- Public payments made private?See https://bitcoin.org/en/bitcoin-paperTransactions on the Bitcoin blockchain have infamously bad privacy. Every historical transfer of coins is recorded publicly and permanently, providing a link between the public keys used as inputs and outputs. Satoshi noted this in section 10 of the whitepaper titled Privacy:
As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner. Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.
Consolidating inputs indicates common ownership when you spend your coins alone, but its not
necessarily revealing since a multiparty transaction can be constructed containing inputs (and outputs) from others. This type of transaction is called a
Coinjoin.
Different types of coinjoins provide different privacy guarantees, but they are all inherently non custodial. Various specifications and protocols have been designed to facilitate coinjoins depending on the scenario. Please note that these descriptions target the protocol level, wallet level implementation details are not applicable to these explanations:
- PayjoinSee https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-August/021868.htmlA payjoin is a coinjoin that a sender and recipient construct together. This provides marginal privacy gains to each participant by combining their histories while also saving on the receivers future cost of block space. Since an output is already being created for the merchant receiving funds, the receiver can opportunistically consolidate their inputs at the same time. A notable advantage of payjoins is that they blend in with regular on chain transactions, as opposed to equal output coinjoins which have a distinct footprint. Another advantage is that the value of the payment is obscured since neither output created matches the amount transferred between participants.
In the context of Lightning, this two party interaction is known as Dual Funding, where two peers can open a payment channel using inputs from each user. Additionally, new funds can be spliced in to the channel without indicating which peer consolidated the input. On chain payments can be spliced out that could have been sent by either channel participant while leaving the channel open as the change output.
- Can payjoins be traced? Not from the outside. However, the disadvantage of payjoins compared to other coinjoins is that the sender and receiver are completely aware of the coins owned by the other participant, which introduces a trusted single point of failure. In theory, a payjoin could be composed with inputs from more than two parties, however, this introduces a time element since some parties must pause their transaction and wait for others to join instead of paying instantaneously.
- JoinMarket CoinjoinsSee https://nixbitcoin.org/orderbook/JoinMarket is a peer to peer marketplace for coordinating coinjoins using Makers and Takers. Instead of a payjoin where the sender collaborates directly with the recipient who provides their own liquidity, senders using JoinMarket collaborate with anonymous strangers on the marketplace and buy their liquidity.
The privacy of JoinMarket coinjoins is produced by having each peer create an output of equal value, making it unattributable to their originating inputs. There is a minimum of 0.00027300 BTC required to participate, and no maximum. JoinMarket is the most flexible coinjoin protocol since arbitrary amounts can be made fully private on demand by takers, while partial privacy can be gained passively on the coins sitting in the wallets of makers.
- Can JoinMarket be traced?Not as a taker. Since takers choose the equal value output size, they can sweep their coins from incoming payments or their change from outgoing payments at any time without trusting anyone. Fidelity bonds help protect takers against makers performing Sybil attacks.
However, makers trust their information with the taker of any individual transaction, the coinjoin only provides privacy from outside observers. Each maker in the coinjoin gains privacy on the equal value output and inherits a trackable change output. Makers reveal the ownership of their UTXOs to takers who propose an offer, but ring signatures are used to help protect makers from revealing their funds to malicious takers that do not complete the offer.
- WabiSabi CoinjoinsSee https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020202.htmlWabiSabi coinjoins gather liquidity from participants during timed rounds led by a coordinator. The coordinator waits for inputs in the first phase, collects outputs in the next phase, and ensures all inputs have signed in the final phase. Each user can register multiple inputs or outputs to the coinjoin transaction anonymously without indicating common ownership. This model allows a smart client to choose matching output amounts based on the input amounts registered in the start of the round instead of having the coordinator dictate the values allowed to dumb clients.
The advantage of WabiSabi is that the coinjoin structure completely eliminates the links between your addresses when sending or receiving transactions without needing to pay attention to the labels or values of your inputs. WabiSabi is highly block space efficient since input consolidation, mixing, and payment batching can all be performed in the same transaction without premixing or postmixing.
