Euro social fiscal

Bitcoin Lightning Network

by

admin
in

The Lightning Network is an off-chain solution for the Bitcoin blockchain. It is a “second layer solution”. With such technologies, actions for a blockchain can be outsourced and processed in an external system. Such technologies are one of the best known and best solutions for scaling blockchains.

While the Bitcoin blockchain can handle around 7 transactions per second, it is possible with the Lightning Network to handle up to 1,000,000 transactions per second within one channel. In this article we explain what a channel is. The transactions can be transferred almost in real time and cost almost nothing, sometimes even nothing at all.

Therefore, Lightning is also ideal for paying for microtransactions or paying for certain services on a regular basis. The processes are fast, cheap, secure and anonymous. International financial transactions are also possible with Lighting Network. Here, the participants also benefit from the speed and the very low transaction fees. This is possible within seconds, also by exchanging real currencies.

What is the point of the Lightning Network?

Off the blockchain, scalability isn’t an issue, and scaling is quicker off the blockchain than on a giant blockchain like Bitcoin. At the same time, the Bitcoin blockchain can remain as safe as possible. The low speed and the high computing power required ensures that the bitcoins and the transactions associated with them are maximally secure. Special solutions such as the Lightning Network use the security of the Bitcoin blockchain and integrate their own functions, such as higher speed when transferring transactions.

The Bitcoin Lightning Network was officially unveiled in 2015 and has been available on the Bitcoin mainnet since around 2018. The public alpha release took place on January 10, 2017. Since its official launch, the Lightning Network has continued to grow and more and more users are using Lightning to process their transactions quickly. The Bitcoin blockchain reached its limits as early as 2017, as not all transactions could be processed in the necessary time.

The situation was a threat to the entire blockchain, as it could not be used as a global currency under these circumstances. The Lightning Network (LN) is a tool that can be used against such problems. Simply put, LN allows transactions to be sent without requiring and burdening the blockchain. The transactions take place in an intermediate layer, relieve the blockchain and at the same time ensure an enormous transaction speed.

What is Bitcoin Lightning?

The Lightning Network is a “second layer” payment protocol that works on a blockchain (usually Bitcoin). It enables instant transactions between participating nodes and was developed as a solution to the Bitcoin scalability problem. Two parties can transact quickly and cheaply via Lightning. However, peer-to-peer technology can also be used to integrate more participants who exchange bitcoins with each other.

The Lightning Network can process transactions on Bitcoin’s blockchain without requiring energy-hungry mining. For this to work, the use of off-chain technologies is almost essential. Lightning Network is basically another payment network for Bitcoin. The Lightning Network is also ideal for sending smaller transactions, as the fees are much lower than in the conventional blockchain.

More anonymity in the Lightning Network

Added to this is the comprehensive anonymity of use. Lightning Network is highly secure. At the same time, security in the Bitcoin blockchain remains as high as possible. Anonymity is provided by Lightning. For example, there is no transaction history here. Of course, every user can create such a history himself, but there is no such history in the network itself. If you’re not part of a channel, you can’t track checkouts. The level of anonymity is therefore very high.

Transactions are settled on the Bitcoin blockchain using Satoshis (SAT). A SAT is equal to 100,000,000 of a bitcoin. Due to the increasing value of bitcoins, it may make sense to further split SAT in the future. This can hardly be implemented in the Bitcoin blockchain, since the division would be far too complicated. In the Lightning Network, however, this is possible without any problems, since Lightning is much more flexible.

Development of the flash payment method

If you want to delve deeper into the topic, you can read the Lightning White Paper  by Joseph Poon and Thaddeus Dryja. The Bitcoin Lightning Network specification is based on the white paper. The network is being developed by multiple parties including Elements Project, Lightning Labs and ACINQ

Blockchains work as if a computer had to store every mail it receives. The Lightning Network, on the other hand, makes it possible to conduct blockchain transactions and only store the data that users care about – their own token. The network is thus a protocol for scaling and accelerating blockchains. It was designed to solve some of the technical limitations of the Bitcoin blockchain.

The Lightning Network explained in simple terms

In simple words: In order to process transactions faster with the Lightning Network, users do not send transactions to the blockchain, but to the Lightning Network. A Lightning wallet is required for this to work. By sending transactions from the traditional wallet to the Lightning wallet, the transaction can be leveraged on the Lightning Network. After connecting the Lightning Wallet to a node in the Lightning Network, a channel to the Lightning Network opens and a payment channel between the two participants.

We will return to these channels in this article. The transactions in this payment channel are initially not part of the Bitcoin blockchain. Within a payment channel, users can carry out any transactions that are not implemented in the slower Bitcoin blockchain, but in the Lightning Network. Only at the end of all transactions do users transfer their bitcoins from the Lightning wallet back to their bitcoin wallet and thus back to the bitcoin blockchain. This quickly makes it clear that Lightning is particularly helpful in the case of multiple transactions that are carried out between partners at the same time.

The actual bitcoins stay where they are, of course: in the bitcoin blockchain. By using Lightning, the blockchain locks the bitcoins used for further use, and only the equivalent value of the bitcoins is traded in Lightning. After the transactions are completed, Lightning offsets the equivalent value against the actual bitcoins in the blockchain.

The payment channels allow participants to transfer funds without having to publish all transactions on the blockchain. When opening a channel, participants must set an amount. Time-based script extensions such as Check Sequence Verify and Check Lock Time Verify monitor the operations. In a large network of channels in the Bitcoin blockchain, where at least one channel of the blockchain is open, it is possible to create an almost unlimited number of transactions on this network. This makes it easier to send larger transactions, speeds up processes and is also an ideal approach if business partners regularly carry out transactions on the Bitcoin blockchain.

Faster and cheaper transactions

Scalability was the first key motivator for Lightning, as the network’s transaction rate has room for improvement. While the Visa company can process tens of thousands of transactions per second, Bitcoin’s network is limited to fewer than 10 per second.

Another reason for developing Lightning is that the Bitcoin blockchain’s “block confirmation time” is around 10 minutes. This means it takes 10 minutes for the transaction to be confirmed. Of course, this is not ideal for payment transactions. In addition, the fees can be quite high. The Lightning Network, on the other hand, can enable near-instantaneous transactions at rates in the thousands to millions per second and fees as low as a fraction of a cent (or even free).

In the Lightning Network, transactions can be processed in fractions of a second. The use is therefore not only useful for carrying out large and comprehensive transactions, but also interesting for business areas in which transactions have to be carried out very quickly. Instead of 10 minutes, the participants in the transactions only have to wait a few seconds or even less.

Routing Fees

Channels are like pipes — you can send money through them and pay fees along the way. Bitcoin uses a single channel called the blockchain where transactions are stored. Lightning Network does away with the blockchain altogether and creates multiple channels. These channels allow people to make instant micropayments without having to wait for confirmations.

But besides the transaction fees to open or close channels, there is another fee associated with transferring funds between channels. In addition to the transaction fees, each node must pay a small amount of money every time it routes a payment.

