Coin Control Is Must Learn If You Care About Your Privacy In Bitcoin
UPDATE: This article was written in Nov 29, 2017 and was updated in March, 06, 2019.
No matter how much you mix, if you don’t learn to use coin control you are going to be deanonymized.
First, I will show you the coin control feature of Bitcoin Core. Then talk about Bitcoin mixing in general. Finally I introduce my implementation of a privacy oriented coin control features, in HiddenWallet and in Wasabi Wallet. Quick context here: The latter is the successor of the former.
Naive Bitcoin Transaction
This is how a simple Bitcoin transaction looks like. You send some coins from one address to another address, and you get back the change to the same address.
Avoiding Address Reuse
This is the very first privacy technique originating all the way back from the Bitcoin whitepaper. The concept is the same, but instead of getting back the change to the same address, your wallet software internally generates a third address where you receive the change. This highlighted another problem, with how you store so many addresses in a wallet. We solved this issue with Hierarchical Deterministic wallets, but this is outside the scope of this article. You will most often make transactions like this with your Bitcoin wallet:
But what happens if your wallet doesn’t have enough money on one address? It will join together more than one addresses to add up the transaction input, with that exposing ownership of two of your wallet addresses, and their histories!
Most Bitcoin wallets today use this model. Now, wouldn’t it be great if we could prevent our wallets to join together coins? This is what coin control feature is for:
I recall I found this window quite challenging when I first started figuring out what the heck this “Coin Selection” option is for. I kept this memory to guide me later on when I implemented my own coin control features, which will be presented at the end of this article. However I did not fully made the case yet for the importance of coin control, so let’s not jump to that part just yet.
Let’s talk a bit about Bitcoin mixers. I am going to show you that, without using a coin control feature you are going to be deanonymized, even if you use Bitcoin mixers.
Examples: Centralized Mixers, SharedCoin
Theory: 1. coins go in, 2. coins come out -> you are anonymous.
If it would be that simple. It is not a challenge to identify the transactions related to Bitcoin mixers and based on a simple subset-sum analysis the parties can be deanonymized:
Round Based Mixers
Examples: CoinShuffle, TumbleBit, Chaumian CoinJoin (Wasabi Wallet)
What is the solution? To use multiple rounds where every round has a fixed denomination.
It’s simple and it works well. Because the denomination is fixed, nobody can figure out which mixed output belongs to who. But let’s recognize that Bitcoin transactions, when not whole coins are spent generate changes:
It allows us to know who participated in how many rounds. However we still cannot figure out the outputs of the mixes, or can we? No, if we are looking at single transactions, but if we start examining transaction chains, we can denonymize some mixing parties:
The problem is, when later the participants start joining their own inputs together, with that exposing common ownership, the mixes can be deanonymized. For example, we know that Satoshi was the only one, who participated in all three rounds, so the one, who joins together outputs from all three rounds can only be Satoshi.
As later it was pointed out numerous times, the intuition behind this deanonymization is dubious in many real world examples, especially when the mixing rounds are interconnected with constant remixing, yet it is a good idea to try to avoid input merging as much as possible, for example by spending whole coins whenever it is appropriate. And here’s where Coin Control comes in again.
Post-Transaction Coin Control
In HiddenWallet I implemented Coin Control Suggestions. These are post-transaction coin control features, which is less customizable and more annoying than Bitcoin Core’s, but the learning curve is drastically better. You make a transaction, as always, and then the wallet pops up things like “Yo, you’re sending 0.09999999 BTC to this address, but you have a 0.1 BTC coin in your wallet. Why not send the whole coin instead?”
So the workflow is:
1. Build a transaction
2. Adjust the transaction in order to make it more private.
3. Send the transaction.
For example if the transaction generates a change, the following privacy suggestion will pop up:
One can decide to spend the whole coin into their destination, however if one decides to donate the change output, then an interesting thing will happen. The transaction will look like this on the Blockchain:
Since the second output is a known donation address, blockchain analysis assumes someone is donating some money, and gets back the change. However there is no change. What Blockchain analysis think is your change is actually the active output, and it’s not part of your wallet anymore.
Pre-Transaction Coin Control
In Wasabi Wallet we did not implement Coin Control Suggestions. Why? Because we implemented mandatory traditional coin control that can be used to achieve the same things and more those can be done with a post-transaction Coin Control feature. While coin control suggestions would still be beneficial for less experienced users, it is even more beneficial for them if we don’t overcomplicate the user interface. We must be very careful to build a great UX and a post-transaction coin control would add significantly to the clutter. That being said, we are constantly thinkering on how could we do this in a less intrusive way. So how does coin control looks like in Wasabi wallet?
First it comes with a mandatory labeling system. You cannot receive money without labeling the receiving address:
The received coins will appear in your send tab and you’ll have to manually select which coins you’ll want to spend from.
From your labels you can see that making the above transaction would be reckless. You will either want to mix first or spending a coin that is not tied to your identity, since your Know Your Customer procedure on MtGox and Cryptsy is not helping you. Can you even imagine what would happen if later the MtGox exchange would go bankrupt and their database would be been leaked?
You can do better, you can select a coin that you got from a random guy:
Another option would be with Wasabi to decide to mix your MtGox coins on the coinjoin tabs and then send it:
There is a lot more to be said AND TO BE EXPERIENCED about coin control, but I hope I was able to convince you about the importance of it. The importance of you being in control of what happens in your wallet:
If you don’t control your bitcoins, your privacy is out of control, too.