In brief
- An old Bitcoin privacy protocol has found new relevance with a new design implementation by Chris Belcher.
- CoinSwap allows two or more parties to “swap” coins between each other without publishing the real recipient’s address to the blockchain.
- If it works out in practice as in theory, this could make Bitcoin much more fungible and private—but, as always, there are a few catches.
A Bitcoin developer just resurrected a dormant privacy protocol that could be the silver bullet for Bitcoin’s anonymity issue. And it can be put into action without changing Bitcoin’s source code.
Chris Belcher, a UK-based developer with hundreds of commits across various Bitcoin projects like Electrum and JoinMarket, this week released an implementation proposal for CoinSwap, a seven-year-old privacy protocol he believes will “massively [improve] Bitcoin privacy and fungibility.”
With CoinSwap transactions, though it might look like a user sends funds from address A to address B, “in reality her coins end up in address Z, which is entirely unconnected to either A or B,” Belcher wrote.
CoinSwap was originally conjured up in 2013 by Greg Maxwell, co-founder of Blockstream and the creator of CoinJoin, CoinSwap’s spiritual predecessor. But Maxwell’s idea was too technically challenging to implement and was left to gather dust.
Belcher’s proposal, however, uses the same smart contract trick that makes Bitcoin’s Lightning Network tick, making it easier to implement. Belcher told Decrypt the protocol could be ready for testing in six to eight months, and Maxwell has praised Belcher’s implementation as an “extensive and well written high level design.”
This could solve Bitcoin’s major anonymity issue. Since Bitcoin’s addresses are public and pseudonymous, it’s fairly easy for blockchain analytics companies to trace Bitcoin addresses to IP addresses. Anonymity protocols, such as CoinJoin, already exist, but they can be difficult to navigate and only work when strict instructions are followed.
How CoinSwap improves privacy
With CoinJoin—CoinSwap’s predecessor—groups of users send equal amounts of Bitcoin together (for example, five users each send one BTC), which the protocol then processes in batches to obscure the origin of transactions. Because transactions are grouped together in batches, they all have a shared history and all look identical.
One of the nuisances with CoinJoining is that each user must input an equal amount of Bitcoin into the batched transaction for it to work properly. If you joined a server for a one BTC CoinJoin and you accidentally sent two, then the privacy of your input (and whoever interacts with it in the CoinJoin) would be compromised.
CoinSwap solves this problem by eliminating the need for like-amount payments. Instead of jumbling a bunch of coins together, CoinSwap (as its name suggests) lets users swap coins by sending them to an intermediate wallet first.
Should Alice and Bob want to CoinSwap, Alice would kick things off by sending Bitcoin to a multi-signature address (i.e., an address they both hold keys to). At the same time, Bob sends Bitcoin to another multi-signature address. Since both Alice and Bob have keys to both wallets, they can then withdraw the coins to their own wallets.
A cryptographic trick used in atomic swaps and the Lightning Network, called hash-time-lock contracts, prevents either party from filching funds from the other. To complete the swap, Bob withdraws Bitcoin from the first multi-signature address and Alice withdraws Bitcoin from the second one.
These multi-signature addresses use another cryptographic trick to make the transactions look “just like a regular single-sig instead of a multi-sig,” Chris Belcher told Decrypt. “The swap isn't visible by anyone examining the chain so privacy is improved,” he explained further.
Money troubles
Belcher highlighted in his post that a well-functioning CoinSwap market would be resistant to a Sybil attack, where an attacker could overpower the network and identify its participants.
To achieve this, Belcher said that it’s necessary to use the same so-called “fidelity bonds” that keep actors honest in JoinMarket, one of the largest CoinJoin hubs in Bitcoin. With these bonds, the participants fulfilling a CoinSwap request (the market takers) must stake Bitcoin as collateral before they can participate in a swap.
This would make it too expensive for, say, a blockchain analysis company to spam the network and work out who is using CoinSwap. For a Sybil attacker to be successful, Belcher estimates that it would require "roughly 55,000 BTC (around $500 million) to be locked up for 6 months."
Given the JoinMarket clientele’s appetite for CoinJoins, if CoinSwap scales, Belcher envisions that people could one day make CoinSwaps for “sizes up to about 200 BTC.”
Privacy Evolved
Adam Ficsor, the co-founder of Wasabi Wallet, another privacy-preserving Bitcoin wallet, told Decrypt that the proposal is “very exciting,” but that he is still “trying to figure out if its practical implementations would take away the magic of the idea or not.”
Wasabi's CoinJoin markets are user-run, so sometimes people have to wait for other peers to join a CoinJoin server before mixing. For CoinSwap, though, Wasabi would likely need to stake Bitcoin in fidelity bonds and provide liquidity itself to defend against DoS attacks, Ficsor said, which could be very costly for the wallet.
To facilitate CoinSwaps through its platform, Wasabi would need to deposit Bitcoin in fidelity bonds to keep it Sybil resistant. (Ficsor joked that he would have to cut half of Wasabi’s staff to make it work.)
Ficsor emphasized that he’s still evaluating the proposal so his concerns could be “completely misguided.”
In any case, Belcher wants to take a different approach. Instead of having wallets or other services bankroll liquidity for CoinSwap, Belcher hopes it will evolve much like JoinMarket, where the free market’s various actors will keep the money coming in. So long as there’s a wide array of users and a deep pool of liquidity, the new protocol could keep Sybil (and deanonymization) attacks at bay.
At least, that’s how Belcher imagines it playing out. And if it does, it could be a significant win for Bitcoiners in the war on privacy.
Editor's note: This article was updated after publication to clarify how Wasabi's wallet facilitates the CoinJoin privacy protocol.