WabiSabi is a novel communication protocol for creating bitcoin coinjoin transactions with arbitrary amounts. It is a concept with roots going back to the early days of bitcoin, even the earliest beginnings of digital payments. Over the last two years, we have researched, designed and implemented this protocol. Now that we have finally released Wasabi Wallet 2.0, here is the history of this monumental advancement in bitcoin privacy.
Wasabi Wallet 1.0 solved a lot of difficult problems out of the box. Tor was natively integrated, protecting user IP addresses. Block filters were used to synchronize wallets without anyone else learning about the transaction history. The best available ZeroLink coinjoin protocol with Chaumian blind signatures provided privacy on the blockchain.
However, the Chaumian blind signature protocol had limitations that led to a bad user experience and excessive blockspace usage. The minimum denomination was too large for many users, denying them access to the service. But for others it was too small, resulting in many coins in the wallet, which is expensive. If a user wanted to consolidate many inputs in the same coinjoin transaction, he had to tell the coordinator which inputs belonged together. Even though the coordinator could not link the inputs of one user to the equal amount output he received, it was public knowledge which non-equal change output the user received.
Some of these concerns were improved with marginal upgrades to the protocol during the Wasabi 1.0 life cycle. However, in order to truly solve these issues, a fundamental solution was required. But at this point, we did not know what technology existed that could be applied at scale.
A group of developers, cryptographers and enthusiasts got together in the Wasabi Research Club, a weekly meeting to define, discuss and solve this complex problem. Initially, a different academic paper was chosen as the topic for each week. We invited the authors of each paper to join us, and many did, giving ample opportunity to ask questions. One of the researchers, usually Aviv Milner, started the call with a short presentation to introduce and summarize the paper. The recordings of these calls are available on the Wasabi Wallet YouTube channel.
A breakthrough moment was when Jonas Nick suggested that keyed verified anonymous credentials might be a great fit for our specific use case. There are numerous different cryptographic schemes in this category, like Brands’ credentials, Mercurial signatures, anonymous credentials light and keyed verified anonymous credentials. The specific paper Jonas brought to our attention was The Signal Private Group System and Anonymous Credentials Supporting Efficient Verifiable Encryption, written by Melissa Chase, Trevor Perrin and Greg Zaverucha.
This cryptography allows a central server to issue tokens which can have many attributes. Each of these attributes can be blindly committed to, then selectively revealed at a later point. These tokens can be transferred anonymously. The trick we use in WabiSabi specifically is that one attribute of these credentials is a blinded value of sats. Pedersen commitments are used so that the coordinator never learns how many sats are attributed to a token, but he can still ensure that nobody is creating more money than he spent.
These anonymous digital bearer certificates are the access rights to the new bitcoin transaction that is being built. The coordinator issues tokens and gives them to anyone who provides an input. Later, any anonymous user who provides such a token can write an output address and amount to the transaction. These tokens ensure nobody is writing more outputs than inputs, without the users having to sacrifice their privacy to the central server.
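The balance check that Pedersen commitments make possible, as an added example that is not Wasabi's code: the coordinator sees only commitments, yet can tell whether outputs sum to the same amount as inputs. It is simplified in two ways: the blinding difference `z` is handed over in the clear rather than proven in zero knowledge, and amounts are not range-checked. The curve, the generator tag and all amounts are constructed for illustration.

```python
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime (curve choice is an assumption here)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    # Affine point addition; None is the point at infinity.
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        m = 3 * a[0] * a[0] * pow(2 * a[1], -1, P)
    else:
        m = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)
    x = (m * m - a[0] - b[0]) % P
    return (x, (m * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    acc, k = None, k % N  # double-and-add; illustrative, not constant time
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def hash_to_point(tag):
    """Derive a generator whose discrete log to G nobody knows (try-and-increment)."""
    x = int.from_bytes(hashlib.sha256(tag).digest(), "big") % P
    while pow(x**3 + 7, (P - 1) // 2, P) != 1:  # skip x with no curve point
        x = (x + 1) % P
    return (x, pow(x**3 + 7, (P + 1) // 4, P))

H = hash_to_point(b"constructed second generator")

def commit(sats, r):
    """Pedersen commitment sats*G + r*H: hides sats, binds the committer to it."""
    return add(mul(sats, G), mul(r, H))

def balanced(inputs, outputs, z):
    """Coordinator-side check: sum(inputs) - sum(outputs) == z*H, i.e. net amount 0."""
    total = None
    for c in inputs: total = add(total, c)
    for c in outputs: total = add(total, (c[0], -c[1] % P))
    return total == mul(z, H)

if __name__ == "__main__":
    ins = [commit(70_000, 11), commit(30_000, 22)]  # constructed; real blindings are random
    outs = [commit(65_536, 5), commit(34_464, 7)]
    print(balanced(ins, outs, 11 + 22 - 5 - 7))     # True
```

Changing any output amount by a single sat makes `balanced` return False, because the leftover `G` component cannot be cancelled by any blinding value the client knows.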
At this point, we had a pretty solid idea of the problem and how flexible anonymous eCash tokens can be used to solve it. This was a sufficient advancement to document in a new paper, WabiSabi: Centrally Coordinated CoinJoins with Variable Amounts, which was peer reviewed and published. This paper was finalized mainly by Adam Ficsor, Yuval Kogman, Lucas Ontivero and István András Seres.
A crucial next step was to implement the cryptography that makes the system possible. Lucas Ontivero, Yuval Kogman and David Molnar dedicated months to building, testing and reviewing this critical part of the codebase. An independent security firm was hired to audit the code base and several outside contributors have reviewed it as well. In the following months, Wasabi’s client and server code were upgraded and sometimes entirely rewritten to support this new protocol.
With the protocol designed, the cryptography implemented and the client and server code well on its way, we realized that some of the most difficult questions were still unanswered. Now that the coordinator no longer dictates the minimum value of inputs and what output values to register, what exactly should the client do now? With great power comes great responsibility. For the first time in the history of bitcoin coinjoin, the client can basically do whatever it wants. This turned out to be rather uncharted territory, with conflicting ideas of how to approach the subject.
Anonymity likes company, meaning that it’s a good idea to hide in a crowd. So a coinjoin transaction should have many coins with the exact same amount of sats. However, every transaction should have many different equal amounts. One of Yuval’s many insights was to use low Hamming weight standard denominations. Only a few of these amounts are required to sum up to any arbitrary value. Specifically, these standard denominations are powers of two, powers of three, and 1, 2, and 5 times the powers of ten. Between 5000 sats and 1 bitcoin, there are 41 of these standard denominations. If all clients prefer to create outputs in only those standard denominations, then there will be a higher number of equal amount inputs and outputs.
These developments are why WabiSabi has improved upon the original ZeroLink protocol of Wasabi 1.0, and how Wasabi 2.0, powered by WabiSabi, is breaking records every day for facilitating some of the largest coinjoins ever while providing even the newest Bitcoin user access to the highest level of privacy.