The U.S. blacklisting of Ethereum addresses connected to the Tornado Cash mixing service raises uneasy questions about Bitcoin’s immunity to government meddling.
The oldest and most valuable cryptocurrency network has faced down the threat of transaction censorship before. In May 2021, Marathon Digital Holdings, a U.S.-based bitcoin mining firm, said it would exclude from the blocks it mined any transactions involving addresses sanctioned by the Treasury Department’s Office of Foreign Assets Control (OFAC). The initiative proved highly controversial and ultimately short-lived. Marathon CEO Fred Thiel eventually announced that the company would revert to traditional mining, the kind that doesn’t discriminate between users, and reaffirmed his commitment to the Bitcoin ethos of decentralization and censorship resistance.
But OFAC’s action against Tornado Cash raises the stakes. Rather than sanctioning an individual or an organization tied to terrorism or drug trafficking, the agency has made it a crime for otherwise law-abiding users to use privacy-enhancing software to cover their tracks on the Ethereum blockchain.
Read more: ‘People Will Get Burned’: Matt Odell on the Long Road to Bitcoin Privacy
What if OFAC similarly sanctioned one of Bitcoin’s decentralized mixing protocols? Miners operating in the U.S. or jurisdictions where Washington holds sway might have a stronger incentive to block transactions sent to or from these mixers, the way Marathon briefly censored transactions involving sanctioned entities.
This is a problem Bitcoin developers have been working on for over a decade. Not only are they improving obfuscation techniques, but they are working on ways to make it harder to distinguish between a “regular” bitcoin transaction and one that has interacted with a mixer after the fact.
Bitcoin’s many mixers
Most bitcoin transactions are publicly available for all to see, and anyone with a block explorer, a software tool that provides information on cryptocurrency transactions, can review practically any bitcoin transaction that has ever taken place.
Mixers are software programs or protocols designed to thwart such snooping. When a transaction is sent through a mixer, it’s jumbled up with other transactions in order to sever the connection between sender and receiver.
Read more: Bitcoin Mixers: How Do They Work and Why Are They Used?
Just as a bank protects its customers’ financial activities, privacy tools like mixers are designed to protect Bitcoin users’ activities from prying eyes. Sure, some people take advantage of mixers for illicit purposes, but others just want to keep their financial activities, like charitable and political donations, for example, private. (Remember the Canadian truckers?)
Mixers provide that privacy, but they aren’t perfect. While it’s extremely difficult to trace the history of a mixed coin’s transactions before it got to the mixer, it is still fairly simple after the fact to see that a coin has been through a mixer. And that is where the censorship happens.
When users send their coins through a decentralized mixer, the process of mixing often generates a distinctive transaction output that makes it obvious a mixer was used. Questions about illicit activity naturally come up if regulators (or regulated entities like cryptocurrency exchanges) see too many of these quirky mixer transactions.
Decentralized mixers provide software for people to interact peer-to-peer. There is no centralized entity that holds the mixed funds, and so there is no one target for regulators to home in on. Instead, it is the resultant transactions themselves that are vulnerable to sanctions and censorship.
One solution is straightforward (but not always simple): Make mixer transactions look like regular transactions so that they can’t be targets for censorship.
Here are some of the techniques that bitcoiners are able to use in order to protect their privacy through coin mixing.
CoinJoins
CoinJoins are a way of mixing multiple bitcoin transactions to enhance privacy. Users send bitcoin into a pool where the coins are mixed with other bitcoin. Upon withdrawal, users receive the same amount of bitcoin as they sent in, but the origin of that bitcoin has been obfuscated by the mixing activity.
CoinJoins can be performed independently by a group of individuals through a wallet like Samourai or Wasabi that uses a centralized CoinJoining service or via a decentralized CoinJoining marketplace like JoinMarket.
The pitfalls: Although CoinJoins obfuscate a bitcoin’s transaction pathway, snoopers can readily determine a CoinJoin has taken place by looking at the Bitcoin blockchain. This raises censorship concerns as certain entities may choose to censor CoinJoin transactions in order to comply with regulatory mandates.
