TumbleBit vs CoinJoin

Showdown

I have been working on TumbleBit for quite a long time now. While CoinJoin is an old, well-understood, production tested technique with multiple implementations such as JoinMarket, ShufflePuff, DarkWallet, and SharedCoin, modifications and/or improvements like CoinShuffle, CoinShuffle++, none of that can be said about TumbleBit. It is a new technique, with a single protocol implementation, NTumbleBit, and its precursor proof of concept implementation, BUSEC/TumbleBit. In fact, so far my work concentrated around grasping the basic concepts and explaining them to wider audience, Understanding TumbleBit 1, 2, 3, 4, 5, building TumbleBit enabling technologies such as HBitcoin, DotNetTor, HiddenWallet, BreezeWallet, and procrastinating on smaller issues. I was not quite sure about the practical limitations of the concept. Now that I am in the middle of integrating TumbleBit into HiddenWallet, this has just changed and I am now able to properly write this long article about Bitcoins’ two biggest and/or most hyped hopes of achieving privacy on-chain: TumbleBit and CoinJoin.

On-chain Privacy

TumbleBit can operate in multiple modes: Payment Hub mode and Classic Tumbler mode. Today NTumbleBit almost completely implements its Classic Tumbler mode, which is what I am concerned with in this article. Its Payment Hub mode, as the name suggest is not completely on-chain privacy solution. Comparing it to CoinJoin is kind of silly, at the very least I would have hell of a harder job.
For the same reason I will not touch Mimblewimble or the yet, non-existent privacy centric altcoin sidechain implementations and second layer privacy techniques, which will be built on top of the Lightning Network.
I will not talk about CoinSwap either, because in its basic form it did not gain much traction and to my knowledge, despite its age, no implementation of it exists. I need to mention TumbleBit at least partially built on it and with Segregated Witness and the new opcodes, it is probably a great idea for someone to revisit the CoinSwap protocol.
Of course, I will not talk about traditional Bitcoin tumblers, because they can steal your money and breach your privacy.

I will talk about Confidential Transactions and Schnorr Signatures, because they are complementary technologies to both TumbleBit and CoinJoin, and I will tell you which one benefits more from them and how.

The Basics

Bitcoin transaction

This is how a simple Bitcoin transaction looks like. You send some coins from one address to another address, and you get back the change to the same address. Of course, this model provides terrible Bitcoin privacy, therefore change addresses were introduced.

Change addresses

The concept is the same, however instead of getting the change to the same address, your wallet software internally generates a third address where you receive the change. This highlighted another problem, with how you store so many addresses in a wallet. Hierarchical Deterministic wallets solved this issue, however this is outside the scope of this article.

What happens if your wallet does not have enough money on one address? If it has enough on another one, it will join together more addresses to add up the transaction input:

Actually, my explanation is not entirely correct. The inputs are not address-balance pairs, rather address-amount pairs, or more correctly signature-amount-index trios, however let us not concern ourselves with such details.

Almost all of Bitcoin wallets today uses this model. Of course, it still has many privacy problems.
Would not it be great if people could just join together their inputs with other people and make one big transaction?

SharedCoin

SharedCoin was a method, used by Blockchain.info. The service was both great and terrible.

It is a great concept, because it further hardens the job of blockchain analysis companies, however, simple amount analysis, CoinJoin Sudoku, can tell a lot about who sent money where.

It was a terrible service, because somehow the general public was under the impression “SharedCoin is good enough” and we did not even talk about the fact that Blockchain.info itself was able to simply reestablish the links. Blockchain analysis was not the whole story here.

Since then the company stopped providing this service, I suppose for legal reasons. However I can guarantee you, when Schnorr signatures are introduced they will start providing this service again, because that will dramatically lower the fees of these kind of transactions. In fact, every wallet with decent liquidity will start doing this in order to offer cheap transactions, although I am getting ahead of myself.

