Edward Snowden: Privacy is not about something to hide, rather privacy is about something to protect.

Co-writer: Aviv Milner

Wasabi’s prime directive: Privacy

Why do we care about privacy?

At first glance, it may appear as though only criminals would benefit from good privacy. However, consider the implications of a passive bystander being able to answer these questions about you:

How much money do you have?

What is your salary?

How much do you pay your employees?

Whether you are a business person working in the Bitcoin space, or simply an individual using Bitcoin — privacy is something you should care about. Even if a criminal may see the utility in privacy, the need for privacy goes far beyond criminals.

Recently, while I was travelling abroad, I had to pay a merchant with a 500 Euro banknote. When it was my turn to pay, I had to try and hide the note from others, as such a large amount of cash can easily jeopardize my finances and act as an incentive for a criminal to defraud me. When dealing with Bitcoin, the amount you reveal in a single transaction may be far larger than my 500 Euro banknote and the transaction I signed is available to a lot more prying eyes. Thus the stakes in the case of Bitcoin can be much higher.

Privacy is not secrecy. A private matter is something one doesn’t want the whole world to know, but a secret matter is something one doesn’t want anybody to know. Privacy is the power to selectively reveal oneself to the world.

Eric Hughes — A Cypherpunk’s Manifesto (1993)

The Holy Grail of Privacy: Perfectly Fungible Coins

Often when we think of privacy, we think of our own personal privacy. But what if I told you that when you improve your own privacy, you inadvertently benefit the privacy of those around you? In this sense, privacy is not an individual task — it requires those around you to take it seriously as well.

The ultimate goal of perfectly fungible Bitcoin!

The above tautology is more than just a boring exchange rate; it is a description of a fundamental property of good money. Good money must, at its core, be acceptable, portable, durable and divisible. But equally important, good money must be fungible.

Fungibility is the property of money that guarantees its interchangeability. In other words, it is the property that makes a single euro and another euro equal: 1 EUR = 1 EUR. Regardless of where my euro came from, who has held it, or what activities they were involved in (whether legal or illegal), my euro is as good as your euro, or any euro for that matter. The fungible nature of my euro is what prevents a merchant, bank or individual from saying “I will accept his euro, or her euro, but not yours!”

Cash (both the physical and digital kind) as a form of money has a unique property: it cannot be spent twice. If a person is robbed of their cash, they can no longer spend it. They may try to reclaim the stolen cash from the thief, but the spendability of the cash remains with whoever holds it. And once you are robbed of your cash, you cannot demand that a merchant who has accepted the cash from the thief return it to you. The cash is valid as soon as it has changed hands. We are already very used to the concept of fungibility with respect to cash — otherwise, how would we go about using it? Imagine having to check a centralized list of all clean and dirty cash transactions every time you want to accept a payment — it would never scale!

In the Bitcoin space, we see more and more companies actively trying to destroy the cash-like property of coins through forensic analysis. These companies jeopardize the fungible nature of Bitcoin. The result of these forensics companies can be seen in the following examples:

‘Clean’ or newly minted coins, like the kind miners receive, are regularly being sold at a premium.

On the other hand, ‘tainted’ or ‘dirty’ coins, coins which retain a history that may be linked to illicit uses, are being blacklisted from exchanges and merchants.

If our goal with Bitcoin is to build a digital money, we will fail to do so without fungibility.

Privacy implies fungibility, and fungibility is necessary for good money

How can we improve on privacy?

The following is a list of 7 key behaviors for better privacy, much of which is the result of the work of Adam Gibson.

Adam Gibson, a cryptographer and advocate of privacy solutions in Bitcoin, is most well known for his work as the lead developer of JoinMarket, alongside Chris Belcher.

#1 Address reuse

The problem of address re-use as it affects user privacy has been known since the publication of the Bitcoin Whitepaper. Although many have described Bitcoin as being anonymous, even Satoshi clarified that a user is only as anonymous as their public keys. Thus many have resorted to a privacy label with a critical caveat — pseudonymity, not anonymity. The distinction is crucial: under a cryptographic pseudonym, your behavior, or more specifically, the behavior of your pseudonym, can still be tracked. Bitcoin addresses are pseudonyms and users should dispose of these pseudonyms after they have been used.

Bitcoin WP, Ch. 10. Privacy

… a new key pair should be used for each transaction to keep them from being linked to a common owner. Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.

A pseudonym is like a mask, and the Bitcoin network is like a masquerade party. Those who use an address are putting on a pseudonymous “mask” in order to interact with other Bitcoin users. If a Bitcoin user decides to re-use an address, it is akin to using the same mask at every masquerade party. Sooner or later, that user may compromise their pseudonym, and by the nature of the public ledger — everything they have ever done on the network in the past becomes revealed. Even without address reuse, you are compromising yourself at least twice:

When you send your address to receive a payment.

When you spend Bitcoin from the address.

The issue of address re-use is not insignificant. According to Chris Belcher, in a recent talk at Breaking Bitcoin, as many as 40% of transactions in recent years involve addresses that are re-used more than twice (the minimum number of times). Wasabi automatically removes used addresses.

#2 Separate profiles

The idea of separating your accounts into various profiles is not new. In fact, you likely already do it on a daily basis when you separate your professional (work) profile from your personal or social profiles. Bitcoin allows for precisely the same separation of profiles with multiple accounts, a feature of BIP32 compatible wallets. This separation of profiles can be useful when you want to keep the payments from one business distinct from another. Most wallets hide the unspent coins in your possession and instead simply show a total balance, so your financial activity (e.g. your salary, donations and lambo rentals) is blurred into one ‘wallet’. The result can be quite embarrassing when you end up paying for a cup of coffee with your entire salary, a consequence of most wallets automatically selecting inputs on behalf of users. Many Bitcoin users are unaware of the UTXO model of accounting, and thus the idea of ‘coin control’ is less intuitive. However, Bitcoin doesn’t have ‘accounts’ like a bank; rather, Bitcoin users have (unspent) coins. Deciding which ‘coin’ to spend is akin to carefully selecting the correct mask for the next masquerade.

Forensics companies use metrics like **wallet clustering** in order to cluster addresses on the network that belong to the same individual. The effectiveness of wallet clustering as a metric stems from the strong heuristics that can be applied against Bitcoin users. It has even been said by Jonas Nick:

“Give me one of your SPV wallet addresses and I will give you back 70 percent of your wallet addresses.”

What this means for users is that any interaction with another person, whether you are receiving money or sending money, can expose a majority of past behavior and net worth. This is pretty scary. But how does it work?

It’s simple: heuristics! Heuristics are generalizations about the kinds of transaction behavior that wallets produce. One of the most powerful is the common-input-ownership heuristic. Look at the following transaction:

A transaction vulnerable to the common-input-ownership heuristic

When we consider the logic of this transaction, we observe that three coins are being spent in order to create two new coins. Since multiple coins are being spent within the same transaction, it is reasonable to assume that they share a common owner. The common-input-ownership heuristic creates a wallet cluster around addresses A, B and C, which means that if you reveal to someone only your C address, it inadvertently reveals the whole cluster.
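The clustering described above, as an added example (not Wasabi’s code) over constructed transactions: the common-input-ownership heuristic merges every input of a transaction into one cluster, and the same logic can be run wallet-side as a coin-control check before signing, to see which addresses a planned spend would newly link. Addresses A, B, C, D, M, X, Y are the constructed sample names used here.

```python
# Added example (not Wasabi's code): the common-input-ownership heuristic as a
# wallet-side "what does this link?" check, over constructed transactions.
class Clusters:
    """Union-find over addresses. The heuristic says all inputs of one
    transaction share an owner, so every input is merged into one cluster."""

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]  # path halving
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

    def members(self, addr):
        root = self.find(addr)
        return sorted(a for a in self.parent if self.find(a) == root)


# Constructed sample data, not real chain history:
# (txid, input addresses, output addresses).
SAMPLE_TXS = [
    ("tx1", ["A", "B", "C"], ["M", "D"]),  # the 3-in/2-out transaction above
    ("tx2", ["D"], ["E"]),                 # a later spend of the change coin D
    ("tx3", ["X"], ["Y"]),                 # an unrelated coin
]


def cluster_by_common_input(txs):
    clusters = Clusters()
    for _txid, inputs, _outputs in txs:
        for addr in inputs:
            clusters.union(inputs[0], addr)
    return clusters


def reveals(txs, revealed_addr):
    """What a bystander links to you once they learn a single address."""
    return cluster_by_common_input(txs).members(revealed_addr)


def preview_spend(txs, planned_inputs):
    """Coin-control check before signing: which addresses become linked if
    these coins are spent together in one transaction."""
    clusters = cluster_by_common_input(txs)
    for addr in planned_inputs:
        clusters.union(planned_inputs[0], addr)
    return clusters.members(planned_inputs[0])
```

Revealing C alone yields the whole A, B, C cluster, while a planned spend of C together with the unrelated coin X would pull X into that cluster as well, which is exactly the connection a labeled coin view lets you avoid.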

Wasabi doesn’t hide your coins behind the balance of your ‘account’; instead it has a CoinControl feature. Every coin you own is visible, and separated by the labels you keep for yourself.

Wasabi CoinControl feature GUI

Coins in Wasabi are labeled by amount, privacy level (anonymity set) and by cluster. Clusters are a way for you to see the connections between coins, so that you can avoid revealing connections before they happen. Every time a coin is received or sent, a mandatory label is required in order to build these internal clusters that wouldn’t be easy to intuit. Wasabi automatically combines labels and transaction graph history to present a coin-specific history for each coin in your wallet.

The advanced CoinControl feature allows any Wasabi Wallet user to decide for themselves which coin(s) will be most appropriate for spending, in the context of the amount and the source/recipient.

Start labeling today, your privacy will thank you tomorrow!

#3 P2P Trade

The main idea regarding P2P trades is to leverage the P2P Bitcoin network directly. When you use and run your own full node as opposed to a third-party service, you avoid creating and broadcasting transactions through a central server that may record your financial activity. With your own node, you are truly not asking for anyone’s permission — it’s just you and the rest of the Bitcoin network.

Below are 3 common examples of wallet infrastructure.

Typical wallet operation schemes

In the first example, the keys to your wallet are stored on a central server. The user simply ‘logs in’ to the service provider’s wallet application and the server does all of the execution. In other words, the real owner of the coins is not you, but the service provider, who has total information and complete control. These kinds of wallet services (most common among exchanges like Coinbase) are prone to theft and locked funds, in addition to offering users little privacy from the service provider.

In the second example, a user’s wallet might be stored on a local device, but the wallet queries information from a 3rd party server. A typical example is the Electrum mobile wallet, which relies on public Electrum servers in order to query information. Although private keys may be stored on your phone, the relationship between client and server may still be subject to Sybil or man-in-the-middle attacks. Unfortunately, both of these have happened over the past few weeks, as a malicious user sent clients a false ‘update’ message which, once a user installed it, would result in the loss of funds. In addition, privacy is also at risk in this model.

In the 3rd example, a user may run a full node on their local device and still be prone to privacy risks by other malicious bitcoin nodes in the network that might record the IP address of the transaction.

So, what makes Wasabi better?

Wasabi’s transaction broadcasting mechanism.

First, Wasabi never gives away any information about user addresses. Instead, Wasabi relies on full nodes to query entire blocks, which are then parsed to confirm coins in the wallet. If a user has a local Bitcoin node running, Wasabi will attempt to query blocks from there. If no full node is detected, Wasabi will fetch a single block at a time from a random peer over Tor. The same is true for sending transactions. If Wasabi cannot broadcast a transaction locally or through a random node over Tor, it will (as a last resort) send the transaction to the coordinator backend for broadcasting.

Once a block is queried or a transaction is sent, Wasabi will always open a new Tor circuit with a new random node on the network, in order to avoid giving away too much information to one party. When you send two consecutive transactions via Wasabi, you can be sure that they appear in two very different places on the network.

The important thing to understand is this — you don’t need financial institutions, central servers and trusted third parties in order to transact in Bitcoin. Bitcoin is a permission-less P2P network, which means you can directly interact with a merchant or buyer without compromising your privacy. Instead of relying on exchanges that demand to know all of your personal information, consider buying or selling coins with friends and family, or through decentralized services like Bisq.

#4 Run your own full node (and use Tor!)

Using your own full node protects you against many privacy and security vulnerabilities, in particular against network analysis. With Wasabi, your wallet attempts to connect to your own node by default, without any configuration! If you own a full node, but not locally (for example, if you have a Casa node at home), you can connect your Wasabi wallet to the node via the config file. When querying your own trusted full node, you will have the best privacy protection against Sybil nodes that log information about your queries. Further, your Wasabi wallet does not ask for particular transactions or addresses, as is the case with most SPV style wallets. These methods have been demonstrated to hurt user privacy, in the form of malicious nodes clustering transactions and addresses. Even if a malicious server doesn’t know your location, repeated transactions through the same server allow for clustering that can still hurt your privacy. For this reason, nearly all light wallets today are considered vulnerable to network analysis.

Wasabi minimizes the information revealed to third parties through client-side filtering. When you first run your Wasabi application, your wallet requests block filters for every block. The coordinator sends all Wasabi wallets the same filters, so there is no personal data in the request. Your wallet proceeds to check which blocks may contain relevant transactions, and then queries those blocks from the network.

This clever reversal of client and server filtering gives control of information back to the user. When a user’s wallet believes there is a relevant transaction in a block, it gets the whole block from a random node, revealing very little personal information. Even if the node were to spy on your wallet, it would only know that you may or may not have a single transaction in that block; that is not going to be easy to cluster, as there are thousands of transactions in a single block.
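The client-side filtering flow described above, as an added example (not Wasabi’s code): a simplified stand-in for a BIP158-style filter, where each block’s filter is the set of short hashes of its scripts, the client tests its own scripts locally, and only block heights leave the machine. The blocks, scripts and the colliding decoy are constructed; the decoy is built so that the “may or may not” false positive is visible deterministically.

```python
import hashlib

# Simplified stand-in for Wasabi's BIP158-style block filters (added example,
# not Wasabi code). A filter is the set of short hashes of every scriptPubKey
# in a block; short hashes collide, so a match is only "maybe".
KEY_BITS = 16


def short_key(script_pubkey: bytes) -> int:
    digest = hashlib.sha256(script_pubkey).digest()
    return int.from_bytes(digest[:2], "big") % (1 << KEY_BITS)


def build_filter(block_scripts):
    """What the coordinator publishes for one block: identical for every client."""
    return {short_key(s) for s in block_scripts}


def blocks_to_fetch(filters, wallet_scripts):
    """Client side: test the wallet's own scripts against every filter locally.
    Only the resulting block heights are ever sent to a peer."""
    want = {short_key(s) for s in wallet_scripts}
    return [height for height, f in enumerate(filters) if want & f]


def scan_blocks(blocks, heights, wallet_scripts):
    """Download whole blocks and parse them; this resolves the false positives."""
    mine = set(wallet_scripts)
    return [(h, s) for h in heights for s in blocks[h] if s in mine]


def colliding_script(target_key, prefix=b"unrelated-"):
    """Constructed decoy: an unrelated script whose short key equals target_key,
    so the example shows a false-positive block deterministically."""
    n = 0
    while True:
        candidate = prefix + str(n).encode()
        if short_key(candidate) == target_key:
            return candidate
        n += 1


# Constructed chain of three blocks; the wallet owns a single script.
WALLET = [b"wallet-script-1"]
BLOCKS = [
    [b"other-1", b"other-2"],
    [b"other-3", WALLET[0]],                                 # the real payment
    [b"other-4", colliding_script(short_key(WALLET[0]))],    # decoy collision
]
FILTERS = [build_filter(b) for b in BLOCKS]


def sync(blocks=BLOCKS, filters=FILTERS, wallet=WALLET):
    """Returns (heights requested from peers, payments actually found)."""
    heights = blocks_to_fetch(filters, wallet)
    return heights, scan_blocks(blocks, heights, wallet)
```

A peer serving block 2 learns only that this client fetched a block it has no transaction in, which is all the filter design allows it to learn.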

#5 Use CoinJoin

So far, we have discussed the challenges around network level privacy, and how Wasabi uniquely addresses these problems in order to mask your wallet cluster and your location. However, we have yet to talk about an equally important kind of privacy — blockchain level privacy. When we think about blockchain level privacy, remember — the transaction chain is your enemy.

Equal Output CoinJoin with Unequal Input Participation

Here is Alice; she has a potentially tainted coin. For example, if the coin she has is her salary for the month, she may feel uncomfortable about her boss being able to track her purchases. Alice would like to break the chain of transactions that ties her money to her boss, without being compromised by heuristics. Doing something ‘clever’ may be enough for now, but we must be sure that new heuristics won’t compromise her privacy later. SharedCoin failed in precisely this way, by doing a weaker type of CoinJoin that was later de-anonymized in what is now called ‘CoinJoin Sudoku’. So ideally we need something which is provable, and thus we have equal-output CoinJoins. The basic idea is this: if all participants receive coins of the same denomination, analysis will not be able to connect inputs to their owners.
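An equal-output CoinJoin with unequal input participation, as an added example (not Wasabi’s code): three constructed participants with different input amounts each receive one output of the same denomination plus their own change, and the anonymity set of each output is counted. The shuffle stands in for the blind-signature step that hides ownership from the coordinator; participant names and amounts are constructed.

```python
import random
from collections import Counter

# Constructed participants (not real coins), amounts in satoshis. Inputs are
# unequal; every participant receives one output of the same denomination.
PARTICIPANTS = {
    "alice": [150_000],          # her salary coin, the chain she wants to break
    "bob": [70_000, 45_000],
    "carol": [230_000],
}
DENOM = 100_000                  # the equal mix denomination
FEE_PER_PARTICIPANT = 1_000      # each participant pays their share of the fee


def build_equal_output_coinjoin(participants, denom, fee, seed=1):
    """Collect everyone's inputs and pay each participant one `denom` output
    plus their own change; shuffle outputs so their order leaks no ownership.
    (Wasabi hides ownership from the coordinator with blind signatures; the
    shuffle here only stands in for that step.) The "mix"/"change" tags are
    for illustration; on-chain, only the values are visible."""
    inputs, outputs = [], []
    for name, coins in participants.items():
        total = sum(coins)
        if total < denom + fee:
            raise ValueError(f"{name} cannot fund one {denom} output plus fee")
        inputs += [(name, value) for value in coins]
        outputs.append(("mix", denom))
        change = total - denom - fee
        if change:
            outputs.append(("change", change))
    random.Random(seed).shuffle(outputs)
    return inputs, outputs


def balances(inputs, outputs, fee, n_participants):
    """Sanity check any participant can run before signing."""
    return sum(v for _, v in inputs) == sum(v for _, v in outputs) + fee * n_participants


def anonymity_sets(outputs):
    """Per output: how many outputs in the transaction carry the same value.
    Mix outputs are indistinguishable from each other; a change output is
    unique and therefore still linkable to its owner's inputs by amount."""
    counts = Counter(v for _, v in outputs)
    return [counts[v] for _, v in outputs]
```

The three mix outputs each get an anonymity set of 3, while the three change outputs stay at 1, which is why change from a CoinJoin should be treated as still linked to its inputs.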

If you are interested in a more detailed description of how Wasabi does a CoinJoin, you can read about it here.

Unequal input mixing here or here.

#6 Avoid servers

As I mentioned before, this is not a trivial problem to solve in a trustless way. There were attempts to create centralized mixers, but many turned out to be scams. There are 3 main problems:

They can steal your money

They can collect information and create wallet clusters

They know the links in the CoinJoin, so they can deanonymize you later.

Wasabi also has a centralized backend, but it is constructed in a way that even we cannot deanonymize you.

How? Wasabi uses the ZeroLink fungibility framework, a protocol designed in large part by Adam Ficsór. The protocol describes a series of steps to solve nearly every privacy concern.

For a more detailed description of how Wasabi achieves trust-less CoinJoins, please see the protocol specs here.

#7 Start using lightning network

At this point, it is too early to start leveraging LN in a privacy oriented wallet. However, if Bitcoin is successful in the future, there will be a need to think about these questions, since blockchains don’t scale.

Future ideas and roadmap here.

The CoinJoin Bounty

Proposed by Gregory Maxwell in 2013 to encourage development in CoinJoin implementations, a Multisig donation address (2-of-3 between Maxwell, Theymos and Wuille) has since racked up an impressive 46 Bitcoin bounty!

However, in the past 6 years, not a single implementation was awarded the bounty, as the rules were very strict. For the first time since its inception, in April (2019) both our team at Wasabi and our good friends at JoinMarket were finally awarded 10 BTC each:

JoinMarket and Wasabi Wallet

A detailed history of claims and funds awarded can be found here by 6012.

Wasabi Wallet fits into the U.S. regulatory framework

Wasabi always plays by the rules. The company behind it, zkSNACKs, has Terms and Conditions, a Privacy Policy and a Legal Issues document, all the documents needed to operate. However, there are inconsistencies in the regulations among countries, especially in the area of privacy-preserving services and exchanges. For Wasabi, even a term was missing, as it is not only a non-custodial wallet but also has a unique CoinJoin procedure. This changed on 9 May, when FinCEN published a guidance. FinCEN is a bureau of the U.S. Department of the Treasury. The guidance collects all the rules together, defines terms and rules, and gives some restrictions. For example, Bestmixer.io, which closed recently, was an anonymity service provider, so they should have used KYC. If a platform simply facilitates the matching of crypto buyers/sellers, and the actual transactions take place off the platform, then it is not a money transmitter. However, if the service acts as an intermediary to the transaction and settles trades, then it is a money transmitter subject to the BSA. Wasabi:

Non-custodial wallet, so called unhosted.

zkSNACKs does not hold any BTC; it just coordinates the users to create the CoinJoin.

The ownership of the coins does not change. The users send their bitcoin to their own addresses.

Wasabi is an anonymizing software provider as described in 4.5.1(b), so it is not a money transmitter and thus not under BSA (Bank Secrecy Act) regulations. Basically, we can continue to operate as we do now, and it is compliant.

FinCEN said yes to privacy!

Presentation on Bitcoin2019

Live presentation on this topic: https://www.youtube.com/watch?v=tLOMcU8MhWM

Bitcoin2019conf

Wasabi under the hood

My previous article gives more insight into the technical details especially with respect to CoinJoin: https://medium.com/@molnardavid84/wasabi-wallet-unfairly-private-fdae78bb8cdd

Resources: