2022-7-19 05:00 |
Whirlpool gives a certain level of privacy when using bitcoin, and forward-looking anonymity sets are a measure of how well hidden you are.
Let’s talk about Whirlpool “forward-looking anonymity sets” — the crowd in which you are hiding in.
To date you may be familiar with the Whirlpool CoinJoin implementation which is available on the Samourai Wallet mobile app, or Sparrow Wallet desktop app. When you participate in a Whirlpool CoinJoin you gain privacy by collaborating in a multiparty transaction which leaves anyone looking on-chain scratching their head while trying to decipher where your bitcoin has gone.
A Whirlpool CoinJoin is just like any other bitcoin transaction, made up of inputs and outputs. However each input is provided by a different bitcoin wallet, and each output is returned to one of the participating wallets. This transaction is organized by Samourai Wallet’s central Whirlpool coordinator, all the time without the coordinator knowing which input belongs to which output (“blinded”), and without you ever giving up custody of your bitcoin.
Let’s say it’s the end of the month and I’ve just been paid by my employer. Before I spend any of my bitcoin I first wish to use Whirlpool to gain some forward-looking privacy. After all, the bitcoin blockchain is a public ledger and I feel it my right for my employer to not know what I get up to in my private life, including them knowing my spending habits.
I enter Whirlpool, providing one of the inputs and participate in a transaction which looks like this:
Observing on-chain it is impossible to determine which one of the five outputs is mine. The reason why it is “impossible” is because all deterministic links are broken between the input and output side of the transaction. So if my sneaky employer were to decide they were going to try and spy on my spending habits after I was paid, they would see that I’ve “entered” Whirlpool and would now have to assume I am hiding in a crowd of five, right? Well I could actually be hiding in a crowd larger than five. Enter Whirlpool forward-looking anonymity sets …
Whirlpool Forward-Looking Anonymity SetsWhen you use Whirlpool, depending on the pool size you choose, your bitcoin is broken up into smaller pieces in one of the following denomination sizes: 0.5 BTC, 0.05 BTC, 0.01 BTC, or 0.001 BTC. Due to Whirlpool’s architecture, outputs which remain in these pool denomination sizes are free to be remixed at no additional cost to the user (more on that later).
After my first mix, if I or one of my mixing peers remixes, the crowd which I am hiding in (forward-looking anonymity set) increases from five to nine.
My equal output UTXO does not need to remix for the crowd in which I am hiding in to grow. Whether it is my UTXO which remixes or one of my mixing peers, there is no way to tell on-chain which UTXO from the first mix has been remixed. There are now nine equal outputs connected to my first mix, so my spying employer would have to assume I could be any one of them.
This next graphic demonstrates how the crowd in which I am hiding can grow without me remixing. After my first mix, my UTXO, the red circle, remains in a Whirlpool pool denomination size and has not been remixed. However two of my mixing peers have continued to remix and there are now four more CoinJoins associated with my first mix. To calculate my new forward-looking anonymity set, here I would count up the equal-output UTXOs (orange circles) plus my own equal-output UTXO (red circle) and I arrive at a crowd of 21.
On-chain the orange circles are indistinguishable from my red circle, therefore my employer would have to pursue all 21 different leads should they wish to track me since “entering” Whirlpool. Even if they were to try to keep tabs, they could not say with any certainty which of the 21 UTXOs I am.
How Is Remixing Free?Before discussing further about forward-looking anonymity sets and looking at some real world examples, for the uninitiated it’s worth breaking down exactly how remixing is free in Whirlpool.
When you first “enter” Whirlpool, your Samourai or Sparrow Wallet broadcasts what is termed the “Transaction Zero,” or Tx0 for short. This is a pre-transaction before “jumping in the pool,” and it does three things:
Have a look here at this real world Tx0 in the following block explorers:
Transaction ID: bcb4d9dfde37215f2ede6142c651981e22f70e549c03cd341a71dffe8b2dce57
kycp.org oxt.me (double-click on the blue circle to expand the transaction, then zoom out)mempool.spaceIn the graphic below note that 3 x premix UTXOs have been created in this Tx0, all owned by the same wallet and destined to each be mixed in the 0.001 pool. Also note each of these UTXOs is of slightly more value than the chosen pool size. Hold that thought!
