A few days ago I was contacted by Rachel O’Leary from CoinDesk regarding
an article she was writing about the privacy of Lightning payments
compared to Bitcoin on-chain transactions: “Will Lightning Help or Hurt
Bitcoin Privacy?” These are very common questions, so I thought I might
as well publish my raw answers.
I’d like to preface this by saying that privacy is neither a binary,
nor a linear thing. Privacy is a multi-faceted issue and comparing
two systems is difficult, so a tradeoff that is sensible in one setting
may not be in another.
Why is privacy a consideration for Lightning developers?
Payments in the lightning network are fundamentally different from
payments in bitcoin. We move away from a broadcast medium in which
everybody sees every transaction, towards a model in which only the
interested parties, i.e., sender, recipient and intermediate hops, see a
payment. This is what gives us the high scalability in the first place;
however, it also makes it easier to identify the endpoints of a
payment. Without the onion routing, every payment would have to carry
the destination’s address in order to be routed correctly, so every node
on the route would learn the destination, and with sufficient network
access it could also infer who the sender is.
Will Lightning improve or worsen privacy?
That is hard to answer, since payments are so different. In bitcoin we
have every payment permanently recorded in the blockchain, with a lot of
research already showing the possibility of creating extensive user
profiles, tracing payments and deanonymizing many users. It takes a lot
of effort to stay truly anonymous in bitcoin.
Using lightning we don’t create that permanent record for payments in
the first place so this kind of analysis is no longer possible. To learn
about a payment now you have to be part of the route that the payment
went through in the first place, otherwise you’ll be completely unaware
of anything happening. Even if you are part of the route, all you learn
is that you got some funds from one side, along with instructions on
where to forward them next. You do not learn anything about the sender,
the recipient or even your position in the route.
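To make the per-hop view concrete, here is a toy Sphinx-style onion header. It is an added example written for this page, not code from the original post or from any Lightning implementation. It assumes pre-shared per-hop keys (real Sphinx derives them per packet with ECDH and protects the header with per-hop MACs, both of which the toy omits) and a fixed header of MAX_HOPS slots. Every hop strips its own slot and shifts in filler, so the header it forwards is exactly as long as the one it received; that constant length is what hides a hop’s position in the route, and the encrypted slots are what hide sender and recipient. The hop names are constructed for the illustration.

```python
import hashlib
import os
from typing import List, Tuple

SLOT = 16                 # bytes per routing slot: a zero-padded next-hop id
MAX_HOPS = 20             # Lightning's maximum route length, as in the text
HEADER_LEN = SLOT * MAX_HOPS
FINAL = b"\x00" * SLOT    # an all-zero slot tells the last hop to deliver


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, length: int) -> bytes:
    """Hash-counter keystream standing in for Sphinx's per-hop stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def hop_key(name: str) -> bytes:
    # Constructed pre-shared key; real Sphinx derives this per packet via ECDH.
    return hashlib.sha256(b"toy-hop-key-" + name.encode()).digest()


def slot_for(name: str) -> bytes:
    return name.encode().ljust(SLOT, b"\x00")


def build_onion(route: List[str]) -> bytes:
    """Sender side: one layer per hop, innermost first, header length constant.

    `route` lists the hops after the sender; the last entry is the recipient.
    """
    n = len(route)
    assert 1 <= n <= MAX_HOPS
    streams = [keystream(hop_key(h), HEADER_LEN + SLOT) for h in route]
    # Filler: the bytes that will have been shifted in by the time the header
    # reaches the last hop. Precomputing them is what lets every layer keep the
    # same length without the last hop being able to tell how far it travelled.
    filler = b""
    for i in range(n - 1):
        filler = xor(filler + b"\x00" * SLOT, streams[i][HEADER_LEN - len(filler):])
    body = FINAL + os.urandom(HEADER_LEN - len(filler) - SLOT)
    header = xor(body, streams[n - 1][:len(body)]) + filler
    # Wrap outward: hop i must decrypt to (slot naming hop i+1) || next header.
    for i in range(n - 2, -1, -1):
        wrapped = xor(slot_for(route[i + 1]) + header, streams[i])
        assert wrapped[HEADER_LEN:] == b"\x00" * SLOT  # filler lines up
        header = wrapped[:HEADER_LEN]
    return header


def peel(name: str, header: bytes) -> Tuple[bytes, bytes]:
    """Hop side: strip one layer; return (next-hop slot, header to forward).

    The hop appends SLOT zero bytes before decrypting, so the header it
    forwards is exactly as long as the one it received.
    """
    assert len(header) == HEADER_LEN
    decrypted = xor(header + b"\x00" * SLOT,
                    keystream(hop_key(name), HEADER_LEN + SLOT))
    return decrypted[:SLOT], decrypted[SLOT:]


def route_payment(route: List[str]) -> List[Tuple[str, str, bytes]]:
    """Forward an onion hop by hop; record (hop, what it learned, header it got)."""
    header = build_onion(route)
    seen = []
    for hop in route:
        received = header
        slot, header = peel(hop, header)
        learned = "<final>" if slot == FINAL else slot.rstrip(b"\x00").decode()
        seen.append((hop, learned, received))
        if slot == FINAL:
            break
    return seen


if __name__ == "__main__":
    for hop, learned, received in route_payment(["Bob", "Carol", "Dave"]):
        print(f"{hop:5} received {len(received)} bytes, learns next hop: {learned}")
```

Run it and each hop prints only the hop it forwards to; the recipient sees the all-zero slot and nothing more. The point to check is the length: a one-hop header and a twenty-hop header are the same size, so an intermediate node cannot count remaining layers to locate itself in the route.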
This protection is certainly not perfect. As some have pointed out,
timing attacks can identify relationships between individual hops, and
the public knowledge about the network’s topology may allow attackers to
infer additional information. However, I personally believe that we are
in a better position. The payment information is ephemeral and attackers
need substantially more resources and access to learn anything about the
payments that occur in the network. It’s not perfect, but a step forward.
Why is there dispute about this?
The dispute is mostly about comparing the security of our onion routing
with Tor. The key observation is that our routing is restricted to follow
the topology of the overlay network created by lightning. This is
different from Tor, where each hop in a circuit can be chosen arbitrarily
from a set of public nodes, whereas we are restricted to choosing adjacent
nodes.
This criticism is valid, and may impact the mix quality, though I can’t
say what the exact impact is. While we are bound to follow the topology,
it also means that to get from one point to another we have to traverse
more hops, which again improves our mix quality. While Tor uses just a
few hops for reasonable privacy, Lightning can use up to 20 hops,
counteracting the limited choice for each individual hop.
This is less of a dispute about the privacy of bitcoin versus lightning,
instead it is more about the onion routing as implemented in lightning
versus the Tor network.
If I wanted to send a private Lightning transaction now, could I?
Ideally the client would always attempt to maximize your privacy for
you, so there wouldn’t be anything specific required on your part. The
countermeasures that all three teams are currently implementing
comprise topology randomization and route randomization. Topology
randomization tries to avoid having hubs that can observe traffic, by
opening channels in a random fashion, which also strengthens the network
as a whole against single points of failure. Route randomization
involves computing multiple routes and choosing one of them at
random. This may result in slightly longer routes, and thus slightly
higher fees, but increases privacy a lot by making the routes less
predictable.
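Route randomization as described above, as an added example that is not code from any Lightning node: a constructed five-node channel graph with flat per-channel fees, an enumerator for candidate routes, and a chooser that picks uniformly among the cheapest few instead of always the cheapest. The node names, graph and fees are assumptions made for the illustration; the `predictability` function measures the cost of determinism from an observer’s side, i.e. how often guessing “the cheapest route” would be right.

```python
import random
from typing import Dict, List, Optional, Tuple

# Constructed toy channel graph: node -> {neighbour: fee charged to forward
# over that channel}. Flat per-channel fees keep the arithmetic readable;
# real channels charge a base fee plus a proportional part.
CHANNELS: Dict[str, Dict[str, int]] = {
    "A": {"B": 1, "C": 2},
    "B": {"A": 1, "C": 1, "D": 1},
    "C": {"A": 2, "B": 1, "D": 3, "E": 1},
    "D": {"B": 1, "C": 3, "E": 1},
    "E": {"C": 1, "D": 1},
}

Route = Tuple[int, List[str]]  # (total fee, node sequence incl. src and dst)


def all_routes(graph: Dict[str, Dict[str, int]], src: str, dst: str,
               max_hops: int = 20) -> List[Route]:
    """Enumerate simple paths from src to dst with at most max_hops channels.

    Exhaustive search is fine for a toy graph; a real node would run a
    k-shortest-paths algorithm over thousands of channels instead.
    """
    routes: List[Route] = []

    def walk(node: str, path: List[str], fee: int) -> None:
        if node == dst:
            routes.append((fee, path[:]))
            return
        if len(path) - 1 >= max_hops:
            return
        for nxt, hop_fee in graph[node].items():
            if nxt not in path:            # simple paths only, no loops
                path.append(nxt)
                walk(nxt, path, fee + hop_fee)
                path.pop()

    walk(src, [src], 0)
    return sorted(routes)                  # cheapest first, ties by node order


def cheapest_route(graph: Dict[str, Dict[str, int]], src: str, dst: str) -> Route:
    """What a naive router does every time: deterministic, hence predictable."""
    return all_routes(graph, src, dst)[0]


def randomized_route(graph: Dict[str, Dict[str, int]], src: str, dst: str,
                     candidates: int = 3,
                     rng: Optional[random.Random] = None) -> Route:
    """Pick uniformly among the `candidates` cheapest routes."""
    options = all_routes(graph, src, dst)[:candidates]
    return (rng or random).choice(options)


def predictability(graph: Dict[str, Dict[str, int]], src: str, dst: str,
                   trials: int, seed: int, candidates: int = 3) -> float:
    """Fraction of payments an observer guessing 'the cheapest route' gets right."""
    rng = random.Random(seed)
    best = cheapest_route(graph, src, dst)
    hits = sum(randomized_route(graph, src, dst, candidates, rng) == best
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    for fee, path in all_routes(CHANNELS, "A", "D"):
        print(f"fee {fee}: {' -> '.join(path)}")
    print("cheapest:", cheapest_route(CHANNELS, "A", "D"))
    print("chosen:  ", randomized_route(CHANNELS, "A", "D", rng=random.Random(2017)))
    print("observer guesses right:", predictability(CHANNELS, "A", "D", 1000, seed=1))
```

With three candidates the observer’s hit rate drops from 1 to roughly one third, and the price paid is the fee gap between the cheapest route (2 here) and the alternatives (4), which is the “slightly higher fees” trade-off the answer describes.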
How will Hornet improve on some of these problems?
Hornet is a protocol that optimizes bidirectional communication along an
existing circuit that was established using the sphinx protocol. We
implement sphinx for our onion routing, so that determines the route
that all subsequent communication would take. We stepped away from the
idea of implementing hornet as part of lightning since it’d create a
general purpose communication layer that we don’t really need. With its
single roundtrip design sphinx perfectly matches our requirements for a
payment, and adding a communication layer that is not bound to payments
could potentially have unintended consequences. We want lightning to be
a payment network, not a way to stream movies anonymously :-)
What other privacy proposals also address this?
We could separate the onion routing from the end-to-end connectivity,
i.e., first creating a publicly routed base network that allows us to
send payments from A to B, and then build onion routing on top of
that. This would more closely match the Tor network in which the base
network is TCP/IP and the onion routing is built on top. However, in the
first iteration we decided that all payments should be private and thus
use onion routing, and not allow users to skip the onion routing and
just use the base routing. This may eventually be picked up again, but
so far it’s not on the roadmap.
I’m a big fan of meetups, with our first Zurich Bitcoin Meetup all the way back in 2011, with just 4 people attending, more on that another time.
The Zurich Bitcoin meetups have become far more popular and better organized, thanks to Lucas, who has been organizing the locations and speakers.
And so it was my turn to speak about my research at the latest Meetup:
The talk has quite a large introduction about how Bitcoin works and why it does not scale. In the second part we talk about Duplex Micropayment Channels, how Payment Service Providers could emerge to build a fast payment network on top of Bitcoin and what some of the remaining challenges are.
I had a lot of fun, and it is always nice to have such an interested crowd. If you get a chance to give a talk at a meetup, go for it.
In the talk I said that most of this information is in my dissertation, so for those who would like to read up on these technologies the dissertation is available at Amazon: On The Scalability and Security of Bitcoin.
Git is a really cool version control system. So cool in fact that I decided to use it to distribute the project I’m working on to several hundred Planetlab nodes. So I went ahead and created a repository with git init --bare somewhere under the document root of my local Apache2. Using pssh we can clone and pull from the repository simply by specifying the URL to that repo.
Obviously the traffic is still pretty high, after all every request still ends up at my machine, so I have to serve the whole repository once for each machine. Then I stumbled over CoralCDN, a free Content Distribution Network, that runs on Planetlab. So instead of cloning directly from my machine I took the URL of the repo, added .nyud.net to the domain and cloned from that URL instead.
The drop in traffic when cloning was immediate and I was happily working with this setup, for some time. Then I noticed that having the CDN cache the contents has its drawbacks: if I want to push changes quickly one after another, say, because I noticed a typo just after issuing the update, I have to wait for the cache to time out.
To solve this problem we have to set a long caching time for the object files, which never change thanks to git’s content addressable design, and a short caching time for the few files that do change, such as the refs. Placing this .htaccess file in the repository and activating mod_headers and mod_expires should do the trick:
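The following .htaccess is an added example written for this page, not the file from the original post. It assumes a bare repository served by Apache over plain HTTP with mod_headers and mod_expires enabled, i.e. git’s dumb HTTP transport against a static web server, and a CDN in front that honours Expires and Cache-Control.

```apache
ExpiresActive On

# Everything not matched below (HEAD, info/refs, refs/*, objects/info/packs)
# is rewritten on every push, so the CDN's copy must go stale quickly.
ExpiresDefault "access plus 1 minute"
Header set Cache-Control "public, max-age=60"

# Loose objects (objects/ab/<38 hex chars>) and pack files
# (pack-<40 hex chars>.pack and .idx) are named by the hash of their
# content. A cached copy can never be wrong, so let it live a long time.
<FilesMatch "^([0-9a-f]{38}|pack-[0-9a-f]{40}\.(pack|idx))$">
    ExpiresDefault "access plus 1 year"
    Header set Cache-Control "public, max-age=31536000"
</FilesMatch>
```

Two things to keep in mind with this setup: the dumb transport only works if git update-server-info runs after every push (a post-update hook is the usual place), because info/refs and objects/info/packs are what the clients read first; and while git verifies every object it downloads against its hash, so a cache cannot hand a client a tampered object unnoticed, nothing stops a cache from serving old refs, which is exactly the short-lived entry above.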
It’s an amazing time to be part of the Bitcoin family. With the Wikileaks scandal we had some quite heated discussions on whether to promote ourselves as an alternative way for them to acquire funds, but in the end we decided not to, preferring not to be associated with a company being investigated by some countries. However the decision seems to have already been taken for us: as this article in PCWorld demonstrates we are not the only ones making that connection.
Furthermore people are investing more and more resources into Bitcoin as the confidence in the future of the currency grows. Currently the Bitcoin economy containing 4’464’000 coins is worth just short of 1 million USD (MtGox). Meanwhile the growing interest increased the difficulty to generate blocks (the means to acquire new coins and confirm transactions) to incredible heights, and newcomers are getting frustrated at how long it takes them to earn their first real coins. Luckily the Bitcoin Faucet and a pooled mining effort should counteract part of this problem, but the trend is quite clear: people that do not invest heavily into GPUs will have nearly no chance at accumulating large quantities just by mining, but then where does a country just give you freshly printed money?
In the meantime a lot of discussion is going on about improvements to the Protocol, and what should be part of the Bitcoin ecosystem, specifically an alternative DNS system is in discussion, which would piggyback on the currency transactions.
I’ve been bothered with the now famous PermGen Space error while
developing a web application on a local jetty instance quite often,
and I was hoping that the problem wouldn’t prove to be that serious
once deployed on a tomcat server, but quite the opposite is the case.
The problem happens when the JVM runs out of permanent generation heap
space, which most of the time is due to classloaders not being
correctly garbage collected. Permanent generation heap space is an
optimization that the Sun JVM contains to speed up object creation,
but the default size is too small if classes are loaded and unloaded
often during runtime, which is exactly how most application
servers load applications. So the first, quick and dirty, solution
would be to enlarge the permanent generation heap space:
-XX:MaxPermSize=256m. Sadly, this still doesn’t get rid of the
problem. Another solution is to use a completely different JVM
altogether: JRockit.
JRockit, a proprietary Java Virtual Machine (JVM) from BEA Systems,
became part of Oracle Fusion Middleware in 2008. Many JRE class files
distributed with BEA JRockit exactly replicate those distributed by
Sun. JRockit overrides class files which relate closely to the JVM,
therefore retaining API compatibility while enhancing the performance
of the JVM. [from Wikipedia]
I wasn’t thrilled having to change JVM because it isn’t available in
the openSuse repositories at all, and I wasn’t quite sure how hard it
would be to make the switch. As I found out, it’s incredibly easy.
Getting the package
Getting your hands on the JRockit installation package isn’t all that
easy, because BEA became part of Oracle and everything is still in
transition. The download location is http://edelivery.oracle.com/,
where you’ll be greeted by a wizard to select the products to
download. JRockit can be found under BEA Products and then BEA
WebLogic Media Pack, scrolling down you’ll find the zip package you
need depending on your operating system.
Installation
Installation is straightforward: just unzip the archive and then
execute the contained installer:
Now all you have to do is follow the instructions of the
installer. When asked for a location to install JRockit into, I used
/opt/jrockit but every location will do just fine. The next step is
optional, but if you use update-alternatives I strongly suggest you
do it. We’ll add the JRockit java and the JRockit compiler (javac)
as alternatives:
So when running update-alternatives we see the JRockit VM:
$ update-alternatives --config java
There are 2 programs which provide `java'.
  Selection    Command
-----------------------------------------------
+   1    /usr/lib64/jvm/jre-1.6.0.u7-sun/bin/java
*   2    /opt/jrockit/bin/java
Enter to keep the default[*], or type selection number:
Now we can easily switch between the Sun VM and the JRockit VM. That’s
it. Now just check to see if we really have the JRockit VM and we’re
ready to code:
$ java -version
java version "1.6.0_03"
Java(TM) SE Runtime Environment (build 1.6.0_03-b05)
BEA JRockit(R) (build R27.5.0-110_o-99226-1.6.0_03-20080528-1505-linux-ia32, compiled mode)