PayJoins
PayJoins are similar to CoinJoins and are based on the same principle: Two individuals mix their bitcoin, obfuscating the distinction between sender and receiver.
PayJoins and CoinJoins can be used together. In fact, CoinJoin wallets like Wasabi and Samourai also support PayJoins. A list of compatible wallets can be found on a PayJoin adoption Bitcoin Wiki page.
The pitfalls: The main catch with PayJoins is that they can be conducted only between two parties. That limits the number of PayJoin use cases. In fact, only a handful of wallets with fully functional PayJoin implementations exist. A limited number of implementations also means a smaller pool of fellow “PayJoiners” to collaborate with.
CoinSwaps
CoinSwaps allow two or more users to swap bitcoin by creating a set of transactions that (to an outsider) look like unrelated payments. Like their CoinJoin cousins, CoinSwaps confer privacy by obfuscating a bitcoin’s transaction pathway.
“Imagine a future where a user Alice has bitcoins and wants to send them with maximal privacy, so she creates a special kind of transaction. For anyone looking at the blockchain her transaction appears completely normal with her coins seemingly going from address A to address B. But in reality her coins end up in address Z which is entirely unconnected to either A or B,” developer Chris Belcher wrote in his initial CoinSwap design proposal.
Read more: Now You Can Try ‘Teleporting’ Bitcoin for Greater Privacy With CoinSwaps
The pitfalls: CoinSwap transactions currently look like multisignature transactions (instead of standard single signature transactions). This makes them conspicuous and vulnerable to potential censorship – a drawback they share with CoinJoins.
Privacy improvements are coming
Bitcoin’s Taproot upgrade in November 2021 introduced features that have the potential to tackle many of the pitfalls mentioned above. Primarily, it will help to make coin-mixing transactions less obvious to anyone trying to filter them out.
Schnorr Signatures
Schnorr signatures were introduced in Bitcoin’s Taproot upgrade, which took place in November 2021. They are a simpler and more efficient alternative to the Elliptic Curve Digital Signature Algorithm (ECDSA) signatures that are commonly used today. Schnorr signatures allow a group of users to combine their signatures so that only one signature is used (a process called aggregation). From a privacy perspective, multiple signers make it difficult to accurately determine the identity of each signer.
MuSig2
Another benefit of Schnorr signatures is the ability to combine multiple public bitcoin addresses (public keys) into a single address. This can be achieved by using a signature scheme called MuSig2. When bitcoin is sent to these composite MuSig2 addresses, it resembles standard bitcoin transactions rather than multisig transactions. This is yet another way to enhance privacy by obfuscating the source of a transaction and by making a multisig transaction look like a regular single signature transaction.
MAST
The Taproot upgrade also integrated Merkelized Alternative Script Trees (MAST). MAST integration reduces transaction size and increases transaction privacy. This is done by concealing transaction spending conditions. Bitcoin has a feature called a timelock script that allows a sender to specify conditions under which funds can be spent (e.g. 1 bitcoin can be spent three days after receipt). These instructions are included in the transaction data, which potentially undermines privacy. MAST allows for better privacy by combining, hashing and thereby concealing these spending instructions.
Cross-input signature aggregation (CISA)
Cross-input signature aggregation is an exciting Bitcoin enhancement that hasn’t been implemented yet but is in the works. It’s a feature that will allow multiple inputs in a bitcoin transaction to share a single signature. Currently, each input in a bitcoin transaction requires its own signature.
The primary privacy benefit is it will make mixing activities like CoinJoins and PayJoins cheaper. With CISA, the fees for a CoinJoin are the same as the fees for a single transaction. Since CoinJoins are performed by groups, the fee for each member of that group is only a fraction of the total fee. In fact, the cost of a bitcoin transaction drops as the size of the CoinJoin group grows.
The hope is that cheaper CISA transactions will increase the use of CoinJoins, and the resulting increased use of CoinJoins will ultimately increase privacy for everyone.
Read more: Most Influential 2021: The Developers Who Wrote Bitcoin’s Taproot Upgrade