- Public payments made private?See https://bitcoin.org/en/bitcoin-paperTransactions on the Bitcoin blockchain have infamously bad privacy. Every historical transfer of coins is recorded publicly and permanently, providing a link between the public keys used as inputs and outputs. Satoshi noted this in section 10 of the whitepaper titled “Privacy”:
As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner. Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.
Consolidating inputs indicates common ownership when you spend your coins alone, but it’s not
necessarily revealing since a multiparty transaction can be constructed containing inputs (and outputs) from others. This type of transaction is called a
“Coinjoin”.Different types of coinjoins provide different privacy guarantees, but they are all inherently non custodial. Various specifications and protocols have been designed to facilitate coinjoins depending on the scenario. Please note that these descriptions target the protocol level, wallet level implementation details are not applicable to these explanations:
- PayjoinSee https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-August/021868.htmlA payjoin is a coinjoin that a sender and recipient construct together. This provides marginal privacy gains to each participant by combining their histories while also saving on the receiver’s future cost of block space. Since an output is already being created for the merchant receiving funds, the receiver can opportunistically consolidate their inputs at the same time. A notable advantage of payjoins is that they blend in with regular on chain transactions, as opposed to equal output coinjoins which have a distinct footprint. Another advantage is that the value of the payment is obscured since neither output created matches the amount of value transferred between participants.
In the context of Lightning, this two party interaction is known as “Dual Funding”, where two peers can open a payment channel using inputs from each user. Additionally, new funds can be “spliced in” to the channel without indicating which peer consolidated the input. On chain payments can be “spliced out” that could have been sent by either channel participant while leaving the channel open as the change output.
- Can payjoins be traced? Not from the outside. However, the disadvantage of payjoins compared to other coinjoins is that the sender and receiver are completely aware of the coins owned by the other participant, which introduces a trusted single point of failure. In theory, a payjoin could be composed with inputs from more than two parties, however, this introduces a time element since some parties must pause their transaction and wait for others to join instead of paying instantaneously.
- JoinMarket CoinjoinsSee https://nixbitcoin.org/orderbook/JoinMarket is a peer to peer marketplace for coordinating coinjoins using “Makers” and “Takers”. Instead of a payjoin where the sender collaborates directly with the recipient who provides their own liquidity, senders using JoinMarket collaborate with anonymous strangers on the marketplace and buy their liquidity.
The privacy of JoinMarket coinjoins is produced by having each peer create an output of equal value, making it unattributable to their originating inputs. There is a minimum of 0.00027300 BTC required to participate, and no maximum. JoinMarket is the most flexible coinjoin protocol since private payments can be made on demand by takers, and privacy can be gained passively on the coins sitting in the wallets of makers.
- Can JoinMarket be traced?Not as a taker. Since takers choose the equal value output size, they can make coins from incoming payments anonymous or anonymize their change at any time without trusting anyone. Fidelity bonds help protect takers against makers performing Sybil attacks.
However, makers trust their information with the taker of any individual transaction, the coinjoin only provides privacy from outside observers. Makers generally only gain privacy on the equal value output, producing change. Makers reveal the ownership of their UTXOs to takers who propose an offer, but ring signatures are used to help protect makers from revealing their funds to malicious takers that do not complete the offer.
- WabiSabi CoinjoinsSee https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020202.htmlWabiSabi is a centrally coordinated coinjoin protocol that utilizes keyed verified anonymous credentials and a timed round for gathering liquidity. Each user can register multiple inputs directly to the coinjoin transaction anonymously without indicating common ownership, and change outputs are not created (if there is sufficient liquidity). This model allows a “smart client” to choose matching output amounts based on the input amounts registered in the start of the round instead of having the coordinator dictate the values allowed to “dumb clients”.
The advantage of WabiSabi is that the coinjoin structure completely eliminates the links between your addresses when sending or receiving transactions without needing to pay attention to the labels or values of your inputs. WabiSabi is highly block space efficient since input consolidation, mixing, and payment batching can all be performed in the same transaction without premixing or postmixing.
- Can WabiSabi be traced?Not unless you are the biggest whale in a coinjoin round with insufficient liquidity. Even outputs that do not have matching amounts cannot be traced to an owner on the input side - it’s even possible that the output changed hands as a payment to someone who did not own any funds on the input side at all:
you don't need to be a "whale" at all in order to receive absolutely zero privacy from a Wasabi coinjoin.
