Decentralizing Privacy for Bitcoin: The Breeze Wallet, TumbleBit and the Future of Scaling

Stratis Group Ltd has just released the mainnet beta of the Breeze Wallet, a decentralized, in-wallet privacy solution for Bitcoin. It is an implementation of TumbleBit, a privacy protocol which uses a trustless tumbler that cannot steal BTC and cannot undermine the anonymity of the parties involved.

The Breeze Wallet uses a Stratis Masternode server to provide users with a very high anonymity set (and, therefore, privacy with regard to their activity) and to make BTC fungible.

A later version of the Breeze Wallet may also provide a robust scaling solution for Bitcoin itself. In building the Breeze Wallet, Stratis have made a resounding commitment to improving the cryptocurrency space. This article aims to throw some light on how all of this is achieved.

Breeze at a Glance

Very high degree of anonymity, determined by the number of participants in each tumbling cycle

Cycle time of 117 blocks, or 19.5 hours

Tumbling fee of 1.55%, plus the standard network fee chosen by the user

The Case for Privacy in Bitcoin

Would I want to make my bank statements public? I’m not doing anything illegal with my money, but I still don’t want all my financial activity visible to anyone who wants to look. Protection of privacy from arbitrary interference is a fundamental human right.

All Bitcoin transaction history is recorded in a public ledger called the blockchain. Early on, blockchain analysis of Bitcoin was very simple: one address led to another and the path of a Bitcoin user’s activity was easy to follow.

Techniques were introduced to make cursory analysis harder, but they could not make tracing the history of a Bitcoin user’s activity impossible. Sophisticated analysis of the blockchain is a big business and companies offering ways of undermining people’s right to privacy are raising a lot of money.

All BTC Are Equal, But Some BTC Are More Equal Than Others

Bitcoin is money. The Bitcoin privacy problem extends beyond personal privacy and actually prevents Bitcoin from achieving one of the features of good money: fungibility.

Anything which is interchangeable is said to be fungible. I can swap a kilogram of gold with a second kilogram of gold and there will be no difference in what I can buy with it. Even if the first kilogram of gold was from newly-mined ore and the second kilogram had previously been used to fund illegal deforestation, when I use the gold, no one would treat the 2 kilograms differently.

This is because it is very difficult to follow the history of the gold. Similarly, when handed change in a shop, we don’t look up the serial number of the note to check it against some database containing its transaction history on the off-chance that it’s been used for some nefarious purpose.

We would accept cash which had previously been used to buy drugs just the same as we would accept new cash hot from the press. Gold and cash are fungible. They can be interchanged because their history does not taint them. This is not the case with BTC.

Bitcoin transactions are broadcast publicly and all transactions are recorded on a publicly accessible ledger. As stated previously, these transactions can be linked up and the transaction history of Bitcoin can be known quite easily. Once BTC have been used for some black market purpose, they are tainted by that transaction history forever.

There are service providers who will not accept BTC with a transaction history that has been tainted by a particular occurrence. Similarly, there are blacklisted addresses (and by extension, any addresses linked by transaction history) from which service providers and even individuals will not accept incoming transactions. This is because they are tainted by their transaction history.

So-called clean BTC are untainted. These BTC are more sought after than unclean (tainted) BTC.

People will pay mixing services (we’ll get into these in a bit) to make their BTC clean, or will seek out newly-mined BTC specifically to ensure that they are getting clean BTC. Good money cannot have equally-sized units where one unit is more sought after by the user than another.

Fungibility is an essential property of good money and right this minute, Bitcoin is not fungible.

The privacy debate is not about people being able to buy illegal things: it’s about the future of Bitcoin itself.

Fortunately, there is hope. In fact, as we will see, an anonymity solution to Bitcoin’s fungibility problem is making great strides towards solving another of the big problems facing Bitcoin. It turns out that anonymous transactions may become more economical than transparent transactions and provide far greater throughput.

Anonymity By Any Other Name…

Bitcoin has a kind of anonymity; namely, Bitcoin has pseudonymity.

When I buy some BTC and move it around, this activity is operated by two identities: a real life identity and my blockchain counterpart. There is the real me, sitting behind my computer and making decisions about where to send my BTC, and there is a blockchain identity, visible on the public ledger, who can be seen moving BTC around from place to place.

My blockchain identity counterpart has no privacy. I, on the other hand, have privacy; the people tracing the BTC moving around have no idea that it is my activity that they are following. I have privacy because I have a degree of anonymity through my pseudonymity.

My privacy breaks down when there is a link between me and my pseudonymous blockchain identity. It is almost impossible to buy or sell BTC without the vendor requiring some kind of KYC (Know Your Customer) information. As soon as there is a link between me and my blockchain identity, the pseudonymity is undermined and my privacy breaks down.

We can measure the anonymity provided by a system in degrees of anonymity, commonly called the anonymity set.

Consider a teacher who comes into a classroom of 20 children and sees that one of the students has drawn a rude picture on the blackboard. The perpetrator is anonymous, but the teacher knows for a fact that the perpetrator is 1 of the 20 children in this room.

Thus, the perpetrator has an anonymity set of 20: their guilt is hidden among 20 equally suspect nodes (we can model the children in this situation as nodes of a network under the teacher’s investigation). The perpetrator is safer in a classroom of 20 children than in a classroom of 5 children. They want to maximize their anonymity set and an anonymity set of 20 makes the teacher’s job of identifying them much harder than an anonymity set of 5.

Obviously, if they only have an anonymity set of 1 then they are as good as caught (this would mean it was only them alone in the classroom, after all). This measure of anonymity also tells us something about the notion of “true” or “complete” anonymity: to achieve complete anonymity, you would need an infinite anonymity set provided by an infinite network of infinite nodes. Something which is, of course, not possible.

Mixing With the Right People

How can I regain my privacy once there is a link between me and my pseudonymous blockchain identity? Well, I would need to create another blockchain identity with no link to me and somehow transfer my BTC in a way in which the two identities can’t be linked by an Observer.

It doesn’t seem possible, but it is.

We’ll give the 2 blockchain identities names: Alice and Bob. Both these identities are actually me; they are my pseudonyms. Alice is compromised as there is a known link between me and that pseudonym. I want to find some way of transferring the BTC held by Alice to my new, clean, pseudonymous identity, Bob.

Before we go into the details, we should look at what information is available to the Observer.

When BTC is moved, 3 pieces of information are committed to the blockchain: the amount sent, the address the BTC was sent from and the address the BTC was sent to.

Notice that there is no identifier for the BTC itself which is being sent. This means that the Observer can see how much BTC was sent, where it was sent from and where it was sent to, but they can’t tell which BTC were sent (when you look at Bitcoin at a low enough level, you can see that “which BTC were sent” doesn’t make sense; you can read about UTXOs for more depth on that, if you wish).

What I can do is send Alice’s BTC to a service along with a bunch of other people’s BTC so that all the BTC is blended together and then have an amount of BTC equal to Alice’s amount sent to Bob by the service. This is known as mixing.

If there are k people involved in this mixing process, then Bob will have an anonymity set of k (10 people mixing will give Bob an anonymity set of 10).

It should immediately be obvious that this presents a few problems of its own: how do you ensure Bob receives the right amount of BTC? How can Bob prove to the service that it should receive Alice’s BTC in such a way that the service can’t link Alice and Bob together? How can you be sure the service doesn’t steal the BTC outright?

There are a few solutions to these problems and you can find a good discussion of their pros and cons in the whitepaper of the most successful solution to date: TumbleBit.

Tumbling Down the Rabbit Hole

TumbleBit is a trustless, unlinkable privacy solution for Bitcoin.

It uses an untrusted intermediary called a Tumbler to enhance anonymity. It is trustless because the Tumbler cannot steal BTC and cannot send BTC to itself, and it enhances anonymity by mixing k people in such a way that it cannot link any of the people involved.

The Tumbler can learn nothing about the relationship between anyone involved in the tumbling process.

How Does TumbleBit Work? A Crude Analogy for the Classic Tumbler Mode

TumbleBit actually has two modes of operation: Payment Hub Mode and Classic Tumbler Mode. You can read more about the Payment Hub Mode at the end of the main article, but for this section we’ll concentrate on the Classic Tumbler Mode.

There are 3 parties involved in tumbling: a group of N payers, a Tumbler and a group of N payees (there has to be the same number of payers and payees).

Following on from the body of the article, Alice is a payer and Bob is a payee. A number of escrows, known as 2-of-2 escrows (which are between 2 parties and require that both parties agree to release the escrowed BTC) are also involved.

To try to make this clearer, we’ll use an analogy. Imagine the payers (including Alice), the payees (including Bob) and the Tumbler are all real people. Here’s the situation: every payer is in their own room across the hall from a room with a payee in it (so that each payer has a payee in the room opposite, i.e. Alice is opposite Bob). The Tumbler is free to move around between them; however, he can only interact with one person at a time.

The tumbling plays out in 3 stages (called epochs) and works like this:

Before Tumbling:

Let’s say there are 10 payers and 10 payees; each payer (including Alice) has 0.1 BTC, the Tumbler has 1 BTC and each payee (including Bob) has 0 BTC.

Epoch 1: Escrow Phase

The Tumbler goes to every payer’s room and sets up a separate, timelocked* 2-of-2 escrow with each one. Alice and the other payers all send their 0.1 BTC to their separate escrows with the Tumbler.

The Tumbler then goes to Bob and the other payees and sets up separate, timelocked 2-of-2 escrows with each of them. The Tumbler sends 0.1 BTC to each of these escrows.

Bob and every other payee have a different colored piece of paper. While the Tumbler is busy with the payers, the payees rip their pieces of paper into 3 pieces and give one piece to the Tumbler when the Tumbler comes to do their escrow. The Tumbler holds on to all of these pieces of paper and keeps them safe.

Epoch 2: Payment Phase

At the start of this phase, each payee opens their door, crosses the hall and slips a second piece of their paper under the door to their payer before heading back to their room (thus Bob slips a piece of his paper under Alice’s door and goes back to his room opposite). The payers all pick up the piece of paper that’s been slipped under their door and memorize what color it is before hiding it away.

The Tumbler then goes to each of the payers one at a time and shows each of them his collection of all the payees’ bits of paper that they gave to him. One at a time, the payers check that in the Tumbler’s collection there is a piece of paper of the same color as the one that had been slipped under their door.

Once they’ve verified that the Tumbler has a matching piece of paper, they open their door and slip their piece of paper back under the door of the payee opposite, ensuring that the Tumbler never sees what piece of paper they had.

Epoch 3: Cash Out Phase

The Tumbler now comes to every payer’s room and each payer signs a transaction to release their escrowed BTC to the Tumbler (if they’ve followed the above steps, verified the color of paper and slipped it back to the payee). The Tumbler agrees to receive the escrowed BTC by signing the transaction also. Once the transaction has been signed by both parties, the escrowed 0.1 BTC are released to the Tumbler. This is done for each of the 10 escrows the Tumbler has with the payers. Once Alice and the other payers have done this, their part in the process is over.

The Tumbler goes to every payee and signs a transaction to release the 0.1 BTC he has in escrow with each payee. If the payee received the piece of paper back from their payer, they sign a transaction to receive the escrowed 0.1 BTC. The Tumbler does this with all 10 of the escrowed 0.1 BTC he has with the payees. Thus Bob receives 0.1 BTC.

After Tumbling:

The 10 payers (including Alice) have 0 BTC, the Tumbler once again has 1 BTC and the 10 payees (including Bob) have 0.1 BTC each.

*The escrows have a timelock on them: if the escrow is not signed off by both parties by a certain time, the escrowed BTC is released back to the party which sent it to the escrow in the first place. This means that if, for whatever reason, the tumbling process is halted, users’ BTC will never be lost.
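The escrow and timelock rules from the three epochs, modeled as an added Python example (not code from the article or from Breeze). The `Escrow` class, the party names and the use of the 117-block cycle length as the refund height are assumptions made for illustration; pairing payer `i` with payee `i` is only the simulation's bookkeeping.

```python
from dataclasses import dataclass, field

DENOM = 10_000_000   # 0.1 BTC in satoshis, as in the article's walk-through
TIMELOCK = 117       # assumption: refund height set to the 117-block cycle length

@dataclass
class Escrow:
    funder: str
    recipient: str
    amount: int
    signatures: set = field(default_factory=set)
    settled: bool = False

    def sign(self, party):
        if party not in (self.funder, self.recipient):
            raise PermissionError(f"{party} is not a party to this escrow")
        self.signatures.add(party)

    def settle(self, height, balances):
        """2-of-2 release to the recipient, or refund to the funder after the timelock."""
        if self.settled:
            return None
        if self.signatures == {self.funder, self.recipient}:
            paid = self.recipient
        elif height >= TIMELOCK:
            paid = self.funder
        else:
            return None          # one signature is never enough
        balances[paid] += self.amount
        self.settled = True
        return paid

def fund(balances, funder, recipient):
    balances[funder] -= DENOM
    return Escrow(funder, recipient, DENOM)

def run_cycle(n=10, completed=None):
    """Run one cycle; `completed` lists the payer/payee pairs that finish epochs 2 and 3."""
    balances = {"tumbler": n * DENOM}
    for i in range(n):
        balances[f"payer{i}"], balances[f"payee{i}"] = DENOM, 0
    # Epoch 1: payers escrow to the Tumbler, the Tumbler escrows to the payees.
    pay_in = [fund(balances, f"payer{i}", "tumbler") for i in range(n)]
    pay_out = [fund(balances, "tumbler", f"payee{i}") for i in range(n)]
    # Epochs 2-3: pairs that finish the exchange sign both of their escrows.
    for i in (range(n) if completed is None else completed):
        for e in (pay_in[i], pay_out[i]):
            e.sign(e.funder)
            e.sign(e.recipient)
    # Settle just before the timelock, then again once it has expired.
    for height in (TIMELOCK - 1, TIMELOCK):
        for e in pay_in + pay_out:
            e.settle(height, balances)
    return balances

def tumbler_alone_can_release():
    """Can the Tumbler take a payer's escrow with only its own signature?"""
    balances = {"payer0": DENOM, "tumbler": 0}
    e = fund(balances, "payer0", "tumbler")
    e.sign("tumbler")
    return e.settle(TIMELOCK - 1, balances) is not None
```

Calling `run_cycle(completed=[0, 1, 2])` models a cycle halted after three pairs: the other seven payers and the Tumbler get their escrowed amounts back once the timelock passes.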

This is a crude analogy in a number of ways. In the above situation, there are many opportunities for the Tumbler to link payers to their payee, Alice to Bob. In TumbleBit, it is not possible for the Tumbler to link Alice and Bob unless there is collusion between Alice and the Tumbler.
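In the TumbleBit whitepaper, the colored paper of the analogy is an RSA puzzle that the payee blinds before handing it to the payer. The added Python example below (not from the article or from NTumblebit) goes beyond the analogy to show that blinding step and why the Tumbler cannot rule out any payee; the RSA key is constructed and small, all function names are illustrative, and the escrow transactions and fair-exchange checks of the real protocol are left out.

```python
import secrets
from math import gcd

# Constructed Tumbler RSA key built from two Mersenne primes (far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known only to the Tumbler

def rand_unit():
    """Random invertible element mod N."""
    while True:
        x = secrets.randbelow(N - 2) + 2
        if gcd(x, N) == 1:
            return x

def make_puzzle():
    """Tumbler -> payee: secret solution eps and public puzzle z = eps^E mod N."""
    eps = rand_unit()
    return eps, pow(eps, E, N)

def blind(z):
    """Payee: hide z behind a random factor r before passing it to the payer."""
    r = rand_unit()
    return r, z * pow(r, E, N) % N

def solve(z_blinded):
    """Tumbler: sells the payer the solution to a puzzle it cannot recognise."""
    return pow(z_blinded, D, N)

def unblind(solution, r):
    """Payee: strip r from the solution to recover eps."""
    return solution * pow(r, -1, N) % N

def consistent_payees(z_blinded, issued):
    """Tumbler's view: which issued puzzles could z_blinded be a blinding of?
    For every z there is an r with z * r^E == z_blinded, so none can be ruled out."""
    matches = []
    for j, z in enumerate(issued):
        r = pow(z_blinded * pow(z, -1, N) % N, D, N)
        if z * pow(r, E, N) % N == z_blinded:
            matches.append(j)
    return matches

def run_blinded_cycle(k=10):
    puzzles = [make_puzzle() for _ in range(k)]              # Tumbler <-> payees
    issued = [z for _, z in puzzles]
    blinded = [blind(z) for z in issued]                     # payees -> payers
    recovered = [unblind(solve(zb), r) for r, zb in blinded] # payers <-> Tumbler, back to payees
    all_solved = recovered == [eps for eps, _ in puzzles]
    anonymity_sets = [len(consistent_payees(zb, issued)) for _, zb in blinded]
    return all_solved, anonymity_sets
```

Every blinded puzzle is consistent with all k issued puzzles, which is the anonymity set of k described earlier, seen from the Tumbler's side.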

Breeze Wallet: Decentralized TumbleBit

Tumbling is hard to perform successfully. Coordinating that many people and ensuring they follow the process correctly requires a sophisticated service.

However, these tumbling services are not the best solution. There is always a risk that any closed source third-party service will steal your BTC or simply not work. There is also one case in which the Tumbler can link Alice and Bob: when Alice colludes with the Tumbler itself*.

Following on from the analogy in the section above, if Alice tells the Tumbler what color her piece of paper is, the Tumbler will be able to link Alice to Bob. If the tumbling is centralized, i.e. a third-party service providing a Tumbler, it makes it easier for collusion to be performed.

This is where the Breeze Wallet comes in.

Breeze is open-source, so anyone who wishes to do so can audit the code to verify that it is safe and does what it says on the tin. It makes the tumbling process as easy as possible by providing the service fully in-wallet: download the wallet, follow the setup process and you can be tumbling your BTC in no time.

The real kicker is that Breeze is decentralized. The tumbling itself is performed by Stratis Masternodes.

When you elect to start a tumbling cycle, Breeze broadcasts an attempt to connect to the tumbling Masternode server, establishes which Masternodes meet the requirements (denomination, meaning how much BTC you want to tumble; elected fee; collateral; etc.) and then randomly chooses a valid Masternode to perform that tumbling cycle.

This means that there cannot be collusion between the tumbling participants and the Tumbler.

Each cycle provides the participants with an anonymity set equal to the number of participants. If 99 people are tumbling with you, you’ll have an anonymity set of 100. This is beyond what is achievable with most privacy solutions for Bitcoin and also better than other altcoin solutions (for example, Monero achieves an anonymity set of between 2 and 10).

*Given how TumbleBit works in reality, it is actually collusion between Bob and the Tumbler which can undermine the anonymity of Alice. However, for the sake of consistency with the analogy, we’ll talk about it in terms of collusion between Alice and the Tumbler.

Looking Forward: Breeze, Scaling and Stratis

At the moment, the Breeze Wallet is a multi-chain wallet that lets a user hold both BTC and STRAT, but only allows them to tumble BTC. Stratis Group Ltd are working on support for STRAT tumbling as well, which will bring the tumbling cycle time down to just around 2 hours, rather than BTC’s 19.5 hours.

The Breeze Wallet is an implementation of NTumblebit, a C# implementation of TumbleBit.

As things stand, the Breeze Wallet supports the Classic Tumbler Mode of TumbleBit; however, work is being done to support the Payment Hub Mode also. The Payment Hub Mode works with just two on-chain transactions and then introduces anonymity through a series of off-chain payments (similar to the Lightning Network). This also facilitates significant scaling potential for Bitcoin itself.

These are early days, but TumbleBit has what it takes to make big waves in the Bitcoin scaling debate.

Why Stratis?

The Breeze Wallet was a big undertaking. Stratis Group Ltd wanted to build this privacy protocol for Bitcoin for a number of reasons.

Firstly, Stratis has a close relationship with Bitcoin. Stratis is itself a port of the Bitcoin Core architecture, and so improvements brought to Bitcoin can be more easily brought to Stratis as well. Stratis Group Ltd has plans to support tumbling of STRAT as well as BTC. This would bring down the tumbling cycle time to just 2 hours.

Secondly, the Stratis company is targeting enterprises with their Blockchain as a Service. Many enterprises want a level of privacy that Bitcoin cannot afford them. The Breeze Wallet is Stratis’ solution to lowering this particular barrier to enterprise adoption.

Thirdly, the Breeze Privacy Protocol Masternodes (which perform the tumbling service) are a way of rewarding STRAT holders. They require a collateral of 250,000 STRAT plus 5 BTC and pay the node operator the tumbling fees inherent to the TumbleBit protocol.

Contributed by Alex Elliott

Alex Elliott moved from a degree in Physics and Philosophy to a life at the intersection between philosophy and technology. Besides evangelizing crypto in real life, Alex spends most of his time as Acetmesis on crypto forums.
