CIW'19 Wasabi Wallet Abstract.

1. CIW'19 Wasabi Wallet Abstract.
2.  
3. I. Motivation, Application and Challenges.
4.  
5. Motivation. Euclid's book: Elements has seen the second most editions since the invention of the printing press, right after the Bible. His marketing strategy was to present 5 simple axioms to the reader in the beginning of the book and and he or she can deduct the rest of the 600 pages from them.
6.  
7. Bolyai Janos changed one of it and a new geomery was born. A small change resulted in far reaching consequences.
8.  
9. Similarly in money we have such axiomatic knowledge, too: the properties of good money, first described by another Greek: Aristotle.
10.  
11. Durability, portability, divisibility, scarcity, acceptability and fungibility.
12.  
13. Similarly to Eclid's axioms, changing any of these properties will result in far reaching, hard to foresee consequences. However economics is not math, we are not living in a perfect world, therefore we are not able to perfectly implement these properties, we must find the right balance.
14.  
15. Bitcoin's weakest points are acceptability, portability and fungibility. The most common approach of building an altcoin or a Bitcoin company is to maximize one of these properties in expense of the others. Wasabi Wallet intends to improve upon Bitcoin's fungibility with minimal trade-offs regarding other properties and their means, like decentralization. This is why it is important that Wasabi to succeed for the success of Bitcoin and this is why I am personally motivated to spread the word and talk about it in as many forums as I am accepted to.
16.  
17. Application and Challenges. Wasabi is an open-source, desktop Bitcoin wallet, working on Windows, Linux and OSX, written in .NET Core (C#), which is cross platform and open source .NET. Wasabi uses NBitcoin as its Bitcoin library, to which Wasabi developers are frequent contributors: @lontivero, @nopara73. Wasabi uses Avalonia library as its UI framework where Wasabi developer @danwalmsley is a maintainer. Wasabi does not support and does not plan to support other currencies in the future.
18.  
19. Wasabi comes with built-in Tor. Tor is an anonymity network. All communication with Wasabi's backend server goes through Tor. Wasabi also utilizes multiple Tor identities where applicable. For example, registration of coinjoin inputs and outputs is done through different Tor identities to avoid linking.
20.  
21. Wasabi's backend is used to facilitate Chaumian CoinJoin coordination between the mixing participants and to serve Golomb-Rice filters to the clients, similarly to BIP158. The design choice of building a light wallet with BIP158 filters was made because such a wallet can attract orders of magnitude more users compared to a wallet on top of a full node, and more users means larger and faster coinjoins. Historically, all light wallets were vulnerable to some kind of network observer due to unprivate utxo fetching. A few years ago, the only type of wallet that wasn't vulnerable was a full node, like Bitcoin Core. The first iteration of Wasabi was HiddenWallet, which was a full-block SPV wallet that aimed to leverage usability without compromising privacy through the omission of initial blockchain downloading compared to a full node. In theory, it was a light wallet. In practice, it was hard to compete with Bitcoin Core's micro-optimizations and it was still painful to wait for wallet synchronization every time the wallet was opened.
22.  
23. After loading the wallet, the user can generate a receive address. Some important design choices were made here. First, Wasabi had to be a Segregated Witness only wallet, so the registration of unconfirmed coinjoin outputs into a new coinjoin round is done to prevent malleability attacks. However, the developers of Wasabi decided to make the wallet native segwit (bech32) only, not supporting wrapped segwit. This way, the backend server can leverage this and only generate filters regarding bech32 addresses. This makes Wasabi's filter size a few megabytes today, instead of >1GB. At first glance, this may be seen as hazardous to privacy, however Wasabi user utxos can be identified as Wasabi utxos by the huge coinjoins that only Wasabi does anyway, so no additional privacy loss happens there. In the future, as more and more wallets adopt bech32, Wasabi developers will have to look at how to scale the performance and network usage of the wallet. Failing that, Wasabi's initial sync will slow down.
24.  
