
Explanation here: https://x.com/super_testnet/status/1881453818413822457

I forgot that twitter doesn't let non-members view threads anymore. So here are the details:
Even without bolt12, LN receiver privacy is better than monero in this respect:
In monero, the sender always knows the recipient's "real" address (the one on the blockchain) and can provably map it to their stealth address. But in lightning payments, the invoice has to tell you the pubkey of the *node* which received the payment (though you can spoof it), but that pubkey doesn't contain any money. It's like a stealth address in monero, except the sender *cannot* map it to the *real* address that received the money, or at least, not necessarily. There are *some* people who've managed to figure out the receiver's address on the blockchain just from their lightning invoice, but even that information is spoofable. In monero, it isn't. So even in this respect, LN > Monero.
Also, it is wonderful to hide your lightning node from the sender, and is similar to not showing your monero stealth address to the sender. But in monero, there's no tools for that. In lightning, blinded paths are becoming standard. So LN is way better.
just put "cancel" in front of "x" like this:
https://xcancel.com/super_testnet/status/1881453818413822457
> without bolt-12 receiver privacy is garbage
Even without bolt12, LN receiver privacy is better than monero in this respect:
In monero, the sender always knows the recipient's "real" address (the one on the blockchain) and can provably map it to their stealth address. But in lightning payments, the invoice has to tell you the pubkey of the *node* which received the payment (though you can spoof it), but that pubkey doesn't contain any money. It's like a stealth address in monero, except the sender *cannot* map it to the *real* address that received the money, or at least, not necessarily. There are *some* people who've managed to figure out the receiver's address on the blockchain just from their lightning invoice, but even that information is spoofable. In monero, it isn't. So even in this respect, LN > Monero.
Also, it is wonderful to hide your lightning node from the sender, and is similar to not showing your monero stealth address to the sender. But in monero, there's no tools for that. In lightning, blinded paths are becoming standard. So LN is way better.
>In monero, the sender always knows the recipient's "real" address (the one on the blockchain) and can provably map it to their stealth address.
True, but since it is a one-time stealth address it is useless for tracing or tracking anything beyond that.
The problem with Lightning is the complexity involved in using it in a sovereign manner. It's not as "plug-and-play" as Monero. The vast majority of users are using custodians and a small portion use LSPs - both introduce third parties back into the equation along with privacy implications... a hardly visible remnant is using Lightning to its full privacy and sovereign potential because of this. Theoretical privacy of Lightning vs. how it's actually used in the real world.
This is also somewhat apples and oranges comparison as Lightning isn't a blockchain. Would be more analogous to compare versus a Monero L2.
Major work is being done for FCMP which will resolve the problems with ring signatures, add forward secrecy, and introduce L2s onto Monero. Can't get much more private than a privacy L2 built on an encrypted blockchain.
> it is a one-time stealth address it is useless for tracing or tracking anything beyond that
If that was true, it would still only be *almost* as good as lightning, because (1) that's also true of lightning invoices (they are useless for tracking down *other* payments to the recipient) and (2) unlike monero public addresses, the sender *can't* (usually) map it to the "real" destination.
But it's not true that stealth addresses are useless for tracking. You can watch a stealth address to see when it shows up as a possible spender in a future transaction, and then use heuristics to probabilistically identify whether or not it's the "real" spender. You cannot do that with a lightning invoice because it *actually* never appears again (and never shows up on the blockchain at all).
> The problem with Lightning is the complexity involved in using it in a sovereign manner. It's not as "plug-and-play" as Monero.
Using monero in a "plug and play" manner gets people arrested. For example, Chainalysis was able to successfully trace a monero payment to the right user in part because they had access to so many user IP addresses, given to them for free (along with user transaction data) by Cake Wallet and Monerujo: https://www.digilol.net/blog/chainanalysis-malicious-xmr.html Even the monero website warns against using monero without taking extra precautions to guard your personal info: https://www.getmonero.org/get-started/faq/#anchor-magic
To use monero properly, you have to run a tor service and your own monero node. It's not a "plug and play" privacy solution, there is no "plug and play" privacy solution. So if you're going to do privacy properly, run a lightning node, not a monero node. Neither one is plug and play, and both require some setup, but lightning offers better privacy once you do the setup.
