Author Topic: Onchain Coinjoin for Litecoin  (Read 686 times)
wangxinxi (OP)
Founder & CEO of Coinut.com, Litecoin Core Dev


October 04, 2016, 02:49:09 PM
Last edit: October 05, 2016, 03:05:44 AM by wangxinxi
 #1

Introduction
CoinJoin provides a useful, non-intrusive, and convenient way of anonymizing transactions by mixing users' inputs and outputs in one transaction and thus obfuscating the source and destination of each individual user's transaction. Although the current CoinJoin protocol can work in a decentralised way, it becomes convenient only when there is a central server. However, such a centralised service faces potential legal issues and service maintenance time, which limit its availability.

In this article, we introduce a fully decentralised and always available onchain CoinJoin service based on the Litecoin blockchain.

Method
The main idea is to use the always-online Litecoin blockchain to facilitate communication between users that want to conduct CoinJoin together. It works as follows.

Phase 1

Each user submits their request including the source address and the amount of Litecoins they want to mix to the Litecoin blockchain. This can be done by sending to the blockchain an OP_RETURN transaction with a mark indicating that this is a CoinJoin request. The source Litecoin address of the OP_RETURN transaction needs to be the one containing the Litecoins to be mixed.

In order to collect enough requests, phase 1 ends after a fixed number of Litecoin blocks are generated, e.g. 5 blocks.

Phase 2
In this phase, an unsigned transaction including all inputs and outputs needs to be created. To break the tie, this is done by the one who sends the last request in Phase 1.

Please notice that in Phase 1, each user does not need to include the destination Litecoin address in the OP_RETURN data. This is because once the address is included, everyone will be able to see the destination, and thus it defeats the purpose of CoinJoin.

To solve the problem, the transaction creator generates an address for each user, and makes sure this user is also the only one who knows the private key of the newly generated address. This can be done in the following way:

Suppose Litecoin's elliptic curve base point is G, and the public key of this user's Litecoin address is P. The transaction creator chooses a random non-zero integer a and calculates aG + P, which is the pub key of the new address, and then takes HASH160 of the pub key and gets the new address.

Please also notice that if the original private key for P is x, i.e. P = xG, the private key for the new address is then x + a, because (x+a)G = P + aG.

To tell this user his/her new address, the transaction creator still needs to send him/her a in a secret way. This can be done by encrypting a using the user's public key first and then including the encrypted a in an OP_RETURN output immediately after the normal output for this user.

This phase should be fast because it only requires an OP_RETURN transaction containing the unsigned transaction including all users' inputs and outputs and all encrypted values of a. Suppose the number of blocks this phase takes is 1.

If after one block there is no transaction created, to avoid a DDoS attack, the one before the last one should create the transaction excluding the last one's input and output. This should continue until the transaction is seen on the blockchain.

A small fee can be paid to the transaction creator to motivate the user to complete the whole process.

Phase 3

Every user checks whether he/she is included in the outputs with the correct amount or not. If everything is OK, the user signs the transaction and sends the partially signed transaction to the blockchain using another OP_RETURN transaction.

This phase can take 1 block. If anyone refuses to sign, to avoid a DDoS attack, his/her input and output should be excluded from the transaction and a new transaction should be created in the next block. This continues until everyone signs the transaction.

Phase 4
The user who created the transaction in Phase 2 collects all signed transactions, combines them into a complete signed transaction and broadcasts it to the Litecoin network. Actually this step can be done by anyone, so no DDoS attack is possible.
For this phase, one block should be needed.

Discussion

In the above description, one round starts immediately after the end of the previous round. However, pipelining and parallelism can be used to boost the throughput of this protocol. The length of each phase can be modified accordingly during implementation.

Confidential transactions (CT) do not hide the source of a transaction, while this onchain CoinJoin can. Therefore, the two can complement each other and can be used together to enhance privacy.
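
The Phase 2 key derivation from the post above (new public key aG + P, new private key x + a), worked through on secp256k1 as an added example; this is not code from the post or from any Litecoin implementation. The function names `creator_tweak` and `user_accepts` are hypothetical, and the user-side check before signing in Phase 3 is an assumption about how a client would validate the value of a it receives.

```python
# Added example: additive key tweak P' = aG + P on secp256k1 (illustration only).
import secrets

P_FIELD = 2**256 - 2**32 - 977   # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Add two curve points; None represents the point at infinity."""
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None                                  # p + (-p)
    if p == q:
        m = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD)   # tangent slope
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, P_FIELD)    # chord slope
    x3 = (m * m - x1 - x2) % P_FIELD
    return (x3, (m * (x1 - x3) - y1) % P_FIELD)

def mul(k, p=G):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p = add(p, p)
        k >>= 1
    return acc

def creator_tweak(user_pub, a=None):
    """Transaction creator: choose non-zero a and return (a, aG + P)."""
    if a is None:
        a = secrets.randbelow(N - 1) + 1             # uniform in [1, N-1]
    new_pub = add(mul(a % N), user_pub)
    if a % N == 0 or new_pub is None:                # zero tweak, or a = -x
        raise ValueError("unusable tweak")
    return a, new_pub

def user_accepts(x, a, claimed_pub):
    """User: derive x + a and confirm it controls the output key before signing."""
    new_priv = (x + a) % N
    if new_priv and mul(new_priv) == claimed_pub:
        return new_priv
    return None
```

`user_accepts` returns `None` when the decrypted a does not match the output key in the proposed transaction, which is the case where signing would send the coins to a key the user cannot spend from.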
wangxinxi (OP)
October 05, 2016, 05:39:12 PM
 #2

no feedback?
vlom
October 05, 2016, 05:44:17 PM
 #3

i need plain english to give feedback, e.g. i don't know what OP_RETURN means.
and this "elliptic curve base point" thing....

and i don't know coinjoin.

i will read it again and will let you know if i understand it better.
kelsey
October 05, 2016, 10:14:37 PM
 #4

> no feedback?

seriously, your mindset as a developer is to develop, the last thing litecoin needs is bells and whistles. KISS.

very concerning for us longterm holders that someone like you is pushing the stuff you push without even understanding what the average user wants.

litecoin needs adoption not 'innovation' to sell snake oil development. go to one of the 1001 scamcoins if that's what you want to do.

going the anon route will decrease the likelihood of average users adopting litecoin and many businesses will avoid. inviting the sort of behavior that has given crypto a bad name in the eyes of the media and therefore public.

and fyi anon is about the user not the system, no point in anon in crypto leads noobs to a false sense of security and people who know what they are doing any currency whether it be fiat or crypto is equally anon.
wangxinxi (OP)
October 06, 2016, 03:52:45 AM
 #5

> > no feedback?
>
> seriously, your mindset as a developer is to develop, the last thing litecoin needs is bells and whistles. KISS.
>
> very concerning for us longterm holders that someone like you is pushing the stuff you push without even understanding what the average user wants.
>
> litecoin needs adoption not 'innovation' to sell snake oil development. go to one of the 1001 scamcoins if that's what you want to do.
>
> going the anon route will decrease the likelihood of average users adopting litecoin and many businesses will avoid. inviting the sort of behavior that has given crypto a bad name in the eyes of the media and therefore public.
>
> and fyi anon is about the user not the system, no point in anon in crypto leads noobs to a false sense of security and people who know what they are doing any currency whether it be fiat or crypto is equally anon.

I just don't buy your logic. Privacy is important to many other people although it may not be important to you. But how do you handle fungibility? You don't need fungibility as well?
EnacDomains
October 06, 2016, 03:55:31 PM
 #6

really? i totally agree

shyliar
October 06, 2016, 04:05:26 PM
Last edit: October 06, 2016, 05:54:49 PM by shyliar
 #7

> and many businesses will avoid.

Could you give some examples of businesses that would want to avoid privacy? I'm under the impression that businesses would not appreciate their competition knowing the financial details of the business. While not that important right now, if cryptocurrency ever was adopted it would be. If adoption happens what business wouldn't want privacy?
spartacusrex
October 06, 2016, 04:11:37 PM
 #8

I like.

But - why not just use the coinshuffle++ technique on chain, since this technique uses the least amount of communication between the different parties?

Or - how many 'messages / txns' do you see being used using this technique vs the same using coinshuffle? Both on chain.

..

I always thought the easiest thing would be to simply coinshuffle coins with the peers you are connected to, off chain. This would be a client option.. no soft fork required.

But on chain gives access to many more potential coinjoiners.. which, as I said, I like.
 

Life is Code.
dwgscale11
October 25, 2016, 01:12:28 AM
 #9

I like where your head's at.  We need this.