Author

Topic: Can Coinjoin transactions be traced? Busting Bitcoin privacy myths! (Read 2028 times)

member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
The text from the image justifies the "maximum mining fee" displayed in the user's client, but it does not explain that even with an acceptable mining fee (e.g., 6.03 for me), the user might still be in the surprising position to pay more than he thought he would. (Because, for example, the decomposer treats a significant amount as dust.) At least that's what I understand.

Although the absolute forfeit maximum is 10,000 sats, the decomposer attempts to waste as little as possible (the simulations from the mailing list post measured <500 sats per round, with performance scaling as you add more participants). You can check the leftover sats forfeited from each round on https://liquisabi.com and compare it to the total mining fees paid for that round, it's normally only 10%-20% of the total cost (depending on the mining fee rate of that round).
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
The text from the image justifies the "maximum mining fee" displayed in the user's client, but it does not explain that even with an acceptable mining fee (e.g., 6.03 for me), the user might still be in the surprising position to pay more than he thought he would. (Because, for example, the decomposer treats a significant amount as dust.) At least that's what I understand.

Quote
If you want to pay specific amounts to selected addresses, you can do so through Wasabi's RPC
I see. I'll try that the next time.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
This is the uncertainty I'm talking about. The user does not know beforehand how much money will be forfeited because the decomposer treats the remainder as dust. Is there a page that explains how this works behind the scenes, ensuring users aren't surprised by paying significantly more than expected?

Yes - https://github.com/WalletWasabi/WasabiDoc/pull/1859

I had found that, but I assume that allows me to send only to Wasabi wallets, correct? I cannot send the joined coins to Sparrow or to a bunch of addresses I select?

Yes, the feature only allows you to move coins from one of your wallets to another wallet you have loaded on the same client.

If you want to pay specific amounts to selected addresses, you can do so through Wasabi's RPC or with BTCPay's coinjoin plugin (via the 'schedule transaction' workflow).
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Yep, assuming your calculations are correct, that means the decomposer forfeited 432 sats worth of dust that couldn't be split into equal sized outputs.
This is the uncertainty I'm talking about. The user does not know beforehand how much money will be forfeited because the decomposer treats the remainder as dust. Is there a page that explains how this works behind the scenes, ensuring users aren't surprised by paying significantly more than expected?

Quote
It's under 'Coinjoin' tab within 'Wallet settings'.
I had found that, but I assume that allows me to send only to Wasabi wallets, correct? I cannot send the joined coins to Sparrow or to a bunch of addresses I select?
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
I tried to verify those numbers by calculating the fee I paid for my coinjoin. In this coinjoin, I used a segwit input and created two taproot outputs. With 6.03 sat/vb, I should have paid 6.03 * 69 + 2 * 6.03 * 43 = 934.65 sat, but I paid 1366.

Yep, assuming your calculations are correct, that means the decomposer forfeited 432 sats worth of dust that couldn't be split into equal sized outputs.

Where's this "Coinjoin to another wallet" option? I cannot find it in settings or in Wallet Settings.

It's under the 'Coinjoin' tab within 'Wallet settings'. There's a bunch of nested menus that are annoying to navigate, but the devs have bigger tasks to work on than fixing navigation  Undecided
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
It's ~1% bigger in vsize. Spending a P2WPKH coin costs 69 vbytes, creating a P2WPKH coin costs 31 vbytes (100 total). Spending a P2TR coin costs 58 vbytes, creating a P2TR coin costs 43 vbytes (101 total). There's apparently also an extra .5 vbytes somewhere that I don't know how to account for.
I tried to verify those numbers by calculating the fee I paid for my coinjoin. In this coinjoin, I used a segwit input and created two taproot outputs. With 6.03 sat/vb, I should have paid 6.03 * 69 + 2 * 6.03 * 43 = 934.65 sat, but I paid 1366.