Okay then, I'll call your bluff again- Here's 20 non whale non matching outputs from WabiSabi coinjoins, try to identify the inputs owned by even a single one of the 20 outputs (which would be 5%):
01 bc1q032caguldmlrrztmrwhv5wqveyywdu2rtmd740
02 bc1q6vgwhsfkg343mmh27vc6prg3clsd4xu3p68vyd
03 bc1qre8jjpu8p9taw8j44r39z56vfr4sw64d4wyaj4
04 bc1qarharg76gfcrvskfw46f67vtqzd6hxa9pnspp5
05 bc1q4sexgt2p96x3ytnjjttp59w6mkj00kedal3xze
06 bc1qwrf50wpjws5mhdg2rhdu5hy7nqdtl8z94lp75n
07 bc1qz0tal2udfpr20x793fdw6v8lzp2qze7z5zje64
08 bc1qqw2h7fa3n8vyxgqru664fmft2trl9sqh9kz3fp
09 bc1qsud748whmum4gpt2qu52z8gqlgzcjyvhd5w2a5
10 bc1qctvxddyvxupjj8w82m8w5grzn59arstlrnaauw
11 bc1qq2fl05cmmhkr3pzg8elyr859v2fpcltynrk2j5
12 bc1qvwkrd3aecrvql5j8mqkmketvw6g6qwzt4juprq
13 bc1qhc2565fac4lrgyfq6n0mzc0l86jeptfnv2um9x
14 bc1qat6445gutyl3qdz3zhmdng9cdt92mevjlvaljs
15 bc1qk5f3mz0fetccey4nyyjedlrmqstkz2hmun96ha
16 bc1q4tpvm378a9d4n0xcnjtwfwujtr8eatjzvru8dx
17 bc1qd5epyjpj6vuejdppj24wew5n4n5rzepjx2xnay
18 bc1qgafud63me5mffn00g90ch08jjn5h20umzwxd62
19 bc1q5u3f2ldrtqa7ea79a8hcd8kssgw2gmalk4uej9
20 bc1qa6n7g7r4j3nv78gzgzmuvg56em4guppckqpz7r
Whirlpool is a centrally coordinated coinjoin that implements the ZeroLink coinjoin protocol with a privacy restriction that limits the anonymity you can gain. This restriction is called “tx0”, it is a self spend transaction prior to the coinjoin that allows the trusted coordinator to custody the fee they charge in order to prevent DoS attacks from being costless. Once the coordinator’s fee is confirmed, they allow the outputs created from the premix tx0 to be added to their liquidity pools. There are 4 different liquidity pools with fixed output values:
0.5 BTC
0.05 BTC
0.01 BTC
0.001 BTC
The coordinator then chooses between 5 and 8 participants for a coinjoin round who use blind signatures to create an equal sized output whose origin input is anonymous to all parties. In order to incentivize liquidity, these participants are composed of new entrants (takers of liquidity) and remixers (makers of liquidity). The mining fee for the block space used by remixers is paid for by the new entrants, so the value a user receives from their first round does not change after they are selected to remix in future rounds.