The fees for the lightning network could mean that no one wants to route payments because of how much they cost. If that happens, we won’t see many lightning networks popping up around the world.

How do Bitcoin Lightning transactions work?

The network is based on the payment channels already mentioned. A two-party payment channel is created when both parties create a 2-of-2 multi-signature transaction on the blockchain, with at least one party providing funds for the 2-of-2 ledger booking.

Each participant has a private key. The expenses from the ledger posting can only be made if both keys are confirmed. This first transaction to open a channel takes 10 minutes (or whatever the normal block time is). After that, the participants can immediately trade with each other using the bitcoins allocated in the channel. These instant transactions are performed by passing signed transactions back and forth, with expenses being posted from the 2-of-2 ledger.

Every transaction is valid when it is transmitted into the network and recorded in the blockchain by the nodes of the network. In a payment channel, these signed transactions are only transmitted when the participants want the channel to be closed. Transactions signed but not transmitted are exchanged via direct peer-to-peer communication and held by participants like redeemable receipts.

The Bitcoin blockchain aggregates transactions and executes them in blocks for processing. This is different from the Lightning Network. This executes every transaction immediately. The transactions can run across multiple nodes.

Real-world example of channels between multiple participants in Lightning

To use Lightning, two participants, Alice and Bob, create an initial transaction on the blockchain for $20, with each party having $10 of value. The basis is a new payment channel in the Lightning Network. The first transaction is opening the channel and defining the bitcoins that should and can be traded in the payment channel. The bitcoin blockchain locks these bitcoins, so to speak.

The transaction on the Bitcoin blockchain has a multi-signature. The two participants have keys for the transaction carried out. Each participant can send the amount of bitcoins to the other partner that he has defined and owns for the channel as part of the first transaction in the bitcoin blockchain.

This initial allocation can be updated so that Alice gets $5 of the $20 total and Bob gets $15. These transactions now take place initially in the payment channel. That means the processes are faster and cheaper than in the Bitcoin blockchain. The bitcoins that Alice and Bob want to trade with Lightning in this example are locked in the bitcoin blockchain by the first transaction. There is no limit on the number of transactions.

These actions take place outside of the blockchain, within the Lightning Network. When the participants have completed their transactions, the last exchanged transaction signature is sent to the network, completing the movement of tokens in the channel – some to one party and (if any) some back to the other. Only the completed, last transaction can be seen on the Bitcoin blockchain. All other transactions remain in the blockchain. The two participants in the channel can send the amount of blocked blockchain back and forth as they wish. All actions remain in the Lightning Network.

Transactions are also possible in Lightning with more than two parties

This quickly makes it clear how the Bitcoin network is relieved. All transactions between Alice and Bob are not processed through Bitcoin, but in the Lightning Network. This saves enormous amounts of resources in the Bitcoin blockchain, which are available for other transactions, for example. At the same time, the participants benefit from a significantly faster processing of transactions, especially when not just one transaction is to be processed, but several.

Lightning takes the technology behind the payment channels and creates a network of these channels, using smart contracts to ensure that the network can function in a decentralized manner and without counterparty risk. As an example, Alice can open a channel with Bob, who has a channel with Carol, who has one with Dave. If Alice wants to do business with Dave, she can send tokens through Bob and Carol and Dave will eventually receive them. But due to the multi-signature and smart contracts inherent in Lightning’s design, Alice doesn’t have to trust Bob and Carol as an intermediary – the protocol uses cryptography to ensure that the tokens either get to Dave via Bob and Carol, or to Dave automatically Alice to be refunded.

A common mesh network is also created in which transactions outside the blockchain can be implemented quickly. There does not have to be a direct connection to the participant in the channel with which another participant wants to carry out transactions. It is sufficient if each participant has a different channel and the connection can be established via the different channels. These transactions are covered by the individual bitcoins that exist between the channels.

With the peer-to-peer network it is therefore possible to send bitcoins between the participants. In this case, only the two participants in the channels carry out transactions directly with one another, which are also connected to one another. For example, if Alice has a channel with Bob and Bob has a channel with Mike, Alice can trade with Mike. However, Alice trades first with Bob and then Bob with Mike to complete the transaction between Alice and Mike.

Here, only the maximum amount of Bitcoin that is available between two participants in a channel can be sent. In this example, if Alice wants to send a bitcoin to Mike, but Bob only has a half-bitcoin connection with Mike, then Alice can only send that half-bitcoin, regardless of how many bitcoins she has anchored in the channel with Bob.

When a payment channel is closed, the bitcoins are written back to the blockchain, since the Lightning wallet in turn transfers the bitcoins back to the respective wallet.

Disadvantages and problems with Lightning

In order to be able to use the Lightning Network, users not only need a wallet for Bitcoin, but also a wallet for Lightning. At the same time, these wallets must be linked in such a way that transactions are possible between the wallet and the Lightning wallet.

The network cannot be used with conventional wallets, but only with compatible ones. Of course, this does not make it easier for users to use bitcoins. Added to this is the effort involved in opening up new payment channels. Unfortunately, this is still not very user-friendly.

Lightning nodes must be online at all times for Lightning to work. Closing a channel takes some time so that the two participants can be informed in time. A permanent connection to the network is required to avoid fraud.

Liquidity in Lightning only works if all connected participants within the route also have sufficient liquidity. This problem resolves over time as more participants join the network. That doesn’t change the fact that Lightning is a huge benefit of Bitcoin and a solution to the blockchain’s apparent scaling problem.

This exchange risk exists because the business might be paid by their customers in a fiat currency and not Bitcoin.

How many transactions can bitcoin process per second?

An often-recited metric when discussing the functionality of Bitcoin is transactions per second. A block in Bitcoin can be a maximum of 1 megabyte in size. An average transaction is 400 bytes in size. This means that on average 2,500 transactions fit into one block. A new block is found approximately every 10 minutes. Consequently, the Bitcoin system can process approximately 4 transactions per second.

How many transactions per second can the Bitcoin competition?

To get some perspective on Bitcoin’s capacity, let’s compare transactions per second to two attractive alternatives; Visa and PayPal. While the Bitcoin blockchain reaches its limit at more than four transactions per second, PayPal can process up to 115 transactions per second. Market leader Visa even makes 2,000 transactions per second without any problems, and 4,000 transactions at peak times. According to Visa, however, it can do much more: up to 56,000 transactions per second should be possible. How can Bitcoin compete and become a global payment system?

However, two nuances also need to be mentioned in this discussion: the transaction size and the finality of a transaction.

In Bitcoin, it doesn’t matter to the fees and the network whether an amount of 0.001 BTC or 10,000 BTC is sent. What matters is the number of inputs and outputs of the transaction. With alternative payment systems such as Visa and PayPal, you usually pay a percentage of the transaction amount instead. Sending large amounts is correspondingly expensive.

The finality of the transaction describes the possibility that the transaction can be reversed. This is very difficult with Bitcoin: once a transaction has been sent and written to a block, it can hardly be undone. This is an advantage, because sellers can be sure that the supposedly friendly customer will not cheat them afterwards. This is different with PayPal and Visa: here there is a period (usually 30 to 120 days) in which the payment can be revoked. This is possible because PayPal or Visa are the central authority in the monetary system. You determine the history of the transactions and can also change them later.