Quote
I'm sure there's a way to manually disable a specific script type from the client side. After all, when you use the 'Coinjoin to another wallet' to sweep your hot wallet into your hardware wallet, it will only use the supported script type of your HWW.
Where's this "Coinjoin to another wallet" option? I cannot find it in settings or in Wallet Settings.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Okay, but that makes it less block space efficient. I do not have the exact numbers, however, but if I'm not mistaken the taproot would be 10% bigger in size.

https://github.com/WalletWasabi/WalletWasabi/blob/master/WalletWasabi/Helpers/Constants.cs#L27

It's ~1% bigger in vsize. Spending a P2WPKH coin costs 69 vbytes, creating a P2WPKH coin costs 31 vbytes (100 total). Spending a P2TR coin costs 58 vbytes, creating a P2TR coin costs 43 vbytes (101 total). There's apparently also an extra .5 vbytes somewhere that I don't know how to account for.

Wouldn't it make more sense for the clients to select which script types they rather use? (In addition to the coordinators enforcing their own policy.)

I'm sure there's a way to manually disable a specific script type from the client side. After all, when you use the 'Coinjoin to another wallet' to sweep your hot wallet into your hardware wallet, it will only use the supported script type of your HWW.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Wasabi clients choose both script types randomly.
Okay, but that makes it less block space efficient. I do not have the exact numbers, however, but if I'm not mistaken the taproot would be 10% bigger in size.

Quote
Coordinators can restrict the allowed script types in their config if they want to.
Wouldn't it make more sense for the clients to select which script types they rather use? (In addition to the coordinators enforcing their own policy.)
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Why should there be a ratio? Why not just all segwit or all taproot?

BTCPay clients only support a single script type, and Trezor clients only support Taproot. In order to provide sufficient anonymity for these other clients, Wasabi clients choose both script types randomly.

Coordinators can restrict the allowed script types in their config if they want to.

Is it a bug you and I are just aware of, or is there some Wasabi developer aware as well?

The devs are aware. I suppose I could open an issue for it, but it seems like a pretty harmless bug.

Have you investigated the source code yourself and not found what goes wrong?

I'm not a programmer, so I'm unable to audit the code myself.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
You're not going to like the answer, lol. It's a bug: The ratio should be ~50/50
Now I have several questions.

  • Why should there be a ratio? Why not just all segwit or all taproot?
  • Is it a bug you and I are just aware of, or is there some Wasabi developer aware as well?
  • Have you investigated the source code yourself and not found what goes wrong?
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Shouldn't the client give the user control over how many times it can divide an input? For example, one might not prefer to divide their 0.01 BTC into 5 worth of 200,000 sat each, because it's more expensive. And I did experience it as well, if you want some feedback; I felt as if I wouldn't know beforehand how much money would be spent on the transaction fee.

The client is only able to calculate all of the potential output decompositions after the end of the input registration phase, so it's not possible to do this manually with precision. But yes, the "slot machine" aspect can be frustrating if overpaying fees bothers you.

BTCPay Server's coinjoin plugin allows power users to choose a minimum denomination amount, exclude certain denominations, etc so they can avoid surprises.

Is there any particular reason why taproot addresses are preferred over segwit?

You're not going to like the answer, lol. It's a bug: The ratio should be ~50/50 Roll Eyes

If you find the source of the bug in the code and open an issue accurately describing it, I'll award a 50k sat bounty. If you open a PR that fixes it and gets merged, I'll award a 100k sat bounty.

Isn't it less block space efficient?

Taproot is barely less efficient than segwitv0 when measured in vbytes, but it's much more efficient in terms of actual bytes. If the witness discount multiplier were slightly lower than 4, then Taproot would win out in both categories.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
These small standard outputs aren't "change", but they are treated like change by the client due to a lack of other matches. Despite being assigned a weak score, these outputs are completely impossible to attribute to any specific input in practice.
I see. You just don't assign them a metric, because that'd be against the notion of being as rigorous as possible with defining the anonymity score.

Quote
I received 5 same sized outputs from a single round, so the client divided the anon score gain of each of those outputs by 5. While this seems like "waste" from the calculator's perspective, the real world effective privacy gains of allowing this sort of amount skew is massive since analysts have to consider many subsets of possible compositions and decompositions.
Shouldn't the client give the user control over how many times it can divide an input? For example, one might not prefer to divide their 0.01 BTC into 5 worth of 200,000 sat each, because it's more expensive. And I did experience it as well, if you want some feedback; I felt as if I wouldn't know beforehand how much money would be spent on the transaction fee.



Is there any particular reason why taproot addresses are preferred over segwit? Isn't it less block space efficient?
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Here's a couple of anecdotal transactions showing some nuances of anonymity score.