CoinJoin

The premise of CoinJoin (CJ) is that the users will have to send the same amount. For example, when a CJ happens everyone has to send let us say 1 Bitcoin somewhere with a big combined transaction and then nobody can tell who sent coins and where. Of course, this is only true if you are looking at single transactions and not transaction chains. This notion makes privacy in Bitcoin kind of lame, however let us not concern ourselves with this now. It is hard enough to find enough people who want to send transactions at the same time, and now you want to find people who want to send the same amount of transactions at the same time? Possibly no wallet has so much liquidity in the first place.
Confidential Transactions, if introduced in the future will solve this issue, since they hide the amount of the transactions. However, they produce bigger transactions therefore the fees will be higher. Those transactions will be ten times bigger if I am not mistaken, although I am getting ahead of myself again.
I would like to note that this brings up a whole new set of issues regarding how the parties coordinate privately, however let us dismiss them for now.

JoinMarket

Here comes the idea of JoinMarket (JM) in. In the transaction I inserted there are three outputs with 2.32386728 BTC. Even if you can figure out which inputs corresponds to which change outputs you cannot figure out the destination. Note, your anonymity set in this case is three. 
So how did JM solve the liquidity issue of CoinJoin? It introduced the maker-taker concept, where market makers are waiting until a taker wants to execute a CJ transaction and asks market-makers to provide liquidity for his CJ for a small fee. Now you must realize if a normal Bitcoin transaction is $1, then if you want to send money through JM with three makers, then you must pay $3 transaction fees. What if you want 100 as your anonymity set? Then you must pay $100.

CoinShuffle, CoinShuffle++, ShufflePuff

I must admit I am not entirely familiar with these concepts, however the basic premise is that they solved the coordination issues in a decentralized way. At least that is what they claim.
CoinShuffle was the precursor of CoinShuffle++, and ShufflePuff was the implementation by Mycelium wallet. This has never seen production, because it was the part of their successfully failed crowd sale, which is another story. Basically, they raised a lot of money from people. They promised a bunch of new features. They may or may not spent the money on development and failed to deliver every new feature. One of these promised new features was ShufflePuff. Unfortunately, the last commit on their GitHub was seven months ago, it is pretty much a dead end, until someone picks it up. Furthermore, let us dismiss the fact that Mycelium is a terrible platform to build any privacy technique on top of. It matters little if you can tackle blockchain analysis, when you are inherently weak against network analysis.

TumbleBit: Classic Tumbler mode

TumbleBit is entirely different from CoinJoin’s concept. In TumbleBit’s Classic Tumbler mode basically you have two distinct identities: Alice and Bob in the eyes of the Tumbler and you are mixing money to yourself.

The workflow is:
1. Open a payment channel to the Tumbler with your Alice identity and Bob identity.
2. Crypto magic.
3. Close the two payment channels.

For now, note that those are two payment channels: four transactions.
What happens under the crypto magic stuff is that many other users, who additionally opened channels tells the Tumbler to tunnel through money to their desired output, however in a way the Tumbler cannot tell who sends money to whom. Seems impossible, huh? You either trust me with this or read more about it.

We are not that concerned about how it works, since the purpose of this article is a comparison and not an introduction. Let us take a look at its parameters: 
How fast is it?
Two channel opening transactions, two channel closing transactions, those are two blocks: twenty minutes. Great!
What are the costs?
Four transactions. They are bigger than normal ones, then maybe at $1 bitcoin fees you would pay $10. Plus, Tumbler fees. Let us say 1%. That is a little problematic, however considering huge the anonymity set, it is probably feasible.
What is the achievable anonymity set?
The sky is the limit. Well, the white paper’s proof of concept implementation achieved 800 anonymity sets, therefore let us go with that.

This was the theory, let us see the practice.

  • Unfortunately, there is a great and terrible property of payment hubs. It must hold a lot of bitcoins in order to cover the mixes. It is great because this pushes the Bitcoin price to the roof, and it is bad because it is exposed to the possibilities of different attacks.
  • Sadly, TumbleBit needs fixed denominations just like CoinJoin, consequently the same set of problems applies here.
  • Regrettably, some timing attacks are possible by the Tumbler in order to deanonymize the users.

Fortunately, all these problems are solved in TumbleBit, therefore you do not need to worry about them. Unfortunately, all these solutions made a tumbling cycle longer, which ended up at the very best around two hours, often times even half a day. Recently a one day long standard cycle was proposed, just to be sure.

