[bitcoin-dev] Design for a CoinSwap implementation for massively improving Bitcoin privacy and fungibility

Chris Belcher belcher at riseup.net
Wed Jun 10 11:15:03 UTC 2020 

Hello Lee,

Thanks for the review.

On 10/06/2020 01:43, Mr. Lee Chiffre wrote:
> 
>>
>> === Combining multi-transaction with routing ===
>>
>> Routing and multi-transaction must be combined to get both benefits. If
>> Alice owns multiple UTXOs (of value 6 BTC, 8 BTC and 1 BTC) then this is
>> easy with this configuration:
>>
>>              Alice
>>     (6 BTC) (8 BTC) (1 BTC)
>>        |       |       |
>>        |       |       |
>>        v       v       v
>>               Bob
>>     (5 BTC) (5 BTC) (5 BTC)
>>        |       |       |
>>        |       |       |
>>        v       v       v
>>             Charlie
>>     (9 BTC) (5 BTC) (1 BTC)
>>        |       |       |
>>        |       |       |
>>        v       v       v
>>             Dennis
>>     (7 BTC) (4 BTC) (4 BTC)
>>        |       |       |
>>        |       |       |
>>        v       v       v
>>              Alice
>>
> 
> 
> 
> 
> 
> 
> Great work Chris and you have my respects for your contributions to
> Bitcoin. A concern I have with bitcoin is scalability and privacy. Both
> are important. The reasons people bash on Monero is also the same issue
> Bitcoin has. The very large transaction size to achieve acceptable privacy
> on a distributed financial network. Im not shilling Monero here. I am only
> saying that bitcoin transactions with similar privacy properties are at
> least equally as large as Monero transactions. Coinjoin on Monero can be
> compared to ring signatures in Monero from the view of using decoys to
> help conceal the source. From this proposal is this to say that
> transactions will be at least 12 times larger in size to achieve the
> property of privacy that bitcoin is currently missing?
> 
> Another thing to consider is that if coinswaps cannot be sent as a payment
> then a coinswap needs to take place after every transaction to keep the
> privacy and unlinkability from your other bitcoin transactions.
> 
> I always thought that CoinSwap would be and is a very much needed thing
> that needs developed. The ability to swap coins with other people in a
> trustless way and way that is not linkable to the public blockchain. But
> how can this be scalable at all with the multiple branches and layers?
> This is a good idea in theory but my concern would be the scalability
> issues this creates.
> 
> Do you have any comments on this?
> Thank you
> 

You are right to be concerned about scalability.

Here's a few of my thoughts on this:

An issue with Monero (or any cryptocurrency based on the ring signature
input signing scheme) isn't just that transactions are bigger in bytes.
Monero full nodes can't know when a TXO has been spent, so pruning is
impossible in Monero and the list of TXOs perpetually grows, this is
unlike in bitcoin where full nodes know if a UTXO has been spent and so
can delete it in pruning. The storage space needed for Bitcoin's UTXO
set sometimes actually gets smaller.

Note that Monero software actually has a feature called "pruning" so
sometimes the terminology gets confused when people say "wait, Monero
_does_ have pruning". But this pruning doesn't do the same thing as
Bitcoin's pruning, the disk space still grows as O(TXOcount) which is
much faster compared to Bitcoin's O(UTXOcount).

And when designing this CoinSwap system I've been careful to make sure
it doesn't break pruning (or other resources saving features, for
example CoinSwap can be made to work with the blocksonly feature of
Bitcoin Core). So bitcoin-with-CoinSwap's scalability isnt anywhere near
as bad as Monero's.

You're right to talk about decoys. Decoys are not a good way to obtain
privacy because they can be broken by repeated interactions.. I really
like this talk about why decoys are not a good solution to privacy in
many cases:

talk: https://www.youtube.com/watch?v=YgtF7psIKWg&feature=youtu.be&t=3701
transcript:
https://tokyo2018.scalingbitcoin.org/transcript/tokyo2018/how-much-privacy-is-enough

Equal-output CoinJoins also work with decoys. Like in JoinMarket you
could analyze those CoinJoins to say that the inputs and outputs of the
makers in a CoinJoin are actually just decoys. Fixed-denomination
CoinJoins like in Wasabi or Samourai also use much more block space
because of the reduced divisibility, for example Wasabi coinjoins can
only be done with about 0.1 BTC, so if you want to mix 1 BTC then you
have to do 10 such CoinJoins, costing 10 times the block space.

CoinSwap doesn't work by adding decoys, it improves privacy in the same
way as Lightning: by moving information off-chain.

You could perhaps analyze CoinSwap as using decoys if you say that the
decoys are almost every other bitcoin transaction happening on the
blockchain, and that can be almost as big as you want. One full block
has about 3000 outputs, so if you wait a day between the CoinSwap
funding and spending transactions then that's 144*3000 = 432000 decoys
(this calculation is simplified, but it's a good starting point). If
CoinJoin or Monero transactions had that many decoys they would be
hundreds of MB each.


Because CoinSwap transactions can look exactly the same as regular
transactions, they would improve the privacy of users even if they don't
use CoinSwap.

So on twitter sometimes I see people talking about "making every spend a
CoinJoin". The suggestion would be very costly in block space, and isn't
necessary for CoinSwap. I think perhaps 5% of transactions being
CoinSwaps or PayJoin-with-CoinSwap (as long as they were spread roughly
equally across the economy) would be enough to destroy the transaction
graph heuristic and common-input-ownership heuristic. Then anyone
analyzing the blockchain couldn't be sure when they see coins going from
address A to B that the ownership actually went from A to B, or that if
they see multiple inputs they don't know whether those inputs are
actually owned by the same entity.

Also, CoinSwaps could be used as payment. For example take this 1-hop
CoinSwap where Alice owns 10 BTC and wants to deposit 5 BTC into her
exchange account.

      (3 BTC) -->     (5 BTC) --> Exchange
Alice (1 BTC) --> Bob (4 BTC) --> Alice change1
      (6 BTC) -->     (1 BTC) --> Alice change2

So on the last hop Alice sends 5 BTC as payment to the exchange (to
deposit) and the remaining outputs go back to Alice as change. The
exchange can't see Alice's UTXOs that she just spent, and also can't see
Alice's change outputs.


Additionally, even in the example you use where 12 times as much block
space is used as normal, this is still cheaper than Equal-Output
Coinjoins. For example with JoinMarket a single CoinJoin is
approximately 12 times bigger than a regular bitcoin transaction, and to
get good privacy using JoinMarket's tumbler algorithm the user typically
creates 7-15 of those CoinJoins. And even then those CoinJoins are very
obvious and don't improve the privacy of people who don't use them,
meaning we have to advocate the expensive and impractical slogan "make
every spend a CoinJoin". And they also don't provide as much privacy as
CoinSwap would, because their anonymity set is smaller than CoinSwap's.


Finally, we know that blockchains don't scale, and so its widely
expected that most day-to-day bitcoin transactions will happen off-chain
on something like Lightning network, which also brings us privacy.
CoinSwap then is mostly useful for the situations where on-chain
transfers are still needed, and also because good on-chain privacy is
necessary for Lightning to really be private, because otherwise the
on-chain channel UTXOs can be tracked.

More information about the bitcoin-dev mailing list