In this smaller coinjoin transaction, there were (at least) 4 different standard denominations that received anonymity score 1.

bc1pn5g6wmqs2prld00g5sp4l6837s6xt0lg27smt0zrgdlca9qdkycs3ernz8 - ‎0.00020000 BTC    
bc1pjvng7exw3d6ttu438249yasrpuprfwgc8mz6a55thxmat9hm08csgv6s0v - 0.00016384 BTC    
bc1phwkkwk6n2l75xg64wp3nsevkawzhgc9kpfs3rg99a5cghqw7mssq527s9v - 0.00013122 BTC    

These small standard outputs aren't "change", but they are treated like change by the client due to a lack of other matches. Despite being assigned a weak score, these outputs are completely impossible to attribute to any specific input in practice.

bc1qm2kmhgde2fey05ef2dhj3s35a9ayduke2uhgsu 2.68435456 BTC

Although the largest output appears like a whale created a change output, this amount is actually a standard denomination. The user who received this output was unlucky that the other whales in the transaction randomly allocated their liquidity to 2.00000000 BTC sized outputs instead. Even though this output received anon score 1, it's still difficult to determine which input is responsible for creating this coin (although it's far easier to guess who created an output worth 2.68435456 BTC compared to an output worth 20000, 16384, or 13122 sats).

___________________

Here's another rare anon score outcome I personally experienced -



I received 5 same sized outputs from a single round, so the client divided the anon score gain of each of those outputs by 5. While this seems like "waste" from the calculator's perspective, the real world effective privacy gains of allowing this sort of amount skew is massive since analysts are forced to consider many subsets of possible compositions and decompositions.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
So, what should normally happen? Some other participant creates an output of the same value as mine?

It often requires creating 5 to 6 outputs to efficiently decompose into matching values with other users. Creating less than 3 outputs is a pretty rare outcome.

I thought that output values follow this denomination standard.

Clients automatically filter some potential denominations depending on the inputs present in the round. Here are all of the possible standard values: https://docs.wasabiwallet.io/FAQ/FAQ-UseWasabi.html#what-are-the-equal-denominations-created-in-a-coinjoin-round

I suppose that if outputs have to be those values, then I will always have change in the coinjoin with score 1. (Unless edge cases where the change is exactly one denomination.) I'm just wondering: will it ever display that the privacy progress is 100%? If yes, under which circumstances? For all I understand, it should only approach it.

Clients automatically forfeit small dust amounts that can't be decomposed evenly into standard denominations. It's not a perfect solution, but it's a reality of blockchain scalability that some UTXOs aren't worth creating or spending. Similarly, I opened an issue in Samourai's repository (which the developers deleted  Cry) pointing out how their coinjoin client was forcing the creation of uneconomical dust outputs instead of allocating these sats to the mining fee for the premix transaction or the mix transactions.

Can I put an onion URI in there?

Yes, I'm not quite sure what the correct formatting is though.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Interesting. 0.01 BTC is not large enough to require creating a change output, so I guess you just got really unlucky and no one else decomposed a matching value for your second output?
So, what should normally happen? Some other participant creates an output of the same value as mine? I thought that output values follow this denomination standard. I suppose that if outputs have to be those values, then I will always have change in the coinjoin with score 1. (Unless edge cases where the change is exactly one denomination.)

Quote
You can change it back to 127.0.0.1:8333 if you want to choose random P2P nodes.
Can I put an onion URI in there?

Quote
Although anonymity score is a decent metric, I feel like there are many more properties that should be accounted for besides just the number of matched outputs.
I'm just wondering: will it ever display that the privacy progress is 100%? If yes, under which circumstances? For all I understand, it should only approach it.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
No, I don't think so. I downloaded Wasabi Wallet, latest version v2.3.0, and inserted "https://coinjoin.kruw.io/" in the coordinator URI.

Interesting. 0.01 BTC is not large enough to require creating a change output, so I guess you just got really unlucky and no one else decomposed a matching value for your second output?

By the way, my Bitcoin P2P Endpoint is "Unspecified/Unspecified/Unspecified/3:8333". I changed it with my local node, but it didn't work for some reason, and I undid it. And this is what it displays since then.

