JoinMarket Lead On Bitcoin Mixing Future

In a recent interview with Adam Gibson, aka Waxwing, lead JoinMarket maintainer and expert on CoinJoining, we talked about the exciting changes that we will see within CoinJoin transactions, how the processes of CoinJoin works in its current state and his outlook on further innovation. But first, let’s talk about what a CoinJoin transaction consists of in its current state.

Keep in mind, when I say “current,” this is in reference to methods actually being used today. This distinction is important because Taproot activation does not mean that new methods now available are actually currently being used.

What Is CoinJoin?

When I asked Gibson to give a simplified explanation of CoinJoining, he gave this response:

“In simple terms, CoinJoins are transactions where more than one person contributes inputs. They don’t require trust because each person only signs the transaction if it pays to the outputs they expect. They’re mainly used today to improve privacy by invalidating the assumption that all the inputs in a transaction are from one person — an assumption that blockchain analysis uses to try to trace the history of coins.”

“Transactions where more than one person contributes inputs,” he said.

Well, what’s an input? Contrary to the user interface found in most exchanges that shows you holding a specific amount of bitcoin at all times, in order to spend bitcoin, it is more like handing over dollars you have to the gas station for your cup of coffee. Bitcoin transactions add up all of your UTXOs (unspent transaction outputs) until they meet the necessary amount for the transaction, verifying that you actually have the units you are trying to spend. These prior transaction outputs totaling up to the amount of bitcoin you have are called “inputs.”

A CoinJoin transaction happens when multiple people are trying to provide the amount of bitcoin they have to finalize a transaction in a more private way. But, you do not by design sign the transaction unless the “output” is paying exactly what you expect to receive. Unspent outputs are simply units of bitcoin that have provably not been spent. If the output is proved to not be spent, then the person on the other side of the transaction can spend that bitcoin, which results in that bitcoin being sent to your wallet. Unless you are paid exactly what you expect, you don’t sign the transaction, preventing it from being completed.

Invalidating the input ownership assumption occurs when multiple people have inputs and outputs of the same amount creating a clear level of privacy to transactions. This can also be accomplished through a process called “signature aggregation,” which was not applicable before Schnorr signatures were implemented in Bitcoin and can make transactions cheaper by allowing all participants to use one single signature.

But what is signature aggregation, and why does it matter?

What Is Signature Aggregation?

When I asked Gibson how he would summarize signature aggregation, this was his answer:

“Since Taproot has been activated, in Bitcoin we can make single signatures that are actually multiple signatures ‘under the hood.’ This makes multi-signatures way less bulky and more private.”

The inception of Schnorr signatures allows for signature and key aggregation. Previously, a verifier would need to validate each signature in a transaction. Once these signatures are aggregated, or combined into one, the verifier only needs to validate the one signature. This comes with a cost savings in processing and resources spent when zoomed out to the entire blockchain. But is privacy enough incentive for people to adopt CoinJoining? We’ll return to this point later, but Gibson thinks we can go further.

This process allows for obvious privacy increases while possibly incentivizing more people to CoinJoin by saving on fees, as each transaction is basically molded with all of the rest, making it far harder to discern where each input/output is going, or coming from. So how does this process work without Schnorr being implemented? I asked Gibson that question, and here is his outline to creating a CoinJoin transaction:

The Process Before Schnorr

“I’ll try to do it as a numbered list,” Gibson said, preceding the incoming information dump that followed, breaking it down for plebs like me.

But before we get into it, we’re going to learn what a “change output” is, in Gibson’s words:

“Basically, forget CoinJoin for a minute and say you’re making a payment for a coffee. you want to pay $5 in bitcoin, but you only have one UTXO available in your wallet, and its value is $20 in bitcoin. So, you make the transaction have two outputs: one for $5, one for $15 (ignore fees for now). The coffee vendor’s address gets the $5 and the other address is one that belongs to your wallet, and you assign it $15. That’s the ‘change output.’”

If your inputs only add up to a larger sum than required, you simply subtract the difference of your purchase from your input, and what is left over comes back to you, while what was spent goes to the person you made an output for. Simple, right? Alright, let’s get into it.

Again, Gibson:

“One, a group of people/nyms gets together and agrees on an output amount, let’s say 0.5 BTC. (This is the hard part! Coordinating anons!).”

Let’s say ten people, or anonymous users (anons), all get together and say we all want to be paid this specific amount. They need to agree on that specific amount, because if the transactions are simply batched (combined without meeting an agreed output they all want), then “they can easily be separated from within that big CoinJoin transaction, just by looking at the numbers,” Gibson explained.

“Two, each person prepares enough inputs to cover at least the 0.5 BTC; just the same way as a normal wallet does when they want to make a payment of 0.5 BTC,” Gibson continued.

You and those ten other people agree to an output of 0.5 BTC. This means that each individual participating in the transaction needs to hold enough inputs to equal that amount. (Simply put, if the expected output is 0.5 BTC, then you need to hold 0.5 BTC to participate.)

“Three, each nym also, as for a normal payment, needs to prepare, a) an output address that they own, where the 0.5 BTC will go and, b) a change address for whatever is left over,” Gibson said.

