Started by Bitcoin, Mar 27, 2023, 10:55 am
0 Members and 1 Guest are viewing this topic.
Wasabi Wallet's WabiSabi protocol is designed to eliminate change outputs from CoinJoins, better protecting Bitcoin users' privacy.
This is an opinion editorial by Thibaud Maréchal, a contributor to privacy-focused Bitcoin wallet project Wasabi Wallet.
Much ink has been spilled on the privacy horrors of change outputs for Bitcoin. It is now widely understood that Bitcoin is a pseudonymous network, where all users are identified by the addresses they use. When making a bitcoin transaction, instead of only sending the exact amount that is needed -- like in traditional, account-based payment systems -- you send all the sats from the original address into new ones. This creates a change output, which is the amount you get back when making a payment.
Such a change output is quite bad for privacy, as most users underestimate, or sometimes completely ignore, how easy it makes it for someone to track all related payments.
Let's examine why the change output is often referred to as "toxic" and bad for privacy.
In the above picture, we can see that everything from the address on the left got moved into two addresses on the right, while a third, small part was spent as a Bitcoin network transaction fee.
Outsiders don't necessarily know at this point which output was the payment and which one went back to the sender as change. Only the sender and the receiver know without a doubt which one is which. However, the receiver can now track the change output, and see where the payment comes from. As pointed out by many Bitcoin privacy researchers, a change output is a privacy nightmare that can undo many years of diligent UTXO management.
There is a type of collaborative bitcoin transaction that enables you to group up your UTXOs with other people's coins to gain privacy, without ever losing custody of them, called a CoinJoin. Sometimes, hundreds of participants join their coins together, making it hard to track the flows of funds, including change outputs in some cases.
CoinJoin includes multiple inputs and outputs from many different users, making it hard for outsiders to know who owns what after the CoinJoin is done. The commonly used method is to create multiple outputs of equal denominations that are indistinguishable from each other. This creates a high level of obscurity for all participants. CoinJoins usually have minimum-amount requirements that users must meet in order to participate and most implementations still produce a change output. In theory, the amount could be anything but because of the threat of denial-of-service (DoS) attacks, most CoinJoin coordinators require a rather high amount to make it difficult for a bad actor to disrupt the CoinJoin round.
When you make a payment with private UTXOs from a CoinJoin, the intent is that the receiver of your funds won't be able to know your coins' past transaction history. That is a great improvement to the original situation, where all of your previous transactions could be tracked, but there is still one problem to solve: The recipient can still follow your change output. For this reason, it is recommended to CoinJoin before and after a payment is made.
How do different CoinJoin implementations such as Wasabi, Samourai and JoinMarket manage change outputs? Are CoinJoins the definitive solution to get rid of the change output problem? Is there a better way to deal with toxic change within CoinJoins?
There are many considerations when looking at change-output management in CoinJoins. Let's explore the three main ways that exists currently:
Wasabi 1.0 CoinJoin. Source.
In this option, change outputs are included in a CoinJoin. This strategy can be referred to as "change output inclusion" and it is used in Wasabi Wallet 1.0 and JoinMarket.
Wasabi 1.0 requires around 0.1 BTC to participate in CoinJoins, while in JoinMarket, many different denominations are available. The high 0.1 BTC requirement of Wasabi 1.0 makes it impossible for many people to use. JoinMarket makes it a bit more reachable with custom denominations, though the difficult user experience is a barrier for most. In JoinMarket, you have to find or become a maker who provides liquidity. Makers decide the values for a CoinJoin, but it will still create some change outputs as takers have different amounts. On JoinMarket, a maker can choose a CoinJoin denomination that would not create a change output for them but the taker would most likely have a change after participating in the transaction. In JoinMarket, it is not that likely that both makers and takers participate in a CoinJoin without creating any toxic change output as their input amounts will likely differ.
In both cases, change outputs are present in the CoinJoin transaction, making it sometimes possible for an outside observer to link the change output to the input, especially if a user is not careful to avoid consolidations in the future. In a CoinJoin, change outputs get plausible deniability if there are enough users in a round to provide cover. Multiple inputs and multiple outputs in a transaction would make it more difficult to figure out which input a change output corresponds to. The larger the transaction, the more difficult and costly is the analysis to link a given output to an input. The user can register multiple different inputs of small amounts, as long as they add up to at least the minimum for a given CoinJoin round. That being said, because only one transaction is required, it is quite simple and cheap for a user to participate in CoinJoins.