So while Bitcoin is lagging behind in terms of transaction frequency, the technology can already score massively in terms of transaction size and financial finality.

Payment Channels – The basis of the Lightning Network

The core of the Lightning Network are payment channels. A payment channel can be thought of as a tunnel between two parties, Alice and Bob. So it connects Alice and Bob directly to each other. The difference between a payment channel and a transaction on the blockchain is that payments within the tunnel are not recorded on the blockchain. Instead, Alice and Bob can keep updating the status of the payment channel and only write the last status to the blockchain when they are “done”. The payment channel is updated outside of the blockchain and is not bound by its limitations. Alice and Bob could update their channel status several times per second. In other words, micro-transactions are not only possible, but also plausible.

So if you want to understand the Lightning Network, you should first understand payment channels.

One-way payment channels

The classic channel or payment channel consists of two participants (peers), Alice and Bob. The multi-signature technology Bitcoins and a so-called lock time are used for the channel. Multisignature transactions can be used to generate transactions that require more than one private key to sign a transaction. In the case of payment channels, so-called 2-2 multisig transactions are generated. This means that the bitcoins associated with this transaction require the consent of both parties in order to be sent. The lock time ensures that the coins within the multisig cannot be transferred for a certain period of time.

A  unidirectional payment  channel only ever sends money in one direction. So from A to B, not the other way around.

Let’s use a real-world example to illustrate this: Bob runs a coffee shop where Alice buys coffee every morning. So that Alice does not have to write a transaction to the blockchain every time, which takes a relatively long time and costs a lot. Therefore, she opens a payment channel with Bob. It sends a certain amount, in our example 10,000 satoshi, to a 2-2 multi-sig address. Alice controls one private key and Bob controls the other. For a valid transaction to be written to the blockchain, both Alice and Bob must sign the transaction.

The transaction that opens the payment channel is also called a  funding transaction . It is written and minded in the blockchain. The funding transaction indicates the maximum amount of money that can be spent.

In addition, Alice brings in a second transaction that automatically sends the 10,000 satoshi back to her address after one month. This is your insurance. So if there are problems with Bob, Alice will get her money back after a month. So Bob could “hold the 10,000 satoshi hostage” for a maximum of one month—not forever.

On the one hand, Alice has now opened a payment channel to Bob, on the other hand, she has a guarantee that she will get her money back in a month at the latest. How does this payment channel work now?

When Alice comes to Bob’s coffee shop in the morning, she has 10,000 satoshi in the payment channel and Bob has zero satoshi. Alice pays for her coffee by updating the channel status. To do this, she creates a transaction within the multi-sig wallet that would only send her 9,000 satoshi and Bob 1,000 satoshi. She signs this transaction and sends it to Bob. Bob now has a signed transaction from Alice for the 2-2 multi-sig wallet. That means he could decide to add his signature as well and then write this transaction (9,000 satoshi to Alice, 1,000 to Bob) in the blockchain. However, he doesn’t do that because he knows that Alice will be back tomorrow. The certainty that he already has a signed check from Alice is enough for him.

The next morning, Alice comes back to the store to buy coffee. Again she pays through the payment channel. So, she creates a new transaction in the multi-sig wallet, which now only sends her 8,000 satoshi and sends 2,000 satoshi to Bob. She signs this transaction and hands the metaphorical check to Bob. This incremental update can continue until the locktime expires. Or until Alice runs out of money left in the channel to spend.

The term “off chain” is also explained in this context. Alice pays Bob with bitcoin, but these payments don’t touch the blockchain directly. They happen outside the blockchain (off chain).

So the advantage is that Alice can buy her coffee every morning. She doesn’t do this with a transaction on the blockchain, but with a check for Bob, which he can cash at any time. Before that, Alice has to top up a kind of pre-paid account from which she can then deduct the individual transactions. When Bob cashes the check, or when the lock time expires, the payment channel is closed. A transaction is written to the blockchain and distributes the remaining money to Alice and Bob accordingly.

There are only two transactions in the blockchain. Once the transaction that financed the multi-sig wallet and once a transaction that closes the payment channel. But between those 2 transactions on the blockchain, a million or more small transactions could have happened between Alice and Bob.

If a payment channel is closed, this is referred to as a  settlement transaction . The settlement transaction is written and minded on the blockchain.

So far, however, we have only considered a unidirectional payment channel. So if Alice only sends money to Bob (like when buying coffee). But if the whole thing is also supposed to work in the other direction, things get a little more complicated.

Commitments – When channels should go both ways

A  two-way payment  channel is a channel where money can flow in both directions.

However, these payment channels must also be established “trustlessly”. That is, neither party can gain anything from cheating and no third party arbitration is required.

For example, one scenario would be that Bob writes an  old  state of the payment channel to the blockchain. If Alice had already accepted the payment in the payment channel and had given Bob a good or service, she would have been cheated of her money. Of course this must not happen. Therefore, bidirectional payment channels require an extra step. Cryptographic protection must be established for both parties so that participants cannot revert to old payment channel states with impunity.

Recap  –  additional information] Why is this scenario not a problem with unidirectional payment channels? In the one-way payment channel, only Alice pays Bob money. In return, she hands Bob a check signed by her with the current status of the channel. At no point does Alice receive a signed check from Bob. This means that she cannot make a transaction from the multi-sig wallet, which requires two signatures. Bob, on the other hand, only ever gains more money with new transactions. Out of economic self-interest, he would not write an old state to the blockchain, as this would mean he would receive less Bitcoin than Alice actually wrote over to him. So in one-way payment channels, it’s always best for Bob to post the latest.

Bidirectional payment channels are structured and secured as follows:

Alice and Bob want to establish a two-way payment channel. To do this, the two parties must first agree on an opening transaction (funding transaction) with the respective amounts. So how much each pays into the channel. In our example, Alice deposits 10,000 satoshi and Bob deposits nothing. Alice sends the 10,000 satoshi to a 2-2 multi-sig wallet. For this wallet, Alice has one key and Bob has the other. Both must therefore sign for a valid transaction on the blockchain. If Bob disappears, Alice can get the money back after a certain time.

Now Alice wants to use the payment channel and send Bob 1,000 satoshi. A second multi-sig wallet comes into play for this. After the funding transaction has taken place, Alice creates a new transaction where they send 9,000 satoshi to an address she controls and 1,000 satoshi to the new multi-sig wallet. Two signatures are again required for this new multi-sig wallet. One belongs to Alice, the other is a temporary new address for Bob. In addition, this transaction has a time lock, so it can only be spent after an elapsed period of time. So far so good. Bob could now decide to sign with his temporary signature and thus close the payment channel. Or he waits for the next update of the payment channel.

Bob now wants to send 500 satoshi to Alice via the same channel. To do this, he must reveal his previous signature by sharing the associated private key with Alice. He then creates a new transaction where Alice gets 500 satoshi and 500 satoshi still goes to Bob. For this transaction, a temporary, new signature is required from Alice and a signature from Bob. This transaction is again time locked so Bob gets his full 1,000 satoshi if Alice doesn’t respond.

