Bitcoin as a Privacycoin: This Tech is Making Bitcoin More Private
Aaron van Wirdum
Ever since its inception Bitcoin has never really been private. Although Satoshi Nakamoto’s white paper suggests privacy was a design goal of the protocol, government agencies, analytics companies and other interested parties — let’s call them “spies” — have ways to analyze the public blockchain and peer-to-peer network, to cluster Bitcoin addresses and tie them to IP addresses or other identifying information.
A lack of privacy is a problem. Bitcoin users might not necessarily want the world to know where they spend their money, what they earn or how much they own, while businesses may not want to leak transaction details to competitors — to name a few examples. Additionally, a lack of privacy could lead to a loss of fungibility: the property by which each monetary unit is worth the same as any other, which is an essential requirement for money. If, for example, it can be established that certain coins were at some point used for politically sensitive purposes, some might be less willing to accept these “tainted” coins as payment, harming fungibility for all of Bitcoin.
Fortunately, spying on Bitcoin users is becoming increasingly difficult. Recent months in particular saw the introduction of a number of promising, privacy-enhancing technologies, and several more solutions should be released throughout the rest of the year or the next.
Here’s an overview of some of the most promising projects.
Almost two years in the making, TumbleBit was long among the most highly anticipated privacy solutions to be rolled out on Bitcoin.
TumbleBit is a coin-mixing protocol that uses a (centralized) tumbler to create off-chain payment channels between participants in a mixing session. Through these channels, all participants send coins and receive an equal amount of different coins in return. This process breaks the trail of ownership for all: neither spies nor any of the participants can re-establish who paid who. Further, and importantly, TumbleBit utilizes clever cryptographic tricks to ensure that even the tumbler can’t establish a link between the users.
TumbleBit does require two on-chain transactions per participant (one to open a channel, one to close it). While a trustless solution, this does make it one with somewhat higher fees than the alternatives.
TumbleBit was first proposed in 2016 by an academic research team from Boston University, George Mason University and North Carolina State University, headed by Ethan Heilman and presented at Scaling Bitcoin Milan in the fall of that year. The ball really got rolling when NBitcoin developer Nicolas Dorier implemented an early version of the technology, which was later improved by privacy-focused developer Ádám Ficsór and others, to ultimately be implemented in Stratis’ Breeze wallet.
This Breeze wallet was officially released about a month ago, meaning that TumbleBit is currently available for anyone to use — though usage (and, therefore, the privacy-providing anonymity set) is reportedly still low.
ETA: Available now
Chaumian CoinJoin and ZeroLink
CoinJoin is an old idea by Bitcoin standards, first proposed by Bitcoin Core contributor Gregory Maxwell in 2013. In essence, the trick is to combine several transactions into one bigger transaction, obfuscating which bitcoins are moving from which sending addresses (“inputs”) to which receiving addresses (“outputs”), exactly.
As a simple example, let’s say Alice, Bob and Carol all want to mix their coins with each other. Using CoinJoin, they can create a transaction that sends money back to themselves, using new addresses not tied to their identity. As long as Alice, Bob and Carol use equal amounts of coins, spies can’t tell which of the new addresses belongs to whom. (If they use different amounts of coins it’s obvious which coins moved where.)
CoinJoin transactions have been a reality for years, but for a long time one problem remained: Someone — like Alice, Bob or Carol — needs to construct the transaction. This person must learn exactly which old addresses are sending bitcoin to which new addresses; otherwise, it would be impossible to construct the transaction. If this person is a spy — which is often impossible to know — the effort becomes pointless: The spy could re-establish the trail of coin ownership.
This problem can also be solved, using a trick mentioned by Gregory Maxwell in the same 2013 proposal, dubbed “Chaumian CoinJoin” (after David Chaum’s blind signature scheme).
In short, Alice, Bob and Carol will now connect to a central Chaumian CoinJoin server, perhaps operated by a wallet provider. First, they all give their sending addresses, as well as blinded (cryptographically scrambled) receiving addresses, which are cryptographically signed by the server. Then, Alice, Bob and Carol disconnect in order to reconnect via a hidden connection (like Tor) and provide their unblinded addresses. Utilizing the magic of Chaumian blind signatures, the server can verify that the unblinded addresses match with the blinded addresses. This allows it to verify that the addresses really belong to Alice, Bob and Carol — not to an attacker — without learning which of the addresses belong to whom.
The Chaumian CoinJoin proposal fell by the wayside for about four years after it was first proposed. Then, about a year ago, Ádám Ficsór — while working on Breeze’s TumbleBit implementation — rediscovered the proposal and decided to implement it.
