You wouldn't give your mom a UTXO
Niftynei provides an overview on bitcoin++ privacy edition in Riga...
bitcoin++ privacy edition in Riga wrapped up a little over two weeks ago. Eltordev and I are hanging out, filming an interview for Insider Edition. We had just wrapped up a 45m chat about the state of Tor, VPNs, and how he's working on building incentives into the lightning network when he drops a simple, yet memorable, phrase.
You wouldn't give your mom a UTXO.
Eltordev is a lightning payments maxi. He confessed to me that "bitcoin is boring without lightning". There's nothing to do or build at the UTXO protocol level. Not to mention that it's broken for privacy. To Eltordev, Lightning fixes the privacy issues that are abundant onchain.
But does it? @tnull_, aka Elias Rohrer, a longtime contributor to the Lightning Development Kit and Spiral employee[1], was gracious enough to attend the privacy summit and talk about the state of privacy in lightning. His research has focused on figuring out the contours of what's visible in Lightning, from a privacy perspective. His talk at bitcoin++ highlighted the takeaways and challenges remaining. There are a number of issues with lightning privacy, particularly at the wire packet observation level, which can make it easy to trace the movement of funds across the network, along with further problems at the data exposure level. The tldr is that lightning needs to update the spec to add padding to messages, making it harder to pattern match traffic over the wire to message exchanges, and to add more randomization to the timing of sending payments, to frustrate timing attacks.
Claudia Diaz of Nym Technologies, a leading mixnet implementation headed up by longtime cryptographer Harry Halpin, had an excellent talk on networks and privacy. In it, she shows that while centralization risk is certainly a problem for on-path deanonymization, making lightning more decentralized doesn't actually improve privacy that greatly, as the liquidity layout as well as network topology makes the set of nodes that might have sent a payment smaller than you'd think.
Lightning is semi-private from an outside observer, but on-path observers of payments can guess more about the origin and destination of any payment than we may be comfortable with. Is it more private than onchain? Certainly. Do we have some work left to do? Also yes.
Speaking of anonymity sets, we were lucky to have Kruw, the operator of the largest Wasabi coordinator, on prem to talk about challenges with effectively coordinating large numbers of transactors in coinjoin rounds. The more people in a round, the better your anonymity (in theory), but the more people in a round the more likely that a participant will fail to sign in time and prevent the transaction from being created successfully. Balancing the number of participants with privacy is a challenge.
Not just for coinjoins. eltordev's project, El Tor, is an open source project funded by the OpenSats foundation which aims to marry Lightning as a payments protocol with bootstrapping more Tor nodes. Lightning BOLT12 offers get added to node directory advertisements; a lightning payment to the offer on file grants you up to 10m of access to the circuits that run through that Tor route. Run a Tor node and a lightning node? You could get paid to provide bandwidth to the onion network. Except there's one problem with the current El Tor implementation. eltordev had to update the Tor onion to include proofs of payment. This change makes El Tor onions incompatible with the existing network, which means that you'd need to bootstrap another set of nodes running El Tor to be able to receive payment for routing private packets. Despite the bootstrapping challenges, I'm still bullish on the project. If every Start9 and Umbrel node ran an El Tor node, that'd be a considerable number of nodes compared to the existing Tor network. It'd be very exciting to see bitcoiners birth a new paid privacy network.
El Tor wasn't the only payments for bandwidth scheme present at the conference. bitcoin++ privacy edition was also the debut of the TollGate project, an effort by Sovereign Engineering cohort participants to build a protocol for Payment for WiFi. The software adds a captive portal to any wifi router. Much like a hotel often makes it such that you have to enter your room number and last name, TollGate sees you pay a few sats for a few minutes of internet access. The payment is done using ecash tokens. Starlink makes wandering around with internet in your car much easier; the team had driven up from Berlin and were selling internet access at the bar afterhangs. I spent a few sats for 10m of WiFi coverage. Getting my wallet to where I could successfully send ecash from my wallet to their mint took about as long as the internet coverage that I purchased. But other than the bystanders who gathered to watch me move sats through three different ecash wallets to effectively make the payment, no one else knew about my payment for internet. (I had the pleasure to talk more in-depth with TollGate developer Arjen in Oslo this past May; check out our interview here).
One of the passersby who stopped to take note of the challenges I ran into while paying for the Internet TollGate was Erik Cativo. I met Erik last October at the bitcoin++ ecash edition that we did in Berlin. He was excited to get started on working on building intuitive user interfaces for ecash last October; now, 10mo later he's one of the most well respected designers in the space. He took notes as I walked through trying to get the Chorus wallet to add a new mint, swap sats between mints, fail and then download and try out Macadamia. At the conference, Erik gave us an update on what's happening in the Cashu ecosystem, and why design is so important for solving user pain points when transacting with e-cash.