However, since it is a two-way payment channel, a step must be taken before the commitment transaction. You have to come up with the secret, the pre-image, and exchange it.

In practice, the wallet does this and the user does not notice much of the process. In general, however, you can imagine it like this. The wallet application generates a random, large number. This is the pre image. Then the wallet application hashes the pre image. That’s the hash. Before the payment channel can really get going, both participants create such a pre-image and the associated hash. They exchange this hash with each other. Now everything is ready for the two-way payment channel.

Alice now sends Bob 10,000 satoshi by again signing a check to the multi-sig wallet. This check pays her 49,990,000 satoshi and Bob pays 50,010,000 satoshi. It is therefore a commitment transaction. But this transaction is special because it is provided with a hashed timelock contract. That means Alice uses the hash that Bob gave her and says “whoever can prove that they know the pre-image for this hash can resolve the HTLC.” The other possibility of making a transaction is that a certain period of time elapses . With an HTLC, this time is given in blocks (a block lasts about 10 minutes).

Bob can get his money at any time. To do this, he resolves the payment channel in a settlement transaction by presenting his pre-image in the transaction. Alice can’t do that because she doesn’t know the pre image. Should Bob not cooperate with Alice and try to “hold” the money hostage, he can only do so until the time lock expires. If he hasn’t closed the channel and claimed his money by then, Alice can get all her money back.

If the balance in a payment channel is changed, i.e. one party gives up more Bitcoin, this is also referred to as a  commitment transaction . Commitment transactions are not written to the blockchain.

Lightning Network – Channels become a network

Now we understand the technical basics for the Lightning Network. But how does it come from a bidirectional payment channel between Alice and Bob to the network between all participants?

A  Hashed Timelock Contract  (HTLC) is a class of transaction that must meet a specific condition in order to be valid. More specifically, the sender must either provide cryptographic proof or wait until a specific date.

The HTLC consists of two components, on the one hand the secret (Secret) and on the other hand a time lock. The secret is a random number hashed using a hash function. The initial number used to create the hash is also called  Pre Image .

The  Pre Image  is a random number that serves as a secret for an HTLC. Anyone who knows the pre-image for an HTLC has the cryptographic proof to make a transaction.

Previously, participants would have to set up a new channel for each new payment activity. So if Alice wants to do business with Carol, both business partners would have to set up a payment channel. This is where the Lightning Network comes in – payments could be routed through the individual participants. Instead of Alice creating a new channel with Carol, she instead uses existing channels between her and Bob and Bob and Carol. In this case, Bob acts as an intermediate step, as a  hop , between Alice and Carol.

Lightning Network

The  Lightning Network  is a routed network of bidirectional, end-to-end payment channels. This means that the participants can send each other payments from channel to channel without having to use an intermediary.

The critical reader is puzzled here: ” For a moment, the money goes from Alice via Bob to Carol – isn’t that exactly the trustee model that wants to replace Bitcoin ?”

The Lightning Network is not a trust-based escrow model. Even if the payment finds its way to Carol via Bob, Bob never has control over Alice’s money. This is made possible by advanced cryptography. Just the mechanism of bidirectional, trustless payment channels, the Hashed Timelock Contracts (HTLC).

This process guarantees that nobody in the chain of payment channels can cheat, or that cheating does not pay. It works like this: Carol thinks up a secret, again a random number. Carol passes the hash on to Alice. This hash now becomes a pledge: Bob receives a payment if he knows the secret. Alice can check this using the hash. Bob passes on the hash, again promising to pay if the recipient reveals the secret. In principle, the path between Alice and Carol can contain other participants, all of whom use the hash as a pledge. In the figure, only a simple network of three parties has been formed.

HTLCs can be used to connect payment channels between different parties. You can see: Participants in the network, who form a bridge between Alice and Carol as nodes, are the backbone of the Lightning Network. Their importance can be compared to that of the miners on the regular blockchain.

Whoops

The blockchain continues to play a central role in the final settlement of payments and thus for the global consensus. It is secondary whether it is actually the Bitcoin blockchain: The Lightning Network can also interact with other cryptocurrencies such as Litecoin. This is how you can finally  realize Atomic Swaps  . A channel is opened here, the final settlement of which is stored on different blockchains.

– regardless of whether Carol and Bob have already exchanged bitcoins with each other or not. Peer-to-peer would be skewed to one extreme and thus totally inefficient. One approach would be for participants in different payment channels to pass on transactions. Alice would be able to send money to Carol through Bob. The question is can you trust Bob. On the one hand, he could claim the money and simply not pass it on, on the other hand, Bob’s Lightning Node could fail.

Challenges with the Lightning Network

The practical implementation of the Lightning Network is far from being ready for this technology to be used by a large number of people. The network is currently in an experimental phase. To use it, it is essential to have a healthy understanding of technology. But even then it can lead to the loss of your own Bitcoin. In short: Even if the approach and the idea are already clear, there are still many construction sites.

One of the biggest construction sites – and one of the most frequently mentioned points of criticism against the Lightning Network – is the routing. When a network consists of payment channels, the payment has to find its way through the network. However, the routing method is not specified in the Lightning Network white paper. Lightning Network critics say this is an unsolvable problem. Eventually, new nodes would come online all the time and others would go offline. The mere requirement that you have to be online to receive a transaction deters many from the Lightning Network. So it’s a step backwards instead of forward, because with Bitcoin the recipient does not have to be online to receive payments.

So the technological status of the Lightning Network is still immature. For widespread adoption, the technology must be easy and safe to use. At best, the user does not even notice that he is interacting with the Lightning Network and payment channels. However, it will probably take a few more years before that happens. Last but not least, the experiment could also fail.

Experience Lightning Network in your own wallet

The Lightning Network is not ready yet. There are now over 2,000 Lightning Nodes. Nevertheless, there is no guarantee that two users can actually set up a payment channel. So there is still a lot to do. True to the motto “Be your own bank”, everyone can help: particularly ambitious ones can set up their own Lightning  Node .

The anti-cheat mechanism

”  Understanding the Lightning Network  is a series of short videos aimed at explaining how Bitcoin’s Lightning Network works. In this fifth episode, we continue our analysis of what really happens behind the scenes when transferring funds from one side of a channel to the other on the Lightning Network. In particular, we go into detail about the mechanisms that make it possible to guard against possible cheating on the part of one’s peer within the channel. 

Closing a Channel

”  Understanding the Lightning Network  is a series of short videos aimed at explaining how Bitcoin’s Lightning Network works. In this sixth episode, we are interested in channel closure through a Bitcoin transaction, which can take different forms depending on the case. 

Who Chooses Lightning Network Rules?

Lightning Network is a protocol described by Thaddeus Dryja and Joseph Poon in a white paper published in 2016 and whose specifications were developed by a college of individuals and startups.