Admittedly, this part confused me and I asked for a further explanation of what a change address is and how BTC could be “left over” from a transaction. This is the “change output” mentioned above.

Gibson continued:

“Four, this information from two and three is gathered together: a full list of all the inputs from all the nyms, and all the output addresses and change addresses. Different CoinJoin implementations do this differently.”

The information from steps two and three are combined.

“Five, once that info is gathered in one place, the transaction can be assembled.”

How is the transaction assembled?

“The inputs to the transaction are all the input UTXOs from all the nyms, and the outputs are: a) all the ‘output’ addresses, each assigned 0.5 BTC and, b) all the change addresses, where the amounts must be calculated by subtracting 0.5 BTC from the total of all the inputs from that nym,” Gibson said. “This transaction is unsigned, i.e., it has all the information except the signatures, so it can’t yet be broadcast to the Bitcoin network, of course.”

Simply put, all of the information we have gathered thus far is combined into a transaction, and the only thing it needs are the signatures.

Gibson:

“Six: Now that the unsigned transaction is prepared, it is sent to every one of the nyms.”

The unsigned transaction is sent to all parties in the CoinJoin transaction, and then, as Gibson explained:

“Seven, each individual nym signs each input that belongs to them,” and “Eight, each nym sends back their valid signatures on their inputs.”

Everybody sends their signatures back to finalize the transaction, verifying their inputs equal the necessary amount for the transaction.

“Nine, the coordinator gathers all of the signatures from eight. When they have one valid signature for every input in the transaction, they can just insert them into the transaction, and make a fully-valid, signed transaction, and broadcast it.”

Once all signatures are collected by the coordinator, the transaction is broadcasted to the Bitcoin blockchain.

Notes On The Process

“Obviously crucial is that each nym carefully checks the full list of inputs and outputs, to make sure they are not being cheated: the output amounts are what they expect, and their inputs are what they expect,” explained Gibson. “Notice they don’t need to care about everyone else’s inputs and outputs, as long as they get back what they expect.”

As mentioned earlier, the signature should not be given if the output does not match your expected outcome. It is, at current, the responsibility of the involved party to make sure that the transaction lines up.

Now, we can all be forgiven for thinking that the process above sounds a bit heady. Innovation requires patience. Much like the original versions of the web that were largely read-only with horrible user interfaces, eventually we were able to evolve to Web 2.0. Regretfully, this technological innovation has become largely centralized, but it does allow us to see that the pain of founders can eventually be soothed with further innovation. This brings us to JoinMarket.

The Basics Of JoinMarket

Being multifaceted, we will briefly talk about just one of the applications JoinMarket currently runs.

“Joinmarket-Qt is a GUI application which allows users to create wallets and send coinjoins,” according to Bitcoin Wiki. “It is essentially a simple GUI bitcoin wallet with sendpayment and tumbler scripts wrapped inside.”

A GUI (graphical user interface) is just a way to make a webpage or program simple to use. Instead of seeing read-only code that no one can understand, or operating on a command line, which can prove difficult for new users, JoinMarket seeks to make the process of CoinJoin easier and more accessible.

As you can see, a lot of effort is being spent for this particular innovation, and there are other platforms working on this as well. As difficult as it may sound, it’s really quite easy comparatively, as long as all parties can agree on the output. But why is all of this effort being thrown at this particular problem?

Why Does CoinJoin Matter?

This is the exact question I asked Gibson, and he told me:

“[CoinJoin] is a technique to make it impossible for a person, looking at a transaction that you created (example: you are paying them for goods or services), to be able to deduce things about your money (how much you have; what its history is, etc.). This is a big advantage for your security.”

Bitcoin is always about privacy and making sure your funds are kept safe. At the core of every change that happens within Bitcoin, privacy and security remain supreme. Gibson went on to compare the process of CoinJoining with the legacy system:

“Compare with the legacy system: your recipient almost never sees any information about your money/account, except in certain edge cases, while your bank and the government that controls it, might be able to see everything (all history).”

CoinJoining is putting private ownership of your money back in your hands. With Schnorr signatures and signature aggregation in the future, you can interact with others looking to secure privacy, and help lower fees at the same time, all while no financial institutions or centralized governments have any control over your money. Gibson’s closing remarks on this process summarize the need for this innovation, and also the necessity of further innovation.

“A person can certainly try to look at the history of your money or how much you have, directly on the blockchain,” he said. “CoinJoin is one of a number of techniques that ‘makes it impossible’ (except, that is not entirely true, it tries to do that, but it is by no means perfect, so ‘impossible’ is not the right word).”

What Comes Next?

The answer depends on your time preference. In the short term, work can be done to close up the efficacy of CoinJoining to get us closer to that point of imperviousness. Privacy isn’t enough reason for widespread adoption of CoinJoining tactics, that requires other incentives, because some might not care as much about privacy and won’t do the extra leg work just to get there.

One interesting thought is cross-input signature aggregation (CISA). On this, Gibson seems quite bullish. It’s worth noting that while this particular method can create incentives, it does not necessarily do so for private CoinJoins. While private CoinJoins will be incentivized, there will not be a requirement for private CoinJoins to achieve the savings in fees, meaning all CoinJoin transactions will be private.