An old privacy trick could solve Bitcoin’s privacy problem

A Bitcoin developer just resurrected a dormant privacy protocol that could be the silver bullet for Bitcoin’s anonymity issue. And it can be put into action without changing Bitcoin’s source code.

Chris Belcher, a UK-based developer with hundreds of commits across various Bitcoin projects like Electrum and JoinMarket, this week released an implementation proposal for CoinSwap, a seven-year-old privacy protocol he believes will “massively [improve] Bitcoin privacy and fungibility.” 

With CoinSwap transactions, though it might look like a user sends funds from address A to address B, “in reality her coins end up in address Z, which is entirely unconnected to either A or B,” Belcher wrote. 

CoinSwap was originally conjured up in 2013 by Greg Maxwell, co-founder of Blockstream and the creator of CoinJoin, CoinSwap’s spiritual predecessor. But Maxwell’s idea was too technically challenging to implement and was left to gather dust. 

Belcher’s proposal, however, uses the same smart contract trick that makes Bitcoin’s Lightning Network tick, making it easier to implement. Belcher told Decrypt the protocol could be ready for testing in six to eight months, and Maxwell has praised Belcher’s implementation as an “extensive and well written high level design.” 

This could solve Bitcoin’s major anonymity issue. Since Bitcoin’s addresses are public and pseudonymous, it’s fairly easy for blockchain analytics companies to trace Bitcoin addresses to IP addresses. Anonymity protocols, such as CoinJoin, already exist, but they can be difficult to navigate and only work when strict instructions are followed. 

How CoinSwap improves privacy

With CoinJoin—CoinSwaps’s predecessor—groups of users send equal amounts of Bitcoin together (for example, five users each send one BTC), which the protocol then processes in batches to obscure the origin of transactions. Because transactions are grouped together in batches, they all have a shared history and all look identical.

One of the nuisances with CoinJoining is that each user must input an equal amount of Bitcoin into the batched transaction for it to work properly. If you joined a server for a one BTC CoinJoin and you accidentally sent two, then the privacy of your input (and whoever interacts with it in the CoinJoin) would be compromised. 

CoinSwap solves this problem by eliminating the need for like-amount payments. Instead of jumbling a bunch of coins together, CoinSwap (as its name suggests) lets users swap coins by sending them to an intermediate wallet first.

Should Alice and Bob want to CoinSwap, Alice would kick things off by sending Bitcoin to a multi-signature address (i.e., an address they both hold keys to). At the same time, Bob sends Bitcoin to another multi-signature address. Since both Alice and Bob have keys to both wallets, they can then withdraw the coins to their own wallets. 

A cryptographic trick used in atomic swaps and the Lightning Network, called hash-time-lock contracts, prevent either party from filching funds from the other. To complete the swap, Bob withdraws Bitcoin from the first multi-signature address and Alice withdraws Bitcoin from the second one.

These multi-signature addresses use another cryptographic trick to make the transactions look “just like a regular single-sig instead of a multi-sig,” Chris Belcher told Decrypt. “The swap isn't visible by anyone examining the chain so privacy is improved,” he explained further.

Money troubles

Belcher highlighted in his post that a well-functioning CoinSwap market would be resistant to a Sybil attack, where an attacker could overpower the network and identify its participants. 

To achieve this, Belcher said that it’s necessary to use the same so-called “fidelity bonds” that keep actors honest in JoinMarket, one of the largest CoinJoin hubs in Bitcoin, With these bonds, the participants fulfilling a CoinSwap request (the market takers) must stake Bitcoin as collateral before they can participate in a swap.

This would make it too expensive for, say, a blockchain analysis company to spam the network and work out who is using CoinSwap. For a Sybil attacker to be successful, Belcher estimates that it would require "roughly 55,000 BTC (around $500 million) to be locked up for 6 months."

Given the JoinMarket clientele’s appetite for CoinJoins, if CoinSwap scales, Belcher envisions that people could one day make CoinSwaps for “sizes up to about 200 BTC.” 

Privacy Evolved

Adam Ficsor, the co-founder of Wasabi Wallet, another privacy-preserving Bitcoin wallet, told Decrypt that the proposal is “very exciting,” but that he is still “trying to figure out if its practical implementations would take away the magic of the idea or not.” 

Wasabi provides liquidity to keep its CoinJoining pools running smoothly and privately. Putting its own money into the CoinJoin helps Wasabi obscure who’s CoinJoining with whom, and means that there's always someone to CoinJoin with. But it’d need to stake a lot more Bitcoin to implement CoinSwap, Ficsor said. 

To facilitate CoinSwaps through its platform, Wasabi would need to deposit Bitcoin in fidelity bonds on top of the Bitcoin it’s providing for the CoinSwaps, every time its users enter a trade. Ficsor joked that he would have to cut half of Wasabi’s staff to make it work).

Ficsor emphasized that he’s still evaluating the proposal so his concerns could be “completely misguided.” 

In any case, Belcher wants to take a different approach. Instead of having wallets or other services bankroll liquidity for CoinSwap, Belcher hopes it will evolve much like JoinMarket, where the free market’s various actors will keep the money coming in. So long as there’s a wide array of users and a deep pool of liquidity, the new protocol could keep Sybil (and deanonymization) attacks at bay. 

At least, that’s how Belcher imagines it playing out. And if it does, it could be a significant win for Bitcoiners in the war on privacy.