TumbleBit is one of the most promising privacy-enhancing technologies being built on top of Bitcoin right now. It allows users to mix their coins fully anonymously, without requiring trust in any third party. An advanced version of the technology, which requires Segregated Witness, can even be utilized as a second-layer payment hub to reduce transaction costs and speed up confirmation times.
After TumbleBit was first proposed in an academic paper and subsequently presented at the Scaling Bitcoin workshops in Milan, NBitcoin lead developer Nicolas Dorier built an early version of the technology. Since then, two wallets are being developed to make TumbleBit accessible for everyday use: Breeze and, more recently, HiddenWallet.
HiddenWallet developer Ádám Ficsór, better known online as “nopara73,” also completed Tor integration this week.
“I estimate that TumbleBit will be usable for the general public within a month or two.” — Ádám Ficsór
TumbleBit lets users connect to a central server, which in turn allows them to establish payment channels that send coins back and forth in such a way that everyone receives as many coins as they sent. Since multiple users can engage at the same time, this allows them to mix their coins, breaking the trail of ownership on Bitcoin’s blockchain.
The key innovation compared to previous mixing models is that TumbleBit uses a combination of nifty cryptographic tricks to make sure that, first off, no one can steal funds. And second, no one — not even the central server — can link any of the sending addresses to any of the receiving addresses.
Yet, one problem remained, as Ficsór explained:
“Users connect to the central server with their own IP address to provide their sending and receiving addresses,” he said. “But this means that the central server could still match sending and receiving addresses based on the IP address that provided them. If one IP address provides both Bitcoin addresses, it’s trivial to link them.”
In other words, the central server could re-establish the traceable chain of coin ownership, defeating the purpose of using TumbleBit in the first place.
Ficsór therefore built a Tor-integration tool for the existing TumbleBit project. With this tool, the sending and receiving addresses of any user are separately provided to the central server through the anonymity network. This removes any link from a user’s IP address to any specific Bitcoin addresses and — importantly — removes the link between sending and receiving addresses as well.
At the same time, Ficsór is developing a new wallet specifically designed for TumbleBit, HiddenWallet, which would even offer increased privacy without TumbleBit.
Essentially all lightweight wallets leak address data to the outside world in some way or another. Most web wallets, mobile clients and some desktop wallets leak this info because they rely on a server that tells them about their balances. This server therefore needs to know all addresses in a wallet and can link them together accordingly.
Alternatively, some SPV clients send out a type of cryptographic “puzzle” (Bloom filters) to the network that requests all data relevant for their balance. But this leaks address data to random nodes on the network … and thus to analytics companies that specifically monitor the network for these puzzles.
“Blockstream’s Jonas Nick claimed in 2015 that if someone were to give him one Bitcoin address, he’d be able to figure out 70 percent of your wallet holdings. This was just one smart guy with limited resources, three years ago. You can imagine what well-funded analytics companies in 2017 are capable of,” Ficsór noted.
This linking of addresses is obviously a problem for TumbleBit users. No matter how much these users mix their bitcoins across their Bitcoin addresses, if all these addresses can be linked together anyway, there’s no point.
The only wallets that avoid this problem, so far, are full-node wallets like Bitcoin Core. These wallets download all transaction data on the network, meaning they don’t need to request specific data that reveals their own addresses. However, full nodes can be a bit resource-intensive, which is a barrier to entry for many casual Bitcoin users.
HiddenWallet therefore introduces a clever model in between the lightweight and full-node wallets, specifically designed to improve privacy.
Like a full node, HiddenWallet connects directly to the Bitcoin network, where it likewise requests all transaction data from random nodes. However, where full nodes verify (and typically store) all of this data, HiddenWallet instead immediately discards any data it doesn’t need. It only verifies and stores transaction data that involve the Bitcoin addresses in the wallet itself and doesn’t care about the rest. This requires far fewer resources than a full node does.
“The privacy benefit is obvious,” said Ficsór. “Since HiddenWallet downloads all transaction data, connected nodes have no idea which data is kept by the wallet and what is discarded. They learn nothing about the addresses in HiddenWallet and can’t link any of them together.”
And Ficsór thinks he may be able to trim resource usage down even further in a next release of HiddenWallet. This upcoming version may cut out all transaction data that would, for analytics companies, obviously not be relevant to the wallet anyway, like old transaction data. Such a modification could potentially make HiddenWallet available even on low-bandwidth mobile connections.
With this progress, it looks like TumbleBit may be usable even before the end of this summer, Ficsór estimates.
“We previously thought we might get the system up and running around this time, but it turned out there was a little bit more to it than we thought. That being said, another big hurdle is now taken: the Japanese company United Bitcoiners is running a tumbling server. Combined with Tor integration and wallets, all pieces of the puzzle are coming together.”
Ádám Ficsór works on TumbleBit without compensation, but accepts donations on 186n7me3QKajQZJnUsVsezVhVrSwyFCCZ