Each of these teams is developing its own implementation:
– LND – Lightning Network Daemon for Lightning Labs
– eclair – A Scala implementation of the Lightning Network for ACINQ
– c-lightning – A Lightning Network implementation for Blockstream
– lit – Lightning Network node software for the MIT

All of its implementations are interoperable.

The Lightning Network therefore does not evolve on the impulse of a single entity. The project is decentralized at all levels: design, evolution, governance and of course the network itself.

The power of the Lightning Network within everyone’s reach

Almost invisible in the media, a discreet revolution is taking place in the world of digital payments: it is now possible, without technical knowledge, without investing too much time and even less money, to receive and issue in a unlimited, almost instantaneous micro-payments to anyone, anywhere in the world and without anyone’s prior authorization.

Thus, with tools like  Tippin.me , Blue Wallet , Wallet of Satoshi or the ZigZag exchange  experimenting with this new type of payment is now within everyone’s reach.

Admittedly, we can only advise the most expert to install their own Lightning node , their own payment server  linked to their own Bitcoin node  so as not to depend on any third party and to contribute to the decentralization of the network. We also advise all others to wait for the update of Eclair Mobile which will allow as many people as possible not just to issue but also to receive “trustless” Lightning payments.

But if your intention is to try without delay the power of this technology by carrying out micro-transactions in the simplest possible way, applications (not trussless ) like  Tippin.me , Blue Wallet  and the exchange ZigZag ,  constitute interesting compromises.

Thus the Tippin application , linked to a Twitter account , will allow anyone to send you payments from an address automatically generated on your Tippin page. The satoshis thus received can be directly spent or sent to another Lightning application.

Blue Wallet  will allow you to easily send and receive Lightning transactions through a third-party node. By generating a payment request with Blue Wallet ,  you can, for example, retrieve the “tips” received on tippin.

Finally, if you want to return to your “cold wallet” engraved in the marble of the Bitcoin blockchain after having made a fortune with micro-payments but you do not have your own Lightning node, the ZigZag exchange will allow you to do this. fairly simple operation, moderately few costs  . Minimum amount per operation: 0.00028 btc, maximum amount: 0.04 btc.

You want to experiment with the Lightning Network but you don’t have any satoshi? Feel free to paste your Tippin address in the comments of this article. If there aren’t too many of you, we’ll send you a handful.

What do we need the Lightning network for?

Since the Bitcoin blockchain is basically a worldwide database in which every transaction made by every participant must be validated and then stored for eternity, it is an almost hopeless undertaking to scale this construct in terms of transaction speed. This does not really make the Bitcoin network an alternative to modern payment service providers such as VISA, Mastercard or PayPal. However, this is not the claim that Satsohi Nakamoto had for his invention. Bitcoin was created to provide a secure, free, unmanipulatable, and unconsumable alternative to the world’s existing monetary systems. In an increasingly digitized and globalized world, Bitcoin provides the infrastructure for a globally active and secure money network. In order to achieve this noble goal, two properties of the network must be particularly pronounced: security and decentralization .
Bitcoin must be as decentralized and secure as possible in order to be really free and, in an emergency, to be able to withstand attempts at censorship or manipulation by large nation states.
Over time, as interest in bitcoin has increased, so has the amount of transactions intended to be processed through the network. Since each transaction requires some space in a block of the blockchain and these blocks are limited in size, not every transaction always manages to become part of the next block. In addition, the Bitcoin protocol is programmed in such a way that a new block can only be found every 10 minutes on average. In the so-called mempool , a queue is therefore formed with excess transactions from the miners according to the principle “the more fees are paid, the sooner the transaction will be included in the next block”. This in turn means that the cost of being able to write a transaction to the blockchain in a reasonable amount of time increases enormously as soon as the number of desired transactions exceeds the capacity of the blocks. If you are not willing to pay high transaction fees, it can sometimes take hours or even days for your transaction to be confirmed by the network.

Perform Lightning transactions with Eclair Mobile

Designed by the Parisian startup Acinq , one of the three teams involved from the start in writing the specifications of the Lightning Network , Eclair Mobile is an Android application allowing to carry out “on-chain” Bitcoin transactions [1] and on the Lightning Network. It is therefore both an SVP wallet and a real Lightning node [2] that does not rely on a trusted third party. This tutorial for beginners will walk you through how to install the app, how to open payment channels, and how to send/receive transactions.

WARNING: It is not recommended to hold large amounts of money on an online device. Use your mobile phone as a wallet, not a safe. To keep bitcoins prefer offline storage or a hardware wallet . Also remember that the Lightning Network is a very recent protocol, still experimental and that incidents likely to cause the loss of your funds are always possible.

Facility

1.You will find the latest version of the application on the GitHub repository of Acinq (.APK) or simply on Google Play .
2.After installation you can:
– either restore a previous wallet from twelve recovery words,
– or create a new wallet.
In this example we create a new wallet: “  Create new wallet”.

3. The twelve recovery words will allow you to restore the wallet in case something goes wrong. Copy these twelve words carefully and keep them away from prying eyes. Please note that they will not allow you to recover the history of the state of the channels, for this Afive offers another solution that we will detail below.
4
5

Then fill in the three words of the verification procedure.

You can register a  passphrase or leave this field blank. The passphrase is an optional additional protection measure provided by BIP39 , and which allows, from the twelve recovery words, to generate another seed . So if someone has access to the 12 words, they will also need the passphrase to access the funds.

Then register a six-digit PIN code that you will be prompted for each time you open the app.

You can link your wallet to a Google Drive account to automatically back up your channel data. This will allow you to restore them in the event of loss of the device (provided of course that you have the twelve recovery words).

The application will now synchronize with the network.

Make an “on-chain” payment

Before you can open a Lightning channel you must have funds on the application.

Click on “Receive” and stay on “On chain” to access the address to which you must send a Bitcoin transaction to fund your wallet. This address changes with each new transaction.

The transaction is awaiting confirmation. A payment channel can however be opened even if the transaction that the opening of the channel will spend is not yet confirmed.

Open a Lightning Channel

Go to “Channels” to open a lightning payment channel. Click on the + at the bottom right.

Choose the lightning node you want to open a channel with. You can select any public node by copying and pasting its URI (“Paste a node URI”) or by scanning its QR Code (“Scan a node URI”) . You can also choose the Afive node . Of course you can open multiple channels with multiple nodes.

In this example we have chosen to allocate all the funds available at the opening of the channel (“Use all available funds”) . We have not chosen to fund a return channel as we intend to make payments before receiving any. This is an important point: you cannot receive on a channel more than what is on the side of your counterparty. We will come back to this below. User can configure on-chain transaction fees including channel opening. By default the application aims for a quick confirmation, ie within the next two blocks (~20min). To reduce the cost as much as possible, we have chosen a slow transaction .

Opening a channel is an on-chain Bitcoin transaction . It is therefore necessary to wait for the validation of this transaction for the channel to be functional.

Perform a Lightning transaction

Unlike an “on chain” transaction for which it suffices to know the public address of the recipient without the latter having to do anything, you can only pay via the Lightning network if the recipient sends a payment request ( an “invoice” = an invoice) for each transaction. This request may or may not be associated with an amount.

