wasabiwallet / Wasabi Wallet
npub167h…schc
2023-03-30 16:22:08

Including toxic change in coinjoins has efficiency and UX tradeoffs, making it hard for users to handle.

Not ideal.

Isolating this change before the coinjoin is another option presented by Whirlpool. How does it work and is it a good idea?

Whirlpool relies on 4 pools, namely 0.5 BTC, 0.05 BTC, 0.01 BTC & 0.001 BTC. Multiple pools carry the inherent issue of splitting liquidity, which can lead to delays + lower privacy.

If a user has one 0.17 BTC coin, they have to do a “Tx0”: a way to exclude the change before a Whirlpool coinjoin.

Here’s how it works. Assume the user chooses the 0.05 BTC pool to coinjoin. Before the user gets into the coinjoin, they break the 0.17 BTC input into 3 standard ~0.05 BTC outputs and a ~0.02 BTC change output, plus pay the coordinator fee.

The three ~0.05 BTC outputs are then expected to coinjoin in the 0.05 BTC pool, while the remaining ~0.02 BTC is sent to a different, automatically-generated sub-wallet to hold the “doxxic change.” It is technically accurate that Whirlpool coinjoins do not have toxic change, but change is still created and can be followed. It's just in the Tx0 before the coinjoin.

Tx0 isolating the toxic change output in a self-spend transaction before a coinjoin is worse for privacy than having it included in the coinjoin, since there are no other potential owners of the change output created. The user’s change is alone and traceable.

Wait, really?

Isolating toxic change from private coinjoin outputs may initially sound good, but it comes with inherent downsides regarding cost and UX. So, how does a user manage their isolated toxic change outputs? Change may be a lot of money, such as ~0.02 BTC above. The user can send the toxic change to a smaller pool, pay new coordinator fees, but there would still be leftovers. This would link 2 Tx0s, which connects the user to these 2 seemingly unrelated txs.

Using a sub wallet for change hinders legitimate edge cases in which a user could be willing to consolidate a UTXO from a coinjoin with a change output, like when a new user realizes with surprise that the wallet has sent his XPUB to the wallet servers by default.

Change output isolation also creates a burden on the user as they have to deal with another non-standard sub-wallet. Creating a separate sub-wallet to isolate change outputs from coinjoin transactions is, at best, an experiment or a total privacy sacrifice that has proven quite blockspace inefficient, and therefore expensive for users.

While some vocal proponents praise it, Tx0 seems to be a naive attempt at handling toxic change in coinjoins. Wasabi 1.0 & JoinMarket, where change is included in coinjoins, are better at protecting user privacy in terms of usability, blockspace efficiency and fees.

On KYCP & OXT websites, 2 closed-source chain analysis tools, Whirlpool coinjoins look "prettier" than JoinMarket & Wasabi coinjoins since the change output is created in the previous transaction. However, doing this offers no privacy advantage & is blockspace inefficient.

In Wasabi 1.0 & JoinMarket, change is in the coinjoin, making it blockspace efficient but “ugly” since not all outputs are equal. In the inclusion strategy with multiple users, even the change may not be clearly connected to its input. In Tx0, change is 100% clear.

Whirlpool users have to choose which pool they want to participate in and have to take part in at least two transactions, which is a Tx0 to isolate the change, followed by an equal output coinjoin transaction. Not ideal.

The design of Whirlpool limits the number of inputs & outputs to five each, so a user looking to hide in a large crowd must coinjoin quite a few times due to their small size, adding further delays.

Is there a better way to manage toxic change in coinjoins apart from isolation or inclusion? One strategy is to flip the problem on its head: Instead of trying to manage toxic change by isolating or including it in coinjoins, why not just get rid of it?

Eliminating toxic change from coinjoins is the next evolution in bitcoin privacy. Next, we will analyze how Wasabi 2.0 and its new coinjoin protocol, WabiSabi, work to eradicate this privacy concern in the Zerolink protocol. (Hint: it’s about arbitrary-amount coinjoins)

If you want to read more on the full topic, TheBitcoinConf (npub1t8a…56yu) has the full article available here:

https://bitcoinmagazine.com/technical/toxic-change-wabisabi-bitcoin-coinjoin-privacy
Author Public Key
npub167hmfzj38hkumks4wxny89797la0sf7wnwfrw4enlmcl82msp0cs78schc
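
The post's comparison of Tx0 change with change inside a multi-user coinjoin can be checked with a small subset-sum test. This is an added example, not code from the post, Whirlpool or Wasabi; every amount, the fee tolerances and the 0.05 BTC coinjoin denomination are constructed, and `candidate_funders` is a hypothetical helper name.

```python
from itertools import combinations

def candidate_funders(inputs, change, denom, max_fee):
    """List every set of input indices that could have funded `change`.

    A set fits when sum(set) = k*denom + change + fee for some k >= 1
    and 0 <= fee <= max_fee. All amounts are in satoshis, max_fee < denom.
    """
    fits = []
    for size in range(1, len(inputs) + 1):
        for subset in combinations(range(len(inputs)), size):
            leftover = sum(inputs[i] for i in subset) - change
            # k = equal-value outputs bought, fee = what is left over.
            # A smaller k only makes the implied fee larger, so one divmod suffices.
            k, fee = divmod(leftover, denom)
            if k >= 1 and fee <= max_fee:
                fits.append(subset)
    return fits

DENOM = 5_000_000  # 0.05 BTC equal-value output

# Constructed Tx0 from the post: one 0.17 BTC coin, three 0.05 BTC outputs,
# ~0.02 BTC change. The fee tolerance (coordinator + mining) is assumed.
TX0_INPUTS = [17_000_000]
TX0_CHANGE = 1_900_000
TX0_MAX_FEE = 300_000

# Constructed coinjoin with change included: three users, one input each.
CJ_INPUTS = [7_000_000, 12_000_000, 8_500_000]
CJ_CHANGE = [1_990_000, 1_985_000, 3_480_000]
CJ_MAX_FEE = 20_000  # assumed per-user mining fee tolerance

def report():
    """Map each change output to the input sets that are consistent with it."""
    result = {"tx0": candidate_funders(TX0_INPUTS, TX0_CHANGE, DENOM, TX0_MAX_FEE)}
    for amount in CJ_CHANGE:
        result[amount] = candidate_funders(CJ_INPUTS, amount, DENOM, CJ_MAX_FEE)
    return result

if __name__ == "__main__":
    for label, sets in report().items():
        print(label, "->", len(sets), "candidate input set(s):", sets)
```

In this constructed data the Tx0 change has exactly one possible funder, two of the coinjoin change outputs fit two different inputs, and the third is still uniquely linked, which matches the post's "may not be clearly connected" wording.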