> Vast majority of users are using custodians and a small portion use LSPs - both introduce third-parties back into the equation along with privacy implications...
There are no good statistics on whether the majority of LN users use a custodian or not. The best I've seen is nostr statistics, where most people self-report using a custodian. But using a custodian for nostr zaps does not imply that you use a custodian for your daily spending money. And besides that, some custodians (like ecash mints) offer better privacy than monero, and some LSPs (like Acinq and Zeus) also offer better privacy for their users by supporting blinded paths, and often defaulting to them. Moreover, what are the stats on custodians in monero? I suspect it is rather large. The XMR blockchain indicates that a lot of the payments in monero are batch (multi-output) payments, which are usually done by exchanges and probably DNMs. Maybe I'll make a stats page tracking probable-custodian usage in monero and see how it compares with nostr.
>"You can watch a stealth address to see when it shows up as a possible spender in a future transaction"
That's why it's called a "one-time" stealth address. It only ever appears on the blockchain once. Receiver privacy is zero knowledge. I think you're accidentally conflating this with the sender privacy of ring signatures.
>"Using monero in a "plug and play" manner gets people arrested. For example, Chainalysis was able to successfully trace a monero payment to the right user in part because they had access to so many user IP addresses"
I'm saying in relation to Lightning it has better "plug-and-play" privacy than the average Lightning user who is using a custodian like Wallet of Satoshi, who can see everything in addition to seeing your IP address. I'm not saying Monero is perfect; there are definitely edge cases where your privacy can be reduced.
>"To use monero properly, you have to run a tor service and your own monero node"
What is unique about this to Monero? The same thing applies to Bitcoin and Lightning nodes. The only difference is if a Monero user is using someone else's remote node, that node has way less information about transactions than a Bitcoin node or LSP/LN custodian.
>"And besides that, some custodians (like ecash mints) offer better privacy than monero"
Being custodial already disqualifies it from the same category as Monero, which offers non-custodial privacy. Even the creator of Cashu has basically said this. But besides that, I don't think the claim that it offers more privacy than Monero is true, or at least it's more nuanced. Mints can see token denominations (amounts), so the anonymity set is fractured in buckets within each mint (1, 2, 4, 8, 16, 32, etc.). This means less common denominations such as larger amounts offer less privacy. Amounts in Monero are completely hidden. Additionally, the ecash anonymity set is only as large as the number of users of any individual mint. It's not shared between all mints.
>"Moreover, what are the stats on custodians in monero? The XMR blockchain indicates that a lot of the payments in monero are batch (multi-output) payments, which are usually done by exchanges and probably DNMs."
Considering the attitude of the community and that Monero is banned from almost all major exchanges I would say custodial Monero users are far fewer.
All popular Monero wallets are non-custodial as well. In fact I'm not sure I've ever seen or heard of a custodial Monero wallet, but I'm sure they exist in some small corner.
Some of those batch (multi-output) payments could also be from P2pool which is non-custodial decentralized pool mining, but I would have to look more into it.
>"There are no good statistics on whether the majority of LN users use a custodian or not."
- There is Zapalytics. Custodial wallets for Lightning zaps and addresses are near ~80%. It also doesn't account for LSPs like Phoenix which also reduce privacy.
- You can check out all major LN liquidity providers on mempool.space (mostly custodial wallets, CEXs, LSPs).
- Compare total downloads from custodial LN wallets, LSP wallets like Phoenix, and wallets that require or allow you to run your own LN node.
All these metrics converge on the same picture. Lightning is mostly custodial with no privacy or reduced privacy.
Far from the ideal picture you're trying to paint about Lightning.
