I often find myself in discussion with either hardcore Monero fans or hardcore Bitcoin Lightning fans. As a fan of both technologies, I see that people locked in an echo chamber often get things wrong. A prominent bitcoiner, whom I otherwise like, bullshitting about Monero on a mainstream podcast made me feel “shared embarrassment”. I wanted to stop it, because it was clear he had no idea how Monero works. But then you talk to Monero people and they have a brutal misconception about Lightning privacy, often confusing channels and transactions.
This blog is specifically about privacy, not about other topics (money supply – emission, ASIC friendliness, mining, censorship, …) and focuses on Lightning, not Bitcoin on-chain, although I will touch on on-chain too. In fact, let’s start with Bitcoin on-chain.
Bitcoin on-chain
Bitcoin on-chain is notoriously privacy unfriendly. All transactions are public: inputs, outputs and amounts. There are techniques to help privacy, such as coinjoins and payjoins, but they often need surgical precision and someone who knows what they are doing.
Imagine you want to pay an invoice of 20M sats to a supplier. It will most probably not go through Lightning, and definitely not when using consumer-grade mobile wallets (I did a comprehensive test of Lightning wallets and you can currently expect payments of up to 1.5M sats to go through). You can run your own node, but most businesses do not want the risk of running a node with a lot of money, securing private keys, etc. Security solutions for Lightning are not there yet, there are no hardware wallets, …
So what are my options for on-chain? If I am a supplier and I just receive a Bitcoin transfer, my customers see what I do with the coins. If more customers pay me, they can see other payments I receive (because I spend more than one output in some transactions). That means at least my customers have quite deep insight into my business operations.
If as a supplier I want to avoid this, I can swap all the UTXOs separately into lightning. But again, surgical precision and understanding what is going on. Forget that a farmer or wholesale machinery supplier will be able to do this.
Also, what if I get “tainted coins” and I need to use them with another third party that uses chain surveillance companies?
Of course, both sides can do coinjoins, but these are problematic. Coinjoined coins cannot be safely used on centralized exchanges (which one or the other side of the transaction will likely use). Also, if being audited, it is quite hard to explain why you coinjoined your coins (in “state speak” called “money laundering”). You might try an argument about business privacy in theory, but I don’t know about you, I would not like to explain to some regulator that I was willingly “money laundering” (their preferred terminology, not mine) because I did not want my customers to cluster my transactions.
Monero
Let’s look at Monero first, because it solves this particular case. It is not a magic bullet for privacy though, as we will see.
Monero has “automatic coinjoins” using ring signatures. It is technically not a coinjoin, but it has similar properties. You do not know if a transaction spends a particular output out of the ring, but you can see it spends one of the outputs. So Monero is a game of probabilities (that’s why it is similar to coinjoins). This can be attacked using Sybil attacks. Monero has low fees (thanks to dynamic block size), so it is plausible for an attacker to do a lot of cheap transactions, mark which outputs are theirs and then reduce the anonymity set of each transaction. If an attacker looks at a transaction, they can exclude every ring member to which only they hold the private keys, greatly reducing privacy. We do not know if an attacker is already doing this.
There will be some older outputs in the ring, but they are usually less used, so with some heuristics it is plausible to narrow down the real input used. Monero is expanding the ring size, and there are two other protections to make this difficult.
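To make the Sybil effect above concrete, here is a small model (added for this post, not Monero’s own code or decoy-selection algorithm) that computes how many ring members survive once an attacker removes the outputs they created themselves. It assumes decoys are picked uniformly from the output pool, and ring sizes 11 and 16 are used only for the comparison.

```python
# Added example (not from the original post): a toy model of how decoys an
# attacker created shrink the effective anonymity set of a ring-signature
# input. ASSUMPTION of this example: decoys are picked uniformly from the
# output pool; Monero's real decoy-selection algorithm is age-weighted.
import random
from typing import List, Set


def effective_ring_size(ring: List[str], attacker_owned: Set[str]) -> int:
    """Ring members the attacker cannot rule out: those it does not own."""
    return sum(1 for member in ring if member not in attacker_owned)


def expected_effective_ring_size(ring_size: int, attacker_fraction: float) -> float:
    """Closed form for the uniform model: the real spend always survives,
    each of the ring_size - 1 decoys survives only if it is not attacker-owned."""
    return 1 + (ring_size - 1) * (1 - attacker_fraction)


def simulate(ring_size: int, pool_size: int, attacker_fraction: float,
             trials: int = 1000, seed: int = 1) -> float:
    """Average effective ring size over many honest spends (constructed data)."""
    rng = random.Random(seed)
    pool = [f"out{i}" for i in range(pool_size)]
    attacker_owned = set(rng.sample(pool, int(pool_size * attacker_fraction)))
    honest = [o for o in pool if o not in attacker_owned]
    total = 0
    for _ in range(trials):
        real = rng.choice(honest)                 # an honest user's own output
        candidates = [o for o in pool if o != real]
        decoys = rng.sample(candidates, ring_size - 1)
        total += effective_ring_size([real] + decoys, attacker_owned)
    return total / trials


if __name__ == "__main__":
    # Illustrative ring sizes 11 and 16 (assumed for the comparison) against
    # an attacker who has flooded the chain with cheap outputs.
    for ring_size in (11, 16):
        for fraction in (0.0, 0.25, 0.5):
            print(f"ring {ring_size:2d}, attacker owns {fraction:.0%} of outputs: "
                  f"expected {expected_effective_ring_size(ring_size, fraction):.2f}, "
                  f"simulated {simulate(ring_size, 2000, fraction):.2f}")
```

The closed form shows why a larger ring helps only linearly: an attacker owning half the recent outputs still cuts a ring of 16 down to about 8 plausible spenders.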
First is stealth addresses. It is not enough for someone to have someone’s address, because destination addresses are not seen on the blockchain at all. Two transactions that send to the same address are not easily seen. But… and this is a strong but – when people spend their coins, they will often include two inputs, each with its own ring. If there was already a suspicion that two earlier transactions belong to the same user, finding their outputs in the rings of two inputs of the same later transaction greatly improves the plausibility of that assumption.
A very practical result of this is when I realized what I was doing with orders on my e-shop. I use the amazing btcpayserver to accept payments. It generates a different address for each order, in order to know which customer paid and which has not. This is a common practice with all cryptocurrencies. The problem is that for this to work I need a specially configured wallet with an increased address lookahead, so I was consolidating transactions to a normal wallet from time to time.
If an attacker wanted to see how many orders I am getting, they can do this. Create an order on the store. Either pay the order fully or just send some small amount of XMR there. Do it one or two more times. Then watch for a transaction that has all the outputs you created (which you know) in the rings of its inputs. That is the consolidating transaction.
So I send $1 three times to the merchant, then I look for the transaction that has all of them in the rings of its inputs (this happening by accident would be a huge coincidence). Then I count the other inputs. That is the lower bound of the number of orders the shop got between your first transaction (approximately; if you do this consistently, you can make it more precise) and the time of the consolidating transaction.
You do not get the amounts (this is because Monero uses confidential transactions), but this shatters the narrative of “you cannot see anything on the Monero blockchain”. The truth is, you can see many things and many attacks are not theoretical, but work in practice.
Blockchain and forward secrecy
Monero is based on a blockchain (unlike Lightning, where a state channel is backed by the Bitcoin blockchain but Lightning transactions are never recorded on a blockchain), which means it creates a permanent record of the transaction.
A practical consequence of this fact is that there is no forward secrecy. A good metaphor would be an encrypted zip file that is uploaded publicly to the cloud as a torrent that is constantly seeded. Once the encryption key to the zip file leaks, or the encryption scheme is broken, everyone is able to decrypt this message.
A feature called “perfect forward secrecy” in encrypted communication ensures that you either break into the communication while it is happening, or you won’t be able to do it in the future. For example, a PGP-encrypted e-mail does not have this feature (a leaked private key means the possibility of decrypting all e-mail encrypted to that key), while Signal or the most recent version of Threema has this property – a leaked key could allow an active attacker to break future communication (although still very unlikely), but there is no way to break older communication.
While Monero is not a communication technology, one thing to note is that if keys leak, you can look back. For example a leaked private view key means that an attacker will be able to deanonymize all transactions that were sent to that address.
Monero transactions, similarly to Bitcoin on-chain, are here forever. If you can secure the keys and there are no fundamental attacks on the cryptography, you might be fine.
The positives of Monero compared to Lightning
Monero is a blockchain and it has some good properties. First, there are hardware wallets that enable you to protect your keys. That makes leaks and hacks much less likely. You can protect your Monero wallet by generating it within a Trezor T or a Ledger device.
Unfortunately, with Lightning, in order to receive a payment (not only send), your Lightning node (including non-custodial Lightning wallets) has to be online and it has to have private keys available for (usually automatic) signing of incoming transactions. Any hack over the network can mean lost funds.
Another advantage is that it allows larger amounts to be sent easily. As I said before, most consumer wallets work well up to 1.5M sats. For larger amounts, you are better off going on-chain.
Because Monero uses confidential transactions, it is quite hard to separate interesting payments based on amounts. You cannot ignore small payments; a payment sending $2 and one sending $2M look exactly the same. This also makes the mixing more efficient and less prone to errors. Bitcoin-based coinjoin solutions (Wasabi, Samourai) have to normalize outputs to equal size and you have to deal with change. With Monero transactions, a $2 input and a $2M input mix perfectly and you cannot tell them apart.
Bitcoin lightning
Lightning is a channel-based payment network. It has a backing in a form of pre-signed Bitcoin transactions, but this backing is for channels, not transactions. Transactions never appear on-chain. A single payment can (and usually does) use multiple channels, even multiple paths. The nodes in the middle do not know what kind of payment exactly goes through.
There were a few privacy attacks on Lightning, mostly concerning channel state, but again, channel state does not represent transactions. A reasonably good metaphor is an attacker being able to say you have a 1Gbps internet connection, maybe even probing the type of connection (using latency) or its usage (a bit more tricky, but doable). But that does not mean they can tell that you are downloading porn or watching Netflix. An attacker with a complete wide view of the network (owning most nodes) could see a traffic pattern going from your computer towards Netflix, but here’s where it gets tricky with Lightning – a network attacker can see a stream of data that usually uses the same route. With Lightning, one payment is usually split and it uses many routes at the same time. Some can even be used just to rebalance channels, meaning you could see that a channel balance changes by 1M sats even though you are only paying 100k sats – or even nothing; you could create a loop that pays yourself.
A channel uses a UTXO that is chosen by the side that opens the channel. This UTXO is used only between these two nodes. Consider a payment going from A to X, using a path (A->B represents a channel between A and B) A->B->C->D->X. A->B can be (but does not have to be) represented by a Bitcoin UTXO. B->C is represented by another UTXO. But X shares no UTXO with A->B, and they do not care about the source of those coins.
For a more detailed and visual explanation on how this works, check out this video:
It is a part of my course Lightning network for private bitcoin payments among friends and for products and services. You can also read the description in my book Cryptocurrencies – Hack your way to a better life.
The point? There is no information stored about transactions publicly. That means either the attacker learns about a money flow when it happens, or they will never learn about it. That is a similar concept to “perfect forward secrecy”.
Lightning has great transaction privacy.
But what about onchain?
Lightning solves many problems of privacy. There is no problem of tainted coins, because if you need on-chain coins, you get them by either using a reputable swap service (that won’t give you tainted coins), or you can close a channel. By closing a channel, you get a part of a UTXO that was used to open the channel, which is unrelated to people that were sending you money.
Also note that there might not be a UTXO yet. By use of trampolines, you can receive money even if you do not have a channel open yet. For example, if you install a second-generation non-custodial Lightning wallet, you do not have any channel open yet (there is no UTXO on chain!). It will be created only when you receive your first payment, and it will be created by the wallet operator (liquidity provider), not by the sender.
There are some cases where there is no UTXO backing the channel (hosted / unbacked channels), or the backing might be on a completely different blockchain! A great way to think about this is that blockchain backing is a dispute resolution mechanism, not a transaction mechanism. This dispute resolution happens between two peers that have opened a channel and has nothing to do with transactions. As a routed payment network, it is like taking your internet provider to court when they try to cheat and not provide you with a good service. It does not matter what you want to transact with.
Good operation of a Lightning node means opening channels and closing them only in the rare cases when the other node stops communicating (for example they were shut down), or when they try to cheat (this is extremely rare, because they will lose all the money in the channel if they attempt to cheat – even the part that would have belonged to them). So most channels can stay open “forever”. If you need to go on-chain, it is better to use a (trustless) swap service rather than mess with the channels. That further obscures the UTXO relationships and is often cheaper and faster than closing channels (especially if it is a non-cooperative – forced – close).
When to use Monero/Lightning?
I prefer using Monero for larger B2B transactions. Both sides of the transaction preserve their privacy; if you need to disclose transaction information to a regulator, you can, without significantly affecting the privacy of your counterparties. So you can be both legal and private.
Monero is also good when the recipient is expected to be offline. A good example is Gratuitas Coffee. It is a merchant that sells coffee with Monero QR codes on the packaging. If you like the coffee, you can tip the farmer (who might be asleep or offline, and is definitely not running a dedicated node). The transaction is peer to peer – you are sending money directly to the farmer and no one else can see how much they receive (thanks to stealth addresses and confidential transactions).
I often hear Bitcoiners saying that Monero is a “shitcoin”. Last year its price performance was better than Bitcoin’s, though of course the selected timeframe matters. For other use-cases (like B2B transactions), the price does not matter at all. One side buys, the other side sells for whatever they want. A transaction currency does not have to be hard money at all. Heck, many people use USDT for B2B, which is usually horrible for privacy and quite unethical (USDT being backed by government bonds).
Lightning is good for B2C transactions, but sending $10k over Lightning is either not feasible or requires a custom setup with channels and good server security. On the other hand, Bitcoin has a much larger network effect – both as a payment network and as an accounting unit. In my experience, there are 5x-10x more payments with Lightning than with Monero if you let people choose and the amount is not too high.
Lightning is being used on many services, and is even adopted by El Salvador, although I am strictly against forcing people to use Bitcoin or any other cryptocurrency.
My answer to most Monero and Lightning haters is – both are private enough and I am glad both options exist.
If you are interested in how to use Bitcoin Lightning and Monero to get more privacy and some more quirks in your life, check my two books: