CoinJoin is a Bitcoin transaction where multiple users combine their UTXO (Unspent Transaction Outputs) into one large transaction with multiple inputs and multiple outputs. A traditional Bitcoin transaction is usually composed of one sender and one recipient. It is easy to understand, even by an external observer, which inputs correspond to which outputs and vice versa. The purpose of a CoinJoin transaction composed by multiple inputs and outputs is to break blockchain surveillance heuristics.

While Bitcoin it is often wrongly considered as anonymous money, the blockchain underlying it is quite the opposite: an extremely transparent, immutable and verifiable system by anyone. Bitcoin does to money what the Internet has done to information: it provides indiscriminate access to a decentralized financial system.

Bitcoin by default does not provide the privacy we got used to with the traditional financial systems due to its publicly transparent nature. The aim is to have privacy by default while having the option to be publicly transparent at will.

Bitcoins are traceable on the blockchain

Each Bitcoin transaction contains at least one input (where the bitcoins come from) and at least one output (where the bitcoins are sent).

Another feature of Bitcoin transactions is that they must always match the previous transaction. If you receive 1 BTC, but later want to send only 0.4 BTC, you’ll need to make a 1 BTC transaction; 0.4 BTC will be sent as payment, while the remaining 0.6 BTC will be returned to the sender as change.

This means that once a single address is known, there is a trail that allows bitcoins to be tracked. This is a big problem for the privacy of network participants.

Example of Bitcoin transactions, where every input is an output of a previous transaction. Credits: Bitcoin Wiki

CoinJoin as a tool for defense

The most promising way to maintain your financial privacy with Bitcoin is through CoinJoin. CoinJoins can be done in a trustless way, meaning that there’s no risk of funds disappearing or being stolen. Each of the signatures needed to create a valid transaction are created on the participant’s computers, so anyone attempting to connect the signatures will not be able to change the transaction or redirect the funds.

The funds will always be in a Bitcoin address that the user controls and is done in a decentralized way, so that the service does not rely on external third parties or centralized servers.

Services like CoinJoin keeps everyone anonymous, even if the observers are participating in the CoinJoin itself. Unfortunately, however, mathematics cannot be fooled. The problem is that it’s still possible to match inputs and outputs since there are usually only a few possible combinations.

To mitigate the possibility of someone understanding which inputs and outputs belong to each other, the protocol must be standardized in some way. Since inputs cannot be easily standardized, a fix would be to default outputs and set a minimum denomination.

For example, you could limit the outputs to exactly 0.1 BTC. Limiting these outputs to exactly 0.1 BTC would make it impossible to understand which input corresponds to which output and vice versa, as each output will be 0.1 BTC. It will still be possible to track the change, thanks to a particular attack called CoinJoin Sudoku.

The first graphic explanation of a CoinJoin transaction. Credits: gmaxwell, xiph.org

CoinJoin is an extremely discussed Bitcoin implementation, first proposed by the Bitcoin Core developer Gregory Maxwell back in 2013. CoinJoin transactions have been a reality for years, but in all this time, one problem has always remained: someone like Alice, Bob or Carol has to build the transaction starting from 0.
This person must, in fact, know exactly which old addresses send bitcoins to the new addresses, otherwise it would be impossible to generate the transaction.

If this person is a spy, which is often impossible to know for sure, the effort becomes useless: the spy could re-establish the trail of ownership of the CoinJoined coins.

Chaumian CoinJoin

The advanced version of CoinJoin is, again, from Gregory Maxwell and it’s called “Chaumian CoinJoin” (named after David Chaum’s blind signature scheme).

Alice, Bob and Carol connect to a central Chaumian CoinJoin coordinator server. This is the system used by Wasabi Wallet, where the CoinJoin coordinator server is run by zkSNACKs Ltd., the company sponsoring Wasabi Wallet’s development.

Then they (Alice, Bob and Carol) share their sending addresses, together with the blinded receiving addresses, which are signed cryptographically from the server.

Example of a Chaumian CoinJoin with multiple outputs with the same denomination (marked in green) and change outputs. Credit: Wasabi Wallet

Alice, Bob and Carol disconnect from the Chaumian CoinJoin coordinator and then reconnect via a new identity under Tor hidden service and provide their unblinded addresses. Thanks to Chaumian’s blind signatures, the central server verifies the ownership of Alice, Bob and Carol’s addresses without knowing which address belongs to whom.

The Chaumian CoinJoin gained little momentum for several years. Then, in 2017, Ádám Ficsór, while working on TumbleBit, decided to implement it. Initially included in the ZeroLink framework research, Chaumian CoinJoin was then implemented in HiddenWallet, and subsequently in Wasabi Wallet.

WabiSabi and the future of CoinJoins

WabiSabi is a work-in-progress cryptographic protocol based on keyed-verification anonymous credentials, homomorphic value commitments, and zero knowledge proofs (range proof) that allows the creation of many different protocols from Chaumian e-cash, gift cards, utility/access token, reward system, etc.

zkSNACKs, will use it it to coordinate better CoinJoins, as WabiSabi is much more flexible than the current protocol based only on Blinded Schnorr Signatures.
This will allows Wasabi Wallet to build CoinJoin transactions with different denominations and with a better block space efficiency. Thanks to WabiSabi, not only will a CoinJoin participant gain more privacy against the coordinator because it will not know the common input’s ownership, it will also reduce the change outputs.

Summing up, thanks to the combination of these features via the WabiSabi protocol:

  • A Wasabi Wallet user can make transactions with arbitrary amounts by participating in a CoinJoin
  • A much smaller denomination than the actual 0.1 BTC will be required to participate in a CoinJoin
  • The coordinator will no longer be able to link multiple inputs from the same participant and will no longer be able to link inputs to the change output
  • Less UTXOs will be created

A simplified explanation with an informal description by analogy using real world concepts is also provided.
For more information on how the credential scheme can be applied, we also describe a generic protocol (work in progress).