The concept of Coinjoins was first introduced on BitcoinTalk by George Maxwell in 2013: ‘CoinJoin: Bitcoin privacy for the real world’. They are a special type of bitcoin transactions, which enhance privacy by breaking the common-input-ownership heuristic. To understand how Coinjoins work you first need to understand how a bitcoin transaction is built and how it is analysed by chain analysis software.
A bitcoin transaction is composed of a set of inputs called UTXOs (or Unspent Transaction Outputs) and a set of outputs. It is very similar to a cash transaction. You can think of UTXOs as being the different bills and coins in your wallet which you use to pay the merchant.
In some situations your UTXOs don’t sum to the exact amount you wish to pay in which case one of the transaction outputs will be sent back to you. This is aptly called the transaction change.
For example, let’s say Alice wants to send 1.5 BTC to Bob. She combines her two UTXOs of 1 BTC and will receive a transaction change of 0.5 BTC. To use the cash analogy again, this is similar to only having two $10 bills to pay for a $15 meal.
Example of Bitcoin transaction
In a normal bitcoin transaction all the UTXOs in the input set belong to the same person. When chain analysis software looks at a transaction it generally assumes the above holds true. From there, it attempts to link the inputs to the outputs to be able to follow the trail of UTXOs across transactions and keep track of your spending activity. Those links are said to be deterministic when the software can be certain that a given input is linked to a certain output.
In our previous example with Alice, all links are deterministic since there is only one way in which the inputs can be combined to yield the correct outputs. The two 1 BTC inputs had to be combined to generate the 1.5 BTC and 0.5 BTC outputs. In a transaction with many inputs and outputs the links are slightly less straightforward but still, most of the time, deterministic links can be found by using deductive reasoning. It’s a bit like a Sudoku where deductive reasoning is used to fill in the missing numbers.
Deterministic links are great for chain analysts as they create a clear trail of UTXOs. That trail reveals the full history of an UTXO. Therefore, generally speaking, any privacy enhancing feature aims to make it harder for chain analysts to establish those deterministic links. When a link cannot be determined with certainty, it is said to be probabilistic in which case chain analysts have to establish several possible scenarios for the ownership of certain UTXOs.
A Coinjoin is essentially the collaboration of two or more people to create a transaction together that breaks deterministic links. A common Coinjoin has the following characteristics:
The first point breaks the common-input-ownership assumption made by chain analysis software that we mentioned above. The second point is what makes the links between inputs and outputs probabilistic. To understand this second point, let’s illustrate it with an example.
Let’s say that Alice collaborates with Bob to create a Coinjoin transaction, with equally sized outputs. They each contribute two UTXOs to the input set: Alice, contributes 1.1 BTC and 0.9 BTC, for a total of 2 BTC and Bob contributes 0.3 BTC and 0.7 BTC for a total of 1 BTC. In total the outputs should sum to 3 BTC and be equally split. Therefore the output of the transaction will be six 0.5 BTC UTXOs.
Example of Coinjoin transaction with two participants and equally sized outputs
When a chain analyst looks at this transaction he won’t know which input is linked to which output. Indeed, any input could be linked to any of the 0.5 BTC outputs with a probability of ⅙. A transaction that successfully avoids any deterministic links is sometimes also called a 0-link transaction. To ensure a successful 0-link coinjoin transaction, some wallets, like the Samourai Wallet also create it with equally sized inputs and as many participants as there are inputs, thus making the uncertainty of the links much greater.
You might also hear 0-link transactions as having 100% entropy which is used in reference to the entropy in information theory. Entropy is often measured in bits. If you’re unfamiliar with the concept just remember a higher entropy is better.
Note: the above example is slightly simplified. In reality the transaction has an additional output being the mining fee. Each UTXO in the input set contributes an equal amount to the mining fee to prevent giving away some hints that could be used to link inputs and outputs again.
##What is Mixing?
Some bitcoin wallets such as Samourai and Wasabi offer you the option to coordinate a Coinjoin with other users. This service is often referred to as mixing. Note this is very different from tumblers! Tumblers are a custodial service where you “exchange” your coins with someone else’s. Mixing is non-custodial, you always stay in control of your coins and don’t inherit someone else’s.
The implementation of Coinjoin changes slightly from a wallet to another with the main difference being the number of collaborators involved in the transaction, called the “anonymity set”. If you collaborate with 50 people to create a Coinjoin transaction, the transaction will have an anonymity set of 50. Usually, a larger anonymity set is considered better because it means you are “hiding” amongst more people. However in reality, the anonymity set is a dynamic number and greatly depends on the future behavior of the said collaborators. If the identity of a collaborator is revealed through a future transaction (for example, by sending them to an exchange with KYC) then the anonymity set of all other collaborators is reduced by one.
No, there is a special type Coinjoins, often referred to as Payjoin or P2EP (pay-to-end-point), which makes a Coinjoin look like any other transaction while keeping the privacy enhancement. This is achieved by making both the sender and receiver of a transaction collaborate in the inputs and thus obfuscating the real amount sent in the transaction.
Imagine, for example, that Alice wants to pay 1 BTC to Bob but wants to hide the real amount of the transaction. Alice then places 2 BTC in the input set and Bob places 4 BTC. The outputs of that transaction will be 1 BTC (to Alice) and 5 BTC (to Bob), effectively increasing Bob’s balance by 1. When a chain analyst looks at this transaction he cannot tell whether Alice paid 5 BTC and got 1 BTC in change or whether two people collaborated in a Payjoin to make a 1 BTC payment. They therefore have to consider both options, increasing the complexity of the analysis and hence your privacy.
Example of Payjoin transaction
Coinjoins are a great privacy tool which breaks the common-input-ownership heuristic used by the chain analysis software. They do not require any changes to the bitcoin protocol meaning they can be implemented straight away in any bitcoin wallet. Keep in mind Coinjoins are not a silver bullet for privacy. As we hinted above, the correct behaviour of users after the Coinjoin is what maintains the privacy gains. Soon we will be releasing our detailed review of the popular privacy-focused Samourai Wallet. The review will also contain some privacy best-practices so make sure to keep an eye on our blog!