Remix - Whirlpool

This is a question I am often asked. When doing coinjoins with Whirlpool, how many remixes should be done to achieve satisfactory results?

The purpose of coinjoin is to offer plausible deniability by mixing your coin with a group of indistinguishable coins. The goal of this action is to break the traceability links, both from the past to the present and from the present to the past. In other words, an analyst who knows your initial transaction at the entry of the coinjoin cycles should not be able to definitively identify your UTXO at the exit of the remix cycles (analysis from entry cycles to exit cycles).

Conversely, an analyst who knows your UTXO at the exit of the coinjoin cycles should be unable to determine the original transaction at the entry of the cycles (analysis from exit cycles to entry cycles). However, the number of remixes is not a reliable criterion for evaluating the difficulty an analyst would encounter in establishing links between the past and the present, or vice versa. A more relevant indicator would be the size of the groups in which your coin is hiding. These indicators are referred to as "anonsets". In the case of Whirlpool, there are two types of anonsets.

Firstly, we can determine the size of the group where your UTXO is hidden at the exit of the coinjoin cycles, i.e., the number of indistinguishable coins present within this group. This indicator, called "prospective anonset" in French, "forward anonset" in English, or "forward-looking metrics", allows us to assess the resistance of your coin to analyses tracing its path from the entry to the exit of the coinjoin cycles. This metric estimates the extent to which your UTXO is protected against attempts to reconstruct its history from its entry point to its exit point in the coinjoin process. For example, if your transaction participated in its first coinjoin cycle and two additional downstream cycles were performed, the prospective anonset of your coin would be 13: Secondly, another indicator can be calculated to evaluate the resistance of your piece to an analysis from the present to the past. By knowing your UTXO at the end of cycles, this indicator determines the number of potential Tx0 transactions that could have constituted your input in the coinjoin cycles (analysis from the end to the beginning of the cycles). This indicator measures how difficult it is for an analyst to trace the origin of your piece after it has gone through coinjoins. The name of this indicator is "backward anonset" or "backward-looking metrics". In French, I like to call it "anonset rétrospectif". In the diagram below, this corresponds to all the orange Tx0 bubbles: To learn more about the calculation method for these indicators, I recommend reading my Twitter thread on this topic. We are also preparing a more comprehensive article on the Plan ₿ Academy.

I am aware that the provided answer may seem unsatisfactory as you were hoping for a specific number of remixes, and I am directing you to documentation. The reason for this is that the number of remixes is an unreliable indicator for evaluating the anonymity gained in coinjoin cycles. Therefore, it is not possible to define a fixed number of remixes as an absolute and universal security threshold.

It is true that each additional remix of your piece increases its anonymity sets. However, it is important to understand that it is primarily the remixes performed by your peers that contribute to the growth of your prospective anonset. With the Whirlpool model, your transaction can achieve considerable levels of prospective anonset with just two or three coinjoin cycles, solely through the activity of peers involved in previous coinjoins.

The retrospective anonset, on the other hand, is not a concern in our case. In fact, from your initial coinjoin, you benefit from an inheritance of previous pool transactions, immediately giving your piece a high backward anonset, with a marginal increase in each subsequent cycle. It is also important to understand that the creation of plausible deniability is never complete. It relies on the probability of tracing your coin. This probability decreases as the size of the groups concealing it increases. Therefore, you should adjust your objectives in terms of anonsets according to your personal expectations. Ask yourself about the reasons that lead you to use coinjoins and the levels of anonymity necessary to achieve these objectives. For example, if the use of coinjoins is simply aimed at preserving the privacy of your wallet when sending a few sats to your godchild for their birthday, very high levels of anonymity are not necessary. Your godchild is probably unable to perform in-depth chain analysis, and even if they were, the repercussions on your life would not be catastrophic. However, if you are the target of an authoritarian regime where the slightest piece of information can result in imprisonment, your actions will need to be guided by much stricter criteria.

To determine these famous anonset indicators, you can use a Python tool called WST (Whirlpool Stats Tool).

However, it is not always necessary to calculate the anonsets of each of your coinjoined coins. The design of Whirlpool itself already provides you with guarantees. As mentioned earlier, retrospective anonset is rarely a concern. From your initial mix, you already obtain a particularly high retrospective score. As for prospective anonset, you just need to keep your coin in the post-mix account for a sufficiently long period of time. For example, here are the anonset scores of one of my 100,000 sats coins after spending two months in the coinjoin pool: It displays a retrospective score of 34,593 and a prospective score of 45,202. In concrete terms, this means two things:

I hope this answer has shed some light on the Whirlpool model. If you want to learn more about how coinjoins work on Bitcoin, I recommend reading my comprehensive article on this topic: