Coin Mixing and CoinJoins Explained
Introduction
Bitcoin is often referred to as digital cash, but this is a questionable comparison. If Alice pays Bob ten dollars in cash, Bob has no idea where the money came from. If he later goes on to give it to Carol, she will be unable to deduce that Alice was once in possession of it.
Bitcoin is different because of its inherent public nature. The history of a given coin (more precisely, an unspent transaction output or UTXO) can be trivially observed by anyone. It’s a bit like writing the transaction amount and names of participants on a bill every time it’s used.
That said, the pseudonymity of a public address ensures that users’ identities are not easily revealed. Still, Bitcoin is not completely private. Blockchain analysis grows increasingly sophisticated and is capable of linking addresses to identities more and more efficiently. Alongside other surveillance techniques, a dedicated entity can deanonymize cryptocurrency users. To remedy this, techniques to unlink transactions have surfaced over the years.
What is coin mixing?
Broadly speaking, coin mixing could refer to any activity that involves the obfuscation of funds by substituting them with others. However, in the cryptocurrency space, coin mixing commonly denotes a service provided by a third-party. Typically, the service providers take users’ coins (and a small fee), and return coins that have no link to the sent ones. These services are also known as tumblers or mixers.
The security and anonymity of such centralized services are questionable, of course. Users have no guarantee that their money will be returned to them by the mixer or that the coins returned aren’t tainted in some way. An additional aspect to consider when using a mixer is that IP and Bitcoin addresses might be logged by a third party. Ultimately, users give up control of their funds in the hopes of receiving unlinked ones back.
An arguably more interesting approach exists in the form of CoinJoin transactions, which create a significant degree of plausible deniability. That is to say that, after a CoinJoin, no evidence can link a user with certainty to their previous transactions. Many CoinJoin solutions provide a decentralized alternative to mixers. Though there may be a coordinator involved, users don’t need to sacrifice custody of their funds.
What is a CoinJoin?
CoinJoin transactions were initially proposed by Bitcoin developer Gregory Maxwell in 2013. In his thread, he gives a brief overview of how these transactions are structured and how massive privacy gains can be achieved without any changes to the protocol.
In essence, a CoinJoin involves the combination of inputs by multiple users into a single transaction. Before we explain how (and why), let’s take a look at the structure of a basic transaction.
Bitcoin transactions are made up of inputs and outputs. When a user wants to make a transaction, they take their UTXOs as inputs, specify the outputs, and sign the inputs. It’s important to note that each input is signed independently, and users can set multiple outputs (going to different addresses).
If we look at a given transaction made up of four inputs (0.2 BTC each) and two outputs (0.7 BTC and 0.09 BTC), there are a few different assumptions we can make. The first is that we’re watching a payment take place – the sender is sending one of the outputs to someone, and returning some change to themselves. Since they’ve used four inputs, the larger output is probably for the recipient. Note that we’re missing 0.01 BTC from the outputs, which is the fee given to the miner.
It’s also possible that the sender wants to create a large UTXO out of smaller ones, so they consolidate smaller inputs to get the desired 0.7 BTC outcome.
Another assumption we can make is based on the fact that each input is signed independently. This transaction could have up to four different parties signing the inputs. And therein lies the principle that makes CoinJoining effective.
How does a CoinJoin work?
The idea is that multiple parties will coordinate to create a transaction, each providing inputs and desired outputs. As all of the inputs are combined, it becomes impossible to say with certainty which output belongs to which user. Consider the diagram below:
Here, we have four participants that wish to break the link between transactions. They coordinate amongst themselves (or via a dedicated coordinator) to announce the inputs and outputs that they would like to include.
The coordinator will take all of the information, craft it into a transaction, and have each participant sign before broadcasting it to the network. Once users have signed, the transaction can’t be modified without becoming invalid. Therefore, there is no risk of the coordinator running off with the funds.
The transaction serves as something of a black box to mix coins. Remember that we effectively destroy UTXOs to create new ones. The only link between the old and new UTXOs that we have is the transaction itself, but, of course, we can’t distinguish between participants. At best, we can say that a participant provided one of the inputs and is maybe the new owner of a resulting output.
But even that is by no means guaranteed. Who’s to say, when looking at the above transaction, that there are four participants? Is this one person sending their funds to four of their own address? Two people making two separate purchases and returning 0.2 BTC each back to their own addresses? Four people sending to new participants, or back to themselves? We can’t be sure.
Privacy through deniability
The very fact that CoinJoin implementations exist is enough to cast doubt over the methods used to analyze transactions. You can deduce that a CoinJoin has taken place in many cases, but you’re still none the wiser as to who owns the outputs. As they grow in popularity, the assumption that inputs are all owned by the same user is weakened – a massive leap for privacy in the broader ecosystem.
In the previous example, we say that the transaction had an anonymity set of 4 – the owner of an output could be any of the four participants involved. The larger the anonymity set, the less likely it is that transactions can be linked to its original owner. Fortunately, recent CoinJoin implementations make it trivial for users to trustlessly merge their inputs with dozens of others, providing a high degree of deniability. Recently, a 100-person transaction was successfully executed.
Closing thoughts
Tools for mixing coins are an important addition to the arsenal of any user serious about their privacy. Unlike proposed privacy upgrades (such as Confidential Transactions), they’re compatible with the protocol as it is today.
For those that trust the integrity and methodology of third parties, mixing services are an easy solution. For those that prefer a verifiable and non-custodial alternative, CoinJoin alternatives are superior. These can be done by hand for technically-proficient users, or by using software tools that abstract away the more complex mechanisms. Already, there are a handful of these tools that only continue to grow in popularity as users strive for greater privacy.