1
What is CoinJoin?
2
Who created CoinJoin, and when?
3
What problem does CoinJoin solve?
Contrary to a common refrain, bitcoin does not offer full anonymity. Analysis of the public blockchain can link transactions to an individual.
Bitcoin transactions consist of inputs (sending addresses) and outputs (receiving addresses). When a user wants to transact, they select unspent transaction outputs (UTXOs) as inputs, specify outputs and sign the inputs. Each input is signed independently, and users may specify multiple outputs.
Example of a transaction with four inputs and two outputs:
This transaction has four inputs (0.2 BTC each) and two outputs (0.7 BTC and 0.09 BTC). It is obvious to an observer that a payment is being made: the sender pays one output to someone and returns the change to themselves. Because four inputs were used, the larger output is likely the payment to the recipient. A fee of 0.01 BTC is deducted and collected by the miner.
An observer might also infer that the sender is consolidating smaller inputs to create a larger UTXO (0.7 BTC).
Another inference from such a transaction is that each input is signed independently.
CoinJoin addresses the lack of genuine anonymity in bitcoin.
4
How does CoinJoin work?
An analogy for CoinJoin is a group pooling their cash in one wallet before going shopping. Everyone can watch that no one overspends, but purchasers do not necessarily use the very banknotes they contributed.
With CoinJoin, several parties jointly construct a transaction; each provides inputs and desired outputs. Once all inputs are combined, it becomes impossible to say with confidence which output belongs to which user.
Example:
Four participants want to break links between transactions. They coordinate among themselves (or via a dedicated coordinator) and state which inputs and outputs they want included.
The coordinator embeds this information into a transaction, each participant signs it, and the transaction is broadcast. After participants have signed, it cannot be altered; otherwise it becomes invalid. There is therefore no risk of the coordinator stealing funds.
The transaction acts as a black box that mixes coins. The old UTXOs are spent and new ones created. The only connection between the old and new UTXOs is the transaction itself, but its participants cannot be identified. At most, one can know that a participant supplied one of the inputs and may be the new owner of a final output.
5
Are there weaknesses in CoinJoin?
- CoinJoin does not provide complete anonymity: senders and recipients appear on the blockchain. Transactions can also be identified using the CoinJoin Sudoku analysis tool. This can be mitigated by using fixed denominations for outputs (0.1 BTC, 1 BTC, 10 BTC, etc.), but that adds complexity and constraints.
- Creating such transactions requires grouping and coordination among participants.
6
How is CoinJoin evolving?
7
Where and how is CoinJoin used?
As of April 2020, two wallets support CoinJoin: the mobile Samourai Wallet with its Whirlpool feature, and the desktop Wasabi Wallet.
On April 5, 2020, the presumed birthday of Satoshi Nakamoto, the bitcoin community marked the first CoinJoin Day, a day of transaction mixing. To mark the occasion, the Wasabi developers released a new version.
CoinJoin is also used in MimbleWimble, a PoW protocol offering broad scalability and enhanced privacy.
8
What is ZeroLink?
9
Who created ZeroLink, and when?
10
How does ZeroLink work?
ZeroLink addresses a key problem in CoinJoin-style mixing: a third party (an individual, server or wallet) may know the source and destination of each bitcoin, creating a single point of failure.
ZeroLink operates with two types of wallets: pre-mixing and post-mixing. The former holds initial funds; the user sends them to a tumbler, which distributes mixed bitcoins to wallets for subsequent mixing.
ZeroLink users provide inputs and outputs (from and to addresses) from the pre-mix wallet; the outputs are encrypted, so the tumbler does not know the final recipients of the coins it receives. This encryption is known as “blinding”.
The tumbler then cryptographically signs the blinded output using a blind signature. Thus, the transaction data can be verified at each step, confirming that the blinded data correspond to what was sent originally.
Users then connect to the ZeroLink tumbler via Tor or a similar network and provide the tumbler with unblinded outputs. These are signed using the same blind-signature scheme and compared with the initial blinded outputs to confirm their legitimacy.
Once validated, the tumbler adds the outputs to a large CoinJoin transaction and sends it to users, who confirm it with their private keys.
After confirmation, the tumbler publishes the transaction, which miners include in a block. As a result, all bitcoins are “cleaned” and become fungible again.
11
Where is the ZeroLink protocol used?
12
What is Stonewall?
13
Who developed Stonewall, and when?
14
What are Stonewall’s features?
Stonewall does not use CoinJoin but creates the appearance that it does. In essence, Stonewall transactions are ordinary payments: one user sends bitcoin to another. The trick is that users combine their transactions into one, adding an arbitrary number of inputs and outputs to a standard bitcoin transaction. To an outside observer, it resembles a CoinJoin transaction, making standard blockchain analysis less effective.
Stonewall transactions exhibit higher entropy than standard bitcoin transactions, raising the cost of automated chain analysis and hindering transaction-graph analysis. They are constructed to receive a Boltzmann score above zero (Boltzmann is a script that returns a transaction’s entropy, providing a system of metrics for input–output linkability via blockchain-analysis mapping techniques).
Stonewall is less effective than other techniques such as Confidential Transactions (CTs), but it reduces the amount of information available to blockchain analysts.
15
Where is Stonewall used?