From bastien at acinq.fr Mon Feb 3 15:05:25 2020 From: bastien at acinq.fr (Bastien TEINTURIER) Date: Mon, 3 Feb 2020 16:05:25 +0100 Subject: [Lightning-dev] Decoy node_ids and short_channel_ids In-Reply-To: References: <87h808cml7.fsf@rustcorp.com.au> Message-ID: Hi ZmnSCPxj, That is precisely what I am referring to, the lowest bits of the node ID > are embedded in the SCID, which we do not want to openly reveal to Carol. > Got it, I wasn't understanding your point correctly. We totally agree on that. Though if the point is to prevent Carol from correlating different invoices > as arising from the same payee, then my scheme fails against that. > IMO we should prevent Carol from correlating different invoices by using a different node_id for each invoice. This requires minimal changes and happens entirely payee-side (see my initial mail). Alice would do better to use multiple Bobs in that case. > That's of course a solution as well. Even with that though, if Alice opens multiple channels to each of her Bobs, she should use Tor and a different node_id each time for better privacy. Cheers, Bastien Le lun. 3 f?vr. 2020 ? 15:51, ZmnSCPxj a ?crit : > Good morning t-bast, > > > > > This is relevant if we ever want to hide the node id of the last node: > Bob could provide a symmetric > > > encryption key to all its peers with unpublished channels, which the > peer can XOR with its own true > > > node id and use the lowest 40 bits (or 46 bits or 58 bits) in the SCID. > > > > I don't understand your point here. Alice cannot hide her node_id from > Bob since the `node_id` is > > tied to the (unannounced) channel creation. > > > > But this is not an issue. What Alice wants to break is the ability to > link multiple HTLCs together > > because they use the same `node_id`. Since Alice can use a different > `node_id` in every invoice, > > it's easy for her to make sure Carol cannot tie those HTLCs together. > > That is precisely what I am referring to, the lowest bits of the node ID > are embedded in the SCID, which we do not want to openly reveal to Carol. > Though if the point is to prevent Carol from correlating different > invoices as arising from the same payee, then my scheme fails against that. > > > > > In order to hide from Bob, the best Alice can do is use a different > `node_id` for each channel she > > opens to Bob and use Tor. This way Bob cannot know that node_id_1 and > node_id_2 both belong to Alice. > > I don't think we can do better than that. > > Alice would do better to use multiple Bobs in that case. > > > Regards, > ZmnSCPxj > -------------- next part -------------- An HTML attachment was scrubbed... URL: