Navigating The Different CoinJoin Implementations

1 year ago

This is an opinion editorial by Thibaud Maréchal, a contributor to privacy-focused Bitcoin wallet project Wasabi Wallet.

“Divide and conquer” is a battle-tested military strategy to fracture a group of people by making them disagree and fight each other instead of joining together against a common enemy. Wasabi and Samourai, two popular bitcoin wallets with different CoinJoin implementations, have been warring for many years. JoinMarket, a third CoinJoin implementation, has also been involved in colorful debates with other privacy developers.

Learning about bitcoin privacy and CoinJoins has become quite difficult with ongoing drama. Who to trust? How can one verify for themselves? It’s all very unclear. What does it bring for precoiners, casual bitcoiners and purists alike? Confusion, fear, uncertainty and doubt (FUD). The state of bitcoin privacy is embarrassing with all this perpetual drama scaring away new users. Precious time is wasted by developers, educators and regular users who would most likely be better off doing anything but trying to keep up with the drama.

It is evident that no one agrees on “how to do CoinJoins right,” let alone how CoinJoins should be implemented to optimize user privacy and block space efficiency on the Bitcoin network. What are the tradeoffs between different implementations? Are some implementations outright flawed? How do CoinJoins “cross the chasm” from early adopters to mainstream users when billions of people will turn to bitcoin in the coming years?

Let’s now take a look at CoinJoins by asking key questions and raising some assumptions to build some kind of mental models, which will be useful in evaluating different implementations in future articles.

Not All CoinJoins Are Made Equal

Blockspace efficiency should be considered to make sure CoinJoin transactions scale as Bitcoin gets used by more people across the world. This is rarely discussed as a top priority. Any CoinJoin design that ignores blockspace scarcity is unnecessarily spamming the block chain while accumulating technical debt, which will be hard to pay back as more users CoinJoin in the future. Having a minimal footprint on the block chain is one goal that seems very reasonable to aim for: a small number of transactions to get to an acceptable level of anonymity sounds ideal.

  • What is an acceptable level of anonymity?
  • What does anonymity even mean in the context of bitcoin privacy?
  • How are particular CoinJoin designs dealing with blockspace scarcity?

Reclaim Your Privacy

Anonymity in bitcoin would mean that there are no outstanding or different features that would make a given transaction distinct from other transactions on the ledger. That, of course, is not by design on the Bitcoin network, which is a pseudonymous system where coins (UTXOs, which stands for Unspent Transaction Output in technical terms) are by default not fungible due to having unique transaction histories.

CoinJoins add a level of anonymity to the bitcoin network by breaking links between transaction inputs and outputs, mainly making resulting UTXOs indistinguishable from each other. There are other heuristics that chain analysis companies use to watch the bitcoin network, such as common input ownership, self-spending, round amounts or timing analysis to name a few, which may or may not be obscured by CoinJoins.

CoinJoins help bitcoiners reclaim their privacy but are not the solution to everything. If privacy is understood as the choice to share information about oneself, great privacy can be achieved through CoinJoins but picking the right implementation is essential.

  • What is my privacy goal using CoinJoins?
  • Which heuristics does a CoinJoin implementation protect me against?
  • What are the risks that I want to avoid?

Number Of Participants

Existing CoinJoin implementations have very different ways of improving privacy. Irrespective of each CoinJoin implementation design, the anonymity set (one measure for the level of anonymity) seems to be the most accepted way to evaluate how much privacy one gets from a CoinJoin. There are other ways that will be discussed in other articles. The assumptions are that either a high anonymity set is achieved with a large CoinJoin transaction or that it is achieved over multiple smaller CoinJoin transactions. These two parameters are both important, but is there one that is more important than the other?

In terms of blockspace efficiency, the assumption would be that achieving a large anonymity set with a single very large transaction that has many participants is better than multiple very small transactions with a few participants.

  • Is one single large CoinJoin or multiple small CoinJoins better for privacy?
  • How can that be verified truthfully and rigorously? How small is too small for a CoinJoin?
  • What is the right metric to evaluate how much privacy you can get from a CoinJoin?
  • What is the most blockspace efficient when it comes to the size and number of CoinJoins to reclaim your privacy?
  • Is it realistic to expect coins to participate in multiple CoinJoins over time as more people start using CoinJoins? How many CoinJoin rounds is enough or too much?

In simple terms, CoinJoins allow bitcoiners to reclaim their privacy by giving them plausible deniability. Plausibility is a measure of probability. How likely is it that your bitcoins were spent or simply moved to another address you still control? How likely is it that one input is linked to a given output?

Obviously, the smaller the probabilities across many options, the better plausible deniability you get as a hodler. Plausible deniability is hard to preserve because errors are easy to make. Change outputs are often problematic for bitcoiners who care about privacy and are often a source of contentious discussions and criticism. Why is change output such a controversial topic in CoinJoins?

Change Output

It’s all about deterministic links. If bitcoin transactions had a spectrum of privacy, on one end would be a transaction with complete plausible deniability, meaning 0% chance of knowing the link between inputs and outputs. This is also referred to as randomness or entropy in a CoinJoin. The assumption is that the more random or higher the entropy, the better. On the other end would be a transaction with 100% deterministic links between its only input and single output.

Unintuitively, a high entropy doesn’t necessarily mean that a transaction provides good privacy. A transaction with three inputs and three outputs of equal amounts technically has 100% entropy, meaning there is no way to distinguish each output from each other; and yet, there is a 33.33% chance that each input is linked to a particular output. High entropy does not necessarily mean good plausible deniability.

Change almost always has a very high deterministic link to its previous transaction. In other words, there is little doubt that a change output is tied to the previous transaction that spent it. That can be a sizable privacy issue if a given change output were to be co-spent with other anonymous inputs following CoinJoins (though exceptions may apply in certain cases). This is usually referred to as UTXO consolidation and can be fatal to your privacy if done naïvely.
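The two cases above can be checked by counting, shown here as an added example that is not part of the original article. It enumerates every way the outputs of a CoinJoin could be funded by its inputs and reports, for each input and output pair, the share of those interpretations that link them. The model is an assumption made for illustration: one input per participant, no fees, and constructed sample amounts in satoshis.

```python
from fractions import Fraction
from itertools import product


def link_probabilities(inputs, outputs):
    """matrix[i][j] = share of valid interpretations in which input i funds output j.

    Assumed model (a simplification): one input per participant, no fees,
    so every input must equal the sum of the outputs it funds.
    """
    n_in, n_out = len(inputs), len(outputs)
    counts = [[0] * n_out for _ in range(n_in)]
    valid = 0
    # Try every way of assigning each output to exactly one input.
    for owners in product(range(n_in), repeat=n_out):
        sums = [0] * n_in
        for j, i in enumerate(owners):
            sums[i] += outputs[j]
        if sums != list(inputs):
            continue  # amounts do not balance: not a possible interpretation
        valid += 1
        for j, i in enumerate(owners):
            counts[i][j] += 1
    if valid == 0:
        raise ValueError("no assignment balances inputs against outputs")
    return [[Fraction(c, valid) for c in row] for row in counts]


def deterministic_links(matrix):
    """(input index, output index) pairs linked in every valid interpretation."""
    return [(i, j) for i, row in enumerate(matrix)
            for j, p in enumerate(row) if p == 1]


# Constructed sample amounts, in satoshis.
# Case 1: three equal inputs, three equal outputs.
EQUAL_INPUTS = [10_000_000] * 3
EQUAL_OUTPUTS = [10_000_000] * 3

# Case 2: fixed 0.1 BTC denomination, each participant also gets change.
CHANGE_INPUTS = [19_572_394, 15_000_000, 12_000_000]
CHANGE_OUTPUTS = [10_000_000, 10_000_000, 10_000_000,
                  9_572_394, 5_000_000, 2_000_000]

if __name__ == "__main__":
    for name, ins, outs in [("equal amounts", EQUAL_INPUTS, EQUAL_OUTPUTS),
                            ("with change", CHANGE_INPUTS, CHANGE_OUTPUTS)]:
        m = link_probabilities(ins, outs)
        print(name)
        for row in m:
            print("  ", [str(p) for p in row])
        print("   deterministic links:", deterministic_links(m))
```

In the equal-amount case every pair comes out at 1/3 and no link is certain. In the second case the three denominated outputs stay at 1/3 each, while every change output is tied to a single input in all interpretations.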

Change outputs can de-anonymize outputs that have gained some plausible deniability from CoinJoins if spent together. Errors are commonplace for bitcoiners and sometimes the realization comes too late, undoing years of diligent privacy enhancements in one single spend. How to get rid of this change output problem?

Existing CoinJoin implementations have three ways of dealing with change outputs: isolate the change into another wallet that is not CoinJoining, include the change output in the same wallet that is CoinJoining or get rid of the change output by not having change outputs at all. The latter seems to be the most advisable in terms of privacy and blockspace efficiency but further digging is required to validate or reject this assumption.

  • Is a high entropy score enough to qualify a CoinJoin as good for your privacy?
  • Is it better to isolate change outputs in another wallet or should it be removed entirely?
  • Is a change output always bad for your privacy?

Coin Denominations

Getting rid of change outputs in CoinJoins requires that coin denominations be variable in a CoinJoin. In other words, the inputs registered in a given CoinJoin cannot have a fixed size like 0.1 BTC, otherwise it becomes impossible (or at least very difficult) to consume inputs without creating change outputs as most UTXOs don’t have round numbers (i.e. 0.19572394 BTC where 0.09572394 BTC would be the change in a 0.1 BTC fixed coin denomination CoinJoin).

Change outputs can be dangerous for your privacy, remember? Having multiple sizes for inputs and outputs in a CoinJoin seems to be a bad idea as it brings us closer to deterministic links between inputs and outputs, right? Well, yes and no. It depends. If a CoinJoin has a small number of participants (meaning few inputs and few outputs), then different denominations are a bad idea. But what if a large number of inputs and outputs are included in a given CoinJoin?

In a large CoinJoin, multiple denominations can bring a high level of plausible deniability to each resulting output without creating change outputs and requiring further transactions, which is a highly efficient use of blockspace. It seems that many boxes could be ticked at this point.

  • Is it better to have fixed or variable coin denominations in a CoinJoin?
  • How large should a CoinJoin be for variable denominations to make sense?
  • Are variable coin denominations the best way to get rid of change output in CoinJoins?

It goes without saying that CoinJoin rounds interconnectivity should not be tolerable in any circumstances regardless of whether coin denominations are different or if the CoinJoin is a large or small transaction, right? Well, here again, there is an important nuance to understand.

CoinJoin Rounds Interconnectivity

It is claimed that registering inputs from past shared CoinJoins into new CoinJoins is ill-advised in all cases. Participants from mutually shared past CoinJoins do not seem to benefit from mixing together in other CoinJoins. It seems harmful to privacy, and is often criticized.

What if a CoinJoin is large and some registered inputs come from multiple other CoinJoins, each being also downstream from multiple other CoinJoins? In such a case, participants remixing together are still improving their privacy despite coming from a shared past CoinJoin. If each CoinJoin is large enough, the participants are not required to remix multiple times, though they can if they want to further increase their anonymity sets.

If many large intertwined CoinJoins are involved, the resulting anonymity set should provide plenty of plausible deniability, despite sharing past CoinJoins as source of funds.

  • Is CoinJoin rounds interconnectivity, which is sharing common past CoinJoins, a bad thing on its own?
  • How large should a CoinJoin be for remixing with other past inputs to be considered safe?

Personal Full Node

Should you run your own bitcoin full node when participating in CoinJoins? On the surface, it seems like a great idea, and it usually is. Some CoinJoin implementations allow that, while others outright require it. Others won’t allow you to even use your own full node. Is that to condemn absolutely? If you’ve read until now, you should know that the answer is nuanced and opens up a deep rabbit hole to be explored later.

Running your own full node comes with usability tradeoffs, and may not add much privacy protection if not all users do it. Running your own node may even give you a false sense of security and privacy if few CoinJoin participants do it, which can be deeply harmful. If Tor is used as an anonymous way to CoinJoin (and we’ll leave it at that for now), then using a trusted full node to broadcast the CoinJoin transaction can be fine as the default. Lots of nuances, and of course, don’t trust, verify.

There are some essential questions to ask so as to not fall in the trap of privacy virtue signaling.

  • Does the CoinJoin implementation allow you to run full nodes, require them by default or not allow them?
  • If personal full nodes are not mandatory, what are the privacy shields in place? i.e. Tor, block filters, etc…
  • If I run my own full node, but expect most users to use a default trusted node to CoinJoin, how does that affect my privacy? Can the coordinator de-anonymize me?

With privacy concerns, it is always important to understand what you’re trying to protect, and against whom. Running a full node and using it with your own wallet is the right way to use bitcoin as it allows you to verify your wallet balance and broadcast transactions to the network without trusting anyone. But when it comes to CoinJoins, there is usually a coordinator in charge. What does the coordinator do and how is it selected? Read on.

The Coordinator

The CoinJoin coordinator is in charge of having each participant register their inputs and outputs, and sign the collaborative transaction before broadcasting it. Most CoinJoin implementations default to a central coordinator, which is a single point of failure. Up until now, this has been an accepted tradeoff in most bitcoin communities. Can a central CoinJoin coordinator fail? Absolutely. Other implementations allow anyone to be a coordinator for each different CoinJoin, though there are other sets of tradeoffs here that will be discussed later.

CoinJoins being non-custodial, no loss of funds could happen if any coordinator would fail. The coordinator should never know more than what everyone knows publicly on the bitcoin network. Why? If a coordinator knows more than what is publicly available, a CoinJoin coordinator becomes a honeypot with highly sensitive data that can be exploited against bitcoiners trusting the service.

You should never trust a CoinJoin coordinator. If a CoinJoin coordinator cannot be evil, good. If it can be evil, it will be eventually, out of errors, omissions, coercion or outright dishonesty.

An example of sensitive user data would be XPUBs, which undeniably leak all the information about a wallet, its addresses, including past, current and future bitcoin transactions. Another example would be the ratio between users running their own full nodes and users trusting the coordinator’s full node to broadcast CoinJoins, as it could de-anonymize users running their own nodes, and thus deterministically know the links between their inputs and outputs. This is yet another nuanced topic, which would require further research and discussion.

  • Does the coordinator know more than what is publicly available on the bitcoin network?
  • Do users leak sensitive data to the coordinator, such as their XPUB or whether or not they run their own full nodes?
  • Does the coordinator claim that users should trust them using legal defense mechanisms? (i.e. warrant canaries, regulatory arbitrage, etc…)

Fees

Bottom line, who pays for what in CoinJoins? These bitcoin transactions can be expensive and sometimes fee structures are unclear for bitcoiners. It’s hard to know how much good privacy will cost you or even if you are getting any privacy out of it. Some CoinJoin implementations allow a single input to buy its privacy from other inputs who only participate for free to increase their own anonymity set. Getting paid to CoinJoin? With patience, yes.

Some models rely on shared fees where only some UTXOs pay fees while others don’t. Other models rely on inviting an ever growing number of new wide inputs (not mixed yet) to fund the existing CoinJoins for remixing inputs that do not have high enough anonymity levels. Some models seem unsustainable over the long term while others are naïve, or way too expensive for most users.

And what fees are we talking about? Well usually, inputs participating in CoinJoins pay both a coordinator fee or taker fee (the service fee to get some level of anonymity) and the bitcoin network fees. In particular CoinJoin models, these fees get waived in certain circumstances. The economics of CoinJoins is a deep rabbit hole which requires further research for a much deeper understanding.

  • Who pays for what in a CoinJoin? What are all the fees?
  • What are the incentives of the CoinJoin coordinator?
  • Are all CoinJoin rounds paid for or is there any free remix?

Having read thus far, the hope is that bitcoiners shopping around for CoinJoins would not necessarily have all of the answers, but the right questions to ask. A mental model or framework to evaluate different CoinJoin implementations can be quite helpful for anyone who is considering using CoinJoins to reclaim their privacy on bitcoin. Sorting through the noise of social media requires intellectual honesty and the right evaluation system rigorously applied.

This is a guest post by Thibaud Maréchal. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.
