And, importantly, at least in the initial version:
Receiving Lightning payments will be disabled
Each channel will be opened on its own separate node
To understand why receiving payments will be disabled at the outset, it’s important to understand some of the major pitfalls in Lightning as it exists currently:
All invoices contain the channel ID of the recipient
The channel ID leaks deterministic information about the node/owner
However, if you use the not-yet-widely-supported “Short Channel ID ” instead, these have no link to the chainstate, node owner or original UTXOs used to fund the channel.
The pLN app itself is being written using Flutter , which means desktop and mobile (both for Android and iOS) versions will be made available.
Under The Hood
Under the hood, the app uses a “root node” and a number of “channel nodes,” one for each channel. The app borrows heavily from John Cantrell ‘s Sensei project, which is based on LDK .
The root node takes care of the heavy lifting: listening to gossip messages, building the network graph, computing routes and so on. The individual channel nodes only track their own channel state and nothing else.
The Bitcoin backend can be either a connection to bitcoind or a personal Electrum server. For mobile, Electrum would likely be the best choice as it is designed for secure remote connections.
What If I Want To Pay My Friend Who’s Also Using pLN?
Given that direct payments to channel partners betray information about your node and make it clear that payments came from you, you should be cautious about making them, doing so sparingly at best.
The concept of plausible deniability comes into play with a greater number of hops between you and the final recipient. The more hops you make along the way, the greater your anonymity set.
The app would eventually allow you to override the built-in protections and make a payment to a peer, but only after loud-and-clear warnings about what this entails and what information you may be leaking, if you choose to proceed.
For example, you could choose to make a direct payment to your friend who’s also running pLN if you wish. (Imagine you don’t care or it doesn’t matter if they know what channels you have open, since you’re paying them in person and you trust them.)
But the app would encourage you to try to make a payment with multiple hops if at all possible. (Defaults would be likely to opt for more than a couple hops at least, I assume.)
It would also warn you if you try to open a channel with a major public hub (like in ACINQ’s or Breez’s nodes). Ideally, you should open channels with unknown/smaller nodes whenever possible.
What About Large Payments?
Large payments can be made to appear to be partially-completed atomic multipath payments (AMP) payments (AMPs that are halfway done), with liquidity flowing out from a number of your individual channel nodes, as needed. The sats all converge on the final destination in the end. Pretty cool!
Future Ideas For The App (TBD)
Enable blinded paths once this is available in LDK
Continual CoinJoin with on-chain UTXOs in the wallet on the root node
Continual splice out/splice in and CoinJoin with sats in channels
Timeout UX options: If your payment is taking too long to route, the app may prompt you if you wish to try another route with fewer hops
Closing Thoughts
Privacy is a spectrum
We have to balance usability and user experience against anonymity sets (anonsets) and privacy while trying to help prevent users shooting themselves in the foot
I think this is an exciting new wallet and project that should help both with educating users about privacy and allowing them to use Lightning in a straightforward manner.
This is a guest post by Adam Anderson. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.