t-bast

Keybase proof

I hereby claim:

• I am t-bast on github.
• I am tbast (https://keybase.io/tbast) on keybase.
• I have a public key ASAOUDcPswM4FtA7kgxGQyAhcF73gVTekNpkrrc_k_X-_Qo

To claim this, I am signing this object:

t-bast

The BLAKE2b hash of `./response` is:
    e4dafd1b 0fa438a2 b313d66c c9566a0a
    be6d7abe 76252eeb 7d294028 770f830d
    e8670f14 5ed8c8af 4e5c3476 f591d0c7
    bfd58ddd 36dd7c4d 311d1358 420d551f

t-bast

On-chain Privacy in Phoenix

Phoenix users never fund channels themselves; it's always the routing node they're connecting to that opens channels to them via pay-to-open. Let's call such a node an LSP (Lightning Service Provider). Note that for now Phoenix only supports one LSP (Acinq).

We will show that this model provides good UTXO privacy for Phoenix users (and good unlinkability between on-chain and off-chain identities).

Pay-to-Open

t-bast

Route Blinding

Notations

• Alice's real node_id is P_a = k_a * G
• Bob's real node_id is P_b = k_b * G
• Alice's blinded node_id is D_a = d_a * G
• Bob's blinded node_id is D_b = d_b * G
• Alice <-> Bob real short_channel_id is scid_ab
• Alice <-> Bob blinded short_channel_id is blinded_scid_ab

t-bast

Sphinx Rendezvous

Alice wants to receive a payment via rendezvous node Bob. Carol will pay this by "finishing" the onion encryption to route to Bob.

Carol -> N -> Bob -> M -> Alice

Notation:

t-bast

Trampoline error encryption

Trampoline nodes apply the same error-wrapping mechanism that's used for normal onions at the trampoline onion level. That means there's simply two layers of error wrapping.

Notations

We note ss(Alice, Bob) the shared secret between Alice and Bob for the outer onion encryption, and tss(Alice, Bob) the shared secret between Alice and Bob

t-bast

Phoenix in a splicing future (a.k.a death to all swaps)

Phoenix implements trusted swaps for users' convenience (to allow easy onboarding and offboarding). But it's not a satisfying solution for the following reasons:

• It uses two on-chain transactions for swap-in where one should be sufficient (one transaction from the user to Acinq followed by a channel open)
• Swap-out feerates are unpredictable (because we may fund the swap-out with unconfirmed previous outputs) which is frustrating for users
• It forces Acinq to use its own utxos, which doesn't scale well and is an operational burden
• If Acinq doesn't have any utxos available and the mempool is completely full, swaps are stuck which is also frustrating for users

t-bast

Asymmetrical features

Let's explore the following scenario. There is an asymmetrical feature F, with a clear client side and provider side. The client side of the protocol is activated by feature X. The provider side of the protocol is activated by feature Y.

Some nodes want to be a client, but not a provider, and want to connect only to nodes that are providers of this feature. They obviously turn on feature X. Since they are only clients of the feature, they cannot turn on feature Y, so how do they require their peers to support feature Y?

t-bast

Pinning discussion

t-bast

Combining BIP32 keys for fun and profit

We only consider non-hardened children here.

Private parent key → private child key

CKDpriv((kpar, cpar), i) → (ki, ci) computes a child extended private key from the parent extended private key:

• I = HMAC-SHA512(cpar, serP(point(kpar)) || ser32(i))
• IL = I[0:32]