Return to “  Payments” . The recipient has issued a payment request (in the case of online businesses that have adopted the LN, “invoices” are created automatically during payment). You can copy and paste this “invoice” (“Paste a payment request”) , or scan it (“Scan a payment request”) . Note that in “  Payments” you can obviously also carry out ordinary transactions on the Bitcoin blockchain.

If the payment request is associated with an amount, the latter will be displayed automatically, otherwise enter this amount. All you have to do is confirm.

“Finding route…” : The application searches for a route.

“Pending…” : The transaction is in progress.

The transaction is completed. In this example the whole operation took around three seconds (the duration can vary significantly). The total here is 130,268 satoshis (about half a euro cent): 128 payment sats and 2,268 transaction fees sats (on the lightning network, you can indeed go below the satoshi). The fees are variable, they depend on the amount and the path found. The app automatically searches for the cheapest route. Of course, unlike on-chain transactions, LN transaction fees have no reason to increase if the network is very busy. The more nodes and channels, the more routes.

Receive a Lightning Payment

To receive payments, you must first configure the  application’s “Settings” . To access it, click on the three dots at the top right.

In the settings, you can change the currency in which you can display the balance (“Fiat currency”) , useful for seeing the balance in euros. You can also change the “crypto” unit: bitcoin (default), satoshi (0.00000001 BTC), bits (0.000001 BTC) or milli-bitcoin (0.001 BTC). Finally, you can activate or deactivate the “Lightning fee Protection” which limits fees to a maximum of 3% of the transaction (except for micro-transactions where fees up to 21 satoshis are tolerated). In practice, for a transaction of a few euros, the average fees observed tend to be around 0.01%.

What interests us here to receive transactions must be activated at the very bottom: “Enable receive over Lightning”.

Close the settings and return to “Receive” and the “Lightning”  tab . Below the QR code is displayed the maximum amount you can receive from your counterparty. If you haven’t funded a return channel (see ) and this amount isn’t enough, you haven’t spent enough satoshis yet. To remedy this, you can either make purchases , or send transactions to another Lightning wallet (for example an application based on a trusted third party like Blue Wallet ), or put your bitcoins back on the blockchain with a third-party service like Zigzag (at a cost of 2.5%).

You can use the address of the invoice or the QR code as it is, if you do not want to specify an amount, or click on “Edit request”  :
– “Description” : Name the transaction (indicate what you want, for example the name of the sender).
– “Amount” : enter the requested amount and click on “OK” .

In case of face-to-face payment, the sender can scan the QR code that the recipient will have generated for this purpose. Otherwise you just have to touch this QR code to copy the “invoice” that you will send to the payer.

Upon receipt of payment you will receive a notification on your mobile.

By going back to “Channels” and clicking on one of the active channels you can see how much you can send or receive. It is also in this window that you can close a channel (“Close Channel”) which will cause a new on-chain transaction which will distribute the balance on the two nodes according to the last state. Obviously the idea, when you open a channel, is certainly not to close it immediately but to use it as long as possible. You may never even want to close it (as long as the counterparty agrees) knowing that a channel whose funds you have spent can still be used to receive them and no longer presents a risk of loss.

 How do I use the Breeze app?

Lightning Network and privacy

a company specializing in the “scoring” of Bitcoin and Ethereum addresses, announced last week the integration of the Lightning network into its transaction analysis .

In the absence of a public ledger, however, there is no question of following Lightning Network flows but simply of trying to identify channel creation and closure transactions and mark them as such.

Currently, the analysis of Bitcoin transactions therefore stops at the door of the Lightning network. But what about the future? Could the massive deployment of well-distributed, well-connected and well-powered nodes, for example, make it possible to cross this passage?

“For the moment there are no effective technical tricks that allow you to truly monitor the transactions carried out on this network” , answers Clémence Bonnin from Scorechain . “Furthermore, there is no specific development going on.”

We asked Pierre-Marie Padiou, who is developing  an implementation of Lightning with Acinq as  well as the  Eclair Mobile application , if there were today more advanced attempts at analysis that would be based, for example, on clusters of nodes: “Not to our knowledge, but we know full well that LN is on the radar of these companies, some of which have significant means (cf: chainalysis). This is just the beginning. » 

So can we then consider that Lightning transactions will remain sufficiently confidential?

“LN guarantees that only the intermediary nodes and the receiving node (chosen by the payer for each transaction) will be aware of even the existence of a payment. Confidentiality is therefore much higher than what we have on the blockchain and the work of these companies will be much more difficult (they will have to play an active role and will not be able to content themselves with running algos on public data). The issue of channel opening/closing transactions has been taken into account from the start and every effort is made to ensure that we cannot (or as little as possible) identify them. 

Sell ​​digital content using the Lightning Network

which develops tools to democratize the use of the Lightning Network, offers a paid access lock (a “paywall” ) that is very easy to implement. The principle is simple: the user clicks on the link created by the seller, is directed to a Lightning payment QR code and then accesses the digital content (web page, file, image, etc.) after sending the requested satoshis.

Strike*: Lightning payments from a bank account

creator of the Lightning  Zap app , today announced the US-only beta release of Strike *, an app for making Lightning payments or buying or selling bitcoins via the Lightning Network from a bank account without having to worry about the dollar/bitcoin exchange or the creation of payment channels:

“Today we are pleased to announce Strike, an app that lets you make Lightning payments with your bank account or debit card. Using Strike only requires the following: a debit card or bank account. Just that, no wallet, no node, no channels, no swaps, no liquidity management, nothing. It is an application, built on our Olympus infrastructure, designed to usher in a new era of Bitcoin…”

How it works: If an American wishes to send 100 dollars to El Salvador for example, Strike will take the sum from his account, buy the equivalent in Bitcoin, send them to El Salvador via Lightning, resell them for dollars on the spot and credit the account of the beneficiary.

PTLCs: the art of routing payments within an adversarial network while preserving the privacy of participants

Part of the reason the Lightning Network is so useful today is the ability to route payments through it: if Alice wants to pay Bob, she doesn’t have to have a direct channel with him. Instead, she can have a channel with Carol and, if Carol has a channel with Bob, go through it to reach Bob.

With this operation a new question arises: how can such payments, which depend on the goodwill of third parties like Carole, be made without having to trust anyone? For a long time, it was HTLCs (for Hash Time Locked Contracts, a specific type of conditional transactions on Bitcoin) that provided a satisfactory answer to this question. But HTLCs themselves come with their share of drawbacks, particularly in terms of transaction confidentiality.

This is why a new savior has been created: PTLCs (for Point Time Locked Contracts), which provide the same functionalities as HTLCs while preserving user privacy.

HTLCs

HTLCs are a key component of how Lightning works today, as they allow payments to be routed without trust within the network. It is thus possible to send funds to someone on Lightning without the need to have a direct channel with this person, as long as there is a route to achieve it.

The “trustless” aspect is achieved in the same way as it is often the case on Lightning: by constructing and signing specific Bitcoin transactions, which are not published in the majority of cases but can be, in in the event of a problem, so that each stakeholder recovers the funds due to them on Bitcoin ( on-chain ).

