One of the first things people think they learn about Bitcoin is that it is some sort of system for completely anonymous payments on the Internet; the reality, however, is that all transactions are logged on a public ledger for the whole world to see. Having said that, researchers have made strides in improving Bitcoin privacy. One of the most widely known Bitcoin privacy tools is CoinJoin, which is a way of mixing transactions together with other users on the network. But this method of achieving better privacy doesn’t actually work that well. As Saarland University’s Tim Ruffing put it at the recent Scaling Bitcoin workshop at Stanford, “I can tell you why mixing actually sucks.” During one part of his presentation, Ruffing covered three key reasons why current mixing techniques are problematic, along with a workable solution to these issues.

All Participants Don’t Have the Same Amount of Bitcoin

According to Ruffing, the first major problem with bitcoin mixing is that current solutions assume all participants in the mix have the same amount of bitcoins. Ruffing provided an example where one user, Bob, is attempting to mix 1.2 bitcoins with two other users who each have 1 bitcoin to mix. Since Bob has a different amount of coins than the other two users (Alice and Carol), it’s extremely easy to figure out where his bitcoins ended up by taking a quick glance at the blockchain. His 1.2 bitcoin input is obviously attached to the 1.2 bitcoin output.

Ruffing pointed out that change addresses are sometimes used in an attempt to get around this issue. For example, Bob could mix 1 bitcoin and then send 0.2 bitcoins back to himself as change. Unfortunately, this setup also doesn’t really work. “The problem with that is now Bob has 0.2 bitcoins that are not anonymized, and he doesn’t know what to do with it because he can’t spend it because it’s still linked to his identity,” explained Ruffing. “Maybe he could do a new CoinJoin, but then probably he would be left with another change address, so it doesn’t really solve the problem.”
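The linkage described in this section can be checked mechanically. The following is an added example, not code from Ruffing's talk or from any CoinJoin implementation: it enumerates every assignment of outputs to inputs whose values add up, and reports which participants could have funded each output. The function names are hypothetical, fees are ignored as a simplifying assumption, and the amounts are the article's Alice, Bob and Carol figures expressed in satoshis.

```python
from itertools import product

def possible_funders(inputs, outputs):
    """inputs: {owner: satoshis}; outputs: [satoshis].

    Returns, for each output, the set of owners who fund it in at least
    one assignment where every owner's outputs sum to that owner's input.
    Assumption: fees are ignored, so values must match exactly.
    """
    owners = list(inputs)
    funders = [set() for _ in outputs]
    # Brute force is fine for the handful of participants in one mix.
    for assignment in product(owners, repeat=len(outputs)):
        totals = dict.fromkeys(owners, 0)
        for owner, value in zip(assignment, outputs):
            totals[owner] += value
        if totals == inputs:  # value-consistent explanation of the mix
            for i, owner in enumerate(assignment):
                funders[i].add(owner)
    return funders

def linked_outputs(inputs, outputs):
    """Outputs with exactly one possible funder, i.e. no anonymity."""
    return {i: next(iter(f))
            for i, f in enumerate(possible_funders(inputs, outputs))
            if len(f) == 1}

# Constructed sample data taken from the article's example.
BTC = 100_000_000  # satoshis per bitcoin
MIX_INPUTS = {"Alice": 1 * BTC, "Bob": 120_000_000, "Carol": 1 * BTC}

# Case 1: Bob mixes the full 1.2 BTC; output index 1 is the 1.2 BTC output.
UNEQUAL = [1 * BTC, 120_000_000, 1 * BTC]
# Case 2: Bob mixes 1 BTC and takes 0.2 BTC change (output index 3).
WITH_CHANGE = [1 * BTC, 1 * BTC, 1 * BTC, 20_000_000]

if __name__ == "__main__":
    print("unequal amounts:", linked_outputs(MIX_INPUTS, UNEQUAL))
    print("with change    :", linked_outputs(MIX_INPUTS, WITH_CHANGE))
    for i, f in enumerate(possible_funders(MIX_INPUTS, WITH_CHANGE)):
        print(f"  output {i}: anonymity set {sorted(f)}")
```

In the second case the three 1 BTC outputs each have an anonymity set of three, while the 0.2 BTC change output is attributable to Bob alone, which is the leftover Ruffing describes.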

Issues with Spending While Mixing

According to Ruffing, more problems pop up if Bob attempts to pay someone else and mix his coins in the same transaction. “In the end, you don’t only want to get privacy for your money; you want to spend it,” said Ruffing. Due to the way in which P2P CoinJoins are coordinated, Bob is effectively forced to do two transactions — first a mix and then a send — if he wants to spend his bitcoins in a manner that won’t leak sensitive transaction data via a potential attack vector. This increases Bob’s transaction costs. “Even that is not great because now Bob has two weird change addresses,” added Ruffing.

Lost Privacy Via Combined Change Addresses

One final issue Ruffing pointed out during his talk is that privacy can be broken if Bob spends together two outputs from separate change addresses that came from the same original mix. “If he now, for some reason, has the idea to use these two change addresses together, it actually breaks privacy again,” said Ruffing. “It even breaks the privacy of the past transactions.”

What is the Solution?

Near the end of his talk, Ruffing explained that the root of all evil in these issues with bitcoin mixing is the fact that the values involved in the transactions are public. If the transaction values were not public, an observer would learn much less from blockchain analysis. A solution to this problem has been proposed in the past, and it’s known as Confidential Transactions. Ruffing uses Confidential Transactions in his and Purdue University’s Pedro Moreno-Sanchez’s solution for better on-chain privacy in Bitcoin, which is known as ValueShuffle. With this proposal, Confidential Transactions is combined with a P2P mixing protocol to mask the amounts and participants involved in on-chain Bitcoin transactions.