,
23 tweets,
7 min read
Read on Twitter
Why do we need coinjoin?
Breaking deterministic links, creating uncertainty, and multiple transaction interpretations.
Breaking deterministic links, creating uncertainty, and multiple transaction interpretations.
Last week I got ahead of myself with this thread on Entropy as a method for evaluating bitcoin transaction "privacy".
I failed to establish the reason for coinjoining in the first place.
I also didn't cover the core metric for calculating entropy.
I failed to establish the reason for coinjoining in the first place.
I also didn't cover the core metric for calculating entropy.
I'm going to fix that in this thread.
So why do we need coinjoin?
So why do we need coinjoin?
Mumbles....
something something blockchain...
something something open....
something something "privacy"....
No. Technically.
As specifically as possible why do we need coinjoin?
something something blockchain...
something something open....
something something "privacy"....
No. Technically.
As specifically as possible why do we need coinjoin?
Most bitcoin transactions do not create any uncertainty on the blockchain.
They only have a single interpretation based on the number inputs/outputs and the BTC of each input/output.
A single interpretation makes the flows of bitcoins easy to monitor.
bitfury.com/content/downlo…
They only have a single interpretation based on the number inputs/outputs and the BTC of each input/output.
A single interpretation makes the flows of bitcoins easy to monitor.
bitfury.com/content/downlo…
The "flow" of bitcoins in a transaction can be used as a mental model for determining the relationship between inputs and outputs.
The relationships or links between inputs and outputs being pipes.
The relationships or links between inputs and outputs being pipes.
For example this transaction only has one interpretation aka one pipe:
Input 0 paid output 0.
This transaction has one DETERMINISTIC link and one INTERPRETATION.
Input 0 paid output 0.
This transaction has one DETERMINISTIC link and one INTERPRETATION.
Transactions with multiple inputs and outputs can have many deterministic links.
If every relationship between inputs and outputs is deterministic, the transaction is still only has one interpretation.
If every relationship between inputs and outputs is deterministic, the transaction is still only has one interpretation.
Definition:
A deterministic link is a definite link between an input and output of a transaction based on all combinations of the amounts of BTC in each input and output.
A deterministic link is a definite link between an input and output of a transaction based on all combinations of the amounts of BTC in each input and output.
Kirstov Atlas created Coinjoin Sudoku to evaluate a transaction for determinisic links during his review of BC.i's SharedCoin "coinjoin" protocol.
coinjoinsudoku.com/advisory/
coinjoinsudoku.com/advisory/
He was able to take this mess and establish deterministic links between inputs and outputs. Even for outputs of identical amounts.
A real coinjoin transaction aims to break these deterministic links by using IDENTICAL sized outputs.
Breaking DETERMINISTIC links between inputs & outputs creates multiple INTERPRETATIONS of a transaction (many pipes in the thermo model).
^^ this is why you coinjoin ^^
Breaking DETERMINISTIC links between inputs & outputs creates multiple INTERPRETATIONS of a transaction (many pipes in the thermo model).
^^ this is why you coinjoin ^^
A transaction with some identical sized outputs can still have deterministic links, even among the identical sized outputs. (See SharedCoin example above)
The easiest way to prevent deterministic links is to have EVERY output be IDENTICAL.
The easiest way to prevent deterministic links is to have EVERY output be IDENTICAL.
But if the input/output links aren't deterministic how can we evaluate them? They are still linked after all.
Enter PROBABALISTIC LINKS, defined by LaurentMT.
gist.github.com/LaurentMT/d361…
Enter PROBABALISTIC LINKS, defined by LaurentMT.
gist.github.com/LaurentMT/d361…
There are assumptions and simplifications that go into determining the probabalistic links between inputs and outputs.
But the link probability matrix (LPM) is a pretty good way of evaluating the number of interpretations of a transaction.
But the link probability matrix (LPM) is a pretty good way of evaluating the number of interpretations of a transaction.
As I said in my original thread, I like to think of a transactions "privacy" in terms of how computationally expensive it is to evaluate.
The more interpretations, the more expensive to evaluate, the more "private".
The more interpretations, the more expensive to evaluate, the more "private".
The LPM directly evaluates coinjoin best practices. When these are violated it reduces the interpretations/cost of the analysis.
The LPM:
Directly penalizes address reuse ⇒ sets a an entire col/row = 1 (100% link)
Directly penalizes deterministic ⇒ links [m,n] = 1
The LPM:
Directly penalizes address reuse ⇒ sets a an entire col/row = 1 (100% link)
Directly penalizes deterministic ⇒ links [m,n] = 1
These metrics certainly aren't perfect and are subject to change based on known information outside of the info on the blockchain.
There are no perfect privacy measures. But they can provide an indication of coinjoin quality.
There are no perfect privacy measures. But they can provide an indication of coinjoin quality.
To summarize (for constant inputs/outputs):
↓ no. deterministic links ⇒ ↑ interpretations ⇒ closer to "ideal" coinjoin Tx ⇒ ↑ Tx privacy
more equal the input/output amount ⇒ ↑ interpretations ⇒ closer to "ideal" coinjoin Tx ⇒ ↑ Tx privacy
↓ no. deterministic links ⇒ ↑ interpretations ⇒ closer to "ideal" coinjoin Tx ⇒ ↑ Tx privacy
more equal the input/output amount ⇒ ↑ interpretations ⇒ closer to "ideal" coinjoin Tx ⇒ ↑ Tx privacy
I'm not smart enough to come up with this stuff.
But I figure this simplified-ish explanation will be be helpful to many of you when thinking of coinjoins.
But I figure this simplified-ish explanation will be be helpful to many of you when thinking of coinjoins.
If you want to better understand this, you really should read through the gists by LaurentMT on Boltzmann.
github.com/Samourai-Walle…
github.com/Samourai-Walle…
To really grok this, check out the back and forth between Adam Gibson (JoinMarket) and LaurentMT in the comments section of this gist.
/end
gist.github.com/LaurentMT/e758…
/end
gist.github.com/LaurentMT/e758…
@threadreaderapp unroll plz
