
The Role of Payment Splitting and Switching in Improving Lightning Network Transaction Privacy

Since Bitcoin broke through the $40,000 resistance level on December 3, the pioneering cryptocurrency has returned to its April 2022 price levels, a period that saw the start of the Federal Reserve's rate-hiking cycle and the collapse of Terra (LUNA).

While it remains uncertain when Bitcoin's next bull run will begin, another reaction has been anything but ambiguous: Bitcoin fees. For most of this year, the average Bitcoin transaction fee held steady below $5. The renewed interest in Bitcoin, driven recently by ETF-approval hype, has now pushed the price of a single transaction to just under $30.

The more popular Bitcoin becomes, the more it costs to transfer. Image credit: ycharts

This is not surprising. After the "block size war" debate of 2015 to 2017, the Bitcoin blockchain settled into processing infrequent but high-value transactions. In turn, its "digital gold" narrative was affirmed.

But if the Bitcoin network stays capped at around 7 transactions per second, producing high fees during periods of heavy traffic, how can it reach mass adoption worldwide, let alone serve high-frequency micropayments, online shopping, service subscriptions, in-game purchases, or even future trading strategies?

These everyday transactions demand low latency and fees small enough to be negligible. Bitcoin's layer-2 scaling solution, the Lightning Network, has made major progress on this latency problem, but some challenges remain.

The Lightning Network Is Unlocking the Bitcoin Network's Potential

As a network of off-chain payment channels, the Lightning Network successfully bypasses the Bitcoin mainnet bottleneck. The concept is simple: two transacting parties open a channel between them, which is established when BTC funds are deposited into an off-chain ledger.

Because the off-chain ledger operates as a second layer and does not record transactions on the Bitcoin network, Bitcoin miners collect no fees on them. Instead, many transactions can execute instantly at almost negligible cost.

LN transaction fees are an order of magnitude lower. Image credit: 1ml.com statistics

Only after a payment channel is closed, manually or automatically, are these transactions consolidated into a single transaction; the combined LN transaction is then broadcast to the Bitcoin mainnet for final network confirmation, which still requires a miner fee. But what if B refuses to honor the receipt that A issued?

The Lightning Network solves this trust problem with a built-in refund function. Once the channel funds are in place, the refund can be activated (unlocked) after a set period. The refund terms are signed by both parties and can be exercised unilaterally.

Unfortunately, despite the Lightning Network's speed and low fees, the fact that bitcoin is moved through channels leaves LN payments with one drawback.

Understanding the Lightning Network's Current Privacy Challenges

Another way to describe LN scaling is as collateral forwarding. In this architecture, LN nodes act as intermediaries that earn forwarding fees during routing. In turn, nodes with a reliable uptime record and a history of efficient routing can earn higher fees.

Currently, the average LN node offers about 8.3 payment channels, and the average node age is about 2 years. As expected, routing involves some friction (transaction cost). Users are therefore encouraged to link between channels; after all, opening and closing channels incurs blockchain fees.

Payments can therefore pass through multiple channels hosted by third parties, with routing fees orders of magnitude lower than on the Bitcoin mainnet, but user information leaks during the gossip process used to probe routes.

In other words, forwarding payments effectively provides the most economical way to gather information that can pin down the exact state of an LN channel, a process known as channel probing; it not only reduces payment friction but also lowers fraud risk.

"During channel probing, onion routing gives the sender's data a layer of privacy protection. That is not the case for the recipient, however." — Lightning Network developer Tony Giorgio

One improvement is to route payments through multiple intermediaries, obfuscating the routing information and making the origin of a payment harder to trace. Users can also cryptographically "blind" incoming payments: when a payment is forwarded, route blinding ensures that only the recipient of the funds can see the full path of the transaction.

LN's Payment Splitting and Switching Mechanism

As Lightning Labs works on privacy enhancements at the core protocol level, a technique related to route blinding is Payment Splitting and Switching (PSS). Where parts of a payment path are obscured by route blinding, the PSS system splits the payment into smaller parts.

These smaller payment bits are then forwarded over other routes, which both strengthens privacy and raises the probability of payment success. Gijs van Dam, the developer of PSS, lays out the following steps:

  • Alice and Bob (an intermediary) have a PSS-enabled payment channel online.
  • Alice splits the amount she wants to pay into two parts.
  • One part travels the original route to Bob, while the other takes a different route.
  • Alice commits the original-route forward via an HTLC (hashed timelock contract) for fewer BTC than Bob requires.
  • Seeing the insufficient total, Bob, because he supports PSS, waits for the agreed figure, i.e. the second payment.
  • Alice then sends a new payment using the same payment hash to fill in the missing amount.

Of course, once Bob receives the payment including the forwarding fee, he is incentivized to forward the original payment. He does this via an HTLC as well. Remember that HTLCs are the building blocks of LN. These smart contracts help with:

  • Fund locking
  • Fund unlocking
  • Off-chain routing
  • Timelock mechanism
  • Preimage commitment

Preimage commitment is a cryptographic puzzle with a unique solution only Alice knows. In other words, Bob can only claim payments with a revealed preimage that generates the payment hash.
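The split-and-wait behaviour described in the steps above, together with the preimage check Bob applies before claiming, as an added toy simulation (my own illustration, not code from PSS, LN or Gijs van Dam). Amounts, route labels, the `PSSIntermediary` class and the "hold"/"forward"/"fail" outcomes are assumptions; fees and timelocks are left out.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class HTLC:
    payment_hash: bytes   # sha256(preimage); every split part carries the same hash
    amount_sat: int
    route: str            # label for the path this part travelled (constructed)


def new_invoice(amount_sat):
    """Recipient side: the secret preimage and the hash Alice commits to."""
    preimage = secrets.token_bytes(32)
    return preimage, hashlib.sha256(preimage).digest(), amount_sat


class PSSIntermediary:
    """Bob. With PSS he holds under-funded HTLCs that share one payment hash
    until the agreed total arrives; without PSS he fails them immediately."""

    def __init__(self, pss_enabled=True):
        self.pss_enabled = pss_enabled
        self.pending = {}   # payment_hash -> list of incoming HTLC parts
        self.settled = []   # parts Bob has claimed with a valid preimage

    def offer_htlc(self, htlc, expected_sat):
        if htlc.amount_sat < expected_sat and not self.pss_enabled:
            return "fail"   # classic behaviour: an insufficient HTLC is rejected
        parts = self.pending.setdefault(htlc.payment_hash, [])
        parts.append(htlc)   # parts with a different hash are never aggregated
        total = sum(p.amount_sat for p in parts)
        return "forward" if total >= expected_sat else "hold"

    def settle(self, payment_hash, preimage):
        """Claim all held parts once the downstream hop reveals the preimage."""
        if hashlib.sha256(preimage).digest() != payment_hash:
            return 0        # wrong preimage: nothing is claimed, parts stay pending
        parts = self.pending.pop(payment_hash, [])
        self.settled.extend(parts)
        return sum(p.amount_sat for p in parts)


def run_split_payment(pss_enabled, total_sat=1000, split=(600, 400)):
    """Alice pays total_sat to the recipient via Bob, in two parts over two routes."""
    preimage, payment_hash, _ = new_invoice(total_sat)
    bob = PSSIntermediary(pss_enabled)
    outcomes = []
    for amount, route in zip(split, ("alice->bob", "alice->dave->bob")):
        outcomes.append(bob.offer_htlc(HTLC(payment_hash, amount, route), total_sat))
        if outcomes[-1] == "fail":
            return outcomes, 0
    # Bob forwards the combined amount; the recipient reveals the preimage to claim it.
    return outcomes, bob.settle(payment_hash, preimage)
```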

Altogether, PSS makes it possible for LN nodes to forward payments using any route available via “localized packet switching”. The question is, how does PSS boost the Lightning Network privacy?

Enhancing Privacy with Payment Splitting and Switching

Let’s go back to channel probing, as the necessary requirement of the LN architecture. If that channel is now PSS-supported, how would potential attackers be thwarted?

With PSS packet switching, the attacker would have to take into account that payment could go through any possible Alice-Bob route simultaneously. With that in mind, the attacker would have to probe total liquidity between Alice and Bob.

Biryukov et al. (2022) developed the LN Probing Simulator to test such likelihood. It can be conducted in two ways:

Direct probing - attacker opens a channel to one of the two nodes (on either side) of the targeted channel. Not only would Alice/Bob have to participate when opening the channel, but the attacker would suffer on-chain fees for each probed channel.

In this case, the payment would be routed through exactly two nodes. As 2-hop payment it would be less expensive, typically used for smaller sums.

Remote probing - the attacker foregoes a direct channel link. Instead, they choose which node to connect to in order to avoid on-chain fees.

Because remote probing runs over a multi-hop route, the attacker could gather data on intermediaries like Bob. However, this probing is likely to fail if the intermediary lacks the funds to relay the payment.

In graph form, this means that for both direct and remote probing the information gain is reduced if PSS is enabled.

Image credit: Gijs van Dam

Moreover, because the potential attacker lacks the knowledge if PSS is enabled or not, this creates another layer of uncertainty. The attacker would only be able to tell this if linking to both node peers on either side of the channel, which would bring about the aforementioned on-chain fee problem.

Overall, simulations conducted by Gijs van Dam show that PSS could drop information gain by 50% for direct probing and 62% for remote probing. On top of this, the new PSS technique leads to such complexity that Balance Disclosure Attacks (BDA) would require off-the-shelf hardware to properly scale up.

Conclusion

For regular banking users, it is difficult to appreciate what it means to have an open-source, permissionless storage and payment system. In such a traditional system, parties don’t seek sovereignty. Instead, they form a contract of permissioned custody.

Bitcoin broke that paradigm with truly private, permissionless wealth storage and transfer. Yet, to ensure that such a network remains decentralized, a compromise had to happen in the form of smaller block sizes. And if block sizes for transactions are small, the network's throughput is lower, eventually incurring higher transfer fees.

Lightning Network came in as a scaling solution to solve this, upgrading Bitcoin from a store of value to a low-friction currency. Still, some laws are difficult to circumvent. Transaction data still has to be publicly broadcast through LN channels for payments to happen.

During this broadcasting, user info can be deanonymized. Among many techniques to safeguard privacy, Payment Splitting and Switching (PSS) comes to the rescue. Would-be attackers then have to deal with greater costs and complexity to break through it and succeed in Balance Disclosure Attacks (BDA).

Although not perfect, PSS shows that LN has ample room for improvement. More importantly, it shows that Lightning Network itself can continue to scale the Bitcoin network while retaining its conservative nature.
