When Bitcoin launched, cypherpunks were keenly aware of its
scaling and
privacy limitations. The
whitepaper covers privacy in section 10 and mentions that generating a new address for each transaction is the minimal first step. It further explains how this precaution is undermined when multiple inputs are spent together in the same transaction (known as the
common input ownership heuristic). Additionally, if the value of the sender’s inputs is greater than the value of the payment, the recipient can track future transactions made by the same sender (since they must create a
change output to store their leftover BTC).
Example: Common input ownership -
33254c388e0cb27e753e848e84c8bcebd9aec62d1ceb58c9266f2bc57d4d77419 different addresses were used as inputs, so this transaction reveals a link between all 10 payments.
Example: Change output -
d18de758ef0b821373a71354f471dfe25bf313912016e39572749a35fbb01729The receiver learns that the sender owns an additional 0.3 BTC and can track these coins when they are spent in the future.
Example: 1 input/1 output -
164e28ea2d128c829cba63efea8952d671d35fc432e84a0e9434943789bc55edThis transaction leaks the least amount of information compared to the others, but it’s still not fully private: The receiver can track where the sender’s coins originally came from (bc1q6ys...pqmu3kj) and the sender can track where the receiver spends their coins next (166k2cnA...kCHFnGK).
_____________________________________________________________________________
Bitcoiners did not give up on this challenge and raised a
bounty to incentivize development for privacy enhancing transactions called
coinjoins. A coinjoin contains inputs and outputs from multiple users and leverages partially signed Bitcoin transactions (PSBT) to prevent participants from stealing from each other. However, the naive approach of aggregating payments does not
guarantee privacy, since the values of inputs and outputs may reveal the flow of funds for each user within the coinjoin transaction.
To solve this problem, coinjoin protocols were designed so that participants create outputs that match each other. Even though the amounts are visible, each equal value output could belong to any participant.
Example: Equal output coinjoin -
9256332b9ca52cbcb06f57296dfd982d8da3f7d4696b4c10cf9bb93dae6edf58_____________________________________________________________________________
Unfortunately, this example transaction is not a practical representation of how users behave in the real world: It would be a miracle if all participants started with equal sized inputs instead of arbitrary amounts.
If a user has inputs that are smaller than the coinjoin’s equal value output, they will reveal common input ownership. If a user has an input that is larger than the coinjoin’s equal value output, they will create change. Here is an example of a real coinjoin using the ZeroLink protocol, which was introduced in Wasabi Wallet 1.0 -
Example: ZeroLink coinjoin -
a89dc79081bd250be190e0822f0bfe17e9d48e2663c19381c75a3152652db591All 11 participants received an anonymous output for 0.02013500 BTC. Bob and Charlie each revealed common input ownership. Bob, Dave, Frank, Gary, and Karl each created a “toxic” change output that can be attributed to their inputs.

This is a significant first step since participants are able to create a private output that they can spend in a later payment. However, this path ultimately leads to a dead end: Change outputs created from postmix payments will not have a high enough value to be coinjoined again.
_____________________________________________________________________________
Wasabi Wallet 2.0 introduced the WabiSabi coinjoin protocol, which eliminates the limitation of fixed output sizes. This allows users to consolidate inputs privately within coinjoin transactions and avoid leaving behind any “toxic” change outputs.

The privacy calculation becomes double sided, and computing the number of outcomes reaches
impossibility as the size of the coinjoin grows.
Example: WabiSabi coinjoin -
79f19887f2b1df5c3f77064509d656477cbd7726129c6aa6251999788c8a9474This flexibility enables end to end privacy for every payment. Mission accomplished.
_____________________________________________________________________________
Some critics are not satisfied with this math, because human behavior leaks additional metadata. This concern is not unfounded, as there are many transaction fingerprints that can cause an individual to stand out in the crowd. When coinjoin outputs are spent, here’s what an observer is able to measure:
- The fee rate of the transaction
- The age of the inputs
- The number of inputs consolidated (and the coinjoin txs they originated from)
- The value of the sender’s change output (and the coinjoin tx it gets remixed in)
- Locktime, version, and RBF flag
Wasabi Wallet 2.8.0 eliminates these remaining concerns: If you are spending your coins, why not make the payment
inside a coinjoin? A receiver of a coinjoin payment has no starting point to attack from:
- The fee rate is chosen by the coordinator
- The age of the sender’s inputs is now an upper & lower bound instead of an exact timestamp
- The number of inputs consolidated and their origin txs are hidden
- The receiver does not learn how much leftover change the sender has, or its output address
- Locktime, version, and RBF flag are the same for all participants
- The sender can batch multiple payments in a single transaction without revealing a common origin
In addition to the privacy gains, payments in coinjoin use less block space so users can also save on fees. Input anonymization, spending, and change anonymization all happens in a single transaction instead of three. This saves ~750 vbytes for a single payment, reducing fees by 55%.