[bitcoin-dev] Hiding CoinSwap Makers Among Custodial Services

ZmnSCPxj ZmnSCPxj at protonmail.com
Fri Jul 17 06:02:03 UTC 2020

Good morning Chris,

> On 13/06/2020 15:06, ZmnSCPxj wrote:
> > Good morning Chris,
> >
> > > Would it be fair to summarize the idea in this way:
> > > CoinSwappers can slow down the CoinSwap process which will give an
> > > opportunity for makers to use batching.
> >
> > I think so.
> > Regards,
> > ZmnSCPxj
> It's definitely a good idea. As well as improving privacy by pretending
> to be a service provider which uses batching, it may also be practical
> just because CoinSwap takers will want to slow down the process for
> greater privacy so that an adversary would have to search more of the
> blockchain to attempt to deanonymize them. Also, by being prepared to
> wait longer the takers will also save miner fees.

Despite the subject title, I have realized belatedly that the same kind of batching can be done by the taker as well.

For example, the taker can contact two makers in parallel to setup separate CoinSwaps with them.
Then the taker produces a transaction spending its funds and sending them out to two outputs.

If the taker uses P2PKH for receiving and change, and we use (via 2p-ECDSA) P2PKH 2-of-2 to anchor the swaps, then if both CoinSwap operations are successful, the transaction looks exactly like an ordinary pay-to-someone-and-get-back-change transaction.

Indeed, each of the two makers contacted, if they are not themselves colluding with each other, cannot really differentiate this from somebody doing a CoinSwap only with them, since the other output is indistinguishable from change.

I am uncertain how much extra privacy (or cheapness) this buys the taker, however.


More information about the bitcoin-dev mailing list