TumbleBit: An Untrusted Bitcoin-Compatible Anonymous Payment Hub
Ethan Heilman from Boston University gave a talk on TumbleBit: An Untrusted Bitcoin-Compatible Anonymous Payment Hub. I’ll present an overview of the work, and you can refer to his paper for more details.
The two technical challenges facing Bitcoin are privacy and scalability. We know from past research that Bitcoin is not really anonymous, and past payment history is saved to the blockchain and stays there forever. Scaling is also an issue. It takes 10 minutes to confirm a transaction, and Bitcoin can handle about 7 transactions a second compared to Visa, which handles about 2000 transactions per second on average and up to 56,000 at peak times. The limiting factor in Bitcoin is the space in the blockchain. TumbleBit is designed to address these challenges by providing privacy and scalability without introducing trust.
TumbleBit is private — it provides unlinkable Bitcoin payments and k-anonymous mixing. It is untrusted, so no one can steal or link payments. It is a scalable transaction hub, so it scales to transaction velocity and volume. Finally, it is compatible with today’s Bitcoin protocol.
One main tool in TumbleBit is RSA puzzles. Below, we show how RSA puzzles work.
The insight is that Alice (payer) pays Bob (payee) with RSA puzzles. For example, Tumbler sells Alice a solution to an RSA puzzle of her choice for 1 Bitcoin. If Bob finds the solution to this RSA puzzle, he will receive 1 Bitcoin.
We can use RSA puzzles to hide the link between payers and payees, but how do we ensure that the Tumbler does not cheat?
There is a puzzle-promise protocol where Tumbler convinces Bob the solution to the RSA puzzle is a certain value, which allows him to claim the 1 Bitcoin. Similarly, there is a puzzle-solver protocol where the Tumbler convinces Alice the preimage X where Hash(X) = Y will allow her to learn the blinded RSA solution value. These protocols work despite a malicious Tumbler, and the probability that the Tumbler successfully cheats is very low. The protocol is fairly involved, so I won’t describe it here. Please look at the paper for more details.
They wrote a proof-of-concept implementation, and the source code is available here. They “tumbled” 800 addresses to 800 address. In their paper, they provide links to runs on Bitcoin’s blockchain. Their implementation is performant. It takes about 326 KB of bandwidth, and about 0.3–0.6 seconds in computation time. The total time depends on the network latency.
TumbleBit helps to trustlessly scale Bitcoin while using unlinkable Bitcoin payments to provide user privacy. Here, I just provide an overview, but for more information, please take a look at his paper.
