Researchers Surface Privacy Vulnerabilities in Bitcoin Lightning Network Payments
Privacy holes in the Lightning Network, a bitcoin transaction settlement layer, are leaking payment information.
New research warns cryptocurrency users the Lightning Network can expose financial information of bitcoin payments thought to be anonymous.
A second financial layer, the Lightning Network, was proposed in 2016 to improve the speed, affordability and privacy of bitcoin payments. In an attempt to enhance anonymity, transactions are broadcast off the bitcoin blockchain and routed through encrypted communications.
“The gap between the potential privacy properties of the Lightning Network and the actual ones is large. As it is designed right now, the Lightning Network opens the door for various attacks,” said Ania Piotrowska, a cryptography researcher at the University College London, which collaborated with the University of Illinois at Urbana-Champaign on the March study.
Nodes, building blocks of the Lightning Network, are software gateways that exchange bitcoin via payment channels. Both research teams, the other at the University of Luxembourg and the Norwegian University of Science and Technology, conducted attacks on only public channels. According to a report in January from cryptocurrency exchange BitMEX, 72.2 percent of Lightning Network channels are publicly announced, and 27.8 percent are kept private.
“As Lightning Network gains popularity, it is often touted as an alternative to bitcoin that is not only more scalable but also more private,” said Piotrowska, who also works at cryptocurrency privacy infrastructure startup Nym Technologies. “We felt that it was an interesting research question to study how private Lightning actually is.”
A raft of academic and corporate institutions have taken up Lightning Network development, from the Massachusetts Institute of Technology’s Digital Currency Initiative to bitcoin satellite maker Blockstream, engineering group Lightning Labs and Square Crypto, the cryptocurrency unit of the publicly traded financial technology company Square.
In December, Bitfinex, a high-volume cryptocurrency exchange, opted to let customers trade bitcoin over the Lightning Network.
Three-pronged attack
The American and British researchers, a team of seven, carried out three attacks on the Lightning Network during the months of December, January and February. Two attacks targeted the Lightning Network’s test network and main network to determine balances.
By forwarding payments with fake hashes – unique cryptographic identifiers of transactions – to channels opened with 132 test network nodes and six of the 10 largest main network nodes, the first balance attack accessed the balances of 619 test network channels and 678 main network channels.
The counterfeit payment spamming was stopped when error messages went away, a sign that actual channel amounts had been matched.
At the start of the first balance attack, 4,585 test network channels and 1,293 main network channels were trialed from 3,035 test network nodes sharing 8,665 channels and 6,107 main network nodes sharing 35,069 channels.
The second balance attack also discovered the balances of randomly selected main network channels in a process of elimination with error messages. However, payment hashes were routed through two channels the researchers opened with two intermediate channels that sat between one start and one end channel.
Piecing together changes in balances learned from the first two attacks, the third attack constructed snapshots of the Lightning Network at different time intervals to detect payment movements and their senders, recipients and amounts.
“Identifying the sender and recipient means that we identify them according to their public keys and any other information linked to the node,” such as an IP address, a numerical string that tags the location of an electronic device that connects to the internet, she said. Public keys are handed out freely between parties in payment interactions; private keys that are guarded closely and that give ownership access of funds were not extracted.
Piotrowska noted that, owing to ethical concerns, the third attack was performed on a simulation of the Lightning Network.
Attack analysis
Mariusz Nowostawski, a computer scientist at the Norwegian University of Science and Technology and one of four authors of the April paper, said the March paper’s first balance attack is a derivative of “an older, known method” and that the second balance attack, while new, is limited to small-scale attacks.
The second balance attack “requires opening two channels for each single channel being probed, which is extremely costly as those opening and closing channels need to be on-chain,” Nowostawski said. “And it requires the balance in one of the channels to be placed on the side of the node being probed,” risking the attacker’s funds.
To stave off the loss of funds, an external liquidity service – similar to the Bitrefill liquidity provider used in the March paper attack – needs to fund the channel. Even so, the balance attack falls flat if a channel refuses to accept a channel opening, Nowostawski said.
The balance attack studied by the Luxembourger and Norwegian researchers doesn’t expend resources or rely on intermediate channels, said Nowostawski. The attack is also an error-message-reading algorithm that probes channels, but supposedly on a larger and faster scale that reduces new channel openings, fund lock-up time and contact with the bitcoin blockchain.
Benedikt Bünz, a Stanford University Applied Cryptography Group researcher, called the papers important to privacy in cryptocurrencies.
“For strong and good privacy, cryptographic solutions such as zero-knowledge proofs and confidential transactions are needed,” said Bünz. Zero-knowledge proofs, a cryptographic structure, could facilitate payments that don't leave traces of information behind with another party.
Read both papers below:
STORY CONTINUES BELOW