It’s worth mentioning here a highly important aspect of a Tx0; management of Doxxic change. Doxxic change is your bitcoin which still holds any previously associated history, however is too small to be Whirlpooled1. The Tx0, by design, returns the Doxxic change to a different area in your wallet than your bitcoin which has been mixed. This means it is impossible to shoot yourself in the foot by accidentally creating a transaction in the future where you spend your mixed bitcoin in the same transaction as your Doxxic change. Doing so would unwind the privacy benefits of CoinJoining.
Now you’re ready to mix. One by one your pre-mix UTXOs are selected by the Whirlpool coordinator to participate in their first CoinJoin. One of your pre-mix UTXO will be one of five inputs in the CoinJoin transaction.
The Whirlpool coordinator also organizes a second pre-mix UTXO to participate (“peer pre-mix UTXO”)2. This additional peer pre-mix UTXO is from another user’s wallet which has just gone through the same process you have when you entered Whirlpool. Remember how when you create your transaction zero your bitcoin is broken up into multiple pool-size denominated UTXOs, plus a little extra? Well if you add up the “little extra” of the pre-mix UTXO and the peer pre-mix UTXO, that is what pays the miner fees for the CoinJoin transaction. In the graphic below the amount to be paid to the bitcoin miners is 907 sats plus 907 sats, totaling 1,814 sats.
Now it’s the remixer’s time to shine. The Whirlpool coordinator selects at random three remixing UTXOs which have already undergone their first mix. The three remixing UTXOs are sat in their respective wallets and importantly remain in Whirlpool’s “unspent capacity” as they have not been spent by their owners. So long as their associated wallet is online communicating with the Whirlpool coordinator, they are eligible for remixing.
So to recap:
Your pre-mix UTXO: pays for CoinJoin miner feesPeer pre-mix UTXO: pays for CoinJoin miner feesRemixing UTXOs: participates in the CoinJoin for free (also termed a “freerider”)Once the CoinJoin has been organized between five separate wallets, the transaction is broadcast to the Bitcoin network automatically. Five inputs into the transaction have been destroyed, creating five fresh indistinguishable equal outputs. All equal outputs are now eligible for remixing if their owners so please.
Although remixing UTXOs are termed “freeriders,” they are integral to Whirlpool’s architecture not only in providing forward-looking anonymity for the pre-mixers who are paying the CoinJoin transaction miner fees, but they are also increasing the forward-looking anonymity set for their previous mixing peers.
It is also important to note that your UTXOs (whether a pre-mix one, or remixing one) will always be mixed in their own CoinJoin transaction. Multiple UTXOs in your wallet will never be mixed in the same Whirlpool CoinJoin transaction together, as this provides the best anon-set guarantees and also prevents users or entities Sybil attacking Whirlpool.
TLDR: The new liquidity “entering” Whirlpool covers the mining fee for every Whirlpool CoinJoin transaction. Those UTXOs who have already “entered” Whirlpool and have undergone their first mix (paying the fixed pool fee plus miner fee) do not pay a single satoshi more to participate in remixes, so long as they remain in their pool denomination size / unspent capacity.
Whirlpool Forward-Looking Anonymity Sets ContinuedTheory is all well and great, but how can you as a Whirlpool user calculate the size of the crowd you are hiding in? Try using OXT’s transaction graph visualizer to search for your first mix CoinJoin transaction, then:
Add up the orange lines to get your forward-looking anonymity set (33 in this example below).
This works well for smaller numbers, but Whirlpool mixes occur frequently (average of 211 mixes per day in the 0.001 pool so far during 2022). Manually counting forward-looking anonymity sets can quickly become impossible. Queue Whirlpool Stat Tool ...
Whirlpool Stat ToolWhirlpool Stats Tool was made by the Samourai Wallet developers to allow users to verify themselves the anonymity sets which are achieved by using Whirlpool. Using a set of python scripts, it quickly calculates the forward-looking anonymity set for you. Enter in a transaction ID for your first mix and it'll tell you the size of the crowd you're hiding in since your Whirlpool CoinJoin occurred.
