Navigating the Different CoinJoin Implementations

This opinion editorial is by Thibaud Mar’chal, a contributor of Wasabi Wallet, a privacy-focused Bitcoin wallet. Divide and conquer is a battle-tested military strategy that causes a group to fight against each other rather than joining forces against an enemy. Samourai and Wasabi, two popular Bitcoin wallets that use different CoinJoin implementations, have been fighting for years. JoinMarket, a third CoinJoin implementation has been involved in lively debates with privacy developers. With all the drama surrounding bitcoin privacy, it has been difficult to learn about CoinJoins. Who can you trust? How can one check for themselves? It’s all very confusing. What does this mean for precoiners, casual Bitcoiners, and purists? FUD stands for confusion, fear, uncertainty, and doubt. With all the constant drama surrounding bitcoin privacy, it is embarrassing. Developers, educators, and regular users waste precious time trying to keep up the drama. It is clear that there is no consensus on how CoinJoins should work. What are the tradeoffs among different implementations? Are some implementations simply flawed? How can CoinJoins bridge the gap between early adopters and mainstream users, when there will be billions of people using bitcoin in the future? Let’s take a closer look at CoinJoins. We will ask fundamental questions and make assumptions to create mental models that can be used to evaluate different implementations. To ensure that CoinJoin transactions scale and Bitcoin is used by more people around the world, not all CoinJoins are equal Blockspace efficiency should also be considered. This is not something that is often considered a top priority. A CoinJoin design that ignores the blockspace scarcity issue is unnecessarily spamming and accumulating technical debt. This will make it difficult to pay back as CoinJoin users increase in number. One goal is to have a minimal footprint on block chain. A small number of transactions is ideal to achieve acceptable anonymity. What is acceptable anonymity? What does anonymity mean in the context bitcoin privacy? This is not the case on the Bitcoin network. It is a pseudonymous system that coins (UTXOs in technical terms, which stands for Unspent Transaction Output in technical terminology) are by default not fungible because they have unique transaction histories. CoinJoins provide anonymity to bitcoin networks by separating transaction inputs from outputs, primarily making the resulting UTXOs undistinguishable. Chain analysis companies also use heuristics to monitor the bitcoin network. These include common input ownership, self spending, round amounts, timing analysis, and self-spending. CoinJoins may not cover these heuristics. CoinJoins can help bitcoiners regain their privacy, but they are not the answer to all problems. CoinJoins can provide great privacy if one understands privacy as the decision to share information about yourself. However, it is important to choose the right implementation. What is my privacy goal with CoinJoins There are many ways to improve privacy in CoinJoins. The anonymity set (one way to measure the privacy provided by a CoinJoin) seems to be the best traditional method to assess how much privacy is being received from CoinJoins. There are many other ways to measure privacy that will be covered in future articles. It is assumed that a large CoinJoin transaction can achieve high anonymity, or that multiple smaller CoinJoin transactions can achieve it. Both of these parameters are important, but which one is more important? Blockspace efficiency is based on the assumption that one transaction with many participants will achieve greater anonymity than several smaller transactions with few participants. Is it better to have one large CoinJoin than multiple smaller ones? How can this be verified honestly and thoroughly? What is the right size for a CoinJoin to be considered small? What is the best way to measure how much privacy you get from a CoinJoin. What blockspace efficiency is best when it comes to the number of CoinJoins you can participate in to reclaim privacy? Is it realistic to expect coins participating in multiple CoinJoins as more people use CoinJoins? How many CoinJoin rounds are enough? Plausibility can be described as a measure or probability. How likely is it that your bitcoins have been spent or moved to another address that you still control? How likely is it for one input to be linked to another? As a hodler, you will get more plausible deniability the lower the probabilities that many options are linked to one another. Plausible denial is difficult to maintain because errors are easy. Change outputs can be problematic for bitcoiners who are concerned about privacy and are often the subject