Although Satoshi Nakamoto’s white paper suggests that privacy was a design goal of the Bitcoin protocol, blockchain analysis can often break users’ privacy. This is a problem. Bitcoin users might not necessarily want the world to know where they spend their money, what they earn or how much they own, while businesses may not want to leak transaction details to competitors — to name some examples.

But there are solutions to regain privacy, like CoinJoin. Some of the most popular mixing solutions available today use this trick, including Wasabi Wallet (which leverages ZeroLink) and Samourai Wallet (which leverages Whirlpool). In both cases, users chop their coins into equal amounts to mix them with each other. Using equal amounts is considered a crucial step for the mix to be effective.

However, a new mixing protocol called CashFusion, in development for the Bitcoin Cash network, challenges this assumption. The developers behind the protocol claim that CashFusion offers privacy through CoinJoins without the requirement to only mix equal amounts. If true, this might drastically change how we think about privacy in Bitcoin as well.

If true…


Let’s start at the beginning. (Or skip this part if you know what CoinJoin is.)

A typical bitcoin transaction has one or several inputs (basically the addresses coins are sent from) and one or several outputs (basically the addresses coins are sent to). If a transaction has more than one input, it’s usually because the sender used several chunks of his coins (UTXOs) to get to the required amount. If a transaction has more than one output, it’s usually because several people are being paid at once (a batched transaction) and/or the payer is sending money back to one of his own addresses as change (because the chunks didn’t add up to the exact right amount; this is often the case).

Unfortunately, a typical transaction as outlined here reveals a lot. For example, it’s easy to conclude that all input addresses belong to the same person, which allows for address clustering. The transaction also shows from which addresses to which addresses coins are moving, revealing a trail of coins over the blockchain. There can be more (subtle) hints, and all are bad for privacy.

A potential solution to this problem, first proposed by Bitcoin Core contributor Gregory Maxwell in 2013, is called CoinJoin. The idea behind CoinJoin is simple: Several independent transactions are merged into one big transaction. So if two transactions have two inputs and two outputs each, this is combined into a single transaction that has four inputs and four outputs. This at least breaks the assumption that all input addresses belong to the same person and could help break the trail of coins as well.

Why Equal Amounts

It is usually assumed that the privacy gains of CoinJoin as described above would be limited, however. In many cases, the amounts sent in the inputs and the amounts received in the outputs can be puzzled together, to rediscover which individual transactions went into the combined CoinJoin transaction.

For example, let’s take two transactions, one from Alice to Carol and one from Bob to Dave. Alice has two chunks of coins worth 2.3 and 1.4 bitcoin, and she wants to pay Carol 3.2 bitcoin. Bob has chunks of 3 and 2 bitcoin, and wants to pay Dave 4 bitcoin.

Simplified, these transactions look like so:

2.3 + 1.4 = 3.2 + 0.5

3 + 2 = 4 + 1

(The 0.5 BTC and 1 BTC outputs are change.)

Merged together, the CoinJoin transaction would look like so:

3 + 2.3 + 2 + 1.4 = 4 + 3.2 + 1 + 0.5

Although the transactions were merged, it’s trivial to rediscover which inputs paid which outputs, and, therefore, also which inputs can be matched together as belonging to the same sender. Assuming you know that there are two payers, the amounts can be puzzled together with only one potential configuration: the original transactions.

For this reason, popular mixing solutions like ZeroLink and Whirlpool are limited to mixing equal amounts. No matter what amounts are put into a mix as inputs, the mixed outputs are indistinguishable from one another, which means that any participant could have received any fixed-size chunk of coin.

If the fixed amounts are set at 1 BTC, Alice, Bob, Carol and Dave’s CoinJoin would look like so:

3 + 2.3 + 2 + 1.4 = 1 + 1 + 1 + 1 + 1 + 1 + 1 + 1 + 0.5 + 0.2

This is a big improvement, since any of the chunks of 1 could be puzzled back together into either of the two original transactions. It’s not clear which of the 1 BTC outputs belong to Alice, Bob, Carol or Dave, or even to which pair.

However, it’s still not perfect, because there are unequal outputs left. These change outputs, precisely because they don’t have equal amounts, can still be linked to specific inputs: Alice’s. This also means Alice’s inputs can be linked to each other. On top of that, if the unequal outputs are later spent in combination with the fixed-amount outputs, these leaks could undo the initial mixing process itself.
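The two CoinJoins above can be checked mechanically: count how many balanced ways a merged transaction can be split back into its two original payments, and then ask which inputs end up beside a given change output in every one of those splits. The script below is an added example written for this article, not code from the article or from any wallet project; it assumes exactly two payers and ignores fees, and the amounts are the article’s Alice/Bob figures (held as integer satoshis so that 2.3 + 1.4 balances exactly).

```python
"""Measure how much a two-payer CoinJoin hides, using the article's amounts.

Added example, not the article's or any wallet's code. Assumptions: exactly
two payers, no mining fee, amounts as in the article (constructed here).
"""
from itertools import combinations

SAT = 100_000_000  # satoshis per BTC; integers avoid float rounding


def btc(amount: float) -> int:
    """Convert a BTC amount to satoshis."""
    return round(amount * SAT)


def _subsets_with_sum(values, target):
    """Yield index tuples of proper, non-empty subsets of `values` whose
    amounts sum exactly to `target`."""
    for size in range(1, len(values)):
        for idxs in combinations(range(len(values)), size):
            if sum(values[i] for i in idxs) == target:
                yield idxs


def candidate_splits(inputs, outputs):
    """Enumerate every way to split a two-payer CoinJoin (no fee) into two
    balanced sub-transactions. Each candidate is a pair
    (input indices of side A, output indices of side A); side B is the
    complement. Input 0 is pinned to side A so that each unordered split is
    counted exactly once."""
    assert sum(inputs) == sum(outputs), "inputs and outputs must balance"
    splits = []
    for size in range(1, len(inputs)):
        for rest in combinations(range(1, len(inputs)), size - 1):
            side_a_in = (0,) + rest
            target = sum(inputs[i] for i in side_a_in)
            for side_a_out in _subsets_with_sum(outputs, target):
                splits.append((side_a_in, side_a_out))
    return splits


def inputs_always_with(inputs, outputs, output_idx, splits=None):
    """Indices of inputs that sit on the same side as output `output_idx` in
    every candidate split. Such inputs remain linkable to that output (and
    to each other) however the rest of the mix is resolved, which is the
    leak the article describes for Alice's change."""
    if splits is None:
        splits = candidate_splits(inputs, outputs)
    everyone = set(range(len(inputs)))
    linked = set(everyone)
    for side_a_in, side_a_out in splits:
        same_side = set(side_a_in) if output_idx in side_a_out else everyone - set(side_a_in)
        linked &= same_side
    return sorted(linked)


# Constructed from the article: Alice 2.3 + 1.4 -> Carol 3.2, change 0.5;
# Bob 3 + 2 -> Dave 4, change 1.
UNEQUAL_INPUTS = [btc(3), btc(2.3), btc(2), btc(1.4)]
UNEQUAL_OUTPUTS = [btc(4), btc(3.2), btc(1), btc(0.5)]

# The same payers with payments chopped into 1 BTC chunks, as in the article.
EQUAL_INPUTS = UNEQUAL_INPUTS
EQUAL_OUTPUTS = [btc(1)] * 8 + [btc(0.5), btc(0.2)]

if __name__ == "__main__":
    cases = [("unequal amounts", UNEQUAL_INPUTS, UNEQUAL_OUTPUTS),
             ("1 BTC chunks", EQUAL_INPUTS, EQUAL_OUTPUTS)]
    for label, ins, outs in cases:
        splits = candidate_splits(ins, outs)
        change_idx = outs.index(btc(0.5))
        linked = inputs_always_with(ins, outs, change_idx, splits)
        print(f"{label}: {len(splits)} candidate split(s); inputs always beside "
              f"the 0.5 BTC output: {[ins[i] / SAT for i in linked]}")
```

Run as is, the unequal-amount CoinJoin admits exactly one balanced split (the original transactions), while the 1 BTC version admits 140, which is the article’s point about equal amounts. In both versions, though, the 2.3 and 1.4 inputs land on the same side as the 0.5 BTC change output in every candidate, which is exactly the remaining leak the paragraph above describes. The enumeration is exponential in the number of inputs and outputs, so it is only practical for small mixes like this one.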