Almost a year ago I published a video explaining how HTLCs work. The video is in French, and subtitled in French and English. I invite you to watch it if the video format suits you more, but I will reiterate these explanations in the following paragraphs anyway.

The life of a Lightning payment begins when the person who wants to be paid (Bob) creates an invoice . This invoice contains various information, such as Bob’s public key (his “address” within the network), the amount he wishes to receive (for example 40,000 satoshis), etc. It also contains a number, often denoted r . This number is the hash of a secret, denoted s and called a preimage , that Bob randomly created for this payment. Bob then sends the invoice to the person he wants to receive payment from (Alice).

 

When she receives the invoice , Alice starts by trying to find a route to Bob’s node. Ideally, this would be a direct channel between her and Bob, but more often than not, it will have to go through intermediate nodes within the network. In this case for example, Alice selects a route that goes through Susie’s node.

She then constructs a conditional payment, an HTLC, which she sends to Susie. This HTLC says: “Here are 40,000 satoshis. To retrieve them, you must give me a secret s’ such that the hash of s’ is equal to r ”. In the rest of this article, we will note such an HTLC HTLC(r) . Susie is also told that a good way for her to learn the secret is to ask Bob. It therefore in turn builds its own HTLC(r), sending 40,000 satoshis on the condition of revealing a secret s’ whose hash is equal to r ; and sends it to Bob.

From there, all Bob has to do to unlock Susie’s contingent payment and collect the 40,000 satoshis it contains, is reveal a number with a hash of r . However, he has precisely that in stock since, by construction, r = hash(s). Bob therefore reveals the preimage s to Susie, allowing him to unlock Susie’s conditional payment and collect the 40,000 satoshis. Now that Susie knows s, she can in turn reveal it to Alice and thus satisfy Alice’s HTLC condition. Once all the HTLCs are resolved, the payout is complete: Alice has 40,000 fewer satoshis, Bob 40,000 more, and Susie’s total balance has not changed. To move 40,000 satoshis from Alice to Bob, 40,000 satoshis were therefore moved in the channel between Alice and Susie, from Alice’s side to Susie’s; and 40,000 satoshis were moved in the channel between Susie and Bob, from Susie’s side to Bob’s side  ; all atomically.

If the payment involves two intermediate nodes (Susie and Tim) instead of just one, there is simply one more HTLC between Susie and Tim. Each intermediate node is only aware of the node before it and the one after it: Susie knows that she has to send an HTLC to Tim to learn the secret, but she does not know if Tim is the final recipient of the payment or a simple intermediary. Likewise, it doesn’t know if Alice is the original issuer of the payment, or just another node in the road. This mechanism is called Onion Routing, and it brings some privacy to payments on the Lightning Network.

Naughty HTLCs?

One of the problems with HTLCs is reusing the same preimage along the entire route. Moreover, since the preimage is randomly generated by the recipient of the payment, the probability that two different payments have the same preimage is negligible. Thus, if an entity (individual, company, State, etc.) controls several nodes on the route of a given payment, it can detect that what entered at one point and exited at another is in fact the same transaction. . Then, using certain heuristics (such as the length of the route or the type of Lightning node), it can attempt to determine which node on the route is the issuer of the payment, and which node is the recipient. The confidentiality provided by Onion Routing is lost.

Consider a simple example with 5 nodes: Alice, Bob, Carol, Daniel and Eve. Alice sends a payment to Eve but, because there is no direct channel between them, must find a route within the network through other nodes. She chooses a route that follows the channels of Bob, Carole and Daniel. What she doesn’t know, however, is that Bob’s and Daniel’s nodes actually belong to the same entity

Since the HTLCs all use the same preimage s (whose hash is r ), the attacker controlling Bob and Daniel’s nodes knows that this is one and the same payment. Bob’s node knows that it received an HTLC(r) from Alice and sent an HTLC(r) to Carol. Daniel’s node knows that it received an HTLC(r) from Carole and sent one to Eve.

With this information, the attacker can already establish with certainty that Carole is indeed an intermediate node. If there were other nodes between Bob and Daniel besides Carole, the attacker wouldn’t necessarily know all of them, but he would know that whatever was happening there would only be about intermediate nodes.

However, the attacker cannot conclude with certainty that Alice is the sender of the payment. Indeed, there could be another node before Alice, and Alice could be just one more intermediary. It is the same for Eve. However, we know that the reliability of a payment, its ability to be carried out, decreases with the length of the route: a node can be offline, the liquidity of a channel can be on the wrong side of our needs, etc ; and with every knot in the road the chances of something failing are multiplied. The attacker can therefore consider that it is unlikely that a route has more than 3 intermediates . The attacker could also know that Alice and Eve have mobile nodes (because they are often offline and their IP addresses change regularly) which generally do not transmit other people’s payments and are therefore only senders or receivers. of payments. By using this type of heuristics, the attacker could consider it probable that Alice is the issuer of the payment and that Eve is the recipient. He might say something like, “Our investigations have determined, with a 90% confidence interval, that Alice is the sender and Eve is the receiver.”

If an attacker has a few very well-connected and competitively charged nodes, he could become a hub of the network and regularly find himself in this type of situation, where he is able to “break” the confidentiality of Onion Routing and determine origin and destination of a payment. So is privacy on Lightning doomed?

PTLCs to the rescue

The main issue with respect to privacy is that we consistently reuse the same preimage every step of the way. Specifically, every HTLC on the road requires the same preimage to be unlocked  . Is there another way to achieve the same result? It must be ensured that:

  • the sender (Alice) is able to provide proof of payment to the receiver (Bob) once the payment is complete,
  • each node in the route must be able to unlock the conditional payment sent by the previous node by revealing a secret s ,
  • to learn this secret s , each node on the route must send a conditional payment to the next node requesting that it reveals a secret s’ , from which it is possible to find s .

The “easy” way to achieve this and verify these three conditions is to reuse the same secret s along the way. This is what happens with HTLCs. But this is not the only way. Indeed, it is not necessary that s and s’ are equal. The only indispensable condition is that the secrets be such that, by learning s’ , a node can deterministically find s . What is called PTLCs.

With HTLCs, the recipient (Bob) starts by creating a secret for this payment, the preimage. With PTLCs, the recipient does something very similar, but with a private key. The preimage and the private key are ultimately nothing more than large random numbers, and the difference is in what you do with them.

To understand the following, some basic aspects of elliptic curve cryptography are needed. An elliptic curve is a very specific curve, some properties of which are very useful to cryptographers. The objective of this article is not to dig too deeply into this subject, so we will content ourselves with the bare essentials.

  • We define an addition operation, denoted +, between two points on the elliptic curve. The sum Rof two points Pand Qof the curve is also a point of the curve, but its location on the latter cannot be directly linked to those of Pand Q.
  • We define a multiplication operation, denoted *, representing the successive additions of a point of the curve to itself. Thus, if kis a number and Pa point on the curve, k*P = P + P + ... + P, k times. Because we add Pto itself many times, k*Pcan be anywhere on the curve. That is, even though I know Pand k*P(which are two points on the curve), I cannot find k.
  • The operation *has other interesting properties, such as the distributive property: a*P + b*P = (a + b)*P.

