Due to that fact that the Bitcoin blockchain is a transparent ledger, one needs to take additional measures to acquire privacy and fungibility for their transactions. All these techniques are usually given the term “mixing”.
Bitcoin mixing, the act of trying to obfuscate your transactions on the bitcoin network, is an active field of research and seems to be heading into new directions in the coming years.
Early on there were only centralized mixers which could be risky to use due to possible exit scams which would result in losing the money you’ve put in. There was also the risk that the mixer could always be seized by TLA’s. There were also mixers that functioned as a honeypot which would render your privacy worthless. In more recent times new protocols were developed to make the mixing more decentralized and trustless.
In this article we won’t go into the implementation details of all these mixing techniques, we’ll on the other hand try to get a more general analysis of the properties of 2 types of mixing techniques.
First we need to distinguish between “privacy” and “fungibility”: these properties of cash are related, but aren’t the same. Transacting privately we’ll define as not standing out from the crowd. Ideally nobody is able to determine the origin, amount and destination of a transaction. Fungibility we’ll define as “all money is equal”. When you receive a transaction, the history of that money isn’t clear.
These 2 properties don’t necessarily always come together. An example of a non-fungible private transaction is art that is bought anonymously at an auction. An example of a fungible non-private transaction is donating money above the reporting threshold to a political campaign.
Cash transactions on the other hand are private and fungible by default: when you receive cash, you don’t know what the history is of that cash and nobody is able to observe the cash transaction so only the parties involved know the sender, amount and destination.
The first category of mixing I’ll refer to as “clearmixing”: you can easily identify the mixing transactions on the blockchain.
The most popular protocol for this type of mixing is Coinjoin: basically a bunch of users cooperate to create one big transaction. This protocol is currently implemented in the Wasabi-wallet. The mixing protocol implemented in this wallet forces participants to receive equal 0.1 BTC outputs so all UTXO’s from the coinjoin-transaction look the same and you can’t determine which of the participating inputs is the origin of a certain 0.1 BTC output. [There are a lot of attack vectors though, to try to partly deanonymize a specific coinjoin-transaction, but we won’t cover that here]. The anonymity set is limited though to the participating UTXO’s. Still, this results in reasonable fungibility post-mixing as you can’t easily determine the origins of the money. The Coinjoin-transaction did effectively cut the history of the money loose from the now “brand new” 0.1 BTC UTXO.
The second category of mixing I’ll refer to as “hiddenmixing”: these types of mixing protocols try to hide the fact that they are mixing. It’s not easy to identify these transactions as mixing transactions as they look like regular transactions.
A popular protocol in this category that is already implemented in Samourai Wallet and BTCPayServer is “pay to end point” (P2EP) also known as “PayJoin”. With this protocol a payer and payee of BTC work together to create a transaction: both the payer and payee provide an input for the transaction, and both receive an output where the payer receives less money than he put in (this is the payment amount) and the payee receives the a bigger amount than he put into the payjoin. The result is that a regular payjoin transaction will be a transaction with 2 inputs and 2 outputs. A spectator of the blockchain can’t easily identify this transaction to be a payjoin, as a normal spending transaction often has 2 inputs and (almost) always has 2 outputs (payment and change).
Another protocol in this category that is still being developped is CoinSwap: this protocol uses atomic swaps to exchange UTXO’s between the 2 participating users. Both parties send their UTXO(s) to a 2/2-multisig address and cooperate to release the coins to the other party. These transactions will probably look like regular “consolidation transactions” with 1 or more inputs and a single output that is locked in the multisig-address. This transaction will usually be followed by a “claim transaction” that moves the funds from the multisig address to the address owned solely by the participating party, so a 1input/1output-transaction. These types of transactions aren’t as common as normal spending transactions, but maybe with some improvements, it is possible to implement these coinswap transactions in a way that look more like normal spending transactions. There is still ongoing research happening by Chris Belcher, who is funded by the Human Rights Foundation.
There are some issues with both clearmixing and hiddenmixing though: while, as mentioned, clearmixing can provide a reasonable level of fungibility, it’s obvious that the resulting UTXO’s are mixed coins. Users of clearmixing stand out from the crowd. They didn’t mix in private. This behaviour can flag your UTXO’s and when you deposit them at a regulated entity, you may have some additional explaining to do about the origins of the money. It’s also possible that your deposit get rejected and your account will be closed. So clearmixing seems to have some privacy issues.
On the other hand, hiddenmixing seems to be able to hide the fact that a mix happened, which actually provides users of these protocols a good level of privacy. They hide in the crowd, they don’t stand out. But there exists a big fungibility issue: if you mix your coins with a counterparty that obtained his coins in an illegal way, your resulting outputs can become tainted. In the specific case of coinswap, you actually take over the whole liability, as the coins literally are swapped between you and your couterparty. When these tainted coins get connected with your real life identity, you’ll have a very hard time explaining to a judge that it wasn’t actually you who is the drug dealer, but that anonymous guy you swapped your coins with.
The catch-22 is that you can’t have both: you can’t hide in the crowd and try to have no taint at the same time due to the fact that blockchain analysis companies have their heuristics. If you mix by mimicking regular behaviour, these companies will apply their anaylsis tools on your mixing transactions like any other transaction. With clearmixing you at least know your UTXO’s will be treated as mixed coins. With hiddenmixing this isn’t the case, it’s basically a gamble. Each user of mixing techniques should be aware of these trade-offs and chose the situation that likely will result in the most desirable outcome. In my opinion, it doesn’t seem possible for Bitcoin to function as digital cash.
There is one theoretical possibility to “solve” the catch-22: if (almost) everybody would use a form of hiddenmixing all the time, there would be too much false positives when flagging coins, so the heuristics by analysis companies would break. This doesn’t seem likely though for 2 separate reasons:
1) There will likely always be people who want to keep (a part of) their funds in a transparent way and won’t participate in mixing. If you’re just an investor, why risk mixing your coins with an anonymous counterparty? So if you do choose to use mixing techniques, you can accidentally make yourself suspicious.
2) While clearmixing can give you reasonable fungibility, the level of fungibility with hiddenmixing is lower, as there is only one counterparty for each mix. If you want to have a good level of privacy and fungibility, you’ll need multiple rounds of hiddenmixing. This will likely cost you a lot in bitcoin transaction fees over time. Certainly for smaller amounts, it seems that attaining a good level of privacy is not really feasible.
My conclusion is that, as long as mixing isn’t enforced by the Bitcoin network, which would require major code changes and likely a hard fork, bitcoin mixing will probably always have to deal with this catch-22.