of heated discussions and criticism. Why is change output so controversial in CoinJoins Change OutputIt’s all deterministic links. Bitcoin transactions would have a spectrum of privacy. One end would be a transaction that can be proved to be true, meaning that there is no way to know the connection between inputs or outputs. This is also known as randomness or “entropy” in a CoinJoin. The assumption is that the higher the entropy and the more random it is, the better. A transaction that has 100% deterministic links between its input and output would be on the other end. A transaction with high entropy does not necessarily provide privacy. A transaction that has three inputs and three outputs of equal amounts technically has 100 entropy. This means that there is no way to distinguish any output from the other. However, there is a 33.33% chance each input is linked with a particular output. High entropy doesn’t necessarily mean high plausible deniability. Change almost always has a very strong deterministic link with its previous transaction. This means that it is unlikely that a change output is tied to the transaction that spent it. This can pose a privacy problem if a change output is co-spent following CoinJoins. However, exceptions may be made in certain cases. This is commonly known as UTXO consolidation. It can be very dangerous to your privacy if you do it naively. If spent together, change outputs can de-anonymize outputs which have gained some plausible deniability through CoinJoins. Bitcoiners make mistakes all the time, and sometimes they realize too late. This can lead to years of hard work in privacy enhancements. How can you get rid of the change output problem? There are three options for dealing with change outputs in CoinJoin: either isolate the change to another wallet, or include the change output in CoinJoining. Or you can simply eliminate the change output entirely. This last option seems to be the best in terms of privacy, blockspace efficiency, and privacy. However, further research is needed to confirm or reject this assumption. A CoinJoin that has a high entropy score is considered to be good for privacy. However, it is important to determine if change outputs are necessary. Coin denominations must be variable in a CoinJoin to get rid of change outputs. The inputs in a CoinJoin must have a variable size, such as 0.1 BTC. Otherwise, it is impossible to consume inputs without creating new change outputs. Most UTXOs are not round numbers (i.e. 0.19572394 BTC, where 0.09572394 BTC is the change in a CoinJoin fixed coin denomination of 0.1 BTC. Remember that change outputs can be dangerous to your privacy. Multiple inputs and outputs in a CoinJoin seem to be a bad idea. It brings us closer to deterministic connections between inputs. Yes and no. It depends. Different denominations are not a good idea if a CoinJoin has a low number of participants (meaning that there are few inputs and few outputs). What if there are many inputs and outputs in a CoinJoin? Multiple denominations can provide a high level in plausible deniability to each output in a large CoinJoin without creating change outputs or requiring additional transactions. This is a highly efficient way to use blockspace. At this point, it seems like there are many boxes that could be checked. Is it better to have fixed coin denominations in a CoinJoin or variable? Are variable coin denominations the best option to eliminate change output from CoinJoins CoinJoin rounds interconnectivity shouldn’t be tolerated in any circumstance, regardless of coin denominations or whether the CoinJoin is large or small. There is another important point to remember. Interconnectivity of Coinjoin Rounds It is claimed that in all cases, it is not a good idea to register inputs from previous CoinJoins into new CoinJoins. Mixing in CoinJoins with participants from past CoinJoins that are mutually beneficial does not seem to be a benefit. It is often criticized as being invasive of privacy. What happens if a CoinJoin grows in size and some inputs are registered from multiple CoinJoins, each one being downstream from multiple CoinJoins. Participants remixing together can improve their privacy even though they come from the same past CoinJoin. Participants are not required to remix more than once if each CoinJoin is sufficiently large. However, they can do so if they wish to increase their anonymity sets. The anonymity set that results from large, intertwined CoinJoins should allow for plenty of plausible deniability despite the fact that funds have been derived from past CoinJoins. CoinJoin rounds interconnectivity is a bad thing? If there are many CoinJoins that share past CoinJoins, the anonymity set should be sufficient to allow for a lot of plausible deniability. It seems