25. Wasabi also maintains a connection to the Bitcoin P2P network. After Wasabi receives the filters from the backend, it can download the required blocks (there are false positives, too) one block from one peer. This does not currently happen over Tor since the NBitcoin library we use to do the job does not support Tor yet. Sensitive information leak is already unlikely here, as the only information a node can learn is that "one wallet may (false positive) have a transaction in one block that someone fetched from me." Wasabi then stores the block in its entirety on disk so it won't fetch it again. A possible privacy leak can happen if a wallet is being recovered, so more work on Tor support is required in the future. Furthermore, storing blocks on the disk may take up too much space when the wallet is used extensively. There is room for improvement there as well.
26.  
27. Wasabi receives incoming transactions from the nodes it is connected to. This is, while privacy preserving, a relatively insecure way of handling this, and should be improved in the future. Generally, unconfirmed transactions are considered to be insecure regardless.
28.  
29. Unlike in other Bitcoin wallets, generating a label for each Bitcoin address is not optional, but required. That is because Wasabi has an intra-wallet blockchain analysis tool built into it, which tries to cluster utxos (Wasabi calls them coins). Based on these clusters, the user can make an educated decision on which coins to merge.
30.  
31. Unlike other Bitcoin wallets, the user cannot spend from Wasabi without selecting coins, since "Coin Control Is Must Learn If You Care About Your Privacy In Bitcoin", at least for today. The label field of the Send tab is also compulsory.
32.  
33. The Bitcoin fee rates are fetched from the backend server, the source of these fees are Bitcoin Core's estimatesmartfee's CONSERVATIVE output. Every fee query happens over Tor with a new Tor identity. When clicking send, the wallet will broadcast the transaction to the Backend over Tor. This is sub-optimal, but because there's no Tor support for NBitcoin yet, broadcasting transaction P2P over the clearnet would be more dangerous. While NBitcoin P2P Tor support should be an interest of future work, it is a smarter long-term objective to implement Dandelion from a broadcasting point of view when the Bitcoin network adopts it.
34.  
35. Coins in Wasabi have Privacy and History properties. The anonymity set is just a momentary estimation, however, by examining the mixes and other people's transactions we will be able to show accurate values. The History is the calculated clusters from the labels based on typical Blockchain analysis heuristics. For example, if the user joins together a "foo" labeled coin with a "bar" labeled coin at sending, then the change coin history will show "change of (foo), change of (bar)". From this, users are able to make educated decisions as to which coins not to join together at any cost. Human input is invaluable.
36.  
37. II. Novelty and Alternatives.
38.  
39. As for the blockchain level privacy, there are also JoinMarket, Stratis’ Breeze Wallet.
40.  
41. Like Wasabi, JoinMarket also uses CoinJoin, but a different kind. In fact, CoinShuffle, TumbleBit or other round based mixing techniques are better comparable to Wasabi’s Chaumian CoinJoin than JoinMarket, since they are all round based. Compared to JoinMarket, Wasabi has higher anonymity set, but it comes with the cost of mixing speed.
42.  
43. Breeze is a TumbleBit implementation, it has similar user experience and characteristics to Wasabi’s Chaumian CoinJoin. I worked on the project myself. However my research on ZeroLink and Chaumian CoinJoin indicated that the latter approach is more performant and practical than TumbleBit’s Classic Tumbler mode. TumbleBit's Classic Tumbler mode uses about 4 times more block space than a Wasabi CoinJoin round and its rounds take hours instead of seconds, like a Wasabi round. TumbleBit's Payment Hub mode has never been explored.
44.  
45. On the network level, full nodes, full SPV nodes and Neutrino nodes are acceptable for privacy. Wasabi is the latter, JoinMarket is the former, it uses Bitcoin Core, and Breeze is a hybrid, it is a full SPV node.
46. Regarding light wallets, unfortunately, because of the way they fetch addresses, all of the users' addresses are connected together by a third party.
47.  
48. III. Evaluation.
49.  
50. Wasabi is a privacy focused Bitcoin wallet that is based on the ZeroLink Fungibility Framework. While statistical privacy can be achieved today with it, the cost, convenience, intuitiveness and strength of this privacy can be greatly improved. Wasabi must also improve its accessibility and its general Bitcoin wallet features. Furthermore Wasabi should look into ways of extending the scope of its privacy protection to other, not closely Bitcoin related fields, such as end-to-end encrypted messaging. Finally, Wasabi also needs to concentrate on its stability, performance, UX and code quality.