Wasabi is an open-source, non-custodial, privacy-focused Bitcoin wallet that implements trustless coin shuffling with mathematically provable anonymity: Schnorrian CoinJoin. It is the first of its kind.

Less detailed video presentation here.

Let’s buy a coffee!

It should be quite clear that in the simple act of purchasing coffee you have exposed your personal identity to the cashier. The situation is much the same online because of the Know Your Customer policy, often shortened to ‘KYC’, which requires the merchant to collect identifiable information from customers. So the transaction can be connected to you. If you use your wallet the same way you use your credit card, you might have exposed your total balance or some part of it. That is not only an uncomfortable feeling but also dangerous. Through the input address your past transactions are traceable, and through the change output address your future transactions are traceable.

Example: the coffee transaction

Wallet leakage

Last time I used my Coinbase wallet I was required to upload an image of my passport; until then my wallet was frozen. They can lock you out until you deanonymize yourself.

If you control the keys, it is your bitcoin; if you don’t control the keys, it is not your bitcoin.

In many wallets you can only see the total balance of your wallet. In reality your balance is fragmented into many coins. With this kind of wallet you cannot choose which coin goes where; it is selected automatically. Why is that a problem? You should be aware of the history of the coin that will be used for a transaction: where it came from. With the CoinControl feature you can see every coin you have and select which ones will be used. In addition, you can attach labels to coins when you are sending or receiving, and Wasabi will automatically append the labels according to the path of that coin. Basically it is building the history of a particular coin. That way, for example, you can avoid paying for that coffee with your full salary and exposing it to the cashier.

CoinControl feature and labeling system

Let’s say you have found a wallet that fulfills the requirements mentioned above. How can you verify that? What a piece of software does is determined by its source code. If you build (compile) your own executable, you can be sure it will work according to the code. Wasabi is 100% open-source software, so you don’t have to trust the developers. Even if you cannot verify it yourself, the trust is distributed among the world’s software developers. If there is something fishy in the code, it won’t stay hidden for long.

Bitcoin Network — Nodes

There is no light wallet that would not fail on the privacy level against network analysis.

With most light wallets this is easy to see, because the wallet is mostly just querying a web API. For example, to determine the total balance you have in your wallet, the addresses are queried at the same time from the same source, so they are simply connected together.

Jonas Nick has deanonymized a lot of SPV wallets, and he said: give me one of your Bitcoin addresses (SPV wallet) and I will give back 70 percent of your wallet addresses using heuristics and cluster analysis. That is pretty scary.

These kinds of problems can be solved by running a full node, which is my recommendation, but if you cannot do that because it is resource intensive, there is another solution:

BIP158 and BIP157. The idea is that instead of requesting addresses, you request blocks. That way an observer cannot tell which addresses we are interested in. With Wasabi you have a constant set of filters that you get from some source. The filters are constructed in a way that lets your wallet determine which blocks are relevant to it. So this is the first light wallet architecture that is truly a light wallet and does not ruin your privacy. Because Bitcoin Core nodes do not support it yet, we have to implement it on our backend. Filters are delivered to the clients through the Tor anonymity network, and blocks are downloaded from a random node. Bitcoin Core integration: BIP158 is merged but BIP157 is still in progress.

Transaction chain

At this point many issues have been covered. However, one of the most trivial problems remains: the transaction chain is still there and it is traceable. So we have to obfuscate the transaction chain. Let’s try to do some mixing.

Forever alone mixing

Traditional mixers


CoinJoin transaction with unequal outputs constructed badly

At first glance it is hard to say which output belongs to which input. But if we take a closer look, we can make some assumptions. Imagine that the transaction is written in the format of a Sudoku game: the rows are the inputs and the columns are the outputs. Analyzing the amounts and filling in the Sudoku can reveal the relationship between inputs and outputs, and in that way deanonymize the participants. Let’s play a game. Try to deanonymize the users. The output with 1 BTC belongs to Alice because she cannot get back more than she gave. The output with 8 BTC can only be owned by Eszter, for the same reason. Bob’s outputs can only be 2 and 4; no other combination gives 6 bitcoins. And so on… The more users are deanonymized, the easier it is to do the rest. If we need mathematically proven anonymity, we need outputs with equal amounts.

Deanonymized CoinJoin transaction

Similar techniques are amount analysis or subset sum analysis. A more sophisticated explanation of CoinJoin Sudoku is here. How do we construct a CoinJoin with mathematically provable anonymity?

Use equal outputs! Look at the following CoinJoin transaction:

CoinJoin with equal outputs — “amount analysis protected”

Set up a fixed denomination of 1 BTC. If there are 4 participants in the CoinJoin, then an observer has a one-in-four probability of telling who the original owner of a given coin is. In this case we say that the anonymity set is 4. In reality nobody will register with exactly the amount of the denomination, so besides the mixed coin there will be a change output, which is unmixed. With that amount you can participate in another round, meaning that in this particular example, if you have 8 bitcoins, then you will need 8 rounds to anonymize your total amount. Currently (3/20/2019) Wasabi has a ~0.1 denomination and an anonymity set of 67 per CoinJoin round.
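The Sudoku reasoning and the equal-output fix can be checked mechanically. The following is an added example, not Wasabi's code: it enumerates every way the outputs can be split so that each owner gets back exactly what they put in, and reports which owners remain possible for each output. The amounts, the participant Carol and the function name are constructed for illustration, and fees are ignored.

```python
from itertools import combinations

def possible_owners(inputs, outputs):
    """Amount analysis of a CoinJoin.

    inputs: {owner: amount put in}; outputs: list of output amounts.
    Returns (candidates, count): candidates[i] is the set of owners that own
    output i in at least one assignment where every owner gets back exactly
    what they put in (fees ignored); count is the number of such assignments.
    """
    owners = list(inputs)
    candidates = [set() for _ in outputs]
    count = 0

    def assign(pos, free, chosen):
        nonlocal count
        if pos == len(owners):
            if not free:                      # every output is accounted for
                count += 1
                for owner, idxs in chosen:
                    for i in idxs:
                        candidates[i].add(owner)
            return
        owner = owners[pos]
        for size in range(1, len(free) + 1):
            for idxs in combinations(sorted(free), size):
                if sum(outputs[i] for i in idxs) == inputs[owner]:
                    assign(pos + 1, free - set(idxs), chosen + [(owner, idxs)])

    assign(0, frozenset(range(len(outputs))), [])
    return candidates, count

# Constructed amounts in BTC, chosen to match the reasoning in the text.
UNEQUAL_IN = {"Alice": 1, "Bob": 6, "Eszter": 8}
UNEQUAL_OUT = [1, 2, 4, 8]

# Constructed amounts in units of 0.1 BTC: four 1 BTC mixed outputs plus change.
EQUAL_IN = {"Alice": 11, "Bob": 12, "Carol": 14, "Eszter": 18}
EQUAL_OUT = [10, 10, 10, 10, 1, 2, 4, 8]

if __name__ == "__main__":
    for name, (ins, outs) in {"unequal": (UNEQUAL_IN, UNEQUAL_OUT),
                              "equal": (EQUAL_IN, EQUAL_OUT)}.items():
        cands, n = possible_owners(ins, outs)
        print(name, "assignments:", n)
        for amount, who in zip(outs, cands):
            print(f"  output {amount}: {sorted(who)}")
```

With unequal outputs there is exactly one consistent assignment, so every output is linked to its owner. With the fixed denomination, each 1 BTC output has four candidate owners, while each change output still has only one.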

We also made an improvement, the unequal input mixing extension, where some of the change outputs are CoinJoined together if possible. With this, Wasabi gives a larger anonymity set for the same fee.

Now this transaction has to be constructed by “something”. Wasabi provides the following solution.

Wasabi coordinator

  1. The client connects to the coordinator (backend, run by the Wasabi Team).
  2. The coordinator collects information from clients in an anonymous way.
  3. The coordinator constructs the CoinJoin transaction and sends the unsigned transaction to every client.
  4. On the client side the transaction is verified, and if it is OK the client returns its input signature to the coordinator.
  5. After all input signatures are acquired, the coordinator builds the final transaction and broadcasts it to the network.

That way there is no way to steal someone's money, so it is a trustless solution.

Coordinator tasks

So, does that mean we are in the clear? Not quite. If the coordinator is spying on you, it will know a lot that helps to deanonymize you, so it has to be constructed in a way that it cannot deanonymize the participants.

First phase: input registration

Alice would like to gain privacy on one of her coins; this will be the input. So she selects one or more coins with the CoinControl feature and enqueues them for CoinJoin. She also generates two additional addresses, one for the mixed coin and another for the change output. Now, if she gave the output in plain form, the coordinator could easily link the input and the output and so deanonymize the user. The trick is to blind the output with Schnorr signatures. With this the coordinator cannot see the output address but can sign it, and can later verify that signature when the output is registered. Small conversation about the security of Schnorr signatures here.

Now the client has a signature for the mixed output address which will be useful later.

Second phase: connection confirmation

Connection confirmation phase. Right side: half constructed CoinJoin transaction.

Third phase: output registration

Output registration: client sends the unblinded output.

Here we have to stop for a while. The communication between the client and the coordinator is made through the internet. Wasabi uses the Tor anonymity network to increase privacy. Tor basically does two things: it hides the source of the traffic and gives end-to-end encryption. At this point nobody on the internet can spy on us, BUT if we used the same Tor circuit as we used to send the input in the registration phase, then the coordinator could link the two. So to send the output Wasabi uses a different Tor circuit. The coordinator verifies the output with the unblinded output signature to make sure it is not a random output from an attacker on the internet.

Wasabi uses more than one Tor circuit to hide the source from the coordinator.

So now the coordinator has all the information to construct the unsigned CoinJoin transaction.
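The blinding at input registration and the check at output registration can be seen in a textbook blind Schnorr signature. This is an added example, not Wasabi's code: it uses a toy multiplicative group instead of Bitcoin's curve, and the group parameters, class and function names, and the sample address are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Schnorr group, an assumption for readability and far too small for real
# use: P_MOD = 2*Q + 1 with both prime, G generates the subgroup of order Q.
P_MOD, Q, G = 2039, 1019, 4

def challenge(r_point, message):
    """Hash the nonce commitment and the message into Z_Q."""
    data = r_point.to_bytes(2, "big") + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

class Coordinator:
    """Signer side: only ever sees r, the blinded challenge c, and s."""
    def __init__(self, x=None):
        self.x = x or secrets.randbelow(Q - 1) + 1      # secret key
        self.pub = pow(G, self.x, P_MOD)
    def commit(self, k=None):
        self.k = k or secrets.randbelow(Q - 1) + 1      # one-time nonce
        return pow(G, self.k, P_MOD)
    def sign_blinded(self, c):
        s = (self.k + c * self.x) % Q
        self.k = None              # never answer two challenges with one nonce
        return s

def blind(pub, r, message, alpha=None, beta=None):
    """Client side: hide the message behind blinding factors alpha and beta."""
    alpha = alpha or secrets.randbelow(Q - 1) + 1
    beta = beta or secrets.randbelow(Q - 1) + 1
    r_blind = r * pow(G, alpha, P_MOD) * pow(pub, beta, P_MOD) % P_MOD
    return r_blind, alpha, (challenge(r_blind, message) + beta) % Q

def verify(pub, message, sig):
    """Anyone holding pub can check an unblinded signature (r_blind, s_blind)."""
    r_blind, s_blind = sig
    expected = r_blind * pow(pub, challenge(r_blind, message), P_MOD) % P_MOD
    return pow(G, s_blind, P_MOD) == expected

def register_output(address, x=None, k=None, alpha=None, beta=None):
    """Input registration, then the values shown at output registration."""
    coordinator = Coordinator(x)
    r = coordinator.commit(k)
    r_blind, alpha, c = blind(coordinator.pub, r, address, alpha, beta)
    s = coordinator.sign_blinded(c)
    signature = (r_blind, (s + alpha) % Q)      # unblind: s' = s + alpha
    return coordinator.pub, signature, (r, c, s)
```

`register_output` returns the coordinator's public key, the unblinded signature the client later presents over a different Tor circuit, and the tuple `(r, c, s)` that the coordinator saw while signing; none of the three values in that tuple appears in the final signature.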

Fourth phase: signing

Final step: acquire the input signatures from the clients.

After every user has signed the transaction, the coordinator broadcasts it to the nodes.

Final words

In reality the procedure is more complex. Here are some sources about the details:

If you like videos:

The more users there are, the better your privacy. Now it is YOUR time to contribute. Fire up your Wasabi and start providing liquidity for CoinJoins to bootstrap the system!