4 hours ago · 2 min read
Guest Post › Bitcoin › Privacy
Bitcoin Privacy 101: Key differences between a CoinSwap and a CoinJoin
As new privacy-enhancing tools are becoming available, Bitcoin can be used more privately now than ever before.
Bitcoin is trustless and permissionless — anyone can use it without having to provide their real-world identity. This leads many people to think of Bitcoin as an anonymous network, where transactions are private, however in reality this is far from the truth. Bitcoin can work without a trusted third party in part because it is radically transparent — the entire transaction history is recorded and verified by everyone (well, every full node) and so is publicly available for anyone to analyze.
This full transaction history provides a structure known as the ‘transaction graph’ which is essentially how transactions are connected together, and shows how the bitcoin has moved between different addresses.
This public information can reveal a lot about the nature of transactions and be used to track the movement of funds and de-anonymize individual addresses. For example, although an individual bitcoin wallet address can be generated and used anonymously, much of the activity on Bitcoin is linked to real-world identities via regulated exchanges and custodians who are required to share customer information with authorities.
Using this information, companies that specialise in blockchain analysis can link any purchases or transactions back to the identity of the person who first purchased the coins.
The public nature of the transaction graph threatens the promise of Bitcoin as a fungible currency, where all coins have equal value, and can be used privately. Fortunately, there are several techniques that can be used to significantly improve the privacy of transacting with bitcoin that work by essentially obscuring and breaking the transaction graph.
What is a CoinJoin?
The most well known of these is called a ‘CoinJoin’ — this is essentially a combination of many separate individual transactions into a single larger one, such that it is not possible to link the transaction inputs (the origin of the coins) to the outputs (the destination addresses of the coins) with the on-chain data.
All the outputs in a given coinjoin transaction are effectively indistinguishable and share the same history. There are several different services and wallets that can perform coinjoin transactions, such as Wasabi and Samourai. Each of these relies on a centralised ‘coordinator’ that enables anonymous strangers to coordinate to build the combined transactions, which charges fees for the service. One important limitation of coinjoins, is that to maintain the indistinguishability of the transaction outputs, every participant must use the same value input.
CoinJoins have been used on the Bitcoin base layer for many years, and a substantial quantity of bitcoin has gained anonymity as a result. However, they are relatively expensive in terms of transaction fees as each coinjoin transaction must be confirmed on-chain. In addition, the ‘anonymity set’ (i.e. the number of coin histories your output could be linked to) is limited to the number of people you have directly been in a coinjoin transaction with (therefore usually requiring many transactions to get a good anonymity set).
What is a CoinSwap?
More recently another privacy-enhancing technique has been gaining attention, so, called CoinSwaps — which are essentially an exchange of coins (i.e. transaction outputs) between owners where no link is created in the on-chain transaction graph. This can be thought of as a transfer of the ownership of coin off-chain — if users can securely swap ownership of coins with different origins without any trace of this on the blockchain, then the assumption of using the transaction graph to track ownership is broken.
One way to imagine this process is that a number of people, each with a specific amount of bitcoin paid to a private key secured on a device (like an OpenDime), could meet, each throws their OpenDime into a pot, shake it up, and then each pick one at random.
Ownership of individual transaction outputs has changed, but is completely off-chain. As in the case of coinjoins, the swapped coins should be of equal value (but interestingly, unlike coinjoins, they don’t need to be equal value for privacy, only coordination).
Off-chain coinswaps are now possible due to the implementation of statechains: a Bitcoin layer-2 protocol that enables the secure transfer of a private key that controls a coin between owners. Currently, the only implementation of statechains, Mercury wallet, is proactively non-custodial, censorship-resistant and verifiable, but does require trust in the statechain entity to enforce atomicity of swaps.
The Mercury wallet operates a Chaumian (blinded) swapping protocol that prevents the server (conductor of the swap) from knowing who swapped with who in a multiparty swap. The fact that off-chain transfers are zero-fee and can be performed hundreds of times means that larger anonymity sets for each on-chain transaction are possible with this approach. The ‘on-chain’ anonymity set (assuming that mercury statecoins are easily identifiable) is the size of all coins of a given value deposited with the statechain entity (i.e. any coin could have been swapped with any other).
Both of these approaches have somewhat different benefits and costs, but as new privacy-enhancing tools are becoming available, Bitcoin can be used more privately now than ever before, and chain analysis/surveillance is becoming ever more futile.