2022-5-20 01:30 |
The feud between bitcoin mixing services Wasabi and Samourai should not come down to the latter’s Transaction Zero feature.
Wasabi Wallet versus Samourai Wallet has been one of the longest running feuds in this ecosystem. Privacy on Bitcoin is a very vital property, with a lot of work having gone into providing solutions to date, as well as a lot of work left to do in improving it.
I personally think the feud and the consequences of it are a rather sad state of affairs, on both sides there have been personal attacks, inaccurate statements made about the other project and consistent attempts at marketing rooted in both of those things. It has done quite a lot to set back an understanding of how to achieve privacy using Bitcoin, as well as the adoption of privacy tools among the wider Bitcoin community.
Disentangling all of the fallout and misconceptions resulting from this feud would probably take a small novella, but there is a single technological difference between the two projects that I would like to concentrate on here. Each project utilizes a different transaction structure and flow when engaging in CoinJoining. Wasabi elects to create very large transactions to include a substantial amount of inputs and outputs, creating a larger anonymity set per transaction. Samourai elects to engage in much smaller transactions with structured interactions across them and compound anonymity across many successive transactions.
Samourai’s TX0Part of the design of Samourai is Transaction Zero (TX0). This is a kind of setup transaction preceding the actual CoinJoin transactions. It splits up the original, unmixed input into individual mix-denomination outputs, the change outputs, and is where Samourai collects its mixing fee for coordinating the CoinJoins.
Breaking the original unmixed output into mix-denomination outputs firstly allows all of them to join the queue for mixing at once because, remember, Samourai coordinates many smaller CoinJoin transactions in parallel and much more quickly. TX0 allows your coins to take advantage of these parallel mixes more quickly, otherwise you would have to wait until you shave off a mix-denomination output one by one and receive your change back inside the CoinJoin transaction itself to use as an input in the next one. Given that Samourai has many CoinJoins occurring in parallel, this would be a very inefficient design.
One of the longest running talking points in the feud between the two projects is that TX0 provides a fundamental privacy improvement over not having a TX0. The claim traditionally made is that by removing and isolating the change output in the pre-CoinJoin transaction instead of the first CoinJoin transaction, mixed UTXOs are made more private. That is totally inaccurate.
To break through why, I'm going to go through how things look on-chain for both a Samourai and Wasabi mix.
Transaction Graph CorrelationsThe whole purpose of a CoinJoin is to obscure the connections between the inputs and outputs of a Bitcoin transaction. By structuring a transaction involving multiple people that takes inputs and creates outputs of the same denomination, recycling them in future rounds if users choose to, you can create Bitcoin transactions where outside observers cannot be certain which inputs correlate to outputs in terms of ownership. If five people provide inputs of any value, and all receive outputs of the same denomination (say 0.01 BTC), then an outside observer cannot be certain which owner of any given input owns any resulting output of the mix denomination (0.01 BTC).
So let's sit through and think about what happens when you first go to mix with Samourai. You take 1.1 BTC and go to mix with Whirlpool in the 0.5 pool, the first thing that happens is your TX0. Your 1.1 BTC is broken up into two outputs of 0.5 BTC, and then the change output of 0.1 BTC.
At this point, it is still clear that all of these outputs are owned by the same person. You then queue up the two 0.5 BTC outputs into the mix pool, and they eventually take part in the first actual CoinJoin transaction. At this point, an outside observer knows the initial 1.1 BTC input is owned by one person, that the 0.1 BTC change output is still owned by that person, the first coinjoin transaction that each 0.5 BTC output took part in, and the fact that the observed person owns one of those transaction outputs (though not which specific output).
The only way that the 0.1 BTC change output can in any way damage the privacy of the two 0.5 BTC mixed outputs is if it is spent and combined with them in a single transaction, or in some other way tied together with them on the blockchain (like sending the change output to the same address that you have sent a mixed output to).
Let's think about what happens when you mix with Wasabi. You take the same 1.1 BTC input, and queue it for a mix. These days, Wasabi supports a few different mix denominations, but for simplicity's sake, let's just assume they only support mix denominations of 0.1 BTC. That input is queued, the CoinJoin occurs, and you receive a 0.1 BTC mix denomination output, and a 1.0 BTC change output. What does the outside observer see? They see that the owner of the 1.1 BTC input still controls a 1.0 BTC change output, they see the first CoinJoin transaction they took part in, and they know that person owns one of the 0.1 BTC mix denomination outputs in that transaction (though not which specific output that is).
They learn the exact same information that they learn observing a Whirlpool mix. If the Wasabi user repeats the process with their change output, nothing changes. The observer learns the correlation between the unmixed input and the change output, and the fact that one of the mixed outputs is owned by that person, but not which one. As long the change output is not connected with a mixed output on chain, it presents no privacy leak for the user. TX0, and peeling off the change prior to the CoinJoin transaction itself, makes absolutely no difference in the level of privacy.
So what is TX0? It's an optimization for a CoinJoin implementation that coordinates many CoinJoin transactions in parallel, which makes no sense to implement for a CoinJoin implementation that coordinates a single CoinJoin transaction one at a time. In Whirlpool, breaking coins up ahead of time makes sense, because there are many different CoinJoins happening in parallel that each pre-divided output can take part in. In Wasabi, there is only one at a time, so fragmenting your coins beforehand makes no sense in terms of efficiency.
Samourai does have stronger safeguards than Wasabi in regards to handling change, but this has nothing at all to do with the transaction structure of what is occurring on chain. It is its isolation of change outputs into a separate set of addresses and its warnings in the wallet and safeguards that prevent spending change outputs together with mixed outputs.
I'm sure that by the time you are reading this, many Samourai users and developers will be screaming that I am spreading FUD. I encourage readers to really sit down and think about the facts as I've laid them out, and analyze things logically. Everything that I have said is entirely factual, and verifiable just through reasoned thinking.
At this point with Wasabi's recent actions regarding censoring specific "tainted" inputs from registering for CoinJoins with their coordinator, I would never recommend using it purely on ethical grounds. I think the action its team has taken without any legal or regulatory requirement to do so is frankly cowardly and showing weakness that will encourage government entities to push harder in attacks on privacy.
That said, I think that when it comes to privacy tools, users should be making informed decisions based on how things actually work, and not simply marketing slogans and claims. Both Wasabi and Samourai can provide privacy to users when used correctly. Samourai absolutely does have many more safeguards to ensure it is used correctly, but these are all integrated merely as warnings in the wallet software and in how addresses for mixed and unmixed outputs are generated separately. TX0 has nothing to do with it, and provides no additional privacy benefits on its own.
This is a guest post by Shinobi. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.
Similar to Notcoin - Blum - Airdrops In 2024