Papers
Foundations of Coin Mixing Services
Teleport Transactions
A Fistful of Bitcoins: Characterizing Payments Among Men with No Names
AToM: Active Topology Monitoring for the Bitcoin Peer-to-Peer Network
Anonymous Multi-Hop Locks
On the Difficulty of Hiding the Balance of Lightning Network Channels
TumbleBit
Bitcoin over Tor isn’t a good idea
Deanonymizing Tor Circuits
Privacy Wiki
snowball presentation at ldn bitdevs
common input heuristic: “different public keys used as inputs to a transaction as being controlled by the same user”
original paper on blockchain analysis
coin join wiki
Bitcoin vs “privacy coins”
CoinJoins
“So a world where ‘basically everyone uses CoinJoin’ is cool for privacy, but could end up pretty bad for scalability, because these transactions are in addition to the normal payments.” - waxwing
- PayJoin
payjoin by waxwing
PayJoin is coinjoin + payment
“Let Bob do a CoinJoin with his customer Alice - he’ll provide at least one utxo as input, and that/those utxos will be consumed, meaning that in net, he will have no more utxos after the transaction than before, and an obfuscation of ownership of the inputs will have happened without it looking different from an ordinary payment.”
“the main point is with PayJoin - we break the heuristic without flagging to the external observer that the breakage has occurred.” … unlike coinjoins
“snowball effect” … payjoin/p2ep reduces utxo set and receiver’s utxo gets bigger after each payment txn.
who pays for the fee? “every payment to the merchant creates a utxo, and every one of those must be paid for in fees when consumed in some transaction.”
real world implementation is samourai wallet
- Pay To EndPoint (P2EP)
p2ep blockstream
“The basic premise of P2EP is that both Sender and Receiver contribute inputs to a transaction via interactions coordinated by an endpoint the Receiver presents using a BIP 21 compliant URI.”
Steps:
- Receiver generates a BIP 21 formatted URI with an additional parameter that specifies their P2EP endpoint.
- The Sender initiates interaction with the Receiver by confirming that the endpoint provided is available. If not, the transaction is broadcast normally, paying to the Receiver’s BIP 21 regular Bitcoin address. If the Receiver’s endpoint is available, the Sender provides a signed transaction to the Receiver as proof of UTXO ownership.
- The Receiver then sends a number of transactions to the Sender for them to sign. Out of these transactions, only one includes a UTXO that is actually owned by the Receiver; the rest can be selected from the pool of spendable UTXOs.
- Once the Receiver obtains a signed transaction that corresponds to their UTXO, they can sign and broadcast the transaction, which will now contain inputs from both the Sender and the Receiver.
Example: If Alice wants to pay Bob 1 BTC:
- Alice inputs 3 BTC to a transaction.
- Bob inputs 5 BTC to the same transaction.
- Alice receives 2 BTC (as her change).
- Bob receives 6 BTC (as his change, plus the 1 BTC payment from Alice).
Disadvantages: Receiver and Sender must be online. Interactive. More Cons/Pros listed in blogpost.
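How the common input heuristic reads the Alice/Bob transaction above, as an added example that is not from the linked posts: a union-find clustering over two constructed transactions. The addresses and the earlier consolidation transaction are assumptions made up for illustration.

```python
# Constructed data: addresses and amounts are made up; fees are ignored,
# as in the Alice/Bob example above.
CONSOLIDATE = {"inputs": [("alice_a", 1), ("alice_b", 2)],
               "outputs": [("alice_c", 3)]}
PAYJOIN = {"inputs": [("alice_c", 3), ("bob_a", 5)],
           "outputs": [("alice_d", 2), ("bob_b", 6)]}

def cluster_by_common_input(txs):
    """Union-find: all input addresses of one transaction share a cluster."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        addrs = [addr for addr, _ in tx["inputs"]]
        root = find(addrs[0])
        for other in addrs[1:]:
            parent[find(other)] = root
    clusters = {}
    for addr in list(parent):
        clusters.setdefault(find(addr), set()).add(addr)
    return sorted(sorted(c) for c in clusters.values())

def net_received(tx, addrs):
    """Value actually transferred to the owner of `addrs` (outputs - inputs)."""
    out = sum(v for a, v in tx["outputs"] if a in addrs)
    inp = sum(v for a, v in tx["inputs"] if a in addrs)
    return out - inp

def is_balanced(tx):
    """Inputs equal outputs, since this example ignores fees."""
    return sum(v for _, v in tx["inputs"]) == sum(v for _, v in tx["outputs"])

if __name__ == "__main__":
    # The heuristic is right about the consolidation and wrong about the
    # PayJoin: it puts alice_c and bob_a in one cluster.
    print(cluster_by_common_input([CONSOLIDATE, PAYJOIN]))
    # The real payment (1 BTC) does not appear as any output amount.
    print(net_received(PAYJOIN, {"bob_a", "bob_b"}))
```
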
BIP-79
CoinSwaps
maxwell on coinswaps
waxwing on coinswaps
“We can use a cryptographic commitment scheme to create atomicity that binds two, independent Bitcoin transactions”
Make a random x and hash it. Make a P2SH output that is spendable by proving that hash(x) is the hash in the scriptPubKey and that the spender's pubkey owns the output.
Once x is revealed, the other party can see it and use it to spend their own P2SH output with their pubkey.
great explainer on cross-chain swaps
problem here is that x is revealed and a connection exists between both parties.
HTLCs with presigned transactions can help avoid revealing x.
htlcs wiki
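The hash-lock flow and the linkage problem noted above, as an added example that is not from the linked posts: a simplified model in which outputs are plain dictionaries rather than real scripts, and every party name and chain is constructed.

```python
import hashlib
import secrets

def h(x):
    return hashlib.sha256(x).hexdigest()

def lock(pubkey, preimage_hash):
    """Model of an output spendable by `pubkey` once the preimage is shown."""
    return {"hash": preimage_hash, "pubkey": pubkey, "revealed": None}

def claim(output, x, pubkey):
    """Spend succeeds only if hash(x) matches and the claimant owns the output."""
    if output["revealed"] is not None:
        return False
    if h(x) != output["hash"] or pubkey != output["pubkey"]:
        return False
    output["revealed"] = x  # x is now public on this chain
    return True

def link_by_hash(chain_a, chain_b):
    """What an observer of both chains sees: outputs sharing one hash."""
    index = {o["hash"]: i for i, o in enumerate(chain_a)}
    return [(index[o["hash"]], j)
            for j, o in enumerate(chain_b) if o["hash"] in index]

def run_swap():
    x = secrets.token_bytes(32)  # Alice's secret
    # Constructed chains, each with one unrelated decoy output.
    chain_a = [lock("carol", h(b"unrelated-1")), lock("bob", h(x))]
    chain_b = [lock("alice", h(x)), lock("dave", h(b"unrelated-2"))]
    alice_ok = claim(chain_b[0], x, "alice")     # Alice reveals x
    learned = chain_b[0]["revealed"]             # Bob reads x from chain B
    bob_ok = claim(chain_a[1], learned, "bob")   # and claims on chain A
    return alice_ok, bob_ok, link_by_hash(chain_a, chain_b)

if __name__ == "__main__":
    print(run_swap())
```
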
“An advantage of Coinswap over Coinjoin is a potentially bigger anonymity set (a lot more could be said)”
TumbleBit
waxwing on tumblebit
original paper
“A blind signature allows a central authority to sign data which is hidden from them”
“Chaumian cash” is a central mint authorised to blind-sign transfers of this cash
“At a very high level, it’s using commitments - I promise to have X data, by passing over a hashed or encrypted version, but I’m not yet giving it to you - and interactivity - two-way messaging, in particular allowing commitments to occur in both directions.”
SNICKER
SNICKER (Simple Non-Interactive Coinjoin with Keys for Encryption Reused)
allowing the creation of a two party coinjoin without any synchronisation or interaction between the participants.
PaySwap
More Cryptography
- Adaptor Signatures
explainer using atomic swaps
“An ‘adaptor signature’ is not a full, valid signature on a message with your key, but functions as a kind of “promise” that a signature you agree to publish will reveal a secret, or equivalently, allows creation of a valid signature on your key for anyone possessing that secret.”
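The two properties in that quote, as an added example that is not code from the linked explainer: a Schnorr adaptor signature over a toy multiplicative group, swapped in for secp256k1 so the arithmetic stays readable. The group parameters and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy Schnorr group (assumption, far too small for real use):
# P_MOD = 2*Q + 1 with Q prime, G generates the order-Q subgroup.
P_MOD, Q, G = 2039, 1019, 4

def challenge(nonce_pt, pubkey, msg):
    data = f"{nonce_pt}|{pubkey}|{msg}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P_MOD)

def adaptor_sign(x, msg, T):
    """Pre-signature (R, s'): the challenge commits to R*T, but t is left out."""
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P_MOD)
    e = challenge(R * T % P_MOD, pow(G, x, P_MOD), msg)
    return R, (k + e * x) % Q

def adaptor_verify(pub, msg, T, R, s_pre):
    """Check the promise: adding t to s' would give a valid signature."""
    e = challenge(R * T % P_MOD, pub, msg)
    return pow(G, s_pre, P_MOD) == R * pow(pub, e, P_MOD) % P_MOD

def complete(R, s_pre, t, T):
    """Anyone holding the secret t turns the pre-signature into a signature."""
    return R * T % P_MOD, (s_pre + t) % Q

def verify(pub, msg, sig):
    """Ordinary Schnorr verification: G^s == R_full * pub^e."""
    r_full, s = sig
    e = challenge(r_full, pub, msg)
    return pow(G, s, P_MOD) == r_full * pow(pub, e, P_MOD) % P_MOD

def extract(s_pre, sig):
    """Publishing the full signature reveals the secret: t = s - s'."""
    return (sig[1] - s_pre) % Q

if __name__ == "__main__":
    x, pub = keygen()          # signer's key
    t, T = keygen()            # adaptor secret and its public point
    R, s_pre = adaptor_sign(x, "swap tx", T)
    sig = complete(R, s_pre, t, T)
    print(adaptor_verify(pub, "swap tx", T, R, s_pre),
          verify(pub, "swap tx", sig), extract(s_pre, sig) == t)
```
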
- Schnorr
- Ring Signatures
Chain Analysis
Peel chains are strings of transactions commonly used for money laundering, in which entities send funds through several wallets in quick succession, usually breaking off small amounts to cash out at each step and sending the majority on to the next wallet.