- Can WabiSabi be traced?Not unless you are the biggest whale in a coinjoin round with insufficient liquidity. Users who have a far larger value of coins than their peers will require multiple rounds to split them. For example, here's a 600 BTC input entering a coinjoin -
https://mempool.space/address/bc1q0057mqa8agyzjw6k5wz3dprf8yzfwq4aua00tcIt took 4 transactions to create enough private outputs:
600 BTC in, 558 BTC out:
https://mempool.space/tx/7bf4cb6df85ea2f6706eed9e937b6a14ffb4ab8223d1f6bad6ba91af93523676558 BTC in, 214 BTC out:
https://mempool.space/tx/3a714beec26b254d4e0b63257993bc28679531a2e802f9f687c3219f5f5447b7214 BTC in, 160 BTC out:
https://mempool.space/tx/dee52064a3d894b830581aa0034e3304e0a3bf4fb877f72747a507e97a25477b160 BTC in, no obvious change output:
https://mempool.space/tx/fe03eed1af4dd52164306327572a0afcf62099d9d19cb9062e209386f1431157- Whirlpool CoinjoinsSee https://bitcoinmagazine.com/technical/how-bitcoin-anonymity-sets-workWhirlpool is a centrally coordinated coinjoin that implements the ZeroLink coinjoin protocol with a privacy restriction that limits the anonymity you can gain. This restriction is called tx0, it is a self spend transaction prior to the coinjoin that allows the coordinator to custody the fee they charge in order to prevent DoS attacks from being costless. Once the coordinators fee is confirmed, they are trusted to add the outputs created from the premix tx0 to their liquidity pools. There are 4 different liquidity pools with fixed output values:
0.5 BTC
0.05 BTC
0.01 BTC
0.001 BTC
The coordinator then chooses between 5 and 8 participants for a coinjoin round who use blind signatures to create an equal sized output whose origin input is anonymous to all parties. In order to incentivize liquidity, these participants are composed of new entrants (takers of liquidity) and remixers (makers of liquidity). The mining fee for the block space used by remixers is paid for by the new entrants, so the value a user receives from their first round does not change after they are selected to remix in future rounds.
- Can Whirlpool be traced?Yes, the common input ownership heuristic and change output heuristics are revealed by the premix tx0, creating a 100% link between a Whirlpool users addresses. Any UTXO that does not
precisely add up to a multiple of 0.5, 0.05, 0.01, or 0.001 (+fees) cannot gain complete privacy. There are no advanced calculations required to determine these links between addresses, they are visible to the naked eye:
Okay, here's all the payments that can be tracked from the two new participants of the Whirlpool coinjoin transaction:
Entrant 1: bc1q03c0443ausjjdxl2h6ud5m8c0dux0zyg3dqdj7 created 0.00170417 BTC in unmixed change sent to bc1q3fduld0l3r8nclyt5p3r7ak675tekurstn55tl. Since this UTXO is not private, the sats were marked as unspendable and have not been recovered by the wallet owner
Entrant 2: bc1qzc8zku26ej337huw5dlt390cy2r9kgnq7dhtys created 0.00191247 BTC in unmixed change sent to bc1qjlltxr443uy236wl4xhpxlr6dgsu0zltlv3m44. This UTXO was used in a second tx0 transaction, creating a huge trail of transactions that could be traced to each other
The 2nd tx0 transaction created 0.00076348 BTC unmixed change which was sent to bc1qehd7gy8rza9mnzm9wnfjhgw82rp47wmqt7vpgy
Since this unmixed change is below the .001 pool minimum, it was consolidated in a 3rd tx0 with 3 other addresses owned by the same wallet:31x8GPqrhzdaxiBJa9N5UisuoxbX1rAnHa