- Can Whirlpool be traced?Yes, the common input ownership heuristic and change output heuristics are revealed by the premix tx0, creating a 100% link between a Whirlpool user’s addresses. Any UTXO that does not
precisely add up to a multiple of 0.5, 0.05, 0.01, or 0.001 (+fees) cannot gain complete privacy. There are no advanced calculations required to determine these links between addresses, they are visible to the naked eye:
Okay, here's all the payments that can be tracked from the two new participants of the Whirlpool coinjoin transaction:
Entrant 1: bc1q03c0443ausjjdxl2h6ud5m8c0dux0zyg3dqdj7 created 0.00170417 BTC in unmixed change sent to bc1q3fduld0l3r8nclyt5p3r7ak675tekurstn55tl. Since this UTXO is not private, the sats were marked as unspendable and have not been recovered by the wallet owner
Entrant 2: bc1qzc8zku26ej337huw5dlt390cy2r9kgnq7dhtys created 0.00191247 BTC in unmixed change sent to bc1qjlltxr443uy236wl4xhpxlr6dgsu0zltlv3m44. This UTXO was used in a second tx0 transaction, creating a huge trail of transactions that could be traced to each other
The 2nd tx0 transaction created 0.00076348 BTC unmixed change which was sent to bc1qehd7gy8rza9mnzm9wnfjhgw82rp47wmqt7vpgy
Since this unmixed change is below the .001 pool minimum, it was consolidated in a 3rd tx0 with 3 other addresses owned by the same wallet:31x8GPqrhzdaxiBJa9N5UisuoxbX1rAnHa
16Gw5WKjbxZmg1zhZQs19Sf61fbV2xGujx
3LZtsJfUjiV5EZkkG1fwGEpTe2QEa7CNeY
The 3rd tx0 transaction created .00200317 in unmixed change which was sent to bc1q2p7gdtyahct8rdjs2khwf0sffl64qe896ya2y5
This was spent in a 0.00190000 payment to 3B8cRYc3W5jHeS3pkepwDePUmePBoEwyp1 (a reused address)
That payment left .00008553 in change that was tracked to 3Dh7R7xoKMVfLCcAtVDyhJ66se82twyZSn and consolidated with two other inputs in a 4th tx0 transaction:
bc1qeuh6sds8exm54yscrupdk03jxphw8qwzdtxgde
3ByChGBFshzGUE5oip8YYVEZDaCP2bcBmZ
This 4th tx0 created .00533406 in unmixed change which was sent to bc1qzh699s75smwukg9jcanwnlkmkn38r79ataagd9 which was consolidated with 3 more addresses into a 5th tx0:
3F2qiWQJKQjF7XFjEo8FUYP3AU5AC6RqX8
3HAYYVKUpYbr2ARMdZJr9yVu8xi8UcxtPz
3GQtwwRK31wwCc22q6WS5sCgixUHsG5KaT
The 5th tx0 created 0.00058494 BTC in unmixed change that was sent to bc1qvh2zjcwwkj9y70xulla2semvlav3lty0p3l3w3
This was spent in a .00047290 payment to bc1qvzg8jq6wqtr5navn4e3ps4qrkk9r6n4h98gjck
That payment left .00008411 in change that was tracked to bc1qg6j0f0wfhpktt2l8uzdn48ct3um2xyur40eyzd and consolidated with another input into a 6th tx0 transaction:
31iZLXWfoywhuMZTPGxTkpzphzh2NXshpP
The 6th tx0 created .00753775 in unmixed change that was tracked to bc1qgfll2apc27yct6h2c8r8wq4kqhxjsfrudhhn5q
This was spent in a .00737000 payment to bc1q5emzer2t0sq5dez0zsrqgh6scvwn0n24xsladp (a reused address)
This payment left 0.00010896 BTC in change which has not been spent yet, but the payment only took place 11 days ago, so I assume it will eventually be spent, allowing the Whirlpool user to be tracked even further.
Postmix transactions can be traced to premix funds when outputs from child rounds of the same premix transaction are consolidated. Consolidation of mixed outputs from the initial round may be unavoidable since users do not have control over whether or not they remix:
The first is the fee to Whirlpool itself, which is a flat fee depending on the pool you are joining.
The flat pool entry fee structure is designed to incentivize worst privacy practices. Since fees are not collected directly based on volume, it is cheaper to participate in a smaller pool and create more outputs than participate in a larger pool and create less outputs. Additionally, it incentivizes revealing common inputs ownership of premix UTXOs since it is cheaper to consolidate them to enter the pool once than to enter the pool with each UTXO individually. Samourai has never explained why they purposely chose a fee structure that heavily penalizes the most private usage of their protocol.
Because of this backwards design, you can easily link premix inputs to postmix outputs in many cases. Notice how this Whirlpool tx0 premix creates 70 outputs for 0.05 BTC -
https://mempool.space/tx/63679c9ec82f246811acbab0c04cc0fc77ba050e1b6c23661d78afcfc13cf8aaNotice how every single input of this Whirlpool exit transaction is a direct descendant of rounds created by the aforementioned premix transaction:
https://mempool.space/tx/ce2f84f7c5ff74fb1da103acb7b279bd34f02f5e9e3a2e1b6417ce8b9b7392dbWhen many inputs used in the postmix exit transaction are created directly from a round that the premix transaction entered, it makes it trivial to trace the user through Whirlpool. Fortunately, the user abandoned Whirlpool and upgraded to using the WabiSabi coinjoin protocol instead, which made him completely untraceable:
https://mempool.space/address/bc1qjjw5gaglkycu2lm5fskl7qhktk0hec4a5me3da
