> Will the big nodes execute it? How do we know they're executing it? Are we turning privacy into a matter of faith?
I think this gets really interesting if/when routing nodes start publishing privacy policies, e.g. "we do not log payments." Then you can start to build routes that *do* have some cryptographic guarantees. E.g. "if I route my payment through N nodes with zero-log policies, then even if only 1 is honest, an attacker who subpoenas records from every node on my route *still* won't find full records of my payment."
Many cryptographic protocols rely on assumptions like that one. Tor works like this and Dandelion++ works like this, for example. Lightning has always had privacy assumptions that work best when routing nodes don't collude together, but these assumptions are undermined if attackers can easily access node logs and thus effectively *force* them to collude after the fact. If every node has the ability to easily delete logs, that makes Lightning's privacy assumptions stronger, because it makes it more likely that an attacker who tries to acquire those logs won't be able to get them.