Coinjoin
Mixing technique in which several users combine their transactions into a single one to obscure the tracing of bitcoins.
Coinjoin is a technique used to break the traceability of bitcoins. It relies on a collaborative transaction with a specific structure of the same name: the coinjoin transaction. Coinjoin transactions improve the privacy of Bitcoin users by making it harder for outside observers to analyze transactions. The structure mixes several coins in a single transaction, so that the links between input and output addresses cannot be determined from the blockchain alone.
The general operation of coinjoin is as follows: several users wishing to mix each provide an input to a shared transaction. The transaction then pays out outputs of identical amounts, one per participant. Because every output has the same value, an observer cannot tell which output belongs to which user: any input could have paid any output, and there is no deterministic link between the inputs and the outputs of a coinjoin transaction. The link between each user and their UTXO is thus broken, and with it the history of each coin.
So that no user loses control over their funds at any point, the transaction is first constructed by a coordinator and then sent to each user. Each user checks that the transaction suits them (their input is spent as agreed and their output is present at the expected amount), signs it locally, and the signatures are then assembled into the final transaction. If a user or the coordinator tries to steal the funds of others by modifying the outputs of the coinjoin transaction, the signatures already produced no longer match and the transaction is rejected by the nodes; a participant who notices the modification before signing simply refuses to sign. When the registration of participants' outputs uses David Chaum's blind signatures, so that even the coordinator cannot link an output to the input that registered it, this is referred to as a "Chaumian coinjoin".
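Toy model of the round just described, written for this page as an added example (it is not code from the page nor from Whirlpool, JoinMarket or Wabisabi): each participant blinds its output address so the coordinator signs it without seeing it, registers the unblinded token over an anonymous connection, then verifies the assembled transaction before signing; the last check is the one every node performs on each input signature. The toy RSA over a few fixed primes standing in for both the coordinator's blind-signing key and the participants' Bitcoin signing keys is an assumption for illustration only (real rounds use ECDSA/Schnorr script signatures and large keys), and the participant names, addresses and amounts are constructed. The flow is the same one Maxwell sketches in the 2013 quote further down.

```python
"""Toy model of one Chaumian coinjoin round: blind output registration,
client-side verification before signing, node-side signature check.
Added example, NOT code from Whirlpool, JoinMarket or Wabisabi; the toy RSA
over fixed small primes is an assumption, not secure, not Bitcoin's scheme."""
import hashlib
import json
import secrets
from math import gcd

E = 65537        # public exponent shared by every toy key
DENOM = 100_000  # sats: every mixed output carries the same amount
FEE = 500        # sats per participant: the only allowed input/output gap

def toy_keypair(p, q):
    """Return ((n, e), d) from two constructed primes. NOT secure."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), pow(E, -1, phi)

def digest_mod(data, n):
    """SHA-256 the message and reduce into Z_n so it can be RSA-signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(d, n, data):
    return pow(digest_mod(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_mod(data, n)

# Chaumian output registration: the client blinds its output address, the
# coordinator signs the blinded value, the client unblinds the result and
# later presents it over a fresh anonymous connection.
def blind(pub, data):
    n, e = pub
    while True:  # the blinding factor r must be invertible mod n
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return (digest_mod(data, n) * pow(r, e, n)) % n, r

def blind_sign(d, n, blinded):
    return pow(blinded, d, n)  # the coordinator never sees the address

def unblind(pub, blind_sig, r):
    n, _ = pub
    return (blind_sig * pow(r, -1, n)) % n  # (m * r^e)^d * r^-1 = m^d

def sighash_all(tx):
    """Digest covering every input and output, like SIGHASH_ALL."""
    return json.dumps(tx, sort_keys=True).encode()

def participant_accepts(tx, name, out_addr):
    """Client checks before signing: my input is spent exactly as registered,
    my output is present at the mix denomination, and the inputs/outputs gap
    does not exceed the agreed fee."""
    mine_in = [i for i in tx["inputs"] if i["owner"] == name and i["amount"] == DENOM + FEE]
    mine_out = [o for o in tx["outputs"] if o["address"] == out_addr and o["amount"] == DENOM]
    gap = sum(i["amount"] for i in tx["inputs"]) - sum(o["amount"] for o in tx["outputs"])
    return len(mine_in) == 1 and len(mine_out) == 1 and gap <= FEE * len(tx["inputs"])

COORD_PUB, COORD_PRIV = toy_keypair(2_147_483_647, 998_244_353)
PARTICIPANTS = {  # constructed demo data: name -> (keypair, wanted output)
    "alice": (toy_keypair(1_000_000_007, 1_000_000_009), "bc1q_alice_fresh"),
    "bob": (toy_keypair(999_999_937, 15_485_863), "bc1q_bob_fresh"),
}

def run_round(attack=None):
    """attack: None, "before_signing" (coordinator swaps an output in the
    unsigned tx) or "after_signing" (swaps it once signatures are in)."""
    inputs, outputs, tokens = [], [], {}
    for name, ((pub, _), out_addr) in PARTICIPANTS.items():  # input registration
        inputs.append({"owner": name, "amount": DENOM + FEE, "pub": pub})
        blinded, r = blind(COORD_PUB, out_addr.encode())
        tokens[name] = unblind(COORD_PUB, blind_sign(COORD_PRIV, COORD_PUB[0], blinded), r)
    for name, (_, out_addr) in PARTICIPANTS.items():  # anonymous output registration
        if verify(COORD_PUB, out_addr.encode(), tokens[name]):  # all the coordinator can check
            outputs.append({"address": out_addr, "amount": DENOM})
    secrets.SystemRandom().shuffle(outputs)  # arrival order, unrelated to input order
    tx = {"inputs": inputs, "outputs": outputs}
    if attack == "before_signing":
        tx["outputs"][0]["address"] = "bc1q_coordinator_theft"
    sigs = {}
    for name, ((pub, d), out_addr) in PARTICIPANTS.items():
        if not participant_accepts(tx, name, out_addr):
            return {"signed": False, "valid": False}  # an honest client refuses
        sigs[name] = sign(d, pub[0], sighash_all(tx))
    if attack == "after_signing":
        tx["outputs"][0]["address"] = "bc1q_coordinator_theft"
    valid = all(verify(i["pub"], sighash_all(tx), sigs[i["owner"]]) for i in tx["inputs"])
    return {"signed": True, "valid": valid}  # what a node would decide

if __name__ == "__main__":
    for case in (None, "before_signing", "after_signing"):
        print(case, run_round(case))
```

Running the module shows an honest round accepted, a coordinator that swaps an output before sending the unsigned transaction being refused by the affected client, and a swap made after the signatures are collected failing every input signature, exactly as a node would see it. The checks in participant_accepts are the part that matters in practice: the blind signature protects privacy against the coordinator, but only the client's own verification before signing protects the funds.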
This mechanism improves the privacy of transactions without requiring any modification to the Bitcoin protocol. Specific implementations of coinjoin, such as Whirlpool, JoinMarket, or Wabisabi, handle the coordination between participants and improve the efficiency of the coinjoin transaction. Here is an example of a coinjoin transaction:
323df21f0b0756f98336437aa3d2fb87e02b59f1946b714a7b09df04d429dec2
It is difficult to determine with certainty who first introduced the idea of coinjoin on Bitcoin, or who first had the idea of using David Chaum's blind signatures in this context. Gregory Maxwell is often credited as the first to discuss it, in a message on BitcoinTalk in 2013:
Using Chaum blind signatures: Users connect and provide inputs (and change addresses) as well as a cryptographically blinded version of the address to which they wish to send their private coins; the server signs the tokens and returns them. Users reconnect anonymously, unmask their output addresses, and send them back to the server. The server can see that all the outputs have been signed by it and that, consequently, all the outputs come from valid participants. Later, people reconnect and sign.
Maxwell, G. (2013, August 22). CoinJoin: Bitcoin privacy for the real world. BitcoinTalk Forum. https://bitcointalk.org/index.php?topic=279249.0
However, there are earlier mentions, both of Chaum signatures in the context of mixing and of coinjoin-like constructions. In June 2011, Duncan Townsend presented on BitcoinTalk a mixer that used Chaum signatures in a way quite similar to modern Chaumian coinjoins. In the same thread, a reply from hashcoin suggesting improvements to Townsend's mixer is the earliest description that most closely resembles a coinjoin. A similar system is also mentioned in a 2012 message from Alex Mizrahi, who was advising the creators of Tenebrix at the time. The term "coinjoin" itself was not coined by Greg Maxwell but came from an idea by Peter Todd.
Term / Definition
51% attack
An attack where a malicious actor controls more than half of the mining hash power, allowing them to manipulate transactions, notably by performing double spends.
Account
In an HD wallet, a derivation level (depth 3) allowing hierarchical organization of keys and addresses.
Activation method
The process by which the Bitcoin community decides to activate a soft fork, seeking consensus among miners and users to avoid a blockchain split.
Adaptor signature
A cryptographic technique linking a signature to a secret, such that publishing the signature reveals the secret. Useful for atomic swaps without a trusted intermediary.
Addr
The original Bitcoin network message for communicating the IP addresses of nodes accepting connections. Superseded by addrv2 (BIP155), which supports longer address formats.
Addr.dat
An old file in Bitcoin Core that stored information about network peers. Replaced by peers.dat since version 0.7.0.
Address reuse
A discouraged practice of using the same Bitcoin address multiple times to receive payments, which harms privacy by allowing funds to be traced.
Address spoofing
An attack where a malicious actor creates an address closely resembling the victim's to deceive them and divert their payments.
Addrv2
A new network message format (BIP155) allowing the broadcasting of Bitcoin node addresses. Supports longer addresses such as Tor v3 or I2P.
Agorism
A libertarian political philosophy advocating economic action outside of state control (counter-economy) to progressively undermine state power.
Air cooling
A cooling system for mining machines using fans to dissipate heat. The most widespread and least expensive method.
Altcoin
Designates any cryptocurrency other than Bitcoin. A contraction of alternative and coin.
Aluvm
A virtual machine designed for deterministic execution of smart contracts, notably within the context of the RGB protocol on Bitcoin.
Analysis heuristic
An empirical method used to trace Bitcoin flows on the blockchain based on observable characteristics within transactions.
Ancestor mining
A principle whereby a miner selects transactions taking into account the fees of their unconfirmed parent transactions, not only their own fees. It is what makes child-pays-for-parent (CPFP) fee bumping possible.
Anchor
In the RGB protocol, a set of data proving the inclusion of a commitment in a Bitcoin transaction, without publicly revealing its content.
Anchor outputs
A mechanism on Lightning allowing the fees of a commitment transaction to be raised after its creation, by spending a dedicated anchor output in a child transaction (CPFP), to ensure quick channel closure.
Anchors.dat
A Bitcoin Core file storing IP addresses of nodes the client was connected to before shutdown, to facilitate reconnection on restart.
Anonsets (anonymity sets)
Indicators measuring the degree of privacy of a UTXO by counting the number of indistinguishable UTXOs in a set, typically after a coinjoin.
Anyprevout (apo)
A proposal (BIP118) adding new SigHash flags allowing the creation of signatures that do not commit to the specific previous output (prevout) being spent.