Embedded in the ZeroLink framework Ficsór has since designed, Chaumian CoinJoin is now implemented in Ficsór’s new privacy-focused Wasabi Wallet, which was recently released in beta. Even more recently, privacy-focused Samourai Wallet announced it will soon release a mobile ZeroLink implementation, called Whirlpool. Yet another, newer wallet by the name of Bob Wallet is also developing a ZeroLink implementation.
ETA: Available now (beta)
Schnorr Signatures for CoinJoin and More
While CoinJoin — including Chaumian CoinJoin — was always possible, and first proposed years ago, it’s never caught on in a big way so far. For a long time, no popular wallet offered the feature, which may be because CoinJoin transactions add complexity, with little upside for those who don’t care about privacy as much.
Named after its inventor Claus-Peter Schnorr, Schnorr signatures are considered by many cryptographers to be the best type of cryptographic signatures in the field. Perhaps the biggest concrete advantage for Bitcoin is that multiple signatures can be aggregated into a single signature. This means that one signature can prove ownership of multiple sending addresses (inputs). Therefore, only one signature is ever needed per regular transaction, no matter how many sending addresses (inputs) are included.
CoinJoin transactions, of course, always include multiple sending addresses as well, at least one for each participant and possibly more. Schnorr signatures could, therefore, add a new benefit to using CoinJoin: They enable all participants, not only to combine their transactions into one, but also to combine their signatures in that transaction into one. This would make the CoinJoin transaction smaller in size than the individual transactions combined would have been which, in turn, means that miners should charge a smaller processing fee.
With Schnorr, there would be a cost benefit to using the most private option, which might just provide the right incentive for wallets to implement it and make it the go-to option for everyone.
In addition, Schnorr signatures’ mathematical properties will benefit a brand new class of more complex, smart contract-like solutions with names like “scriptless scripts,” “Taproot” and “Graftroot.” Interestingly, these solutions would appear like regular Bitcoin transactions on the Bitcoin blockchain. This could for example enable futures markets, decentralized exchanges or insurance contracts without spies being able to identify anything but regular-seeming transactions.
ETA: Optimistically, 2019
Another CoinJoin-related privacy measure was introduced by Samourai Wallet in May 2018 as a replacement for a similar but inferior solution. Called STONEWALL, the trick doesn’t actually utilize CoinJoin — but makes it seem that it does.
STONEWALL transactions are, in effect, regular transactions: They send bitcoin from one user to another. However, STONEWALL transactions do something odd: They include an unnecessary number of sending addresses (inputs) and change addresses (outputs). This makes the transaction look a lot like a CoinJoin transaction — a transaction where two people are combining their transactions into one — even though, in reality, it isn’t. (More details here.)
The idea behind STONEWALL is to break (indeed, stonewall) the assumptions that spies presumably make when analyzing the Bitcoin blockchain. If these spies can’t tell for sure whether transactions are really CoinJoin transactions or not, any conclusions based on this transaction data is worthless.
Samourai Wallet will soon also deploy 2-wallet STONEWALL, which are real CoinJoin transactions, shared between two users that trust one another with their privacy.
ETA: Available now; 2-wallet STONEWALL to follow in the next month or two
A very different method to deanonymize Bitcoin users is through analysis of the peer-to-peer network. More specifically, spying nodes could monitor the Bitcoin network to try and find out where transactions originate: The first node to transmit a transaction is probably the one that created it.
Dandelion is a solution proposed by a team of academic researchers from Carnegie Mellon University, the University of Illinois and MIT. It was recently presented at the Building on Bitcoin conference in Lisbon by Carnegie Mellon University professor Giulia Fanti.
The solution counters network analysis by changing how transactions are spread over the peer-to-peer network. Instead of immediately broadcasting and forwarding a new transaction to as many peers as possible, the Dandelion protocol initially sends a new transaction to only one peer node. This node randomly decides whether it also forwards it to only one peer — or not. If forwarded to only one peer, the next node will randomly decide what to do as well. (And so forth.) If not forwarded to only one peer, the node transitions to broadcasting the transaction to as many peers as possible, and all receiving peer nodes follow suit. This should make it significantly harder for spies to pinpoint where a transaction originated.
A version of Dandelion has already been implemented by the research team, and the general proposal has received a positive response within Bitcoin’s development community. As such, it seems likely to be included in an upcoming Bitcoin Core release (though the very next release, 0.17.0, will come too soon).
BIP 151 Encryption
Another older proposal to limit network analysis is BIP 151, authored by Bitcoin Core maintainer and Shift developer Jonas Schnelli. BIP 151 is a somewhat straightforward solution: It would let Bitcoin nodes encrypt traffic (hence, transaction and block data) between them.
