What do you mean 👋 Unlink Bitcoin 👋
Why make deterministic links at all?
by Dan Gould
Stripe: Increasing the GDP of the internet. That’s a concise mission if I’ve ever heard one. Committing to such a mission turned every decision into one that either hurts or helps for everyone who joined the cause. The number of factors to consider converged to one.
On my mission to make bitcoin censorship resistant, I’ve spent hundreds of hours looking for a GDP analog. To mark progress. “Forward and backward looking anonymity set,” “link probability matrix,” “non-derived sub-transactions,” “boltzmann entropy,” “CJA score,” and other quantities leave my tongue in a knot and my brain in a tizzy. Even colleagues on the mission ask “…who are you writing this for?” when I use that jargon to make a point to them. Censorship resistance requires privacy. But how much exactly?
The privacy section of The White Paper made it plain: “The public can see that someone is sending an amount to someone else, [by looking at the blockchain,] but without information linking the transaction to anyone.” Money in equals money out*. But almost everyone we transact with can, in practice, link the chain back to us. Whether they’re the financial intermediaries bitcoin set out to avoid, untrusted business counterparties, or even friends we’re getting back for spotting us lunch, they see the coins came from us. That’s how they deliver what they’re paid for. Since they can link our id to activity, all of which is chained together for easy tracking, sometimes they discriminate. We’re better off having control over who we choose to see our receipts.
In a concrete sense, bitcoin serves a humanitarian need when some financial authority decides who gets to use money and who does not. In Afghanistan, women use bitcoin where male permission is required to bank. In North Korea, private property is banned by the state, so bitcoin buys refugees resources to fund escape. Canadian protesters turned to bitcoin after their access to dollars was shut down. In the Canadian case, the wrong assumption that naive bitcoin transfers have privacy against discrimination came back to haunt dissidents with further financial repercussions. They had their bank accounts shut down for sending money to other protesters. Canada’s got liberal values. Some would call it developed. Imagine what disaster awaits those in places that don’t value human rights.
Because amounts and identities are unlinked on chain, the experts may take care to keep their identity separate from public record. Today they might do this by working together. They collaborate so that each one outputs a common sized “equal amount” coin from a new transaction. That way each one’s history looks the same. This is called a CoinJoin. Such coordination takes around an hour to find peers, and only then can one transfer up to, but not more than, that one coin to the sensitive destination. Otherwise a snoop can see links to track someone’s activity. Money in equals money out. There is no simple, mindless way to send an arbitrary amount. Doing so means even more steps than above. And this example is still flawed. If one’s collaborators aren’t experts too, they will make mistakes later that erode any ambiguity the equal amount splitting earned.
Though a crowd of coins with equal amounts lets one blend in, any input greater than that common amount comes back as so-called toxic change. That sticks out. The change of a CoinJoin plus the equal amount equals the original input amount. Don’t spend toxic change at the same time as an equal coin. That links the sum together. And when that sum gets linked, one coin’s equality erodes away. Say there were six ambiguous coins before a link. Now only five others’ histories look the same. That’s why it’s toxic. So what do we do? Two things. Stop making toxic change. And clean up the sludge that already exists.
Understanding where ambiguity comes from is the key to quitting toxic change. It’s not just making equal amounts per se. Money in equals money out. The problem generalizes to subset sum. Where subsets of in coins sum up to subsets of out coins, they’re indistinguishable. When there are multiple subset sum solutions there is ambiguity. Money out could have come from more than one place. Let’s walk through an example.
In a pure tumbler style transaction, where everyone putting money in gets the same amount of money out, Alice might input 10 and Ben just 5. They make outputs of sizes {1, 2, 3, 4, 5}. Subsets {1 + 4}, {2 + 3}, and {5} could belong to either Alice or Ben, since they total to 5. There are no two equal outputs but the tumble still made many possibilities. Now imagine it’s not a tumble, but a transfer, too. If some outputs could have gone to Yegor, Max, or someone else there’d be even more interpretations. These output splits are more complex to coordinate than equal amounts, but they show promise to rid us of toxic change. But only if transfers can be made in collaborations. That way some input users never get toxic change back. If not, the toxic change appears again, makes links, and kills the collab.
This ambiguity problem goes beyond toxic change. Imagine Alice wanted to transfer 8 out of whatever subset sums to her 10. The normal way to do that is to link those otherwise ambiguous outputs in one transaction. Spend the whole subset. Ben did everything right, but after that spend he’s got no privacy. The only unlinked subset must be Ben’s. So on top of transfers, we need inputs to be spent together without being linked. One way to do that is with a central coordinator†. And it has to be the norm to protect one another.
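The Alice and Ben walk-through above, as an added example that is not part of the original essay: it enumerates every subset-sum interpretation of the outputs, then repeats the count after a later co-spend links two outputs. The function names, the choice of outputs 3 and 5 for Alice's transfer of 8, and the treatment of fees as zero are assumptions made for illustration.

```python
from itertools import product

# Constructed sample taken from the essay's walk-through; fees are ignored.
INPUTS = {"Alice": 10, "Ben": 5}
OUTPUTS = [1, 2, 3, 4, 5]  # assumed distinct, so a value names an output


def interpretations(inputs, outputs, linked=()):
    """Return every owner assignment where each owner's outputs sum to
    that owner's input. `linked` holds groups of outputs known to share
    an owner, for example because they were later spent together."""
    owners = list(inputs)
    found = []
    for combo in product(owners, repeat=len(outputs)):
        totals = dict.fromkeys(owners, 0)
        for owner, value in zip(combo, outputs):
            totals[owner] += value
        if totals != inputs:
            continue  # violates money in equals money out
        assign = dict(zip(outputs, combo))
        if all(len({assign[v] for v in group}) == 1 for group in linked):
            found.append(assign)
    return found


def possible_owners(found):
    """Map each output to the set of owners it has across all interpretations."""
    owners = {}
    for assign in found:
        for value, owner in assign.items():
            owners.setdefault(value, set()).add(owner)
    return owners


if __name__ == "__main__":
    before = interpretations(INPUTS, OUTPUTS)
    # Hypothetical later spend: outputs 3 and 5 merged to pay 8.
    after = interpretations(INPUTS, OUTPUTS, linked=[(3, 5)])
    print(len(before), possible_owners(before))
    print(len(after), possible_owners(after))
```

Before the co-spend every output has two possible owners; afterwards a single interpretation survives, so Ben's outputs are pinned even though Ben spent nothing.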
Some people swap change coins for monero, consolidate there, and swap back. They pay fees for each step. Still, every single coin needs quarantine control lest it leak forevermore. The timing of each move has to look random or else they will be clustered too. What a mess. Some people put toxic change in PayJoins. PayJoins let the payee merge coins with the payer, but they both see certain history.
Big CoinJoins don’t. Once coins have some group ambiguity in their history, they can pass it on in later CoinJoins. Input ambiguity (is this coin from Alice or Ben?) to a CoinJoin gets passed to all the new outputs. Any spend out of the intertwined CoinJoin graph is only one entity and amount out of all of the possible CoinJoin outputs. Therefore a collective interested in privacy should aim to increase the count of input entities and input amounts. CoinJoin input ambiguity is viral just like toxic change is. That makes the pool of possibilities increase over time. Tracking the end of toxic change merges is progress. Enabling transfers is too. We should eliminate toxic creation in the first place.
The most promising source of inspiration that such a future could exist is JoinMarket. They recognize different needs. There, equal output CoinJoins get made for arbitrary amounts. A Taker chooses the amount and asks online Makers to make the same together, for their fees. Arbitrary amounts enable transfers. Every party gets coins with an ambiguous history. But problems remain. Making change from those CoinJoins is still toxic. Fragmenting coins is not solved. Merging coins still makes links. The Takers can see which Maker input each coin. But it’s a start. Each role addresses their unique costs. In the zero-knowledge future, Alice may merge toxic inputs without making links. Ben will make a transfer for a fee so he can sleep at night. And Charlie earns a yield for federating his liquidity into a channel with others all in Join go so that whale-sized outputs have ambiguity, too. We’ll know we’ve made it. Each role will get equal treatment in a market setting and we’ll sing Kumbaya.
But where’s that pesky measure? Where’s Gross Bitcoin Privacy? I don’t know that we’ll ever find one. Measuring how many toxic change outs exist is one idea. Count their merges, or clusters identified by change. Maybe it’s the count of ambiguous coins. Please tell me if you know. Our mission depends on it.
* Money in equals money out, minus network fees.