In Wasabi 1.0, if a user has, for example, one UTXO worth 0.17 BTC, they can participate in a CoinJoin round to get a roughly 0.1 BTC private coin, but they also get a roughly 0.07 BTC change output. This is the case because it cannot be assumed that there are going to be multiple 0.17 BTC inputs or 0.07 BTC outputs to provide cover (an adequate anonymity set), even though this can happen by coincidence. In the Wasabi 1.0 interface, CoinJoin UTXOs are labeled as private with a green shield, while the non-private change outputs are labeled with a clearly-visible red shield. If a user tries to consolidate by spending them together, they will see a warning discouraging the consolidation, though it can still be done.
In some cases, it is thus still possible to link a change output in Wasabi 1.0 and in JoinMarket to other inputs and outputs, which makes the change inclusion strategy in these CoinJoins not that robust over time.
Let's consider other alternatives.
Whirlpool CoinJoin. Source.
In this option, change outputs are excluded and isolated before a CoinJoin happens. This strategy can be referred to as "change output isolation" and it's the one that Samourai Wallet uses for its Whirlpool implementation.
Whirlpool relies on four CoinJoin pool sizes of different denominations, namely 0.5 BTC, 0.05 BTC, 0.01 BTC and 0.001 BTC, but it comes with the inherent tradeoff of splitting the liquidity, which can lead to delays and lower privacy.
In Samourai, if a user also has one coin worth 0.17 BTC, they first have to participate in a preparation transaction called "Tx0." Tx0 is a proposed way to get rid of change before a Whirlpool CoinJoin.
Let's assume the user now chooses the 0.05 BTC pool to CoinJoin in. Before the user gets into the CoinJoin, they break the 0.17 BTC input into three standard, roughly 0.05 BTC outputs and a roughly 0.02 BTC change output and pay the coordinator fee. Those three outputs of about 0.05 BTC each are then expected to CoinJoin in the 0.05 BTC pool at some point, while the remaining roughly 0.02 BTC is sent to a different, automatically-generated sub-wallet that they own, often referred to as the "bad bank" holding "doxxic change." Even though it is technically accurate that Whirlpool CoinJoins do not have a toxic change output, they are still creating one that can be followed; it's just in the Tx0 before it. Tx0 isolating the toxic change output in a user sub-wallet before a CoinJoin is worse for privacy than having it included in the CoinJoin, as there is no one to provide cover for the change output.
In Whirlpool, if the user wanted to consolidate and spend change with CoinJoin outputs together, it would be very difficult as they belong to different sub-wallets. This may initially sound good but it comes with an inherent downsides regarding cost and user experience. A user may still want to use the isolated toxic change output as it represents an important amount of money. They could put the change in the smaller pool and pay another coordinator fee for it but there would still be meaningful leftovers. There are also legitimate edge cases in which a user could be willing to consolidate a UTXO from a CoinJoin with a change output, like when a new Samourai Wallet user realizes that the wallet sends his XPUB to Samourai servers by default.
Change output isolation also creates a burden on the user as they now have to deal with another non-standard sub-wallet. This sub-wallet also makes recoverability of funds more difficult with other wallets, which creates some form of vendor lock-in with Samourai, despite it being a non-custodial wallet.
Creating a separate sub-wallet to isolate change outputs from CoinJoin transactions is, at best, an experiment that has proven quite blockspace inefficient, and therefore expensive for users. While many Samourai supporters praise it, Tx0 seems to me to be a naive attempt at handling the problem of change-output management in CoinJoins.
Inclusion strategies such as those with Wasabi 1.0 and JoinMarket, where change outputs are included in CoinJoins, are better at protecting user privacy in terms of usability, blockspace efficiency and fees. Although both inclusion and isolation can also be quite bad for user privacy if poorly handled due to consolidation risk.
If a user consolidates different Tx0 toxic change outputs together to enter another CoinJoin pool, it would be clear that all of the different change outputs and Tx0s were made by the same person, which is a privacy leak. As we can see on the KYCP and OXT websites, which are closed-source chain analysis tools built by Samourai, Whirlpool CoinJoins look "prettier" than JoinMarket and Wasabi CoinJoins, since the change output is not included in the transaction. As previously discussed, in Wasabi 1.0 and JoinMarket CoinJoins, the change output is in the CoinJoin, making it blockspace efficient but "ugly," since not all outputs are equal. In the change inclusion strategy, if there are multiple users, even the change output might not be clearly connected to its original input. In Tx0, it is always 100% clear.
