the amount to each routing node on the path. This info is in encrypted packets and does not get published, and the routing nodes can't know if it is the full amount or a shard. The fee is also encrypted and no one but the sender knows the full fee paid, though each routing node knows the portion of the fee they received. The sender also doesn't know how much the recipient receives, which is good, he shouldn't know that.

So which has better amount privacy, LN or XMR? I'm not sure, but certainly neither is perfect. I think lightning protects receiver privacy better in regard to the amount, but monero protects it from third parties better, unless the sender colludes with them.

Sounds like a fair enough breakdown