These properties of elliptic curves are applied to cryptography as follows:

  • A private key sis a very long number.
  • The public key associated with the private key sis s*G, where Gis a specific point on the curve, called the generator. That is, Gis a point on the curve and a constant.
  • Even if someone knows the public key s*Gand G, they still can’t guess the private key s.

Another important point to note, although it may seem trivial, concerns the classical addition of numbers: knowing a + bis very different from knowing aor b. Likewise, even if I know a + b + cand a, I am far from knowing bor c.

Now that our mind is armed with these few concepts, let’s go back to our example at 5 knots, where Alice pays Eve through the channels of Bob, Carole and Daniel; and where Bob and Daniel happen to be an attacker trying to de-anonymize the transaction.

The payment path looks something like:

  1. Eve generates a private key (therefore secret) sand gives the corresponding public key s*Gto Alice in an invoice , in the same way that she had given her the hash of the preimage in the case with the HTLCs.
  2. Alice searches for a route to Eve and chooses one passing through 3 intermediate nodes: Bob, Carole and Daniel.
  3. Alice generates 4 random numbers abcand d. She sends bto Bob, cCarole and dDaniel. She also sends (a + b + c + d)to Eve (the sum, not abcand separately).
  4. Alice sends a conditional payment to Bob, for which the condition is that Bob reveals the private key associated with (a + s)*G, which is (a + s)by definition. Bob is also told (in the onion packet) that Carole knows the private key associated with (a + s)*G + b*G, which is (a + b + s).
  5. Bob realizes that if he knew (a + b + s), he would be able to calculate a + s = a + b + s - band reveal it to Alice to recover the conditional payment, since he already knows that bAlice communicated to him in step 3. So he sends a conditional payment to Carole, requesting that she provide him with the private key associated with ( a + b + s)*G.
  6. When Carole receives the conditional payment from Bob, she is also informed that Daniel knows the private key associated with (a + b + s)*G + c*G, which is (a + b + c + s). If she knew a + b + c + sand c, Carole could then calculate a + b + sby subtraction. She therefore sends a conditional payment to Daniel, with the condition that he reveal to her the private key associated with (a + b + c + s)*G.
  7. When Daniel receives the conditional payment from Carole, he is also informed that Eve knows the private key corresponding to (a + b + c + s)*G + d*G, which is (a + b + c + d + s). If he knew a + b + c + d + sand d, he could then calculate a + b + c + sby subtraction and unlock Carole’s conditional payment. To find out a + b + c + d + s, he sends a conditional payment to Eve demanding that she reveal to him the private key associated with (a + b + c + d + s)*G.
  8. Eve already knows s, since it is the secret that she initially generated. She also knows (a + b + c + d), since Alice sent it to her in step 3. She is therefore able to reveal a + b + c + d + sit to Daniel and thus recover his payment.
  9. Now that he knows a + b + c + d + s, Daniel can calculate a + b + c + sand communicate it to Carole, thus recovering his payment.
  10. Now that she knows a + b + c + s, Carole can calculate a + b + sand communicate it to Bob, thus recovering his payment.
  11. Now that he knows a + b + s, Bob can calculate a + sand communicate it to Alice, thus recovering his payment.
  12. Alice knows now a + s. Since she already knows a, she can easily calculate sby subtraction. The secret sthen constitutes Alice’s proof of payment, which she can show to Eve to prove to her that she has indeed paid the invoice .

Through this mechanism, each node along the route is made aware of a different secret. Even though they work together, Bob and Daniel don’t know enough to be able to tell if they’re part of the same payment, or if they were two different payments:

  • once the payment is completed, Bob only knows a + b + sband a + s,
  • once the payment is completed, Daniel only knows a + b + c + d + sdand a + b + c + s.

Even by putting all this information together, they can’t guess if they participated in the same global transaction. From our omniscient point of view, we can clearly see that they can calculate cwith c = a + b + c + d + s - d - (a + b + s), but this number means nothing to them, and they would find one anyway, just as abstruse from their point of view, if they were part of two different payments  . They just don’t know enough to calculate s, the only common denominator of payment.

Of course, if the attacker controlled two consecutive nodes of the same payment, he could easily deduce that it is indeed the same payment, since each node on the route knows the identity of the next one. But then he would have to check the nodes of Bob, Carole and Daniel to be able to apply the same heuristics as before (namely, that a route “probably” has no more than 3 intermediate nodes). In other words, PTLCs are only truly defeated when the attacker controls all nodes of a route. And even so, let us remember, he still cannot say with certainty that Alice is the sender and Eve the receiver, since he is basing himself on heuristics.

TL;DR

Because they reuse the same secret along the entire route, HTLCs can significantly reduce the privacy gains provided (at the cost of serious inefficiencies) by Onion Routing. PTLCs, on the other hand, use a different secret for each node on the route. Thus, the confidentiality brought about by Onion Routing is preserved.

Additional Resources

In this article, I have chosen to focus on the contributions of PTLCs that concern the protection of privacy. They have many other applications, however, detailed in this Suredbits article series .

  1. The payment amount is omitted because it is not particularly useful in this article. Of course, a more detailed notation might be HTLC(40000, r)for an HTLC paying 40,000 satoshis provided the recipient reveals a secret s’ such as hash( s’ ) = r .
  2. We omit for simplicity the routing fees that Susie may levy.
  3. Obviously, a payment with 4 intermediate nodes is quite possible. The argument here is rather that it is possible to attach probabilities, derived from statistics, to the success of the payments depending on the length of the route.
  4. Note: this mechanism does not only impact confidentiality. In our example at 5 nodes where Bob and Daniel are actually working together, Daniel can very well send the preimage to Bob as soon as he learns it from Eve, and thus bypass Carole. Bob can then reveal the preimage to Alice: for everyone except Carole, the payment is complete. For Carole, it appears to be still ongoing, until her HTLC expires. But in the meantime, Bob and Daniel will have collected Carole’s routing costs for her.
  5. It’s also worth noting that they can only learn once the payment is complete. Thus, unlike HTLCs where Daniel could transmit the preimage directly to Bob and bypass Carole, this type of attack (resulting in the theft of charges due to Carole) is not possible with PTLCs.

Transactions for the Future

Instant Payments. Lightning-fast blockchain payments. Blockchain security enforced by smart contracts without creating a separate on-blockchain transaction. Transaction speed measured in milliseconds to several seconds. Capable of handling millions to billions of transactions each second across the network. All of this makes Ethereum one of the most promising payment networks in existence today.

Powered by Blockchain Smart Contracts

Lightning Network is a protocol for fast, scalable bitcoin micropayments. It allows people to send money directly to each other without going through a financial institution. Lightning uses a combination of cryptography and marketplaces to achieve scalability. In addition, it provides a trustless system where transactions are secured by cryptographic proof rather than third party intermediaries such as banks. Lightning is being built on top of the Bitcoin blockchain, enabling instant payments across a network.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *