Why do we need coinjoin?

Breaking deterministic links, creating uncertainty, and multiple transaction interpretations.
Last week I got ahead of myself with this thread on Entropy as a method for evaluating bitcoin transaction "privacy".

I failed to establish the reason for coinjoining in the first place.

I also didn't cover the core metric for calculating entropy.

I'm going to fix that in this thread.

So why do we need coinjoin?
Mumbles....
something something blockchain...
something something open....
something something "privacy"....

No. Technically.

As specifically as possible why do we need coinjoin?
Most bitcoin transactions do not create any uncertainty on the blockchain.

They only have a single interpretation based on the number of inputs/outputs and the BTC of each input/output.

A single interpretation makes the flows of bitcoins easy to monitor.

bitfury.com/content/downlo…
The "flow" of bitcoins in a transaction can be used as a mental model for determining the relationship between inputs and outputs.

The relationships or links between inputs and outputs being pipes.

For example this transaction only has one interpretation aka one pipe:

Input 0 paid output 0.

This transaction has one DETERMINISTIC link and one INTERPRETATION.
Transactions with multiple inputs and outputs can have many deterministic links.

If every relationship between inputs and outputs is deterministic, the transaction still only has one interpretation.
Definition:

A deterministic link is a definite link between an input and output of a transaction based on all combinations of the amounts of BTC in each input and output.
Kristov Atlas created Coinjoin Sudoku to evaluate a transaction for deterministic links during his review of BC.i's SharedCoin "coinjoin" protocol.

coinjoinsudoku.com/advisory/
He was able to take this mess and establish deterministic links between inputs and outputs. Even for outputs of identical amounts.
A real coinjoin transaction aims to break these deterministic links by using IDENTICAL sized outputs.

Breaking DETERMINISTIC links between inputs & outputs creates multiple INTERPRETATIONS of a transaction (many pipes in the thermo model).

^^ this is why you coinjoin ^^
A transaction with some identical sized outputs can still have deterministic links, even among the identical sized outputs. (See SharedCoin example above)

The easiest way to prevent deterministic links is to have EVERY output be IDENTICAL.
But if the input/output links aren't deterministic how can we evaluate them? They are still linked after all.

Enter PROBABILISTIC LINKS, defined by LaurentMT.

gist.github.com/LaurentMT/d361…
There are assumptions and simplifications that go into determining the probabilistic links between inputs and outputs.

But the link probability matrix (LPM) is a pretty good way of evaluating the number of interpretations of a transaction.
As I said in my original thread, I like to think of a transaction's "privacy" in terms of how computationally expensive it is to evaluate.

The more interpretations, the more expensive to evaluate, the more "private".
The LPM directly evaluates coinjoin best practices. When these are violated it reduces the interpretations/cost of the analysis.

The LPM:
Directly penalizes address reuse ⇒ sets an entire col/row = 1 (100% link)
Directly penalizes deterministic links ⇒ [m,n] = 1
These metrics certainly aren't perfect and are subject to change based on known information outside of the info on the blockchain.

There are no perfect privacy measures. But they can provide an indication of coinjoin quality.
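The interpretation count and link probability matrix described above, as an added example that is not from the thread or from LaurentMT's Boltzmann code. It is a simplified brute-force model that assumes zero fees and positive integer amounts; the function names and sample transactions are constructed for illustration.

```python
from itertools import product
from math import log2

def set_partitions(items):
    """Yield every way to split `items` into non-empty unordered blocks."""
    if not items:
        yield []
        return
    head, rest = items[0], items[1:]
    for part in set_partitions(rest):
        yield [[head]] + part                    # head alone in a new block
        for k in range(len(part)):               # or head joins block k
            yield part[:k] + [[head] + part[k]] + part[k + 1:]

def interpretations(inputs, outputs):
    """All (input blocks, output->block assignment) pairs whose sums balance."""
    if sum(inputs) != sum(outputs):
        raise ValueError("simplified model assumes zero fee")
    found = []
    for blocks in set_partitions(list(range(len(inputs)))):
        targets = [sum(inputs[i] for i in b) for b in blocks]
        for assign in product(range(len(blocks)), repeat=len(outputs)):
            sums = [0] * len(blocks)
            for o, b in enumerate(assign):
                sums[b] += outputs[o]
            if sums == targets:                  # every block pays for itself
                found.append((blocks, assign))
    return found

def link_probability_matrix(inputs, outputs):
    """Return (lpm, n): lpm[o][i] is the share of the n interpretations linking i to o."""
    interps = interpretations(inputs, outputs)
    counts = [[0] * len(inputs) for _ in outputs]
    for blocks, assign in interps:
        for o, b in enumerate(assign):
            for i in blocks[b]:
                counts[o][i] += 1
    return [[c / len(interps) for c in row] for row in counts], len(interps)

def deterministic_links(inputs, outputs):
    """(output, input) pairs linked in every interpretation, i.e. lpm entry = 1."""
    lpm, _ = link_probability_matrix(inputs, outputs)
    return [(o, i) for o, row in enumerate(lpm) for i, p in enumerate(row) if p == 1.0]

if __name__ == "__main__":
    # Constructed amounts: plain payment, equal-output 2x2, and a mixed case.
    for tx in [([10], [7, 3]), ([5, 5], [5, 5]), ([5, 5, 3], [5, 5, 3])]:
        lpm, n = link_probability_matrix(*tx)
        print(tx, "interpretations:", n, "entropy bits:", round(log2(n), 3), "deterministic:", deterministic_links(*tx))
```

In the mixed case the odd-sized 3 output stays deterministically linked to the 3 input even though the two 5 outputs are ambiguous, which is the leak that making every output identical removes.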
To summarize (for constant inputs/outputs):

↓ no. deterministic links ⇒ ↑ interpretations ⇒ closer to "ideal" coinjoin Tx ⇒ ↑ Tx privacy

more equal the input/output amount ⇒ ↑ interpretations ⇒ closer to "ideal" coinjoin Tx ⇒ ↑ Tx privacy
I'm not smart enough to come up with this stuff.

But I figure this simplified-ish explanation will be helpful to many of you when thinking of coinjoins.
If you want to better understand this, you really should read through the gists by LaurentMT on Boltzmann.

github.com/Samourai-Walle…
To really grok this, check out the back and forth between Adam Gibson (JoinMarket) and LaurentMT in the comments section of this gist.

/end

gist.github.com/LaurentMT/e758…