Both Alice's and Bob's payment codes are known since they are public and in addition the time frame of the notification transaction is also known. Couldn't such an agency then look for all transactions in that specific time frame that might be a notification transaction and try them until finding one that matches? Does such an attack gain information for Eve, or are there reasons this isn't possible or useful?
If an attacker already expects Alice and Bob to transact, then seeing a notification transaction doesn't tell them much. The attacker won't be able to connect the notification transaction with the actual payments.
See:
https://www.reddit.com/r/Bitcoin/comments/34prd6/i_made_a_3d_printed_stainless_steel_bitcoin/cqy16lr
If an attacker knows that certain UTXOs are associated with a particular individual (Bob), and if the attacker then sees those outputs used as inputs to a transaction which creates an output at a known notification address (Alice's), then the attacker can assume a probability that Bob will send some bitcoins to Alice at some point in the future.
Bob might have sent a decoy notification to Alice, so the attacker can never be sure. All the attacker knows is that Bob will send Alice somewhere between 0 and 2^32 payments between the time of the notification transaction and forever.
The attacker might assume that any payments appearing in the mempool immediately following the notification transaction are a payment between Bob and Alice, but that's a problem that tends to solve itself as the transaction rate increases and can be addressed by intelligent clients which make sure to put a random amount of temporal separation between the notification transaction and the first payment.
OK, thanks, that helps. So this is saying that the only knowledge gained is that Bob and Alice set up a payment connection, but even with that an attacker couldn't identify what payments happened in the future (or even if any payments happened at all for that matter). So if Bob inadvertently used the notification payments incorrectly, the only information lost is that a payment channel was established between Alice and Bob. Is that right?
If an attacker already expects Alice and Bob to transact, then seeing a notification transaction doesn't tell them much.
I'm not 100% sure on this.
Let's say for example I am a Snowden sympathizer and the government has outlawed payments to Snowden and the government also suspects that I might want to illegally give Snowden payments. In such an environment identifying the creation of a payment channel to Snowden might be enough for the government to determine guilt, regardless of whether or not they identified the actual payments. So if they knew my payment code and Snowden's payment code, could scanning the blockchain history result in identifying the payment channel (not the actual payments)?
I understand this situation is a bit of a reach, just trying to understand it though.