It should be noted, however, that in bare form BIP 151 is no panacea for privacy. For one thing, the Bitcoin blockchain is public anyway, and, more importantly, nodes could connect to and share data with the very same spies they’d prefer to hide from. Still, BIP 151 could be a stepping stone to counter several types of attacks, including attacks on privacy (such as man-in-the-middle attacks).
And even in bare form, the solution is arguably better than nothing. Specifically, particular use cases and scenarios would benefit from peer-to-peer encryption; for example, ISPs or open wifi networks would no longer be able to monitor Bitcoin traffic.
While BIP 151 dropped off the radar a little bit for a year or two after it was first proposed, Schnelli recently picked up the project again and re-drafted an “official” BIP to be discussed and potentially included in Bitcoin Core.
Compact Client-Side Block Filtering
To use Bitcoin without needing to download and verify the entire blockchain, many people use light clients, like mobile wallets. Unfortunately, almost all of these light clients have weak, if any privacy protection. They typically share their addresses with either a central server or a random node on the network, both of which can be spies or be spied on.
Many of the light clients that (effectively) share their addresses with a random node on the network use a trick called Simplified Payment Verification (SPV). These SPV clients typically use “Bloom filters” to request the transactions potentially relevant for them — if there are any. While such a filter will return false positives, which means the SPV client will request more transactions than strictly needed, these are few compared to downloading all transactions.
Unfortunately, SPV wallets do effectively reveal all their addresses to the nodes they request this data from as well. To tackle this problem, Lightning Labs developers Olaoluwa Osuntokun and Alex Akselrod, along with Coinbase developer Jim Posen, proposed a new solution called “compact client-side block filtering.”
Compact client-side block filtering was originally designed for Lightning Labs’ Lightning-focused Neutrino wallet but can be used by regular Bitcoin wallets as well: the Wasabi Wallet already implemented the solution in its beta release.
Compact, client-side block filtering essentially inverts the trick that current SPV wallets use. Instead of SPV wallets requesting transactions relevant to them by creating and sending out a Bloom filter, full nodes create a similar filter. SPV wallets then use this filter to establish that relevant transactions did not happen. If the filter does produce a match, Neutrino fetches the relevant block to see if the match really concerns the exact transaction, instead of a false positive.
Since SPV wallets using compact, client-side block filtering no longer request anything specific from any node, to instead receive a one-size-fits-all filter, they also reveal nothing about their transaction history.
ETA: Available now (beta)
Liquid and Confidential Transactions
Liquid is the first commercial sidechain developed by blockchain development company Blockstream. Its main purpose is to establish transaction channels between exchanges and other high-volume Bitcoin companies (like brokerages), allowing them to send bitcoin and other assets between them much faster than the Bitcoin blockchain would allow. In the future, regular users (most obviously traders) should be able to access the sidechain too, with special Liquid wallets.
One feature implemented on Liquid is Confidential Transactions (CT). CT is a trick that blinds (hides) the sending and receiving amount(s) in transactions. This is possible because clever cryptography allows math to be performed on the blinded amounts. All Liquid users can verify that the receiving amount(s) did not exceed the sending amount(s). In other words, they can check that no bitcoin was created out of thin air — even if they don’t know exactly how much money changed hands.
In the context of Liquid, this means (among others things) that exchanges can move funds between them without anyone being able to tell how much was moved. The process offers privacy, and competitors will, for example, be unable to tell how much money is held in the exchanges. Meanwhile, traders can no longer use such information to trade on, which is effectively a form of front running possible today due to the public nature of Bitcoin’s blockchain.
As Liquid becomes available to regular traders later on, these users could, most obviously, utilize the protocol to keep their balances hidden from spies, even after withdrawing funds from an exchange to temporarily hold it on the sidechain or move it to a different exchange. In addition, CoinJoin types of solutions could be developed for Liquid wallets, for a particularly powerful combination of privacy technologies. (As several transactions are merged into one and amounts are hidden, establishing links between the addresses becomes virtually impossible.)
Even further out, CT may also be implemented on the main Bitcoin protocol. There are some ideas for how to accomplish this through a backward-compatible soft fork already, but, while technological innovation is advancing, such upgrades would still come with significant detriment for scalability and are probably still far from becoming a reality.
ETA: Available for exchanges and other high-volume Bitcoin companies any day now; regular traders later and mainnet users maybe one day.
Author’s note: This article specifically focuses on new and upcoming privacy technologies; older solutions also include stealth addresses, using a Bitcoin full node as a wallet, Coin Control, JoinMarket and other existing CoinJoin solutions, Ricochet, PayNyms, the Lightning Network’s Spinx, Monero-swapping, centralized mixers (at your own risk) and more.
This cover story was inspired by Ádám Ficsór’s recent tweetstorm on the same topic. Bitcoin Magazine does not endorse any of the products or services mentioned in this article. Always do your own research before sending or storing bitcoin anywhere.