[Lightning-dev] Decoy node_ids and short_channel_ids
ZmnSCPxj
ZmnSCPxj at protonmail.com
Mon Feb 3 14:51:33 UTC 2020
Good morning t-bast,
> > This is relevant if we ever want to hide the node id of the last node: Bob could provide a symmetric
> > encryption key to all its peers with unpublished channels, which the peer can XOR with its own true
> > node id and use the lowest 40 bits (or 46 bits or 58 bits) in the SCID.
>
> I don't understand your point here. Alice cannot hide her node_id from Bob since the `node_id` is
> tied to the (unannounced) channel creation.
>
> But this is not an issue. What Alice wants to break is the ability to link multiple HTLCs together
> because they use the same `node_id`. Since Alice can use a different `node_id` in every invoice,
> it's easy for her to make sure Carol cannot tie those HTLCs together.
That is precisely what I am referring to, the lowest bits of the node ID are embedded in the SCID, which we do not want to openly reveal to Carol.
Though if the point is to prevent Carol from correlating different invoices as arising from the same payee, then my scheme fails against that.
>
> In order to hide from Bob, the best Alice can do is use a different `node_id` for each channel she
> opens to Bob and use Tor. This way Bob cannot know that node_id_1 and node_id_2 both belong to Alice.
> I don't think we can do better than that.
Alice would do better to use multiple Bobs in that case.
Regards,
ZmnSCPxj
More information about the Lightning-dev
mailing list