Navigating Different CoinJoin Implementations

By Bitcoin Magazine - 1 year ago - Reading time: 12 minutes

How does one cut through the noise and confusion to find the optimal way to utilize CoinJoins and obscure their bitcoin transactions?

This is an opinion editorial by Thibaud Maréchal, a contributor to privacy-focused Bitcoin wallet project Wasabi Wallet.

“Divide and conquer” is a battle-tested military strategy to fracture a group of people by making them disagree and fight each other instead of joining together against a common enemy. Wasabi and Samourai, two popular bitcoin wallets with different CoinJoin implementations, have been fighting for many years. JoinMarket, a third CoinJoin implementation, has also been involved in colorful debates with other privacy developers.

Learning about bitcoin privacy and CoinJoins has become quite hard with the ongoing drama. Who to trust? How can one verify for themselves? It’s all very unclear. What does it bring for precoiners, casual bitcoiners and purists alike? Confusion, fear, uncertainty and doubt (FUD). The state of bitcoin privacy is embarrassing with all this perpetual drama scaring away new users. Precious time is wasted by developers, educators and regular users who would probably be better off doing anything but trying to keep up with the drama.

It is obvious that no one agrees on “how to do CoinJoins right,” let alone how CoinJoins should be implemented to optimize user privacy and block space efficiency on the Bitcoin network. What are the tradeoffs between different implementations? Are some implementations outright flawed? How do CoinJoins “cross the chasm” from early adopters to mainstream users when billions of people will turn to bitcoin in the coming years?

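Let's now build a mental model of sorts for understanding CoinJoins by asking some basic questions and laying out some assumptions, which will help evaluate different implementations in later articles.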

Not All CoinJoins Are Equal

Blockspace efficiency should be considered to make sure CoinJoin transactions scale as Bitcoin gets used by more people across the world. This is rarely discussed as a top priority. Any CoinJoin design that ignores blockspace scarcity is unnecessarily spamming the block chain while accumulating technical debt, which will be difficult to pay back as more users CoinJoin in the future. Having a minimal footprint on the block chain is one goal that seems very reasonable to aim for: a small number of transactions to get to an acceptable level of anonymity sounds ideal.

What is an acceptable level of anonymity? What does anonymity even mean in the context of bitcoin privacy? How are particular CoinJoin designs dealing with blockspace scarcity?

Reclaiming Your Privacy

Anonymous bitcoin would mean that there are no outstanding or unusual features that would make a given transaction stand out from other transactions on the ledger. That, of course, is not by design on the Bitcoin network, which is a pseudonymous system where coins (UTXOs, which stands for Unspent Transaction Output in technical terms) are by default not fungible due to having unique transaction histories.

CoinJoins add a level of anonymity to the bitcoin network by breaking links between transaction inputs and outputs, primarily by making the resulting UTXOs indistinguishable from each other. There are other heuristics that chain analysis companies use to watch the bitcoin network, such as common input ownership, self-spending, round amounts or timing analysis to name a few, which may or may not be obscured by CoinJoins.

CoinJoins help bitcoiners reclaim their privacy but are not the solution to everything. If privacy is understood as the choice to share information about oneself, great privacy can be achieved through CoinJoins but picking the right implementation is essential.

What is my privacy goal using CoinJoins? Which heuristics does a CoinJoin implementation protect me against? What are the risks that I want to avoid?

Number of Participants

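Existing CoinJoin implementations take very different approaches to improving privacy. Regardless of each implementation's design, the anonymity set (a measure of the level of anonymity) seems to be the most traditional way to evaluate how much privacy one gets from a CoinJoin. There are other methods, which will be discussed in other articles. The assumption is that a high anonymity set is achieved either through a large CoinJoin transaction or through multiple smaller CoinJoin transactions. Both parameters matter, but is one more important than the other?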

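In terms of blockspace efficiency, the assumption is that achieving a large anonymity set through a single very large transaction with many participants is preferable to multiple very small transactions with few participants.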

Is one single large CoinJoin or multiple small CoinJoins better for privacy? How can that be verified truthfully and rigorously? How small is too small for a CoinJoin? What is the right metric to evaluate how much privacy you can get from a CoinJoin? What is the most blockspace efficient when it comes to the size and number of CoinJoins to reclaim your privacy? Is it realistic to expect coins to participate in multiple CoinJoins over time as more people start using CoinJoins? How many CoinJoin rounds is enough or too much?

In simple terms, CoinJoins allow bitcoiners to reclaim their privacy by giving them plausible deniability. Plausibility is a measure of probability. How likely is it that your bitcoins were spent or simply moved to another address you still control? How likely is it that one input is linked to a given output?

Obviously, the smaller the probabilities across many options, the better plausible deniability you get as a hodler. Plausible deniability is hard to preserve because errors are easy to make. Change outputs are often problematic for bitcoiners who care about privacy and are often a source of contentious discussions and criticism. Why are change outputs such a controversial topic in CoinJoins?

Change Outputs

It’s all about deterministic links. If bitcoin transactions had a spectrum of privacy, on one end would be a transaction with absolute plausible deniability, meaning 0% chance of knowing the link between inputs and outputs. This is also referred to as randomness or entropy in a CoinJoin. The assumption is that the more random or higher the entropy, the better. On the other end would be a transaction with 100% deterministic links between its only input and single output.

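Intuitively, high entropy does not necessarily mean that a transaction provides good privacy. Technically, a transaction with three inputs and three equal-amount outputs has 100% entropy, meaning that the outputs cannot be distinguished from one another; however, each input has a 33.33% chance of being linked to a particular output. High entropy does not necessarily mean good plausible deniability.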

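Change almost always has a very highly deterministic link to the transaction that preceded it. In other words, there is no doubt that a change output is linked to the earlier transaction it came from. If a given change output is co-spent with other anonymized inputs after CoinJoins, this can be quite a privacy issue (though exceptions may apply in some cases). This is commonly referred to as UTXO consolidation, and it can be fatal to your privacy if not handled properly.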

Change outputs can de-anonymize outputs that have gained some plausible deniability from CoinJoins if spent together. Errors are commonplace for bitcoiners and sometimes the realization comes too late, undoing years of diligent privacy enhancements in one single spend. How to get rid of this change output problem?

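Existing CoinJoin implementations have three ways of handling change outputs: segregating change into another wallet that is not CoinJoining, keeping change outputs in the same CoinJoining wallet, or getting rid of change outputs by not having any at all. The latter seems the most desirable in terms of privacy and blockspace efficiency, but further digging is needed to validate or reject this assumption.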

Is a high entropy score enough to qualify a CoinJoin as good for your privacy? Is it better to isolate change outputs in another wallet or should it be removed entirely? Is a change output always bad for your privacy?

Coin Denominations

Getting rid of change outputs in CoinJoins requires that coin denominations be variable in a CoinJoin. In other words, the inputs registered in a given CoinJoin cannot have a fixed size like 0.1 BTC, otherwise it becomes impossible (or at least very hard) to consume inputs without creating change outputs as most UTXOs don’t have round numbers (i.e. 0.19572394 BTC where 0.09572394 BTC would be the change in a 0.1 BTC fixed coin denomination CoinJoin).
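As an added illustration (not from the original article), the Python sketch below enumerates every amount-consistent interpretation of a fixed-denomination CoinJoin to show why equal outputs give each input a 1-in-3 link while change outputs link deterministically. It assumes a simplified model: one input per participant, one 0.1 BTC mixed output plus one change output each, and no fees; the function name and the two extra input amounts are constructed for the example.

```python
from fractions import Fraction
from itertools import permutations

DENOM = 10_000_000  # 0.1 BTC in satoshis, the fixed denomination used in the text


def link_probabilities(inputs, change_outputs, denom=DENOM):
    """Return (n_interpretations, mixed_prob, change_prob) for one CoinJoin.

    Simplified model (assumption): each participant registers one input and
    receives one mixed output worth `denom` plus one change output worth
    input - denom; fees are ignored. All amounts are in satoshis.
    mixed_prob[i][j] / change_prob[i][j] is the share of amount-consistent
    interpretations in which input i funds mixed / change output j.
    """
    n = len(inputs)
    if len(change_outputs) != n or any(v < denom for v in inputs):
        raise ValueError("model needs one change output per input >= denom")
    # Equal mixed outputs carry no amount information: every permutation fits.
    mixed_perms = list(permutations(range(n)))
    # A change assignment fits only if every amount balances exactly.
    change_perms = [p for p in permutations(range(n))
                    if all(inputs[i] - denom == change_outputs[p[i]]
                           for i in range(n))]
    total = len(mixed_perms) * len(change_perms)
    if total == 0:
        raise ValueError("amounts do not balance under this model")

    def share(perms):
        return [[Fraction(sum(p[i] == j for p in perms), len(perms))
                 for j in range(n)] for i in range(n)]

    return total, share(mixed_perms), share(change_perms)


# Constructed sample: the 0.19572394 BTC input from the text plus two made-up ones.
INPUTS = [19_572_394, 25_000_000, 13_400_000]
CHANGE = [3_400_000, 9_572_394, 15_000_000]  # order as seen on chain (shuffled)

if __name__ == "__main__":
    total, mixed, change = link_probabilities(INPUTS, CHANGE)
    print("interpretations:", total)
    print("input 0 -> each mixed output:", [str(p) for p in mixed[0]])
    print("input 0 -> each change output:", [str(p) for p in change[0]])
```

In this sample the 9,572,394-satoshi change output is tied to the 0.19572394 BTC input in every interpretation; two inputs of identical value would make their change outputs ambiguous between those two participants only.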

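Change outputs can compromise your privacy, remember? Having inputs and outputs of many sizes in a CoinJoin does not seem like a good idea, because it brings us closer to deterministic links between inputs and outputs, right? Well, yes and no. It depends. If a CoinJoin has a small number of participants (meaning few inputs and outputs), then varied denominations are not a good idea. But what if a given CoinJoin contains a large number of inputs and outputs?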

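In a large CoinJoin, multiple denominations can give each resulting output a high level of plausible deniability without creating change outputs and requiring additional transactions, which is an efficient use of blockspace. Many boxes seem to get ticked at this point.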

Is it better to have fixed or variable coin denominations in a CoinJoin? How big should a CoinJoin be for variable denominations to make sense? Are variable coin denominations the best way to get rid of change output in CoinJoins?

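Needless to say, whether coin denominations vary or not, and whether a CoinJoin is a large or a small transaction, CoinJoin rounds interconnectivity cannot be tolerated under any circumstances, right? Well, there is another important nuance to understand here.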

CoinJoin Rounds Interconnectivity

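It is claimed that registering inputs that share past CoinJoins into a new CoinJoin is ill-advised in all cases. Participants coming from mutually shared past CoinJoins do not seem to benefit from mixing in further CoinJoins. This appears to be harmful to privacy and is often criticized.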

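What if a CoinJoin is large and some of the registered inputs come from multiple other CoinJoins, each of which is also downstream of multiple other CoinJoins? In this case, despite coming from shared past CoinJoins, participants remixing together are still improving their privacy. If each CoinJoin is large enough, participants do not need to remix many times, but they can do so if they want to further increase their anonymity set.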

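If many large, interwoven CoinJoins are involved, the resulting anonymity set should provide a great deal of plausible deniability despite sharing past CoinJoins as a source of funds.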

Is CoinJoin rounds interconnectivity, which is sharing mutual past CoinJoins, a bad thing on its own? How large should a CoinJoin be for remixing with other past inputs to be considered safe?

Personal Full Nodes

Should you run your own bitcoin full node when participating in CoinJoins? On the surface, it seems like a great idea, and it usually is. Some CoinJoin implementations allow that, while others outright require it. Others won’t even allow you to use your own full node. Is that to be condemned outright? If you’ve read until now, you should know that the answer is nuanced and opens up a deep rabbit hole to be explored later.

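Running your own full node comes with usability tradeoffs and may not add much privacy protection if not all users do it. If few CoinJoin participants do so, running your own node might even give you a false sense of security and privacy, which can be very harmful. If Tor is used as the anonymization layer for CoinJoins (we'll leave that aside for now), then using a trusted full node by default to broadcast CoinJoin transactions is fine. Lots of nuance, and of course: don't trust, verify.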

There are some basic questions to ask so as not to fall into the trap of privacy virtue signaling.

Does the CoinJoin implementation allow running full nodes, require them by default or disallow them? If personal full nodes are not mandatory, what are the privacy shields in place (i.e. Tor, block filters, etc.)? If I run my own full node, but expect most users to use a default trusted node to CoinJoin, how does that affect my privacy? Can the coordinator de-anonymize me?

With privacy concerns, it is always important to understand what you’re trying to protect, and against whom. Running a full node and using it with your own wallet is the right way to use bitcoin as it allows you to verify your wallet balance and broadcast transactions to the network without trusting anyone. But when it comes to CoinJoins, there is usually a coordinator in charge. What does the coordinator do and how is it selected? Read on.

The Coordinator

The CoinJoin coordinator is in charge of having every participant register their inputs and outputs, and sign the collaborative transaction before broadcasting it. Most CoinJoin implementations default to a central coordinator, which is a single point of failure. Up until now, this has been an accepted tradeoff in most bitcoin communities. Can a central CoinJoin coordinator fail? Absolutely. Other implementations allow anyone to be a coordinator for each different CoinJoin, though there are other sets of tradeoffs here that will be discussed later.

Because CoinJoins are non-custodial, no loss of funds can occur if a coordinator fails. The coordinator should never know more than what everyone knows publicly on the bitcoin network. Why? If a coordinator knows more than what is publicly available, a CoinJoin coordinator becomes a honeypot with highly sensitive data that can be exploited against bitcoiners trusting the service.

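You should never trust a CoinJoin coordinator. If a CoinJoin coordinator can't be evil, that is good. If it can be evil, it eventually will be, whether through error, omission, coercion or outright dishonesty.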

An example of sensitive user data would be XPUBs, which undeniably leak all the information about a wallet, its addresses, including past, current and future bitcoin transactions. Another example would be the ratio between users running their own full nodes and users trusting the coordinator’s full node to broadcast CoinJoins, as it could de-anonymize users running their own nodes, and therefore deterministically know the links between their inputs and outputs. This is yet another nuanced topic, which would require further investigation and discussion.

Does the coordinator know more than what is publicly available on the bitcoin network? Do users leak sensitive data to the coordinator, such as their XPUB or whether or not they run their own full nodes? Does the coordinator claim that users should trust them using legal defense mechanisms (i.e. warrant canaries, regulatory arbitrage, etc.)?

Fees

Bottom line, who pays for what in CoinJoins? These bitcoin transactions can be expensive and sometimes fee structures are unclear for bitcoiners. It’s hard to know how much good privacy will cost you or even if you are getting any privacy out of it. Some CoinJoin implementations allow a single input to buy its privacy from other inputs who only participate for free to increase their own anonymity set. Getting paid to CoinJoin? With patience, yes.

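Some models rely on shared fees, where only some UTXOs pay fees while others do not. Other models rely on inviting more and more new clear inputs (not yet mixed) to fund existing CoinJoins, so that inputs whose anonymity level is not yet high enough can remix. In the long run, some models seem unsustainable, while others are too naive or too expensive for most users.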

And what fees are we talking about? Well, usually, inputs participating in CoinJoins pay both a coordinator fee or taker fee (the service fee to get some level of anonymity) and the bitcoin network fees. In particular CoinJoin models, these fees get waived in certain circumstances. The economics of CoinJoins is a deep rabbit hole which requires further investigation for a much deeper understanding.

Who pays for what in a CoinJoin? What are all the fees? What are the incentives of the CoinJoin coordinator? Are all CoinJoin rounds paid for or is there any free remix?

Having read thus far, the hope is that bitcoiners shopping around for CoinJoins would not necessarily have all of the answers, but the right questions to ask. A mental model or framework to evaluate different CoinJoin implementations can be quite helpful for anyone who is considering using CoinJoins to reclaim their privacy on bitcoin. Sorting through the noise of social media requires intellectual honesty and the right evaluation system rigorously applied.

This is a guest post by Thibaud Maréchal. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.

Original source: Bitcoin Magazine