Chaumian coinjoin
Coinjoin protocol using Chaum's blind signatures to ensure participant privacy.
A coinjoin protocol that uses David Chaum's blind signatures, with Tor for the communications between participants and the coordinator's server. The goal of a Chaumian coinjoin is to guarantee to participants that the coordinator can neither steal their bitcoins nor link their inputs to their outputs.

To achieve this, each user submits an input together with a cryptographically blinded reception address to the coordinator. Once unblinded, that address is meant to receive the user's bitcoins as an output of the coinjoin. The coordinator signs these blinded tokens with its private key and returns them to the users. Each user then unblinds the signature, reconnects anonymously to the coordinator's server over a new Tor identity, and reveals the output address in plaintext, along with the unblinded signature, for the transaction construction. The coordinator can check that every reception address comes from a legitimate user, since the signature it verifies is one it issued on the blinded version, but it cannot associate a given output address with a given input, because it never saw the address at signing time. There is therefore no link between inputs and outputs, even from the coordinator's perspective.

Once the coordinator has constructed the transaction, it sends it back to the participants, who verify that their output is indeed present, for the expected amount, before signing to unlock their input. Each participant returns the signature to the coordinator. Once all signatures are collected, the coordinator broadcasts the coinjoin transaction on the Bitcoin network.

This method ensures that the coordinator can neither deanonymize the participants nor steal the bitcoins at any point in the process: the blind signature hides the input-output mapping, and because participants sign only after checking the final transaction, the coordinator never has the authority to spend an input. What it does not hide is the set of inputs and the set of outputs of the round, so the privacy gained is bounded by the number of indistinguishable outputs in the transaction (its anonymity set).
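The round described above, as an added example that is not part of the original page and not the code of any real coordinator. It uses textbook RSA blind signatures (Chaum's original construction) over a toy in-process "network"; the class and function names (Coordinator, Participant, run_round, linkable_pairs), the utxo and address strings, and the stand-in input signature are assumptions for illustration. Amounts, fees, denominations and Tor are omitted; the point is to show why the coordinator can authenticate an output without being able to match it to an input, and why a forged or reused credential is rejected.

```python
import hashlib
import secrets
from math import gcd

# Textbook RSA key generation (demo only; real deployments use vetted libraries).
def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits: int = 512):
    """Return ((n, e), d)."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), pow(e, -1, phi)

def digest(msg: str, n: int) -> int:
    """Simplified full-domain hash of an output address, reduced mod n."""
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n

class Coordinator:
    def __init__(self, bits: int = 512):
        (self.n, self.e), self._d = rsa_keygen(bits)
        self.inputs = []            # (utxo, blinded token) seen at input registration
        self.outputs = []           # addresses accepted with a valid credential
        self.spent_tokens = set()   # one credential may claim only one output
        self.input_sigs = {}        # utxo -> stand-in signature from its owner

    def public_key(self):
        return self.n, self.e

    def register_input(self, utxo: str, blinded: int) -> int:
        """Phase 1: sign the blinded address; the plaintext address is never seen here."""
        self.inputs.append((utxo, blinded))
        return pow(blinded, self._d, self.n)

    def register_output(self, address: str, sig: int) -> bool:
        """Phase 2 (fresh anonymous connection): accept an address only with a valid, unused credential."""
        if sig in self.spent_tokens or pow(sig, self.e, self.n) != digest(address, self.n):
            return False
        self.spent_tokens.add(sig)
        self.outputs.append(address)
        return True

    def build_transaction(self) -> dict:
        """Phase 3: every registered input must be matched by an accepted output."""
        if len(self.outputs) != len(self.inputs):
            raise ValueError("round incomplete: outputs do not match inputs")
        return {"inputs": sorted(u for u, _ in self.inputs), "outputs": sorted(self.outputs)}

    def collect_signature(self, utxo: str, sig: str) -> None:
        self.input_sigs[utxo] = sig

    def finalize(self) -> bool:
        """Broadcast is possible only once every input owner has signed."""
        return set(self.input_sigs) == {u for u, _ in self.inputs}

class Participant:
    def __init__(self, utxo: str, address: str, coordinator_pub):
        self.utxo, self.address, self.token = utxo, address, None
        self.n, self.e = coordinator_pub
        self.r = next(r for r in iter(lambda: secrets.randbelow(self.n - 2) + 2, None) if gcd(r, self.n) == 1)

    def blinded_address(self) -> int:
        return (digest(self.address, self.n) * pow(self.r, self.e, self.n)) % self.n

    def unblind(self, blind_sig: int) -> int:
        """Strip the blinding factor and verify before trusting the coordinator's reply."""
        sig = (blind_sig * pow(self.r, -1, self.n)) % self.n
        if pow(sig, self.e, self.n) != digest(self.address, self.n):
            raise ValueError("coordinator returned an invalid blind signature")
        self.token = sig
        return sig

    def sign_if_safe(self, tx: dict):
        """Sign only if my output is present; refusing here is what prevents theft."""
        if self.address not in tx["outputs"] or self.utxo not in tx["inputs"]:
            return None
        return hashlib.sha256(f"{self.utxo}|{tx}".encode()).hexdigest()  # stand-in for a real input signature

def run_round(coord: Coordinator, participants: list) -> dict:
    for p in participants:
        p.unblind(coord.register_input(p.utxo, p.blinded_address()))
    order = list(participants)
    secrets.SystemRandom().shuffle(order)        # outputs arrive in an order unrelated to inputs
    for p in order:
        if not coord.register_output(p.address, p.token):
            raise ValueError("output rejected")
    tx = coord.build_transaction()
    for p in participants:
        sig = p.sign_if_safe(tx)
        if sig is None:
            raise ValueError(f"{p.utxo} refused to sign: its output is missing")
        coord.collect_signature(p.utxo, sig)
    return tx

def linkable_pairs(coord: Coordinator) -> list:
    """What the coordinator can match from its own records: nothing, since each token carries an unknown blinding factor."""
    return [(u, a) for u, b in coord.inputs for a in coord.outputs if b == digest(a, coord.n)]
```

Two checks are worth running against this toy: a credential replayed for a second address is refused by the spent-token set, and an address presented with a random value fails the signature check. Both are the coordinator-side defences the text relies on; the participant-side defence is `sign_if_safe`, which never releases an input signature for a transaction that does not pay its owner.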
It is difficult to determine with certainty who first introduced the idea of coinjoin on Bitcoin, or who first thought of using David Chaum's blind signatures in this context. Gregory Maxwell is often credited with first discussing it, in a BitcoinTalk post from 2013:
"By using Chaum blind signatures: Users connect and provide inputs (and change addresses) as well as a cryptographically blinded version of the address to which they wish to send their private coins; the server signs the tokens and returns them. Users reconnect anonymously, unmask their output addresses, and return them to the server. The server can see that all the outputs have been signed by him and that, therefore, all the outputs come from valid participants. Later, people reconnect and sign."
Maxwell, G. (2013, August 22). CoinJoin: Bitcoin privacy for the real world. BitcoinTalk Forum. https://bitcointalk.org/index.php?topic=279249.0
However, there are earlier mentions, both of Chaum's signatures in the context of mixing and of coinjoins. In June 2011, Duncan Townsend presented on BitcoinTalk a mixer that used Chaum's signatures in a way quite similar to modern Chaumian coinjoins. In the same thread, hashcoin replied to Duncan Townsend with a suggestion for improving his mixer; that message is the earliest description that most closely resembles a coinjoin. A similar system is also mentioned in a 2012 message from Alex Mizrahi, written while he was advising the creators of Tenebrix. As for the term "coinjoin" itself, it was reportedly not coined by Greg Maxwell but came from an idea by Peter Todd.
Term / Definition
51% attack
An attack where a malicious actor controls more than half of the mining hash power, allowing them to censor transactions and reorganize recent blocks, notably to perform double spends.
Account
In an HD wallet, a derivation level (depth 3) allowing hierarchical organization of keys and addresses.
Activation method
The process by which the Bitcoin community decides to activate a soft fork, seeking consensus among miners and users to avoid a blockchain split.
Adaptor signature
A cryptographic technique linking a signature to a secret, such that publishing the signature reveals the secret. Useful for atomic swaps without a trusted intermediary.
Addr
A legacy Bitcoin network message used to communicate the IP addresses of nodes accepting connections. Superseded by addrv2 (BIP155), which supports longer address formats.
Addr.dat
An old file in Bitcoin Core that stored information about network peers. Replaced by peers.dat since version 0.7.0.
Address reuse
A discouraged practice of using the same Bitcoin address multiple times to receive payments, which harms privacy by allowing funds to be traced.
Address spoofing
An attack where a malicious actor creates an address closely resembling the victim's to deceive them and divert their payments.
Addrv2
A new network message format (BIP155) allowing the broadcasting of Bitcoin node addresses. Supports longer addresses such as Tor v3 or I2P.
Agorism
A libertarian political philosophy advocating economic action outside of state control (counter-economy) to progressively undermine state power.
Air cooling
A cooling system for mining machines using fans to dissipate heat. The most widespread and least expensive method.
Altcoin
Designates any cryptocurrency other than Bitcoin. A contraction of alternative and coin.
Aluvm
A virtual machine designed for deterministic execution of smart contracts, notably within the context of the RGB protocol on Bitcoin.
Analysis heuristic
An empirical method used to trace Bitcoin flows on the blockchain based on observable characteristics within transactions.
Ancestor mining
A principle whereby a miner selects transactions taking into account the fees of their unconfirmed parent transactions, not only their own fees. It is what makes Child Pays For Parent (CPFP) fee bumping work.
Anchor
In the RGB protocol, a set of data proving the inclusion of a commitment in a Bitcoin transaction, without publicly revealing its content.
Anchor outputs
A mechanism on Lightning allowing adjustment of the fees of a commitment transaction after its creation, to ensure quick channel closure.
Anchors.dat
A Bitcoin Core file storing IP addresses of nodes the client was connected to before shutdown, to facilitate reconnection on restart.
Anonsets (anonymity sets)
Indicators measuring the degree of privacy of a UTXO by counting the number of indistinguishable UTXOs in a set, typically after a coinjoin.
Anyprevout (apo)
A proposal (BIP118) adding new SigHash flags that allow a signature not to commit to the specific previous output being spent, so the same signature remains valid if the input is moved to another transaction with the same script.