>it's called a "one-time" stealth address [because it] only ever appears on the blockchain once
"One-time" stealth addresses almost always appear on the blockchain multiple times. For example, this stealth address:
7d1526b3376ecc11530dc68650111013b125fa32b1d3c639bd7a694d8c6275f7
appears in two transactions. He receives money in this transaction: https://localmonero.co/blocks/search/936c2d0659e21d81f26388f9a21a2965085ab0e7dd3b4b97194967b05ca5fdff
And he appears as a possible sender in the fourth input of this transaction: https://localmonero.co/blocks/search/5470b681c6c443556722150f496f07b2b5d36c47b30c65cb132b9d0cbb5dff76
See this screenshot:

> Receiver privacy is zero knowledge
It is not zero knowledge. The receiver's "stealth address" is unencrypted and it is not in fact "one time." Despite some people calling it that, you cannot spend from it unless you put it on the blockchain a second time as a possible spender in a future transaction. So analysts can and do watch for that to happen and then use heuristics to estimate the probability of it being the "real" spender in that future transaction.
>"Using monero in a "plug and play" manner gets people arrested. For example, Chainalysis was able to successfully trace a monero payment to the right user in part because they had access to so many user IP addresses"
I'm saying in relation to Lightning it has better "plug-and-play" privacy than the average Lightning user who is using a custodian like Wallet of Satoshi
I'd like to deal with your contention that most lightning users use custodians here. You cite the following evidence:
> There is Zapalytics. Custodial wallets for Lightning zaps and addresses are near ~80%
That doesn't imply that users use custodial wallets for anything other than zaps. I use a custodian for zaps and then withdraw them to my self custody wallet whenever they grow to be worth about $20. I suspect this usage pattern is very common.
> You can check out all major LN liquidity providers mempool space (mostly custodial wallets, CEXs, LSPs)
Of the top 10, half are self custodial (Acinq, C=, and 3 LNBigs) and half are exchanges (OKx, Binance, 2 Bitfinexes, and Kraken). And this doesn't tell you anything about the distribution of that money. Lots of people open a channel to Binance from their own node, because you earn money by doing so. The channel opener retains self custody of all of that money, but the amount of money listed as being in a "Binance channel" will increase. Just because it's in a channel with Binance or another exchange does not mean the exchange has that money. It just means that's a place where lots of money flows into and out of.
> Compare total downloads from custodial LN wallets, LSP wallets like Phoenix, and wallets that require or allow you to run your own LN node
Okay, I did, and here are the results: https://gist.github.com/supertestnet/5bceb60d9c691da744a55dad3f60e65e
As you can see, self custodial lightning wallets are more popular than custodial ones.
> What is unique about this to Monero [i.e. having to run your own node over tor for good privacy]? Same thing applies to a Bitcoin and Lightning nodes
I agree, I'm just saying that if you have to do that for good privacy anyway, then do the thing that gets you better privacy. Run a lightning node, not a monero node.
> The only difference is if a Monero user is using someone elses remote node that node has way less information about transactions than a Bitcoin node or LSP/LN custodian
A lightning user who connects to a remote node reveals less information to that node about the sender and the recipient than a monero user who connects to someone else's remote node. This is because in LN the sender and the recipient are actually encrypted so that the remote node cannot see them; in monero, they are unencrypted, though at least the sender is obscured as being one in a group of 16. The recipient is barely obscured; most transactions only list 2 outputs.
Regarding amounts, the remote node in a monero transaction gets to see the total amount you paid in fees, and can use that to get an exact lower bound on the amount of money in the inputs and an estimated lower bound on the amount of money in the outputs. In lightning, the remote node does not get to see the total amount you paid in fees, and, given the prevalence of multipath payments, they also don't know how much money you sent, though they can get a lower bound on it. This lower bound is less useful than the one monero gives you because it's harder to estimate how much of the payment flowed through your node.
>"And besides that, some custodians (like ecash mints) offer better privacy than monero"
Being custodial already disqualifies it from the same category as Monero which offers non-custodial privacy
Some users care more about their transaction being private than about having self custody of the money. I wonder if ecash mints are more popular than monero wallets. I'll have to think of a way to assess this statistically.
> Mints can see token denominations (amounts) so the anonymity set is fractured in buckets within each mint (1,2,4,8,16,32, etc). This means less common denominations such as larger amounts offer less privacy
Good point, I didn't think of that. Makes me want to get more statistics.
