In the quest for privacy and fungibility in Bitcoin, two researchers (from Saarland University in Saarbrücken, Germany and Indiana’s Purdue University) presented a promising privacy enhancement proposal last week. ValueShuffle, as the protocol is called, describes a method to mix bitcoins and at the same time hide the amounts involved in the mixing process.
It’s a potent combination, as Tim Ruffing, one of the researchers, explained:
Then follow us on Google News!
“The combination of these two privacy-enhancing technologies, while not requiring any trusted third party, is what makes ValueShuffle unique.”
CoinJoin and CoinShuffle
Ruffing wrote the ValueShuffle draft white paper with Pedro Moreno-Sanchez; these are the same two researchers who previously proposed the CoinShuffle protocols, along with their PhD advisor, Aniket Kate, then at Saarland University.
Leveraging CoinJoin, first proposed by Bitcoin Core and Blockstream developer, Gregory Maxwell, CoinShuffle is a method to merge several transactions into one, with no need for a trusted party. As such, a single Bitcoin transaction can send bitcoins from many people to many people. This potentially obfuscates the trail of coins, as it’s no longer clear exactly who paid whom.
The obfuscation is only potential, however, because the amount of coins involved in a transaction can be a giveaway. If one transaction sends five bitcoins from address to address, and another transaction sends seven bitcoins from address to address, merging these into one transaction would not obfuscate much. Simply matching the amounts reveals who sent bitcoins to whom.
“With our initial CoinShuffle proposals, this can be solved if everyone uses the same amounts,” Ruffing explained. “If everyone involved in the mix sends exactly one bitcoin, the sending and receiving addresses can no longer be matched. But this is also quite a limiting factor. Any remaining coins must go to some change address without being anonymized, which is cumbersome, and may even break privacy if not used properly. And for technical reasons it also means you cannot use CoinShuffle to make a payment directly; you can only send bitcoins back to yourself.”
With ValueShuffle, the problem of matching amounts is solved by hiding the amounts involved in a transaction.
This is accomplished using another proposal designed to increase privacy in Bitcoin: Confidential Transactions. Developed by Blockstream, Confidential Transactions is currently implemented in Blockstream’s Elements Alpha sidechain, which is active on Bitcoin’s testnet.
Using clever cryptography, Confidential Transactions ensures that no one can see how many bitcoins are involved in a transaction, nor how many were sent from which address to which address. Nodes can, however, verify that the total number of bitcoins sent matches the total number of bitcoins received. As such, they can be sure no bitcoins were created out of thin air.
The combination of CoinJoin and Confidential Transactions has long been considered a powerful solution. As CoinJoin obfuscates which addresses sent bitcoins to which addresses, Confidential Transactions obfuscates the amounts, to break all links. With ValueShuffle, all this can be done without requiring a trusted party to merge the different transactions into one.
“Plus, it allows users to make payments directly through ValueShuffle, rather than having to send themselves mixed bitcoins first,” Ruffing said.
Thus far, however, the Confidential Transactions building block is not part of the Bitcoin protocol.
“But it may be in the future,” Ruffing said. “It can be rolled out with a backward compatible soft fork, which would be even easier if Segregated Witness is activated first. On top of that, ValueShuffle could benefit from Segregated Witness in other ways. Since Confidential Transactions are relatively expensive compared to normal transactions, the witness “discount” will help. And if Schnorr signature aggregation is deployed through Segregated Witness as well, that would be another boon for efficiency.”
If Confidential Transactions does become part of the Bitcoin protocol — either through Segregated Witness or as an independent soft or hard fork — not much stands in the way of ValueShuffle. The solution would not require additional protocol changes; it would just require wallets to implement the solution. And, ideally, a server to host the mixing protocol.
“Technically, it can be done without a central server, but it wouldn’t be very practical. And keep in mind that a central server wouldn’t need to be trusted with users’ private keys or privacy, and they’re easily replaced if something goes wrong.” Ruffing said. “As for wallets, Mycelium has already implemented a version of CoinShuffle. And ValueShuffle is even easier to implement, because it’s based on the simpler and more efficient CoinShuffle++ protocol.”