Whirlpool users have to choose which pool they want to participate in, and have to take part in at least two transactions, which is a Tx0 to isolate the change, followed by an equal output CoinJoin transaction. The design of Whirlpool limits the number of inputs and outputs to five, respectively, so a user looking to achieve privacy must CoinJoin quite a few times due to their small size, adding further delays.
What would be a better way to manage change outputs in CoinJoins, if not isolation or inclusion?
Wasabi 2.0 CoinJoin (Mempool.Space is currently limited to showing a maximum of 150 inputs and outputs each, while Wasabi Wallet 2.0 CoinJoins can include up to 400 each). Source.
In this last option, toxic change outputs are outright eliminated during a CoinJoin. Since we cannot properly manage change outputs, we must get rid of them. No more change outputs. Reviewing the evolution of CoinJoins, having one standard denomination per pool seems quite static, and invites consolidation and toxic change, which is bad for privacy. With single-denomination CoinJoins such as with Wasabi 1.0, JoinMarket and Samourai (Whirlpool), the problem of change outputs cannot be eradicated.
The ZeroLink protocol that Nopara73, the founder of Wasabi Wallet, designed and developed along with others, was not optimized for multiple-denomination CoinJoins, so a redesign was required. Enter the WabiSabi protocol with arbitrary-amount CoinJoins, allowing multiple denominations, which successfully gets rid of the problematic change outputs in single denomination CoinJoins.
After almost three years of research, the Wasabi team invented a novel way of doing CoinJoins by using key-verified anonymous credentials (KVACs) and a specific type of amount organization, maximizing privacy and efficiency while eliminating change outputs. The new cryptographic protocol was named WabiSabi, which is a Japanese word for finding beauty in imperfection, and the re-design of the Wasabi Wallet that utilizes WabiSabi was named Wasabi 2.0.
With WabiSabi, instead of having to consolidate inputs to meet a minimum denomination, each input (with a maximum of 10, as specified by the Wasabi 2.0 client) gets registered separately, resulting in no connection between different inputs registered in a CoinJoin round. The minimum denomination in the WabiSabi protocol that Wasabi 2.0 uses is only 0.00005000 BTC (5,000 sats), which means that now, everyone is able to reclaim their privacy and participate in CoinJoins.
The user can register up to 10 inputs and get up to right outputs, with randomization. Inputs may be broken down into multiple smaller outputs or consolidated into fewer large outputs, or both. A large list of predetermined output amounts enables having multiple equal amount outputs of different denominations, without creating a change output. Even if there is an unequal amount output whose value is only close to the other outputs, it is practically impossible to know which input or output it is linked to due to having so many possibilities.
A user may decide to CoinJoin multiple times (known as a remix) to get better plausible deniability, but one transaction can already provide sufficiently good privacy. Generally, no matter how much bitcoin a Wasabi 2.0 user has, they may be able to CoinJoin all of their UTXOs in one single transaction, often without creating a toxic change output. With Wasabi 2.0 CoinJoins, there are no deterministic links between input and outputs, with the exception of whales who have much larger inputs than all the other participants', which therefore require additional rounds of CoinJoins to reclaim their privacy entirely.
In Wasabi 2.0, you can manually adjust your UTXO selection to avoid creating a change output in your payment. In its change-avoidance feature, Wasabi 2.0 recommends options to slightly modify your payment amount in order to avoid creating undesirable change. Even if you do end up creating a change output from sending previously CoinJoined bitcoin, it can be automatically registered in another CoinJoin for free.
A new era of digital privacy has begun with CoinJoins for bitcoin, and the WabiSabi CoinJoin protocol used in the Wasabi Wallet 2.0 seems to have fixed a major design tradeoff of the Bitcoin UTXO model. Change outputs can now be eliminated from CoinJoin transactions, which has huge implications for bitcoin wallets in terms of privacy and usability. Bitcoiners using CoinJoins don't need to worry about change outputs being a privacy risk or outright liability anymore.
"Change output?" you ask. What change output? There is no change output.
This is a guest post by Thibaud Maréchal. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.
Page created in 0.043 seconds with 17 queries.