A new kind of mixing service on Bitcoin
Fungibility is a key property that we demand from our currency. I’ve written on the relationship between privacy and fungibility before, and believe that it’s critical to get this right to lay the foundation for the future financial system. The developer community has continued to impress with the innovations and potential solutions that they propose.
Currencies like Zcash and Monero have taken major steps forward to improve privacy. However, Bitcoin remains the most popular cryptocurrency with the largest network effect, most adoption and liquidity, and it has the widest audience that could benefit from improved privacy. Despite Bitcoin’s serious privacy weaknesses, its network effect is too large to ignore. Many developers believe that an anonymity service within Bitcoin would have more impact than launching a new cryptocurrency network.
Ordinary bitcoin transactions leave a very easy to trace transaction graph, revealing information about the sender, recipient, their relationship to each other, as well as potentially hinting at sensitive information about each of them including their spending habits, income and net worth. Obfuscating this transaction graph by mixing transactions together has been the goal of many developers concerned with privacy who wish to create plausible deniability by breaking the clear link between sender and recipient.
Greg Maxwell, former CTO of Blockstream and prolific cryptographic contributor, first proposed CoinJoin as a privacy enhancement for Bitcoin in 2013. The idea is simple, combine many transactions from many users such that which inputs lead to which outputs becomes more ambiguous. It has a few weaknesses such as needing coordination between users wishing to mix. CoinJoin users initially used IRC channels or central servers to find mixing partners. CoinShuffle improves on CoinJoin by introducing a p2p network for finding mixing partners. CoinJoin also has potential Denial of Service attacks. If a mixing partner doesn’t sign their transaction, coins can be held in limbo.
Other mixers, Mixcoin and Blindcoin, use trusted third parties to combine transactions. Users deposit their funds with the third party which would then combine coins into a single pool before forwarding them to the intended recipient. Requiring a trusted third party is not ideal, but these protocols introduced allow users to prove if a mixer misbehaves, acting as a deterrent for bad behavior.
TumbleBit builds on plenty of prior art, and is interesting as both a scalability and privacy improvement to Bitcoin. It was first proposed by researchers from three universities in a 2016 paper, and offers many advantages over other mixing strategies. The paper’s primary author, Ethan Heilman, says the approach is inspired by David Chaum’s seminal 1982 paper, Blind Signatures for Untraceable Payments.
TumbleBit removes the need for mixing partners to coordinate with each other. Rather they can each act independently with the TumbleBit hub within a particular time window, known as an epoch. Epochs can last up to 24 hours. TumbleBit requires a central server, however the server has extremely limited power and no control over funds. The server is not able to de-anonymize transactions. It has no knowledge of the true transaction graph, since it is unable to distinguish between many possible transaction graphs.
How it works
Alice wants to pay Bob without being tracked by observers or the TumbleBit service itself. The crux of the idea is to create a service that solves cryptographic puzzles for bitcoin. These are known as RSA puzzles, and they are as difficult as cracking a RSA public key to retrieve the corresponding private key. This is currently infeasible which is why RSA cryptography is trusted. Further, the puzzles use RSA blinding which prevents it from linking the solution to a particular puzzle. It only knows that it solves one of the puzzles it issued, not which puzzle.
Alice, the payer, puts bitcoin in a payment channel with the TumbleBit hub. The hub gets paid upon the presentation of a solution to her cryptographic puzzle. This arrangement is dubbed the Puzzle-Solver Protocol. The protocol enforces that the server cannot collect until it presents a solution, and if it does present a solution Alice must pay.
On the other end, Bob, the payee, has entered a related agreement with the hub. The tumbler agrees to pay Bob upon the presentation of a solution to the RSA puzzle. This is known as the Puzzle-Promise Protocol.
By using blinding properties of RSA puzzles along with sufficient decoy puzzles, we’re able to break the link between the puzzle solver and the puzzle creator. Thanks to the properties of RSA encryption, the TumbleBit server knows the solution is valid, but it’s not able to determine exactly which puzzle it is solving, effectively obfuscating the relationship between payer and payee.
During the epoch, the protocol works well when many parties will engage with the service, after which it aggregates all transactions into a single transaction that redeems balances to the payees. TumbleBit requires that the transaction amounts are equal to prevent tracing analysis based on the amounts.
It’s worth noting that RSA cryptography does require two very large primes, which is considered a trusted setup and may be an issue for the most paranoid.
TumbleBit is a service that can be built on top of the existing Bitcoin network and doesn’t require changes to Bitcoin itself. This is great news as getting changes merged into Bitcoin has been historically challenging and isn’t likely to get easier.
Unfortunately, while the TumbleBit concept is innovative and useful, progress has been rather slow. The authors have released a proof of concept, BUSEC/TumbleBit, written in Python. The proof of concept has been used to mix 800 inputs.
Slow progress is underway on a .NET production version, NTumbleBit. The furthest along effort comes from a company called Stratis that has released a wallet called Breeze with the TumbleBit protocol integrated. However development updates have not occurred since August 2018.
It will be up to the community to decide if the advantages TumbleBit offer are worth pursuing, or whether alternative approaches such as Schnorr Signature aggregation are more promising low hanging fruit.