16Gw5WKjbxZmg1zhZQs19Sf61fbV2xGujx
3LZtsJfUjiV5EZkkG1fwGEpTe2QEa7CNeY
The 3rd tx0 transaction created .00200317 in unmixed change which was sent to bc1q2p7gdtyahct8rdjs2khwf0sffl64qe896ya2y5
This was spent in a 0.00190000 payment to 3B8cRYc3W5jHeS3pkepwDePUmePBoEwyp1 (a reused address)
That payment left .00008553 in change that was tracked to 3Dh7R7xoKMVfLCcAtVDyhJ66se82twyZSn and consolidated with two other inputs in a 4th tx0 transaction:
bc1qeuh6sds8exm54yscrupdk03jxphw8qwzdtxgde
3ByChGBFshzGUE5oip8YYVEZDaCP2bcBmZ
This 4th tx0 created .00533406 in unmixed change which was sent to bc1qzh699s75smwukg9jcanwnlkmkn38r79ataagd9 which was consolidated with 3 more addresses into a 5th tx0:
3F2qiWQJKQjF7XFjEo8FUYP3AU5AC6RqX8
3HAYYVKUpYbr2ARMdZJr9yVu8xi8UcxtPz
3GQtwwRK31wwCc22q6WS5sCgixUHsG5KaT
The 5th tx0 created 0.00058494 BTC in unmixed change that was sent to bc1qvh2zjcwwkj9y70xulla2semvlav3lty0p3l3w3
This was spent in a .00047290 payment to bc1qvzg8jq6wqtr5navn4e3ps4qrkk9r6n4h98gjck
That payment left .00008411 in change that was tracked to bc1qg6j0f0wfhpktt2l8uzdn48ct3um2xyur40eyzd and consolidated with another input into a 6th tx0 transaction:
31iZLXWfoywhuMZTPGxTkpzphzh2NXshpP
The 6th tx0 created .00753775 in unmixed change that was tracked to bc1qgfll2apc27yct6h2c8r8wq4kqhxjsfrudhhn5q
This was spent in a .00737000 payment to bc1q5emzer2t0sq5dez0zsrqgh6scvwn0n24xsladp (a reused address)
This payment left 0.00010896 BTC in change which has not been spent yet, but the payment only took place 11 days ago, so I assume it will eventually be spent, allowing the Whirlpool user to be tracked even further.
Postmix transactions can be traced to premix funds when outputs from child rounds of the same premix transaction are consolidated. Consolidation of mixed outputs from the initial round may be unavoidable since users do not have control over whether or not they remix:
The first is the fee to Whirlpool itself, which is a flat fee depending on the pool you are joining.
The flat pool entry fee structure is designed to incentivize worst privacy practices. Since fees are not collected directly based on volume, it is cheaper to participate in a smaller pool and create more outputs than participate in a larger pool and create less outputs. Additionally, it incentivizes revealing common inputs ownership of premix UTXOs since it is cheaper to consolidate them to enter the pool once than to enter the pool with each UTXO individually. Samourai has never explained why they purposely chose a fee structure that heavily penalizes the most private usage of their protocol.
Because of this backwards design, you can easily link premix inputs to postmix outputs in many cases. Notice how this Whirlpool tx0 premix creates 70 outputs for 0.05 BTC -
https://mempool.space/tx/63679c9ec82f246811acbab0c04cc0fc77ba050e1b6c23661d78afcfc13cf8aaNotice how every single input of this Whirlpool exit transaction is a direct descendant of rounds created by the aforementioned premix transaction:
https://mempool.space/tx/ce2f84f7c5ff74fb1da103acb7b279bd34f02f5e9e3a2e1b6417ce8b9b7392dbWhen many inputs used in the postmix exit transaction are created directly from a round that the premix transaction entered, it makes it trivial to trace the user through Whirlpool. Fortunately, the user abandoned Whirlpool and upgraded to using the WabiSabi coinjoin protocol instead, which made him completely untraceable:
https://mempool.space/address/bc1qjjw5gaglkycu2lm5fskl7qhktk0hec4a5me3da