> Considering the attitude of the community and that Monero is banned from almost all major exchanges I would say custodial Monero users are far fewer
Exchanges like Kucoin and Huobi Global continue to list monero and do millions of dollars in volume in XMR trading pairs. As for the community, everyone in the monero community that I've talked to sings the praises of DNMs even though almost all of them take custody of user funds. (The largest one did an exit scam last year: https://x.com/DarkDotFail/status/1765104459913330820)
So I suspect custodial Monero users are a large percentage of the total -- especially since there aren't very *many* monero users.
>"appears in two transactions. He receives money in this transaction"
You seem to be confusing receiver and sender privacy again. One is an input, the other is an output. It doesn't appear as another output again.
>"It is not zero knowledge"
Yes it is. Potential receivers can literally be any Monero user that has ever existed. All you know is that the receiver is a Monero user - that's all.
>"That doesn't imply that users use custodial wallets for anything other than zaps. I use a custodian for zaps and then withdraw them to my self custody wallet whenever they grow to be worth about $20."
Are zaps not lightning transactions? The value of the transactions is irrelevant.
>"Of the top 10, half are self custodial (Acinq, C=, and 3 LNBigs)...It just means that's a place where lots of money flows into and out of."
The main point is the reduced privacy they provide from your ideal presentation of lightning (running your own node, etc.), not if they are custodial or not. Everything flowing through these large nodes isn't ideal for privacy and reduces the benefits of onion-routing of Lightning.
>"Okay, I did, and here are the results: https://gist.github.com/supertestnet/5bceb60d9c691da744a55dad3f60e65e"
Interesting chart. I also have a similar one I made a while back to see for myself. I noticed you don't have Strike or Chivo included (some of the largest custodial lightning wallets in downloads - 1,000,000+ each). You also only have two types of wallets, but I would include another category of non-custodial LSP wallets like Phoenix which reduces user privacy. Blinded paths are also not widely used yet and not default for most.
Some of the wallets included that have multiple kinds are hard to figure out, but considering Bitcoin only has 60,000 nodes and there being roughly 80-130 million total Bitcoiners in the world, it's pretty safe to assume the vast majority aren't running their own Lightning nodes. I'm sure the ratio is similar for those wallets.
>"I agree, I'm just saying that if you have to do that for good privacy anyway, then do the thing that gets you better privacy. Run a lightning node, not a monero node."
Far more Lightning and Monero users don't run their own node and likely never will. So when it comes to those users it's probably good to direct them to use Monero. If you're going to run your own node and do everything correctly then yea, I at least see your argument in that case, pros and cons, but imo it's still debatable, especially if you're going through large LN nodes in your hops that reduce the benefits of onion-routing.
>"This is because in LN the sender and the recipient are actually encrypted so that the remote node cannot see them"
Not sure this applies to custodial LN, and pretty sure LN receive privacy is notorious for being bad. I know blinded paths exist, but aren't widely used yet. Not sure how popular multi-path payments are yet either.
>"Good point, I didn't think of that. Makes me want to get more statistics."
Yea, in the future ecash tokens will not reveal amounts, but that isn't true at the moment. I've heard about Calle saying he is going to eventually implement "blinded amounts" in addition to blinded signatures, which would solve this particular problem. Don't get me wrong, I think ecash is cool because it can do some neat things that Monero can't, but it has its own downsides obviously. Ecash (and even L2s) aren't necessarily unique to Bitcoin either. You can build ecash on Monero now somewhat trivially (and a Bitcoiner is actually currently doing that) and L2s will soon be possible with FCMP.
>"Exchanges like Kucoin and Huobi Global continue to list monero and do millions of dollars in volume in XMR trading pairs....everyone in the monero community that I've talked to sings the praises of DNMs even though almost all of them take custody of user funds."
In comparison to Bitcoin this is nothing, even accounting for the mcap and tx volume of each. The largest exchanges like Binance have already delisted Monero.
The DNM thing is true, good point, but I doubt anyone uses those as the personal wallets they're actually using. They're usually only used to deposit/withdraw funds. Even if Lightning was used there would have to be a similar setup for this. Some use multisig, but it's not as common.
Thank you for pointing out the omission of Strike and Chivo. I've updated the gist:
https://gist.github.com/supertestnet/5bceb60d9c691da744a55dad3f60e65e