CoinJoin is a privacy protocol that protects Bitcoin transaction privacy by allowing multiple parties to send funds within a single transaction without the risk of theft.

Description

The CoinJoin protocol allows multiple Bitcoin clients, once matched up with each other, to create a jointly signed transaction that includes funds from all of the clients' wallets. This allows for "trustless" mixing, meaning that clients can join into an anonymity set but without any risk of stolen funds. An anonymity set is created through the careful selection of input and/or output values.


Researchers have proposed various extensions and embellishments to the protocol, such as order book matchmaking (JoinMarket) for improved economic incentivization, cryptographic blinding for improved privacy (CoinShuffle, Chaumian Blinded Signatures), and denial of service resistance (CoinShuffle).

Origin

CoinJoin was first proposed in 2013 by Gregory Maxwell.

Motivation

Traditional banking provides a fair amount of privacy by default. Your in-laws don't see that you're buying birth control that deprives them of grandchildren, your employer doesn't learn about the non-profits you support with money from your paycheck, and thieves don't see your latest purchases or how wealthy you are to help them target and scam you. Poor privacy in Bitcoin can be a major practical disadvantage for both individuals and businesses.

Even when a user ends address reuse by switching to BIP 32 address chains, they still have privacy loss from their old coins and the joining of past payments when they make larger transactions.

Privacy errors can also create externalized costs: You might have good practices but when you trade with people who don't (say ones using "green addresses") you and everyone you trade with loses some privacy. A loss of privacy also presents a grave systemic risk for Bitcoin: If degraded privacy allows people to assemble centralized lists of good and bad coins you may find Bitcoin's fungibility destroyed when your honestly accepted coin is later not honored by others, and its decentralization along with it when people feel forced to enforce popular blacklists on their own coin. (citation)

Effect on Non-CoinJoin Transactions

Transactions that look sufficiently similar to CoinJoin transactions will gain a degree of analysis ambiguity by virtue of being indistinguishable from multi-party transactions with an anonymity set against passive blockchain observers. This provides a social incentive within the Bitcoin ecosystem to propagate the use of CoinJoin, and to make non-CoinJoin transactions indistinguishable whenever possible.

Implementation Details

The original CoinJoin protocol leaves several design decisions unspecified, such as imposing rules on what amounts can be joined, how bootstrapping takes place, and how joining parties exchange information before signing a transaction.

Qualifying Amounts

CoinJoin implementations must prescribe constraints on the amounts allowable as inputs and/or outputs during a CoinJoin; otherwise, an anonymity set will not be created, and the transaction will not provide any privacy.

The simplest example is the following. Two CoinJoin participants each input 1 bitcoin and receive an output of 1 bitcoin. For simplicity, assume a 0 bitcoin mining fee.

Trivial ex.

input index | input amt | output index | output amt
0           | 1 BTC     | 0            | 1 BTC
1           | 1 BTC     | 1            | 1 BTC

fee: 0 BTC

Conversely, some combinations of inputs and desired outputs cannot form an anonymity set. Consider the following example, in which each output can be matched to its input by amount alone:

Broken ex.

input index | input amt | output index | output amt
0           | 1 BTC     | 0            | 1 BTC
1           | 2 BTC     | 1            | 2 BTC

fee: 0 BTC

TODO: Non-trivial examples

Additionally, it is advisable to construct CoinJoin transactions in such a way that non-CoinJoin transactions can be constructed to appear indistinguishable. This creates additional ambiguity for attackers that passively observe the blockchain, both for CoinJoin participants and non-participants.

TODO: Explain how to construct CJ txs such that they can be emulated by non-CJ txs.

Mining Fees

Most Bitcoin transactions pay a fee to miners in order to ensure confirmation. In the absence of this fee, transactions may be slow to confirm, or may get stuck indefinitely in a pool of unconfirmed transactions. Given that CoinJoin is a multi-party protocol, there are a couple of ways to address the payment of fees:

Split fee

Parties can split the fee evenly. For example:

input index | input amt | output index | output amt
0           | 1 BTC     | 0            | 0.99995 BTC
1           | 1 BTC     | 1            | 0.99995 BTC

fee: 0.0001 BTC

Alternating fee

If parties agree to engage in multiple rounds of CoinJoin transactions, they can alternate paying fees. However, since this agreement cannot be enforced within the atomic assurances of a single transaction, additional extensions to the CoinJoin protocol would need to be enforced in order to ensure that each party pays their fair share of fees.

Implementations

There are several implementations of anonymous Bitcoin transactions inspired by CoinJoin: SharedCoin, Dark Wallet, DarkSend in the altcoin Dash, and JoinMarket.

SharedCoin

TODO

Darkwallet


Darkwallet is a privacy-centric Bitcoin wallet created by unSYSTEM.

TODO: More details

DarkSend

TODO

JoinMarket

TODO

CoinJumble

TODO: https://github.com/chris-belcher/coinjumble

sx command-line tool

TODO: https://github.com/spesmilo/sx

Protocol Extensions

CoinShuffle

CoinShuffle is a decentralized extension of the CoinJoin protocol that requires no orchestrating third party, blinds peers from one another, and includes a blame phase to remove denial of service attackers. More details are included in the CoinShuffle page.

Attacks

There are various attacks that can weaken or defeat the privacy guarantees offered by CoinJoin.

Denial of Service

An attacker can seek out other parties wishing to engage in a CoinJoin and refuse to complete the protocol with them.

Denial of Service Countermeasures

Some extensions to CoinJoin offer mitigations against this attack, such as CoinShuffle.

Sybil Attack

An attacker can seek out other parties wishing to engage in a CoinJoin, and complete the protocol, but retain the knowledge of his own inputs and outputs. Using this information he can make statistical inferences about the mapping between inputs and outputs for the other CoinJoin parties.

Sybil Attack Countermeasures

If a single party can masquerade as multiple parties within a CoinJoin without detection by a Sybil attacker, the party can deny knowledge from the Sybil attacker's nodes.

Increasing the pool of available parties increases the resources a Sybil attacker must expend to be successful.

Matching parties randomly for CoinJoins makes it more difficult for a Sybil attacker to target any one node.

Incompatible Amounts

Incorrect selection of output amounts based on the input amounts provided can result in decreased privacy. Kristov Atlas named this type of attack CoinJoin Sudoku in his analysis of the SharedCoin service in 2014.
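
As an added example (not part of the original page or of any CoinJoin implementation), the check below takes the tables from Qualifying Amounts and Split fee and counts how many input-to-output assignments a passive observer could not rule out, which an implementation could run before signing. It assumes one input and one output per party and an evenly split fee; the function names and sample tuples are hypothetical.

```python
from decimal import Decimal
from itertools import permutations

SATS_PER_BTC = 100_000_000  # integer satoshis avoid float rounding on amounts


def btc(amount):
    """Convert a decimal string such as '0.99995' to satoshis exactly."""
    return int(Decimal(amount) * SATS_PER_BTC)


def consistent_mappings(inputs, outputs, fee_per_party=0):
    """Return every assignment (position i holds the output index paid from
    input i) in which each output equals its input minus the fee share.
    Model assumption: one input and one output per party. Enumeration is
    factorial in the number of parties, so this suits small joins only."""
    if len(inputs) != len(outputs):
        raise ValueError("model assumes one input and one output per party")
    return [
        perm
        for perm in permutations(range(len(outputs)))
        if all(outputs[o] == inputs[i] - fee_per_party for i, o in enumerate(perm))
    ]


def anonymity_sets(inputs, outputs, fee_per_party=0):
    """For each input index, the set of output indexes it could have funded."""
    mappings = consistent_mappings(inputs, outputs, fee_per_party)
    return [{perm[i] for perm in mappings} for i in range(len(inputs))]


def provides_privacy(inputs, outputs, fee_per_party=0):
    """True only if every input has more than one candidate output."""
    return all(len(s) > 1 for s in anonymity_sets(inputs, outputs, fee_per_party))


# Sample data constructed from the page's three tables: (inputs, outputs, fee share).
TRIVIAL = ([btc("1"), btc("1")], [btc("1"), btc("1")], 0)
BROKEN = ([btc("1"), btc("2")], [btc("1"), btc("2")], 0)
SPLIT_FEE = ([btc("1"), btc("1")], [btc("0.99995"), btc("0.99995")], btc("0.00005"))

if __name__ == "__main__":
    for name, case in (("trivial", TRIVIAL), ("broken", BROKEN), ("split fee", SPLIT_FEE)):
        print(name, anonymity_sets(*case), "private:", provides_privacy(*case))
```

In the broken example each input has exactly one candidate output, so a join with those amounts would be rejected by this check.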

Countermeasures to CoinJoin Sudoku

TODO… need more research here.