Serialization for this field was fixed and will be in the next release: https://github.com/WalletWasabi/WalletWasabi/issues/13530

You can change it back to 127.0.0.1:8333 if you want to choose random P2P nodes.

Okay, that makes sense. "Anonymity score" is a vague factor, and it should be calculated very rigorously. My question then is: why does my client allow splitting the input into two outputs if one of them won't meet the "sufficient score" if I can phrase it that way? Wouldn't it make more sense if the input created only one output?

Gaining anonymity score on part of your balance is preferable to gaining no anonymity score at all. There's two ways to implement the scenario of insufficient privacy gains before signing, depending on whether you want to save mining fees or guarantee privacy. BTCPay Server's implementation will abandon signing the final PSBT if it calculates the outcome would lead to a net loss of score (DoSing the round and waiting out a ban). However, this can leak metadata (failed common input registrations), and could create a positive feedback loop that causes all clients to fail one at a time (in theory).

Although anonymity score is a decent metric, I feel like there are many more properties that should be accounted for besides just the number of matched outputs.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
That seems like an unusual decomposition. It sounds like you were using the BTCPay Server coinjoin plugin?
No, I don't think so. I downloaded Wasabi Wallet, latest version v2.3.0, and inserted "https://coinjoin.kruw.io/" in the coordinator URI.

By the way, my Bitcoin P2P Endpoint is "Unspecified/Unspecified/Unspecified/3:8333". I changed it with my local node, but it didn't work for some reason, and I undid it. And this is what it displays since then.

Quote
Although this unique output is more difficult to track due to the coinjoin, it's unclear how to calculate the amount of privacy it gains, so the client just assumes it is zero and just remixes the coin.
Okay, that makes sense. "Anonymity score" is a vague factor, and it should be calculated very rigorously. My question then is: why does my client allow splitting the input into two outputs if one of them won't meet the "sufficient score" if I can phrase it that way? Wouldn't it make more sense if the input created only one output?
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
I feel the need to apologize for my earlier statement claiming that WabiSabi coinjoins have weak privacy. Specifically, I argued that WabiSabi coinjoins have a lower Boltzmann score compared to Whirlpool. However, this assertion was both gravely inaccurate and failed to make a valid point. Calculating the Boltzmann score for a WabiSabi coinjoin is infeasible due to its large transaction size. Even if such a calculation were possible, attempting to match inputs with outputs would still amount to mere guesswork.

I also want to apologize for likely making many statements about WabiSabi without giving them proper thought or grounding. It seems I misjudged due to insufficient study on my part.

This is very humble, I appreciate you approaching the subject again.

I recently gave WabiSabi a try, and I have a question. I joined an input worth ~0.01 BTC using your coordinator, and created two outputs. One of them has an anonymity score of 21, the other has 1.

That seems like an unusual decomposition. It sounds like you were using the BTCPay Server coinjoin plugin?

How is this calculated exactly? If it's joined in the coinjoin, shouldn't it be greater than 1? Does this imply it's possible to determine that the 0.01 BTC input created that specific output with high certainty?

"Anonymity score" is a best attempt to measure the privacy gained from a coinjoin round, but it's extremely conservative in order to handle edge cases. If you got an output with a score of 21, that means that there were 20 other outputs created in that round with the same exact value. If your other coinjoin output kept a score of 1, that means it did not match the same value as any other outputs from the round. Although your unique output was made more difficult to track due to the coinjoin, it's unclear how to calculate the amount of privacy it gains, so the client just assumes it is zero and just remixes the coin. This guarantees that whales who create change will eventually break that change down into amounts that blend in evenly with the rest of the pool.

Anonymity score is also divided by the frequency of your outputs. For example, if you created 2 outputs for 0.01062882 BTC out of 22 matches with the same value, then the anonymity score you receive for each coin would be 11.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
I feel the need to apologize for my earlier statement claiming that WabiSabi coinjoins have weak privacy. Specifically, I argued that WabiSabi coinjoins have a lower Boltzmann score compared to Whirlpool. However, this assertion was both gravely inaccurate and failed to make a valid point. Calculating the Boltzmann score for a WabiSabi coinjoin is infeasible due to its large transaction size. Even if such a calculation were possible, attempting to match inputs with outputs would still amount to mere guesswork.

I also want to apologize for likely making many statements about WabiSabi without giving them proper thought or grounding. It seems I misjudged due to insufficient study on my part.



