Bitcoin privacy 101: An introduction to CoinJoin
In the bitcoin whitepaper, Satoshi Nakamoto outlined two main ways bitcoiners could protect their privacy:
1) Don't connect your identity with your bitcoin.
2) Don't reuse addresses.
While this advice is still true and relevant, the proliferation of blockchain analysis services over the last several years has necessitated the development of tools like CoinJoin and other strategies for bitcoin privacy. CoinJoin can help bitcoiners obfuscate their holdings from public surveillance. Here's how it works:
First, what is a coin?
Unlike physical cash, bitcoin doesn't have strict denominations like 1¢, 5¢, $10, $20, etc. They can theoretically be any amount between one satoshi (the smallest unit) or 21 million bitcoin (the total supply). Spendable coins are called unspent transaction outputs or UTXOs. When you look at your wallet balance, that number is the sum of the value of all UTXOs you can spend, using your private key(s). You can think of bitcoin addresses as pockets in your wallet that hold a collection of these UTXOs.
When you create a transaction, your wallet picks UTXOs from your addresses that add up to the amount you want to spend. If your UTXOs don't add up to the exact amount, then you will have change left over, just as if you gave a shopkeeper a $10 bill to purchase a $5 item. This excess money is spent back into your own wallet as a change output, a new UTXO.
Transaction data on the bitcoin blockchain is public, which means you can follow the trail of coins from address to address and assume that coins being spent together in a transaction are owned by the same person. Or can you?
The guessing game
Imagine you and two other people have three balls, all the same color and size. Everyone closes their eyes. Someone (the coordinator) hides each ball under a cup, mixes the three cups around for a while, and then lifts the cups. Maybe it's possible that you can guess correctly which ball was yours, but there is no sure-fire way to prove you're right, because the balls all look the same. Either way, the three of you will get a ball back that looks exactly like the one you put in. And the more times you participate in this mixing, the less you can be sure that you could be holding the same ball you originally put in.
In a CoinJoin transaction, a group of bitcoiners coordinates and agrees to sign a transaction that spends their coins together.
How does joining coins from multiple people achieve privacy? As we know, blockchain data including payment amounts is public. Therefore, “privacy” in this sense is not about hiding something but increasing uncertainty about the ownership and history of a given coin.
In most CoinJoins, users contribute UTXOs that are uniform in denomination and/or size, rendering them indistinguishable from one another. The most common denomination is 0.1 BTC, but they can be set to any amount. Furthermore, the best practice is for outputs from a CoinJoin transaction to go out to new addresses, so they cannot be linked back to any particular participant in the mix.
A face in the crowd
This brings us to the concept of an anonymity set, or "anon set" for short. The greater the number of bitcoin being mixed in this game, the greater the number of potential interpretations for where coins went in the mix and the harder it is to guess correctly who originally owned which bitcoin.
This is why CoinJoin wallets set a target for the set, or minimum number of participants, which is usually somewhere between 5 and 100. This means that, to a blockchain analyst, any given 0.1 output from the CoinJoin transaction could have 5 to 100 possible owners, or whatever the anon set is. As they say, there is strength in numbers.
However, there is one obvious problem with this type of transaction: it is easily identifiable as a CoinJoin. Most bitcoin transactions use a couple UTXOs of variable size, not dozens that are equal in size. So, while you are helping to obscure the ownership and history of your coins, you are doing so in a noticeable way. Your coins are, in a sense, being tagged as belonging to someone who is interested in privacy!
If enough bitcoiners regularly used CoinJoin, this wouldn't be a big deal. Unfortunately, some custodial exchanges and wallets who see (or have been told to see) financial privacy as a bad thing have been selectively blocking and/or closing the accounts of users they suspect have participated in CoinJoins, although it is ambiguous to what extent they are actually obligated to do so.
Payments as CoinJoin
Luckily, there is a type of CoinJoin that improves privacy without obviously being a CoinJoin. PayJoin is a two-person CoinJoin that masquerades as a typical transaction, where one person pays another and gets some change back. In a PayJoin, the receiver is actually a participant in the transaction and pays themselves with some of their own coins. If done correctly, this would also obscure whether an output is the payment or the change.
Because this type of CoinJoin not only improves privacy but makes it harder for blockchain analysts to tell whether a privacy tool is even being used, it has great potential. Several wallets and merchant services are working to integrate a PayJoin feature.
We hope that you now understand the basics of CoinJoin and how it can help protect your financial privacy. Mix and mingle!
🔒 Lock up your bitcoin now
The holidays are a prime time for security attacks, but you don't have to worry. Casa Gold helps HODLers keep their bitcoin safe. Our 2-of-3 multisig protects your bitcoin with multiple keys to eliminate your risk of theft or accidental loss.
👉 Try free for 30 days.
📰 Get updates on bitcoin privacy and security
Our weekly Casa Security Briefing newsletter has a rundown of recent security and digital privacy news, tips, and expert analysis. Sign up below and stay informed.