Bitcoin Q&A: Coin selection and privacy


“Privacy and coin selection algorithms.
Fungibility isn’t optimal at the moment, with
all addresses and transactions publicly visible,
and the rise of blockchain analytics firms.
One area that seems to be of interest, while
we wait for Confidential Transactions and
other privacy enhancing implementations,
is improved coin selection algorithms.
Could you explain how Samourai Wallet
and other privacy-focused services
choose their coin selection algorithms?
What UTXO selection and change address creation
best preserves privacy?
Is there anything you can do yourself
to obfuscate your transactions,
or are mixing services the easiest / best way to go?”
This is a great question.
At the moment there aren’t that many privacy-focused
wallets.
I think Samourai deserves credit for being
the most privacy-focused wallet.
And it’s one that I use quite regularly, because
I really do like some of the features.
Up to now, Samourai was using a technique
called BIP 126, which had to do with
how you organise change addresses and coin selection
to maximise privacy.
As of maybe two days ago (May 3rd),
they announced a change in that strategy,
a new method for organising
transactions called STONEWALL.
This is something they’ve introduced.
STONEWALL is a mechanism for evaluating the
entropy of every transaction and
looking for potential information leaks
within that transaction.
Every wallet leaves behind a signature, in
some way.
The way that a wallet selects coins can leave
behind various signatures that coin analytics firms
can use very effectively to do correlation
between different transactions.
The Samourai team, as far as I can tell,
have been working on this problem.
Evaluating the entropy, or the randomness,
of each transaction in order to see if the
wallet is inadvertently creating a signature that can lead
to the identification of the source of these transactions.
Together with that, they’ve implemented some
techniques that make a regular payment that
you make with your wallet,
look like a CoinJoin transaction.
This means that your wallet will use a
number of inputs and a number of outputs,
by effectively creating fake change.
If you add a number of outputs to a transaction that
pay change back to other addresses that you control,
from the outside that transaction
(with lots of inputs and outputs)
looks like a CoinJoin transaction.
By varying the values in the inputs and outputs,
carefully selecting the coins, the wallet can
make this transaction look like it’s a mixture
of multiple transactions from different people.
That better preserves your privacy.
I do know that even in the past, Samourai
was one of the wallets that is very careful
about how it selects change and receive addresses
from your UTXO set, in order to make sure
that it doesn’t associate things that should
not be associated with each other.
Like associating one UTXO set with another
by putting them together in a transaction,
when previously they came from
two different transactions.
Obviously if you receive two payments to two
different addresses, then your wallet takes
those two payments and uses them in the same
transaction as inputs, that’s advertising
to the entire world that those two addresses
belong / are controlled by the same person,
which then allows people to correlate the
two previous transactions to each other.
So Samourai [fixes] some of that.
Another technology used within privacy-focused
wallets, including Samourai, is called Ricochet.
This is a specific term that Samourai uses,
but the concept is really simple.
Most chain analysis firms do something called
tainting, where they track coins that
they believe are involved in “bad” transactions.
For example, they may track coins that have
been used in a gambling site, sex-related
site, or whatever else the morality police
is currently considering “evil.”
Obviously if your coins come from a wholesome
source, like selling weapons to the Saudi government?
Not a problem whatsoever.
But if it comes from an unwholesome source,
like purchasing a sex toy in Texas – oh dear me!
That’s going to get blacklisted.
What these “services” do is track these “evil” coins.
If you do a transaction that previously came
from a transaction that previously came from
someone who did something naughty…
Then you might find that your exchange account
gets blocked, locked, completely shut down,
or your funds seized in some cases.
This is a dangerous practice, of blacklisting.
The way some privacy-focused wallets get around
that is by ensuring that, if analysis firms
are checking four or five transactions back,
you add extra hops by making transactions
between your own controlled addresses.
Instead of sending directly to an exchange,
you send from you to you, to you, to you…
to you etc., and then to the exchange.
Chaining these transactions together.
When the exchange checks five or six addresses
back, they find an address that is not blacklisted
because it’s clean, never been used before.
The funny thing about this cat-and-mouse game:
if the chain analysis firms go six hops back,
the privacy wallets can go seven hops; if
the chain analysis firms go seven hops,
the privacy wallets can go eight hops.
We continue like this.
But the problem is, this is asymmetric for
the chain analysis firms.
If they start looking eight hops back, they
start pulling in all addresses in the Bitcoin space.
At ten hops back, everything could be related.
I don’t know if you remember the old meme
of “six degrees of separation from Kevin Bacon,”
it’s the same concept at work here.
If you go far enough back, if you check enough
hops back, every coin has touched almost
every other coin unless it comes directly from
a coinbase transaction (part of the mining process).
If you keep pushing the chain analysis firms
to incorporate more and more hops, eventually
their data becomes horribly polluted.
Every transaction is tainted.
They can’t simply advise the exchanges to
stop accepting all coins because all of them
touched something naughty at some point.
This is a strategy that the analysis firms
are going to lose.
Those are some of the things you need to consider
when you’re doing coin selection in your wallet.
Of course, this is not something the user
[figure out themselves].
Preferably what you should be doing is picking
a wallet that incorporates the privacy principles
that you really care about and then configuring
that wallet by going into the settings.
‘Yes, I want to use Ricochet.’
‘Yes, I want to use STONEWALL.’
‘Yes, I want to mix up my change addresses.’
‘Yes, I want to route everything over Tor.’
Not many wallets offer that today.
You have an opportunity to make choices that
encourage wallet developers who follow these
practices, perhaps even contribute to their
projects with documentation and bug reports.
Or even by giving them a donation, if you
really appreciate the wallet that they’re building.
“Resolving inconsistencies in your stance
on privacy.”
Peter says, “Sometimes you say that Bitcoin
is good because it achieves privacy
or at least future implementations will
achieve full financial privacy.
I’ve also heard you dismiss the pedo / Nazis
argument against Bitcoin by pointing out that
blockchains actually help trace back transactions
once you have a suspect’s IP address or bitcoin address.
These propositions are not really compatible.
Could you be more specific about the level
of privacy you would like to see in Bitcoin?”
Thank you, Peter, for this opportunity.
First of all, let me disclaim this fanciful
idea that all of my thoughts, opinions, and
ideas are 100% internally consistent and provable.
I will use the Gödel defense and say that
either my statements are incomplete or they’re
inconsistent, but they can never be both,
because that would violate Gödel’s theorem.
Let me try and be more specific.
I think the fundamental difference here is
a matter of scale.
I believe that we should have privacy in Bitcoin
that allows every individual to maintain their
financial privacy against broad-based, blanket,
indiscriminate, surveillance by central parties.
Broad-based, blanket, warrant-less, unconstitutional,
in violation of the charter on human rights.
That kind of unconstitutional, illegal, immoral
surveillance that violates human rights
should be impossible to do in Bitcoin.
On the other hand, if someone is doing something
involving criminal activity, it’s not going to be
broad-based surveillance that catches them.
That’s a fallacy and it’s a fallacy that’s being
sold to us primarily to persuade us that
as long as we give a little more power, give
up a little more privacy, crime will finally be beaten!
Terrorism will end and pedophiles will no longer exist!
Abuse of children will stop!
All of the “bad things” will go away.
All you have to do is trust a few people in
power to have ultimate control over your privacy,
your life, your human rights, and everything
else.
Then it will all be okay.
That authoritarian lie is basically designed
to give more and more power.
In the end, it doesn’t make the world a better place.
Arguably, it makes the world a terrifying,
fascist autocracy.
What do you do about crime?
The truth is that the vast majority of crime is solved
by investigation and primarily through human factors.
The person who is committing these crimes
(abusing children, committing fraud, stealing
money, extorting people) or whatever else
you might be thinking of as one of these
horrible things that will be committed with money
on blockchains, like they’re committed with
every other currency in the world…
Most of the time, there’s going to be a trail
of evidence.
It’s going to be on their computer, evidence
that their co-conspirators know about.
I think law enforcement has traditional tools
that they can use in the case of a crime,
where there is probable cause, where you can get
a magistrate to sign a warrant,
and that person can be investigated.
Their privacy [should only] be stripped under
due process of law.
That evidence will be sitting right there
on their computer.
Not only will they leave a trail, but their co-conspirators
will know about this and can be flipped.
All of the traditional law enforcement techniques.
Once you have their computer, their private
keys, and various other things that you got
through due process and a properly signed
warrant, now you have forensic evidence
on the blockchain that they committed a crime.
My stance on privacy is simple: I am against
blanket, indiscriminate, warrant-less, unconstitutional
surveillance that violates human rights and
gives enormous power to centralised actors
who will abuse that power, ultimately erode
and destroy democracy.
I don’t believe that criminals should have
privacy, but in order to strip someone of privacy
and declare them a criminal,
you need due process of law.
You need a warrant.
The idea of stripping everyone of privacy
in order to protect against crime, means that
in the end only criminals will have privacy.
They’ll simply break the law that requires them
to only use the currency that’s under surveillance.
None of us will have privacy, except the criminals.
Crime will never go away, because crime has
nothing to do with the currency or computer or tool.
It’s just a fundamental part of human nature.
Claim your privacy.
There’s a difference between indiscriminate,
broad-based, warrant-less surveillance, and
the appropriate application of justice through
due process, properly signed warrants, and
the protections we have under all of the human
rights charters, in every civilised place on earth.
“Bitcoin will never add default privacy or
fungibility.
Ari Paul believes that it is highly unlikely
that Bitcoin adds default privacy or fungibility,
because this would likely tank the price since
it means that all institutional and regulation-conscious
money will have to dump it.”
Apparently this is quoting Ari Paul.
I don’t know if this is an accurate quote
or if it is paraphrased, so please take that
with a pinch of salt.
The question continues, “There are many other
reasons why people might not support
a default privacy update as well.
Realistically, do you think it is in any way
plausible for the main chain to add default privacy,
or will there inevitably be a separate
cryptocurrency that provides the fungibility use case,
whether it be the result of a contentious hard fork or a
[completely] separate cryptocurrency such as Monero?”
Honestly, I disagree.
To me, Bitcoin has never been about the investment and
use by institutional and regulation-conscious money.
Institutional, regulation-conscious money
already has plenty of investment avenues,
plenty of currencies to choose from.
If the addition of privacy and fungibility
features actually did reduce the price of bitcoin,
I’m okay with that.
To me, it’s more important that this is a
currency that is usable by the vast majority
of human beings who do not have access
to stable, reliable, private currencies.
Because they don’t have access to stable,
reliable, and democratic institutions;
or stable, reliable, and non Mafioso-run bankers.
Quite honestly, I don’t give a damn what institutional
and regulation-conscious money does.
I certainly don’t think the developers who
are involved in implementing these features,
the cypherpunks of Bitcoin, really give a
damn about what institutional money does.
There will be additions of privacy and fungibility.
They are very much on the roadmap.
If that causes regulation-conscious money
to leave bitcoin, that’s a very good indication
that those privacy and fungibility technologies
are effective and working correctly.
They’re going to have to find some other kind
of surveillance coin that they can pump-and-dump
for get-rich-quick schemes.
Ripple sounds like a [good fit for that],
maybe they could go to that one.
Let Bitcoin do the privacy things that it
needs to do to serve the other six billion people
who are not interested in playing this
game of crony surveillance capitalism.
Thank you very much, bye bye!
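
The linkage described in the first answer (two payments to different addresses later spent together as inputs) is what analysts call the common-input-ownership heuristic. As an added example, not part of the talk or of any wallet's code, this sketch clusters addresses from a constructed transaction list and shows a check a wallet could run before co-spending UTXOs; all function names, addresses and transaction ids are hypothetical.

```python
from itertools import combinations

# Constructed sample history: only the input addresses of each transaction matter here.
HISTORY = [
    {"txid": "t1", "inputs": ["addr_A", "addr_B"]},  # A and B spent together
    {"txid": "t2", "inputs": ["addr_C"]},            # C spent alone
    {"txid": "t3", "inputs": ["addr_B", "addr_D"]},  # B and D spent together
    {"txid": "t4", "inputs": []},                    # coinbase-style tx, no inputs
]

class Clusters:
    """Union-find over addresses; one cluster = one presumed owner."""
    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]  # path halving
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def cluster_chain(txs):
    """Apply the heuristic: every input address of a transaction shares an owner."""
    clusters = Clusters()
    for tx in txs:
        if not tx["inputs"]:
            continue
        first = tx["inputs"][0]
        clusters.find(first)
        for addr in tx["inputs"][1:]:
            clusters.union(first, addr)
    return clusters

def new_links(clusters, candidate_inputs):
    """Address pairs an observer would newly link if these were co-spent."""
    unique = sorted(set(candidate_inputs))
    return [(a, b) for a, b in combinations(unique, 2)
            if clusters.find(a) != clusters.find(b)]

if __name__ == "__main__":
    seen = cluster_chain(HISTORY)
    # A and D never appeared together, yet both were co-spent with B.
    print("A~D already linked:", seen.find("addr_A") == seen.find("addr_D"))
    # Co-spending A with C would reveal a link the chain does not yet show.
    print("A+C would reveal:", new_links(seen, ["addr_A", "addr_C"]))
```

An empty result from `new_links` means the candidate inputs are already attributed to one cluster on-chain, so spending them together reveals nothing new to an observer applying this heuristic.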

34 thoughts on “Bitcoin Q&A: Coin selection and privacy”

  1. A Question I'd like you to address. What happens when we have zero point energy, or something close to it, and the cost of securing the Bitcoin blockchain goes to 0? I would assume the need to change from POW to POS. Interesting to think about though. Keep up the good work!

  2. if everyone sells btc at $20,000 in all exchanges, wouldn't that raise the value to $20,000? it's decentralized, right? it's valued $6,000+ right now because somebody is willing to sell it at that price. i guess if all of the holders don't sell below $20k, the price will be $20k. it's like a Hermes bag, what's in that bag that made it so expensive? Nothing. Just the name. They sell it $10k-$50k that's where the price where people will buy it, thus, that's the value of it.

  3. With FIFO accounting No amount of degrees of separation matter because the first coins into an account or mixing pool are considered the first coins out. British common law has long had an answer to this dilution problem.

  4. WELL SAID!!! The man! Andreas once again coming at it with the wisdom greater than an owl! Andreas you are among the truly enlightened ones, Keep up your valiant work Friend!! The people deserve to know what honors you have to preach! Well done!

  5. Is a coin like Bitcoin Private a waste of time (a privacy coin)? BTCP plans on rebasing to BTC's codebase. Currently, it uses ZCL's codebase. In a few months, BTCP will be Bitcoin but with zksnarks for privacy. Should the BTCP team just push a pull request to bring this technology to Bitcoin rather than develop a new coin? Many think BTCP is a "shitcoin" due to no value returned after the fork. A rebase to BTC codebase should provide more value.

  6. as always, very good dissection of privacy coin features! it would be great to feature some of the top privacy coins like deeponion, spectrecoin, samourai, verge, zcash, monero, etc and compare them in terms of level of security. people should be well informed because privacy coins will play a major role in crypto currency in the near future.

  7. Cubits sales guy told me that their chain analysis goes back 1000 hops and that they work with the US Government to assign scores to coins. Not sure how true it is, after all he is a sales guy...

  8. Samurai has really great features (best I saw so far), but wouldn't recommend to use it in current version if privacy matters: The weak point (which unfortunately more than destroys all gained privacy) is that you have to trust the servers of the operating company. The wallet is not a full Bitcoin node so it connects to a full Bitcoin node (own node remotely currently only working if your android phone has a static IP address or is in the same network). The connected node can easily find out all 100+ Bitcoin addresses in the HD wallet and knows they belong to the same entity (similar or same principle like the bloom filter leakage for SPV wallets). Although I assume that the operators don't collect these data, it could be that they sell the business tomorrow to someone doing it or a hacker/employee access data without authorisation. If central parties are involved, you don't know always who they are. Look at this privacy example:
    https://theverge.com/2018/6/27/17509444/dark-web-drug-market-money-laundering-hsi-dark-gold
    To increase your privacy you need to connect a wallet with a trusted full Bitcoin node, for example your own node.
    I'll look if the missing feature will be added in a smooth way into future releases. Then I'll be a supporter of the wallet! Anyway already today the creators have my respect for the sophisticated features!

  9. The ending is gold! As a trader I see that alts are actually a way to go on the next pumpfest. And I think that even if institutions dump their bitcoin it would help the retail adoption as it spreads among more people. Let it be what it was supposed to be.

  10. If crypto exchanges want to ban "naughty" coins however many transactions back, then it looks like those exchanges are employing the wrong kind of people, as they seem more in tune with the fiat world and its government/big corp moral policing.
