docs(coinjoins): write primer on bitcoin privacy and coinjoins #10
Conversation
Co-authored-by: Yuval Kogman <[email protected]>
|
|
||
| ## Routing Transaction | ||
|
|
||
| - Should use Tor |
There was a problem hiding this comment.
joinmarket, electrum personal server and wasabi support broadcasting by connecting to a random node over tor.
there are also well known broadcast services, such as blockstream.
more details on the section on tor broadcasting on the bitcoin wiki Privacy page
note that broadcasting with bitcoin core is potentially problematic for privacy, especially before the recent rebroadcast improvements.
|
|
||
| - Should use Tor | ||
| - Research Dandelion | ||
| - If an attacker has enough nodes in the network it can determine the location of where the transaction was broadcasted. |
There was a problem hiding this comment.
rebroadcast attacks also interact with dust attacks here, by dusting old addresses spy nodes that aggressively connect can increase likelyhood of broadcast being linkable via network level information.
Cc @amitiuttarwar - see twitter search for talks, PR reviews on rebroadcast work
and also block lists (e.g. AWS IP ranges etc), a number have circulated
|
|
||
| ##### Rounds | ||
|
|
||
| - Role of the coordinatior |
There was a problem hiding this comment.
JoinMarket doesn't have a coordinator (technically the taker does the same job as the coordinator, i.e. putting together a transaction, but the privacy model is different)
perhaps a better typology is centralized coinjoins, using blind signatures like Samourai and wasabi, and peer to peer as in JoinMarket. I'm not aware of other implementations being in use.
…ence Co-authored-by: Yuval Kogman <[email protected]>
There was a problem hiding this comment.
coinjoins/process.md describes how WabiSabi based CoinJoins could work but that is not fully implemented yet and not a deployed system.
There are currently 3 deployed and operational systems for doing CoinJoins on Bitcoin to my knowledge:
- JoinMarket
- IRC based announcements, makers use ephemeral IDs to offer UTXOs for mixing
- takers select makers and initiate a CoinJoin transaction, the taker determines the value of the outputs and all parties may produce change outputs as necessary
- privacy best practice is to tumble as both taker and maker, and avoid consolidating to close to sum of input amounts especially for large amounts
- variety of scripts for scheduling tumbling, and sending payments (as taker or maker), as well as running maker role
- Chaumian CoinJoin
- WhirlPool - RSA blind signatures, several separate fixed denomination pools with CoinJoins involving 2 fresh inputs (outputs of a tx0) and 3 mixed inputs (outputs of prior coinjoins) producing 5 mixed outputs with the same amount. Fees paid in preparatory tx0 and by slightly larger first generation inputs to CoinJoins. tx0 may produce change
- Wasabi - Schnorr blind signatures, denomination slowly decreases, CoinJoins take arbitrary inputs and produce denomination and multiplier outputs as well change.
The two Chaumian systems are similar in their basic elements like using blind signatures as a DoS protection for anonymous output registration, and have a similar coordination structure (e.g. registration phases) but are very different in terms of how the interaction proceeds, as well as differences in the mechanism design (fees, incentives) and the resulting transaction graph.
Co-authored-by: Yuval Kogman <[email protected]>
Co-authored-by: Yuval Kogman <[email protected]>
Co-authored-by: Yuval Kogman <[email protected]>
No description provided.