Because I run a RoninDojo node, Whirlpool Stats Tool is pre-installed and easy to use by following the guide on their wiki.
Using the tool over the last 93 days I have been monitoring the forward-looking anonymity set of this Whirlpool CoinJoin transaction ID:
1fed0d526e89cd3f2ac14be0cfc1fe13e5cb8a772977551f0922f0c6907ab8f3
Let's see how large the crowd its participants are hiding in is:
28 days after mix: forward-looking anonymity set = 1,644
35 days after mix: forward-looking anonymity set = 6,722
93 days after mix: forward-looking anonymity set = 35,214 (as shown in Whirlpool Stats Tool on my RoninDojo below).
Hiding in a crowd of 35,000 it is now impossible (dare I say it) for anyone, including a chain surveillance company, to determine where the original mix participant's bitcoin is. Perhaps they've already left Whirlpool and spent their bitcoin, or maybe they have stuck around to get free remixes.
What I find interesting about this particular transaction ID is that as of the time of writing this article, one of the outputs remains unspent (just like the red circle of the earlier graphic). This unspent output has remained this way since the transaction was confirmed into block 728,735 on March 24, 2022.
Even though this UTXO has not moved, it has benefited from Whirlpool's architecture as three of the other participants went on to remix. This allowed this unspent output of 0.001 BTC to gain a larger forward-looking anonymity set without remixing itself. If none of the outputs from this transaction went on to remix, the forward-looking anonymity set would remain at five.
It's important to remember that all deterministic links are broken after one mix, but you get greater privacy benefits if you, or other peers remix. Let’s look at some more forward-looking anonymity set stats from some CoinJoins ...
More Whirlpool Forward-Looking Anonymity Set ExamplesTransaction ID:
c0f11a33a3f2470bb4252c155ced5eb670aaf0ed2f0eef8674dc90c52905860d
Two days after mix: forward-looking anonymity set = 77
Transaction ID:
5f5631356692b4744413a61b4e91c41c3df5ae376b66990052a8628b570e8353
Seven days after mix: forward-looking anonymity set = 380
Transaction ID:
901f20a383189c496a8774eb8cafeaa956f8c3393ee41701f163c0c2acf54286
Ten days after mix: forward-looking anonymity set = 1,466
Privacy FarmingAfter entering Whirlpool your first mix is quick, and the CoinJoin you have participated in has worked as designed by breaking all deterministic links. Now you’re itching to get some free remixes but wondering “How many remixes can I expect in one week?” This is a common question asked by new Whirlpool users who naively only count their privacy gains in terms of how many mix cycles each of their UTXOs has participated in.
Remixing does of course increase your own forward-looking anonymity set, but don’t forget that other mixing peers who remix increase your forward-looking privacy too.
“But how many remixes can I expect in one week?!” Before answering we need to consider the following:
New users who enter Whirlpool pay for the CoinJoin cycle. So only when new liquidity comes into Whirlpool do you have a chance at remixing.Other users (“freeriders”) are also waiting to get free remixes. The Whirlpool coordinator selects freeriders at random to participate in remixes, so there is somewhat of a competition as everybody wants to be picked.Each Whirlpool pool size has different behavior characteristics.Let’s explore these one by one.
Here are the weekly CoinJoin cycle frequencies per pool size for 2022.
Unsurprisingly the 0.001 BTC pool is the most active pool in terms of cycle count.
How much freerider competition is there in each pool? To get this stat (and many others including cycle frequencies) you can use the Telegram Whirlbot.
For each CoinJoin the Whirlpool coordinator picks three freeriders at random to participate.2
As a freerider there is more competition in the smaller pools, with more frequent CoinJoin cycles. The larger pools have the opposite, less freerider competition, with less frequent CoinJoin cycles.
Finally let’s turn our thoughts to the behavior characteristics of each pool based on historical Whirlpool usage. If you have been a Whirlpool user for some time you’ll have likely noticed the smaller pools are most consistently used on a daily basis with a steady stream of liquidity. If I were to guess, this is because they are the lowest barrier to entry and most likely to be used for everyday spending. The larger pools on the other hand, though almost never quiet, see larger peaks and troughs of new liquidity — and when it rains, it pours.