I recently gave WabiSabi a try, and I have a question. I joined an input worth ~0.01 BTC using your coordinator, and created two outputs. One of them has an anonymity score of 21, the other has 1. How is this calculated exactly? If it's joined in the coinjoin, shouldn't it be greater than 1? Does this imply it's possible to determine that the 0.01 BTC input created that specific output with high certainty?
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
I have read the whole thread and it seems to me that there is no perfect solution between these options(?)

I suppose not if your standard of 'perfect' is 100% guaranteed privacy with no thinking involved. However, liquid coinjoins using the WabiSabi protocol create a practically infinite amount of results, you can attempt to trace participants yourself: https://mempool.space/tx/70aad1d92dd3fc6ddbd802ed20ed155472a5752126a0c3489b56fde6e4cf801c
?
Activity: -
Merit: -
I have read the whole thread and it seems to me that there is no perfect solution between these options(?)
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Another Bitcointalk user attempted the challenge of tracing a WabiSabi coinjoin:

wasabi2.0 is a waste of money and fee and doesn't protect users privacy

Ok, prove it then: Show me which specific outputs were created from each input of this coinjoin transaction: https://mempool.space/tx/2248a68222cb0aa591cc00b51bbf3dd13df09622cd8d0061ae6c0df48943b0a5

He failed to produce any results Roll Eyes
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
A new challenger has appeared! dkbit98 claims Bitcoin is not anonymous. However, he was unable to trace a WabiSabi coinjoin:

Bitcoin Is Not Anonymous.

Okay, prove it then. Show me which specific outputs were created from each input of this coinjoin transaction: https://mempool.space/tx/d26a197368167f7ed2e57bd7257d9d353131bd5e7a03fcc91c68828edbb2a210
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Unlike coinjoins with a fixed output size chosen by the coordinator, WabiSabi coinjoins organize output amounts optimistically from the client side. When creating huge rounds with lots inputs, it's easy for clients to match their output amounts with each other. With smaller rounds, the efficiency decreases. For this reason, the default coordinator in Wasabi Wallet requires at least 150 inputs for a round to begin, but other coordinators may require lower input minimums. For example, this WabiSabi coinjoin only has 40 inputs: https://mempool.space/tx/9709771a2dc9a1343327776a1f52e6ae75adb981cabdab449408099d5851baf2
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Whoever stood for the childish arguments Kruw had back then looks pretty silly now when you have Kruw himself running an uncensored coordinator, which is doing the exact opposite of what he said himself, which was that Censorship is the morally correct thing to do.
Oh, yes. The censorship chapter of this saga, unending. "You shouldn't coinjoin if you're a criminal" <-- they've literally said that. If you read that post, you can see Max arguing that Bitcoin is permissioned, and you can send "bad coins" only if you own hashrate or bribe a miner. And we're supposed to trust the skills of these clowns.

Oh, and since I've sent you to that post already, read my favorite part:
Quote
There’s a lot of nuance here, but in general what we can say is: yes—that is another precedent that UTXOs are not fungible, that there is metadata associated to UTXOs that are outside of the consensus implementation. And that’s just super difficult because now you’re gonna have different surveillance companies that have different blacklists and different risk scores associated to it. And now you have competing soft forked clients, basically, that reach a different consensus of which coins are good and which coins are bad. And well—there’s no solution to it.

There is no solution to which coins are good and bad, but let's buy chain analysis crap data and grant them control over who gets to coinjoin and who doesn't.  Grin
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
At this point, any body who reads a discussion in which Kruw has participated and decides Kruw is to be trusted deserves the future consequences of their own stupidity.

You don't have to trust me.

We both know Wasabi is NOT to be trusted and I would definitely have many other options over it.

You don't have to trust Wasabi. It's trustless open source software.
hero member
Activity: 882
Merit: 1873
Crypto Swap Exchange
Aren't you tired already from playing it stupid? I mean, Jesus. Do you think the viewers of your discussions can't tell you're one big hypocrite?
At this point, any body who reads a discussion in which Kruw has participated and decides Kruw is to be trusted deserves the future consequences of their own stupidity.  Such as nodding their head in agreement to Kruw back when he pointed fingers at us for arguing against Censorship.  Whoever stood for the childish arguments Kruw had back then looks pretty silly now when you have Kruw himself running an uncensored coordinator, which is doing the exact opposite of what he said himself, which was that Censorship is the morally correct thing to do.

