Coin Control Is Must Learn If You Care About Your Privacy In Bitcoin
No matter how much you mix, if you don’t learn to use coin control you are going to be deanonymized.
First, I will show the coin control feature of Bitcoin Core, then talk about Bitcoin mixing in general, finally I introduce my implementation of a privacy oriented coin control feature, which was just merged yesterday and will get into the next version of HiddenWallet.
Simple Bitcoin Transaction
This is how a simple Bitcoin transaction looks like. You send some coins from one address to another address, and you get back the change to the same address.
Avoid Address Reuse
The concept is the same, but instead of getting the change to the same address, your wallet software internally generates a third address where you receive the change. This highlighted another problem, with how you store so many addresses in a wallet. Hierarchical Deterministic wallets solved this issue, but this is outside the scope of this article. You will most often make transactions like this with your Bitcoin wallet:
But what happens if your wallet doesn’t have enough money on one address? It will join together more addresses to add up the transaction input:
Note, this is an oversimplified, slightly incorrect explanation, but good enough to move forward.
Almost all Bitcoin wallets today use this model. Now, wouldn’t it be great if we could prevent our wallets to join together coins? This is what coin control feature is for:
In the end of this article I will show you how I did coin control in HiddenWallet, which I sincerely hope will make the correct usage of this feature easier.
Let’s talk a bit about Bitcoin mixers. I am going to show you that, without using coin control feature you are going to be deanonymized, even if you use Bitcoin mixers.
Examples: Centralized Mixers, SharedCoin
Theory: 1. coins go in, 2. coins come out -> you are anonymous.
If it would be that simple. The transactions related to Bitcoin mixers can be easily identified and based on amount analysis the parties can be quite simply deanonymized:
Round Based Mixers
Examples: CoinShuffle, TumbleBit, ZeroLink
What is the solution? Using multiple rounds and every round has a common denomination:
It’s simple and it works well. Because the denomination is fixed, nobody can figure out which output belongs to who. But let’s recognize Bitcoin transactions, when not whole coins are spent generate changes:
It allows us to know who participated in how many rounds. However we still cannot figure out the outputs of the mixes, or can we? No, if we are looking at single transactions, but if we start examining transaction chains, we can denonymize the mixes:
The problem is, when later the participants start joining their own inputs together, the mixes can be deanonymized. For example, we know that Satoshi was the only one, who participated in all three rounds, so the one, who joins together outputs from all three rounds can only be Satoshi. Here’s where Coin Control comes in!
If users don’t join together outputs after the mix, then we built anonymous Bitcoin. But come on, that’s a huge restriction! Yes, it is. Indeed it is, but privacy oriented wallets should somehow push the users into this direction. Or build the clusterfuck wallet, which basically does so many types of transactions that blockchain analysis cannot find reliable patterns about the meaning of the transactions. This will likely be a future project of mine, but for now, we must try to prevent joining inputs together. So what did I come up with in HiddenWallet?
Coin Control In HiddenWallet
So how’s this better and worse than Bitcoin Core’s coin control feature? It’s worse, because it’s slightly less customizable, for example I still don’t have proper labeling in place, however its learning curve is drastically reduced.
You can see, first you build a transaction, then you can modify the transaction in order to make it more private. An added plus is the donation option, which is a technique the clusterfuck wallet uses. It misleads blockchain analysis.
If the transaction generates a change, the following privacy suggestion will pop up:
One can decide to spend the whole coin into their destination, however if one decides to donate the change output, then an interesting thing will happen. The transaction would look like this on the blockchain:
Since the second output is a known donation address, blockchain analysis would think someone is donating some money to HiddenWallet, and gets back the change. However there is no change. What blockchain analysis think is the change, it’s actually the active output, and it’s not part of the wallet anymore.
Coin control was the last missing piece of ZeroLink implementation that will enable the usage of Bitcoin in an anonymous way. Some days of internal testing, then a huge public testnet testing will follow. Finally, if all goes well I will release a buggy alpha version on the Bitcoin mainnet and start the stabilization work from there on..