So now you understand that the remixes you’d see in one week depend on new liquidity entering Whirlpool, random selection by the coordinator, and characteristics of which pool size you are using. Based on average Whirlpool usage to date during 2022 your wallet will likely get anything from 5-25 remixes per week. Though coordinator selection is random, so you could in theory get less or more, and that would still be classified as normal.
One way to consider all of this is that awaiting remixes is like yield farming for bitcoin privacy, and those who are patient and continue to keep their bitcoin remixing until they need to spend in the future are being paid interest in the form of increased anonymity. Patience pays.
Be Eligible To Remix 24/7To be a freerider you’ll want your wallet to be in communication with the Whirlpool coordinator 24/7. That way when a mix is about to occur, you have a chance at being picked by the coordinator for inclusion as a remixer. You’ll therefore want to do one of the following:
Leave the Whirlpool service screen open and active on your Samourai Wallet mobile app. This is the least practical and some Android devices can kill background services, so some but not all users have positive results achieving remixes this way.Run the Whirlpool GUI desktop application on your computer (linked to your Samourai Wallet). This is by far the lowest barrier to entry option for Samourai users, and has greater reliability for connections over the Tor network. By leaving your computer turned on, with the Whirlpool GUI desktop application running, you’re eligible for remixing.Run a RoninDojo node. After linking your Samourai Wallet to your node’s backend, you can turn off your phone or computer and you’ll always be eligible for remixing. A slightly larger barrier to entry, but the benefits far outweigh the hurdles.Mix on the Sparrow Wallet desktop application. Sparrow integrated Whirlpool into their wallet software in September 2021, sharing the same liquidity pool as Samourai Wallet users. Sparrow has a wealth of other features and also allows you to mix to cold storage. For remixing eligibility, ensure your computer remains on with the Sparrow application running.Whirlpool Unspent Capacity: A True Measure Of Whirlpool’s Success?Whirlpool unspent capacity is the current amount of bitcoin which has mixed, not been spent and is eligible for remixing. You can monitor this metric in Clark Moody’s dashboard:
You can also get a breakdown of the unspent capacity per pool size using the Bitcoin KPIs website. To me the Whirlpool unspent bitcoin value is interesting, and with it remaining above 4,000 BTC for the last seven months shows a level of confidence in Whirlpool and Samourai/Sparrow’s wallet software. What I find more interesting is the volume coming in and out of Whirlpool over the last 30 days (shown in Clark Moody’s dashboard as “Tx0 Volume” and “Spent Cycle Output” respectively). This is what feeds the privacy gains that Whirlpool provides, for both the new liquidity entering, and the freeriders remixing, even if there is a deficit between the two values. Samourai Wallet is branded “a bitcoin wallet for the streets,” and their founders are advocates of actually using bitcoin rather than “HODLing to the grave.” Monitoring these large flows of bitcoin go in and out of Whirlpool shows there is demand for forward-looking privacy when making on-chain transactions, of which Whirlpool is successful in achieving for its users.
Care About Your Bitcoin Privacy? Read MoreThe Easiest Way To Whirlpool Your Bitcoin And Preserve Privacy – Bitcoin Magazine article by Econoalchemist.
Bitcoin Privacy Series – seven short introductory videos.
Understanding Bitcoin Privacy with OXT – a four-part article series.
Endnotes:
1. for the purposes of describing the Whirlpool flow in this article, this point has been simplified. Change may also be returned to you if the amount which you are attempting to send into Whirlpool goes above the maximum limit enforced by the Whirlpool coordinator. Discounting the coordinator pool fee output, the 0.001 BTC pool has a 25 x UTXO maximum Tx0 limit, and the 0.01 BTC / 0.05 BTC / 0.5 BTC pool has a 70 x UTXO maximum Tx0 limit.
2. for the purposes of describing the Whirlpool flow in this article, this point has been simplified. While it is most common for a Whirlpool CoinJoin transaction to be made up of two pre-mix UTXOs, it is also possible for a Whirlpool CoinJoin transaction to constitute three pre-mix UTXOs.
This is a guest post by Brother Rabbit. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc. or Bitcoin Magazine.
Similar to Notcoin - Blum - Airdrops In 2024