Chaumain CoinJoinIn 2013, Gregory Maxwell presented the idea of CoinJoin, an

1. Chaumain CoinJoin
2.  
3. In 2013, Gregory Maxwell presented the idea of CoinJoin, and suggested a couple of ways to implement it.
4. https://bitcointalk.org/index.php?topic=279249.0
5. One of his suggestion was the following:
6. "Using chaum blind signatures: The users connect and provide inputs (and change addresses) and a cryptographically-blinded version of the address they want their private coins to go to; the server signs the tokens and returns them. The users anonymously reconnect, unblind their output addresses, and return them to the server. The server can see that all the outputs were signed by it and so all the outputs had to come from valid participants. Later people reconnect and sign."
7. While the idea was great, it never got traction, because the discussion went into two different direction.
8.  
9. (1) How to decentralize the server?
10.  
11. To which his comments were the following:
12. "Does the totally private version need to have a server at all? What if it gets shut down?
13. No. The same privacy can be achieved in a decentralized manner where all users act as blind-signing servers. This ends up needing n^2 signatures, and distributed systems are generally a lot harder to create. I don't know if there is, or ever would be, a reason to bother with a fully distributed version with full privacy, but it's certainly possible."
14.  
15. As a followup CoinShuffle and CoinShuffle++ emerged and later an implementation was attempted by Mycelium, called ShufflePuff. The works on ShufflePuff was abandoned, since.
16. http://crypsys.mmci.uni-saarland.de/projects/CoinShuffle/coinshuffle.pdf
17. https://crypsys.mmci.uni-saarland.de/projects/FastDC/draft-paper.pdf
18. https://github.com/DanielKrawisz/Shufflepuff
19.  
20. Decentralized systems are hard to get right, require various tradeoffs and open the door for various attacks. Updating/upgrading them are also not an easy job.
21. Furthermore, because Chaumain CoinJoin does not has the risk of coin stealing, nor the risk of privacy breaching, distributing the server might not be fully justified from a practical point of view.
22.  
23. (2) In order to successfully execute a privacy preserving CoinJoin everyone needs to send the same amount, how to overcome this?
24. JoinMarket took the lead and introduced the maker-taker concept, where market makers are waiting until a taker wants to execute a CJ transaction and asks market-makers to provide liquidity for his CoinJoin for a small fee.
25. https://github.com/JoinMarket-Org/joinmarket
26. This approach in the ever growing Bitcoin fee environment is getting costy.
27.  
28. To my knowledge Chaumain CoinJoin has never seen any implementation, nor detailed specification.
29.  
30. TumbleBit's Classic Tumbler mode has the same "common denomination" issue as CoinJoin.
31. https://eprint.iacr.org/2016/575.pdf
32. In NTumbleBit we solve it by starting a tumbling process, that runs until all the coins are tumbled.
33. For example if the user has 8.3 bitcoins and the denomination is 1 bitcoin, then we do 8 rounds of tumbling in a row, and 0.3 bitcoin will not be tumbled. We leave the job of not joining tumbled outputs together to the output wallet to handle.
34. https://github.com/NTumbleBit/NTumbleBit
35. This results in paying 8 times transaction fees. Since every round consists of 4 transactions, this is 8x4 times normal transaction fees.
36. A tumbling round will also take from 2 hours to 1 day.
37.  
38. Maxwell's Chaumain CoinJoin idea could be used the same way, however it will take instead of 8x4 txfees, only 8x txfees and instead of measuring a round in hours and days, we would measure the round in minutes, maybe seconds.
39. In TumbleBit we could potentially achieve thousands of anonimity set, however
40. (1) you get the users for that
41. (2) the tumbler must hold thousands of coins in order to cover the escrow, supposing 1btc denomination.
42. In Chaumain CoinJoin only the first issue stands, but it is easier to achieve, because of the drastically faster speed and cheaper fees.
43.  
44. In CoinJoin the limit of the anonimity set is the maximum standard transaction size, which is 100k byte.
45. Because the most common transactions we are concerned with are 1 input, 2 outputs and the second most common are be 2 input 2 output transactions.
46. The sizes of these transactions are about 220 byte and 360 byte, therefore the maximum achievable anonimity set would go from 270 to 450 (100k/360=270, 100k/220=450).
47. I don't know if Segregated Witness would elevate the signature size out of the calculation, by that resulting +30% anonimity set, or not, but when Schnorr signatures will be introduced they will definitely do that.
48.  
49. It is also worth to note if Confidential Transactions are intorduced, there would not be a need to do rounds, since it hides the amounts in the transactions. Altough CT would result in higher transaction sizes, which will be later an issue to consider.
50.  
51. The only disadvantage of Chaumain CoinJoin is that if someone doesn't sign the final transaction, which likely can be handled by simple input banning.
52.  
53. How does Chaumain CoinJoin work in a nutshell?
54. First we must define Alice and Bob as the same client, but the server does not know about that. For example they are on different Tor circuits.
55.  
56. 1. Many Alices register their utxo (as the input of the CoinJoin), desired change address, and a blinded output address to the server.
57. Alices also prove that they own control the private key of the registered utxo.
58. Alice Server Bob
59. blind(outputAddr)=A'
60. ----utxo, changeAddr, A', proof--->
61.  
62. 2. The server checks if the utxo is indeed unspent, has enough money, and Alice indeed control it, then sign the blinded output address.
63. Alice Server Bob
64. check(utxo)
65. check(proof)
66. sign(A')=signedA'
67. <-----------signedA'---------------
68. 3. Alices unblind the output address, they change their identity to Bob and register their signed output addresses to the server.
69. Alice Server Bob
70. unblind(signedA')=signedA
71. -----------------------------signedA----------------------------------->
72. <-----------signedA--------------
73.  
74. 4. The server constructs the transaction, gives it out to Alices for signing.
75. Alice Server Bob
76. buildTx->tx
77. <-----------tx----------------------
78. sign(tx)
79.  
80. 5. Alices send back their signatures, the server combines them and propagate the transaction.
81. Alice Server Bob
82. ------signature--------------------->
83. combineSignatures
84. broadcastTx
85.  
86. As noted before if an Alice refuses to sign, her input can be banned and restart the round.