TumbleBit: An Untrusted Bitcoin-Compatible Anonymous Payment Hub

Frank Wang
Oct 7, 2016 · 3 min read

Ethan Heilman from Boston University gave a talk on TumbleBit: An Untrusted Bitcoin-Compatible Anonymous Payment Hub. I’ll present an overview of the work, and you can refer to his paper for more details.

The two technical challenges facing Bitcoin are privacy and scalability. We know from past research that Bitcoin is not really anonymous, and past payment history is saved to the blockchain and stays there forever. Scaling is also an issue. It takes 10 minutes to confirm a transaction, and Bitcoin can handle about 7 transactions a second compared to Visa, which handles about 2000 transactions per second on average and up to 56,000 at peak times. The limiting factor in Bitcoin is the space in the blockchain. TumbleBit is designed to address these challenges by providing privacy and scalability without introducing trust.

TumbleBit is private — it provides unlinkable Bitcoin payments and k-anonymous mixing. It is untrusted, so no one can steal or link payments. It is a scalable transaction hub, so it scales to transaction velocity and volume. Finally, it is compatible with today’s Bitcoin protocol.

One main tool in TumbleBit is RSA puzzles. Below, we show how RSA puzzles work.

Overview of RSA Puzzles

The insight is that Alice (payer) pays Bob (payee) with RSA puzzles. For example, Tumbler sells Alice a solution to an RSA puzzle of her choice for 1 Bitcoin. If Bob finds the solution to this RSA puzzle, he will receive 1 Bitcoin.

Overview of TumbleBit

We can use RSA puzzles to hide the link between payers and payees, but how do we ensure that the Tumbler does not cheat?

There is a puzzle-promise protocol where Tumbler convinces Bob the solution to the RSA puzzle is a certain value, which allows him to claim the 1 Bitcoin. Similarly, there is a puzzle-solver protocol where the Tumbler convinces Alice the preimage X where Hash(X) = Y will allow her to learn the blinded RSA solution value. These protocols work despite a malicious Tumbler, and the probability that the Tumbler successfully cheats is very low. The protocol is fairly involved, so I won’t describe it here. Please look at the paper for more details.

Overview of Puzzle-Promise Protocol

They wrote a proof-of-concept implementation, and the source code is available here. They “tumbled” 800 addresses to 800 address. In their paper, they provide links to runs on Bitcoin’s blockchain. Their implementation is performant. It takes about 326 KB of bandwidth, and about 0.3–0.6 seconds in computation time. The total time depends on the network latency.

TumbleBit helps to trustlessly scale Bitcoin while using unlinkable Bitcoin payments to provide user privacy. Here, I just provide an overview, but for more information, please take a look at his paper.

MIT Security Seminar

Summary of talks from the MIT security seminar

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store