E-cash is an off-chain protocol that trades off custody and peer-to-peer transacting for privacy. You wouldn't give your mom a UTXO but you would, maybe, give her a fat stack of ecash tokens. Ecash is a bearer asset, basically a small text document that contains a special signature that you can send to someone else. It's centralized though, which means you have to get help from a mint to forward the payment to the next party [2]. We had quite a few Cashu and Fedimint devs at the privacy-focused event. Calle, the inventor of Cashu, and Eric Sirion, the leading contributor to the Fedimint protocol, both gave talks on Friday. Calle spoke about the importance of privacy for preserving freedom from tyranny. Calle’s been deeply involved in the Bitchat application development, a project that allows anyone to anonymously chat with others via Bluetooth[3]. We also had an amazing talk from Cashu developer lollerfirst, who covered his work to bring Keyed-Verification Anonymous Credentials (KVACs for short) to Cashu. This will allow the protocol to move away from fixed-size denominated notes to more of a UTXO model of variable sized notes. It uses more advanced cryptography techniques like range proofs to achieve anonymous notes with variable sizes.
Like ecash, private messaging was a big topic of conversation at the event. The White Noise team was there in force, with Jeff Gardner, the project's founder, giving a great, in-depth talk about how MLS works. Building private group messaging services is difficult. Luckily, nostr provides a good backbone for coordination and message delivery. MLS, or the inventively named 'Messaging Layer Security', is an Internet Engineering Task Force standard for building group chats that are encrypted. Jeff has done the Lord's work bridging the MLS standard to the nostr network, and deploying it to an end user app: White Noise. I'm looking forward to the day that bitcoin++ can move our conference comms over to it. Increasingly, we're seeing nostr be built into decentralized messaging platforms by bitcoiners and privacy advocates. There's a good chance that the work Jeff and the rest of the White Noise team are doing will monumentally change our ability to communicate privately at scale over the next decade, and we were very lucky to have him and his team in Riga with us earlier this month.
SuperTestnet also joined us in Riga. He's been raising eyebrows recently on x.com, baiting Monero maxis to admit that Lightning privacy is pretty damn good. His presentation at the conference focused on his current project to make coinjoins happen with Hedgehog, an improvement on the lightning protocol for making peer to peer payment channels.
Other notable presentations included a great workshop on how ASMap works by Julian Urraca, a brilliant nix-advocate and developer; a deep dive into how UTXOracle, a blockdata price oracle, works by inventor Simple Steve; an overview on the state of privacy in Bitcoin from Max Hillebrand, a White Noise collaborator and long time cypherpunk; an in-depth report on current CoinJoin implementation privacy guarantees by Peter Todd; an introduction to how Cashu can fit in your bitcoin payments workflows by CDK developer thesimplekid; an intermediate level introduction to Miniscript by Ady Shimony, a Chaincode BOSS graduate; UX challenges with Payjoins from Yashraj of the Bitcoin Design Community; an announcement from spacebear of Payjoin Dev Kit about the new PDK Foundation along with an update on the Payjoin protocol’s development; a fictional(?) report on how disrupting Bitcoin adoption and development is going from Urban Hernandez of the Escape the Technocracy privacy consultancy; a look at Cross Input Signature Aggregation from Fabian Jahr, a Bitcoin Core developer at Brink; along with talks from Bitcredit, Fedimint, Ritrek, Vexl, and Djuri Baars of the BTClock project.
Privacy onchain with Bitcoin, ironically, remains as elusive as ever. While coinjoin implementations continue to exist and operate, and with new solutions such as Payjoin joining the fray, it seems that off-chain protocols such as Lightning and e-cash are increasingly the frontier of improving privacy for transacting with bitcoin. While not without their own drawbacks, one huge improvement is that there is no permanent onchain record of transactions that might later be deanonymized or traced.
As we roll into our next bitcoin++ event in Istanbul this week, focusing on scaling Bitcoin through Zero Knowledge proof systems, I'll be paying attention to how ZK applications and primitives might contribute back to privacy for transactoors, both onchain and off.
You can catch the livestream of our upcoming Istanbul event on our Youtube, or our X account.
Here's to staying anon, Insiders.
~nifty
[1] They say that Jack Dorsey pays for bitcoin development; both eltordev (an OpenSats grantee) and Elias (employed at Spiral) are good examples of how important Jack's wallet has been for engineers committed to working on Bitcoin.
[2] @janusz has a great writeup on off chain ecash and bitchat on Insider Edition.
[3] Though recent updates also include the ability to join global chats via nostr relays.