Of course, I was aware of these extremely long mixing times, however all this just did not make sense for me and I was hoping that when I get there I can come up with something and make it as fast as possible. Now I am there and I cannot make it fast, no matter what I do, it just ruins something else. I am still not convinced if optimization cannot make it considerably faster, although now I know it is not as easy as I initially thought.
This made me question what is the anonymity set we are hoping to achieve if the cycles takes so long?

I do not have an answer, however I would guess ten to fifty. Initial liquidity has to be gained in the first place, the later we launch the higher the Bitcoin fees will be, which as I detailed above, a ten times multiplier applies to TumbleBit transactions. The worst thing is that you do not even send the amount you want to send. Wait, I did not mention what our is solution for that.

For comparison see my brief explanation of what JoinMarket’s solution was for that, the maker-taker concept. Of course, we cannot use the same, because that multiplies the fees by your anonymity set, and in TumbleBit the fees are high in the first place.

We figured you can mix to yourself. If you want to send 8.3 BTC and the Tumbler denomination is 1 BTC, then you must do 8 rounds of TumbleBit cycles and you will not be able to mix out the remaining 0.3 BTC.
These 8 rounds although multiply the fees, $80, considering $1 bitcoin fees. Luckily you do not need to wait for the completion of every round, because the rounds can overlap.

Authors’ note: I did not and I do not think anyone else ever thought through TumbleBit’s Classic Tumbler’s economics as I did now, in a high Bitcoin fee environment where we are inevitably going towards. In fact, $1 Bitcoin fee, which I was assuming all along is today’s reality and can be hardly considered to be high fee environment.
To be completely honest, after I wrote all these down I became pretty disillusioned.

CoinJoin vs TumbleBit

The comparison is hard because the coordination issues in CoinJoin are pretty tricky. Preventing Sybil attacks brings a whole new set of issues as well.
For this I will compare NTumbleBit’s Classic Tumbler mode with both CoinJoin as envisioned and JoinMarket, as the only today’s working implementation of CoinJoin. Unfortunately, I cannot add TumbleBit as envisioned comparison, because my envision is what is implemented and I cannot see how to overcome its limitations.

While I am using rough estimates, I think I got it right.

Conclusion? If CoinJoin as envisioned existed it would be the winner. However, it does not exist and therefore it is better to use TumbleBit for high anonymity transactions, and JoinMarket for the low ones.

Now let us try to figure out the future, shall we?

Confidential Transactions

CT simply (not that simply) hides the amount of a transaction and in theory if Bitcoin gets CT both TumbleBit and CoinJoin can utilize it at a cost of about 9 times transaction fee increase. However, JoinMarket cannot utilize it in any meaningful way, because it has already solved the fixed denomination problem. How does CT modify the economics?

As you can see CT both in TB and CJ would lower the cost of mixing out bigger amounts and it would increase the costs of mixing out smaller ones.

Schnorr Signatures

The red ones are the input, the green ones are the output and Trump signs the inputs. Schnorr enables us to use only one signature for every transaction. This cannot be significantly utilized in TumbleBit however, it can be in JoinMarket and CoinJoin as envisioned.
How much do they gain? I will go with a rough estimation here, using this Bitcoin Stackexchange answer as my data source:

71 bytes signatures on average
Size of P2SH/P2PKH Transaction = in * 146 + out * 33 + 10

The most frequent transaction we are concerned about has one input and two outputs, which are about 233 bytes. The signature data is about 30% of the transaction. Assuming Schnorr signatures are about the same size (they are not) Schnorr saves at least 30% of every CJ transaction fees. However, there is one signature that needs to be added to the transaction, so a two participant CJ costs at least 15% less, a three participant CJ costs at least 22% and as the numbers grow higher they reach close 30%.

Conclusion

TumbleBit’s Classic Tumbler mode works for huge anonymity set. 
Today’s CoinJoin: JoinMarket does not work for huge anonymity set.
TumbleBit’s Classic Tumbler mode is slow, CoinJoin is fast.
CoinJoin as envisioned would be economically more feasible for huge anonymity sets than TumbleBit’s Classic Tumbler mode.

The questions of the future are:
Will TumbleBit in production find the liquidity it needs to achieve huge anonymity sets? Can CoinJoin solve its coordination issues and achieve huge anonymity sets?