like a great idea on the surface. Some CoinJoin implementations permit this, while others require it. Some won’t even allow you to use your full node. Is this something to be utterly condemned? Is that something you must condemn? If you have a small number of CoinJoin participants, running your own node can give you a false sense security and privacy. This can be very harmful. If Tor is used to anonymize CoinJoin transactions (and we’ll leave that as it is), then using a trusted full Node to broadcast the CoinJoin transaction may be acceptable as the default. There are many nuances to consider. Don’t trust, verify. To avoid falling into the privacy virtue signaling trap, there are some important questions you should ask. Is it possible to run full nodes with CoinJoin? If so, do they require them by default? What privacy shields are in place if personal full nodes aren’t mandatory? i.e. Tor, block filters, etc… How does this affect my privacy? Can the coordinator de-anonymize my identity? Privacy concerns are important. It is important to know what you are trying to protect and against whom. A full node can be used with your own wallet. This allows you to verify your balance and broadcast transactions to bitcoin without having to trust anyone. CoinJoins is run by a coordinator. How is the coordinator chosen? Continue reading. The CoordinatorThe CoinJoin coordinator must ensure that all participants register their inputs and outputs and have them sign the collaborative transaction before it is broadcast. Most CoinJoin implementations default to a central coordinator. This is a single point for failure. This has been a common tradeoff in most bitcoin communities. Can a central CoinJoin coordinator fail to function? Absolutely. You can also be a coordinator for any CoinJoin using other implementations. However, there are some tradeoffs that may be required. Coinjoins are non-custodial so no funds can be lost if a coordinator fails. The coordinator should not know more than what is publicly available on the bitcoin network. Why? A CoinJoin coordinator can know more than what is publicly available. This can make it a honeypot with highly sensitive information that can be used against those who trust the service. A CoinJoin coordinator should not be trusted. A CoinJoin coordinator should not be considered evil. If it is possible to be evil, it will eventually be, due to errors, omissions or coercion. XPUBs is an example of sensitive user data. This allows for the leakage of all information about a wallet, including addresses and past, present, and future bitcoin transactions. Another example is the ratio of users running their full nodes and users trusting their coordinator’s node to broadcast CoinJoins. This could de-anonymize users who run their own nodes and deterministically know the connections between their inputs & outputs. This is another complex topic that will require further investigation and discussion. Is the coordinator aware of more than what is publically available on the bitcoin network. Does the coordinator have access to more information than what is publicly available on the bitcoin network? (i.e. (i.e. These bitcoin transactions can be costly and the fees structures can sometimes be confusing for bitcoiners. It is difficult to determine how much privacy you will get or what the cost of privacy is. Some CoinJoin implementations allow one input to purchase its privacy from other inputs, who only participate for free to increase the anonymity set. CoinJoin can get you paid. Yes, with patience. Some models rely upon shared fees, where some UTXOs pay fees and others don’t. Others rely on inviting a growing number of clear inputs (not yet mixed) to finance the existing CoinJoins for remixing inputs with low anonymity levels. Some models are not sustainable over the long-term, while others are too expensive or naive for most users. What fees are we referring to? Inputs that participate in CoinJoins usually pay a taker fee (the service fee to gain anonymity) as well as a coordinator fee. These fees are waived for certain CoinJoin models. The economics of CoinJoins are a complex topic that requires further research to gain a deeper understanding. CoinJoins: Who pays what? What are the fees? What are the incentives for the CoinJoin coordinators? What are the incentives of the CoinJoin coordinator? Are all CoinJoin rounds free or paid for? Anyone who is looking to use CoinJoins to protect their privacy can benefit from a mental model or framework. It takes intellectual honesty and a rigorous evaluation system to sort through the noise of social media. This guest post is by Thibaud Mar’chal. These opinions are not necessarily those of BTC Inc.


Add a Comment

Your email address will not be published. Required fields are marked *