How Does This Bitcoin Privacy Improvement Compare with CoinJoin and CoinShuffle?
Note: This article is part of a three-part series of articles on TumbleBit. You can read part one here.
TumbleBit is a recently announced Bitcoin improvement that could potentially benefit the peer-to-peer digital cash system in the areas of privacy and scalability. Many privacy-improving Bitcoin enhancements have been proposed over the years, but TumbleBit can be deployed on the current version of the Bitcoin protocol. In that regard, the proposal falls under the same category as CoinJoin and CoinShuffle.
“I think a . . . sensible comparison would be to something like CoinJoin, which is also something that works on top of bitcoin and involves participants communicating off-chain according to a separate protocol (but then going back to the blockchain in the end),” Blockstream Mathematician Andrew Poelstra told CoinJournal when asked to compare TumbleBit to Bitcoin privacy improvements and privacy-preserving altcoins.
Compared to CoinJoin
CoinJoin is a method of improving anonymization in Bitcoin that was first proposed by Blockstream CTO and Bitcoin Core contributor Greg Maxwell. As the name indicates, the basic idea behind CoinJoin is to obfuscate the ownership of bitcoins by joining them with other bitcoins in a single transaction.
Instead of seeing Bob’s address sent money to Alice’s address on the blockchain, the movement of coins is essentially put into a pool of other transactions taking place at the same time. The pool of transactions is then published to the blockchain as one transaction with a number of different input and output addresses, but there is nothing linking the to and from addresses to each other from the perspective of an outside observer (when best practices are used).
One potential drawback of how CoinJoin is typically used today is that at least one party involved in the mixing transaction usually has access to the mapping between inputs and outputs. For example, the initiator of a CoinJoin transaction made via JoinMarket has access to this information, and he pays for the privilege of knowing his counterparties don’t also have access to that information. It is also possible to do CoinJoin transactions in ways that prevent any participant from learning which inputs are connected to which outputs. CoinShuffle is one example of a CoinJoin implementation that achieves this goal.
“It’s directly comparable to a scheme where people send their coins to some central party, then withdraw them from that party (and the central party doesn’t link what comes in or what goes out),” said Poelstra. “The user experience here is pretty much the same but there’s huge privacy and trust benefits to this scheme. The tumbler can’t steal, and the tumbler doesn’t even know the mapping between what goes in and what goes out.”
According to Poelstra, another benefit of TumbleBit over CoinJoin is “each interaction with the tumbler is isolated.”
“If the recipient screws around, his own receipt gets delayed or doesn’t happen,” explained Poelstra. “If the sender screws around, her own send gets delayed or doesn’t happen. They can’t stall an entire round or affect other users.”
In contrast, CoinJoin transactions require cooperation among the parties who wish to mix their coins. “A bad apple can screw up a round for everybody,” said Poelstra. “Then they get banned and the round gets restarted — not the end of the world, but it’s annoying. I think probably you could implement CoinJoin in a way that this wouldn’t happen, but it gets complicated.”
One of the possible downsides of TumbleBit pointed out by Poelstra is the tumbler must front the money for the mixing transactions — albeit in a safe way that does not put the tumbler’s money at risk.
Compared to CoinShuffle
As mentioned above, CoinShuffle is a CoinJoin implementation that prevents any of the involved parties from mapping transactions between users. The destination addresses aren’t even known to the senders.
“The best CoinJoin-based privacy tool which has been proposed is CoinShuffle,” TumbleBit co-author Ethan Heilman told CoinJournal. “Since CoinShuffle is a Bitcoin tumbler we can compare it directly to TumbleBit’s classic tumbler mode.”
Heilman went on to acknowledge that both TumbleBit and CoinShuffle offer theft protection and k-anonymity to users without the need for a third party. However, he also explained some tradeoffs between the two privacy options.
“CoinShuffle and TumbleBit in classic tumbler mode represent different trade-offs between speed and anonymity,” explained Heilman. “Coinshuffle can perform a tumble in only one block but the anonymity set provided is limited by quadratically increasing communication costs (CoinShuffle tested a tumble of 50 users). Using TumbleBit as a classic tumbler takes at minimum two blocks but it does not face any limitations on its anonymity size (we tested a tumble of 800 users on Bitcoin’s Blockchain).”
“In general, I would say that anonymity in Bitcoin is a hard problem and no single protocol or service is sufficient to provide it,” Daniel Krawisz, who created a CoinShuffle implementation called Shufflepuff, told CoinJournal. “Instead, people will need to use every trick in the book. I would like to see people treating all these anonymity ideas as primitives that can be combined and built upon than as ultimate solutions.”
Solving a Lingering Problem
One problem that CoinJoin, CoinShuffle, and TumbleBit all have in common has to do with the amounts used in mixing transactions. The amounts used in mixing transactions have the potential to deanonymize users because someone looking at the blockchain can match the input amounts with the output amounts. For example, if Bob sends Alice five bitcoins and Carol sends Steve ten bitcoins, then it’s easy to connect Bob’s five bitcoins to Alice’s five received bitcoins (the same goes for Carol and Steve).
“That still applies to TumbleBit,” said Poelstra. “It’s a bit better than with CoinJoin in that the tumbler has to agree to all the amounts, so it can just say,’I’ll only deal with 1 BTC [transactions],’ which reduces some room for user error or people deliberately trying to do bad mixes.”
Confidential Transactions is a proposal for encrypting the amount of bitcoins sent in a transaction, but it requires a change to the Bitcoin protocol. “It’s not obvious to me that you can just add Confidential Transactions [to TumbleBit] without more [crypto] magic,” said Poelstra.
Poelstra also mentioned Byzantine Cycle Mode as another possible solution to this issue. “It’s a bit technical, but basically what it does is lets people restructure a series of payments with different amounts into a bunch of small sets of payments, with each set having equal-amount outputs,” he explained.
Going Off the Chain
One last important point to make about TumbleBit when compared to CoinJoin and CoinShuffle is that TumbleBit works as a payment channel hub. “TumbleBit, when used as a payment hub, can make payments in seconds but requires first setting up a payment channel with the payment hub.” said Heilman.
Most Bitcoin users will be familiar with payment channels and hubs in relation to the Lightning Network, which is viewed by many as a key aspect of Bitcoin’s ability to scale over the long term. The Lightning Network allows what are essentially instantly confirmed transactions to take place at almost zero cost to the user.
Correction: The original version of this article claimed that CoinJoin requires the use of a central server, which would have access to the mapping between inputs and outputs. This is false, as pointed out by JoinMarket developer Chris Belcher on Reddit. Although Gibson provided assistance with this piece, he was not offered a chance to review it before publication. Therefore, the blame for the errors in the original piece lies with the author and not anyone who provided comments or feedback on the topics discussed. The piece has been updated to correct the factual errors and misunderstandings.