Nostr Web Client

(2) isn't accurate. Lightning doesn't technically encrypt amounts at all. Every hop knows how much is being forwarded, but Monero does conceal amounts (except for fees). Also, for (3) the sender being unsure seems like obscured information. Because it still *could* be the recipient's public key, but maybe it's not. Just like you can't be sure a recipient is spending just because you see their stealth address in a ring sig. Maybe it's not.

Super Testnet 7mo ago

> Lightning doesn't technically encrypt amounts at all

Yes it does. It uses the Sphinx encryption standard specified in bolt4. You can see in the bolts what the encrypted payload includes:

```

payload format

...

tlv_stream: payload

types:

type: 2 (amt_to_forward)

data:

[tu64:amt_to_forward]

```

source: https://github.com/lightning/bolts/blob/master/04-onion-routing.md#packet-structure

You can also see the code for this in LND, starting at line 13 here:

https://github.com/lightningnetwork/lnd/blob/fc906f2a65518606f9a3100e5005b3241d73f35d/htlcswitch/packet.go#L13

Notice what that packet includes on lines 42---47:

```

// incomingAmount is the value in milli-satoshis that arrived on an

// incoming link.

incomingAmount lnwire.MilliSatoshi

// amount is the value of the HTLC that is being created or modified.

amount lnwire.MilliSatoshi

```

And notice that this information is encrypted per lines 52---54:

```

// obfuscator contains the necessary state to allow the switch to wrap

// any forwarded errors in an additional layer of encryption.

```

It speaks of an "additional" layer of encryption because "this" layer (the htlc packet itself) is also encrypted so that the only people who can read it are the sender, the recipient, and the routing nodes.

Also, thanks to multipath payments, the routing nodes do not know if the amount they see passing through their node is the full amount or just a shard of the full amount.

Reply to this note

Please Login to reply.

Discussion

Saberhagen The Nameless 7mo ago

"only people who can read it are the sender, the recipient, and the routing nodes."

Routing nodes are third parties. Ideally only the sender and recipient should know.

With Monero no third parties know the actual amounts being transacted between sender and receiver - not even part of the amount

I take your point that routing nodes don't know for sure if that is the full amount because of multipath payments, but it's still a partial privacy leak

Super Testnet 7mo ago

Right, there are tradeoffs:

- monero unnecessarily exposes the full amount received to the sender. This is none of the sender's business and is harmful to receiver privacy. Monero also exposes the fee in plaintext on the blockchain, which is bad because analysts use the fee data for wallet fingerprinting.

- lightning unnecessarily exposes part of the amount to each routing node on the path. This info is in encrypted packets and does not get published, and the routing nodes can't know if it is the full amount or a shard. The fee is also encrypted and no one but the sender knows the full fee paid, though each routing node knows the portion of the fee they received. The sender also doesn't know how much the recipient receives, which is good, he shouldn't know that.

So which has better amount privacy, LN or XMR? I'm not sure, but certainly neither is perfect. I think lightning protects receiver privacy better in regard to the amount, but monero protects it from third parties better, unless the sender colludes with them.

Saberhagen The Nameless 7mo ago

Sounds like fair enough breakdown