We both know Wasabi is NOT to be trusted and I would definitely have many other options over it.  Hell.  I would rather trust a Centralized Exchange which says up front that they impose Know Your Customer than some body like Kruw and the Services he advertises.  Particularly when equal or better competitors to Wasabi always get a spit in the face from Kruw with no reason when ever he gets the chance to do it.  I like people being up front.  Particularly when I decide whether to choose their product or not.  Tell me you arbitrarily ask for Know Your Customer and I will be an idiot if I drop my money thinking I will not be asked for it.  But when I ask a question and it always gets derailed, how the hell am I supposed to trust?  When Wasabi claims to be THE solution for Fungibility while differentiating one Bitcoin for another and THE Wallet for Privacy while imposing Censorship, which is very 1984 ish, how am I supposed to trust their product?

I forgot.  'Wasabi is TRUSTLESS!'.  Sure.  How dare I even THINK about trust.  I completely forgot their stance was different.  More like, ignore the red flags, shut up, close your eyes and hand us your Money.  Do not ask questions, or else you are an idiot.  And a Scammer, too.  And probably an Alt of Samourai.

Like I previously said.  Kruw could do astonishingly well as a Politician considering the expertise of avoiding any legitimate question, derailing discussions and talking about apples when asked about pears.  This is a skill no body wants but he proudly showcases at all times.

-----

Yes. Why can't you answer that question?
Why can you not answer so many questions and always answer only what is convenient?  The glasses, Kruw.  We are back to where we started, they are either dirty again or you need to get your eyes checked because they seem to skip so many questions all the time.  I am starting to get really worried!
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
You're really asking me to answer why I would rather use Whirlpool over WabiSabi

Yes. Why can't you answer that question?
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Aren't you tired already from playing it stupid? I mean, Jesus. Do you think the viewers of your discussions can't tell you're one big hypocrite? You're really asking me to answer why I would rather use Whirlpool over WabiSabi, after all been said for the last two (or three?) years?

Literally everything in these questions has been answered in the past. Anyone still trying to figure out those answers can just use a search engine like ninjastic.space. The tl;dr is that Wasabi is a clown fest. I'd rather not engage in discussions about it anymore, if I may. I think I deserve this. There really isn't anything more to say.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Personally, I combine toxic change with other toxic change where lack of privacy is minimum.

Why not use WabiSabi instead of Whirlpool so you don't have toxic change and have no lack of privacy at all?

You do not consolidate your private coins in the the coinjoin, but after it, using a mix partner.

If you are using a second coinjoin to solve the privacy flaw of the initial Whirlpool coinjoin, then why not just perform a single coinjoin that doesn't have the initial privacy flaw so you can cut through these two transactions?

Completely irrelevant and debunked already: https://bitcointalksearch.org/topic/m.63120005.

2 - Tx0 clearly pays the coordinator, and this output is easily identified. The privacy of Whirlpool coinjoins does not depend on this fee payment being secret. It does not matter if you and I both pay to the same coordinator address - there is zero loss of privacy.

So the Whirlpool coordinator's output is easily identified. That's unfortunate...

Let's compare this privacy loss in Whirlpool to a WabiSabi coinjoin where the coordinator fee adds to the anonymity set: Which output is the coordinator fee???  https://mempool.space/tx/74254011886f8bcbc19269030a07d3e63cee242492f7a32818152e51995e6d31

Still waiting for the answers to all of these questions.
jr. member
Activity: 44
Merit: 27
If 5 out of the 6 equal sized outputs created in the coinjoin end up remixing as makers in the future while the remaining equal sized output is spent in a unique way, the first guess someone would make is that the output that didn't remix was created by the taker. But, this is still a guess and not a 100% guarantee since the taker could have switched roles to become a maker, or a maker could have decided to stop remixing and spend their coins. So, you could have scenarios where all 6 of these outputs remix, or all 6 of these outputs are spent, or any combination in between.

You are right you could argue that the maker or the taker switch their roll between coinjoins but joinmarket and whrilpool still would give a false sense of a higher anonset then it leads to believe. So it comes off as the makers being almost pointless and making the transaction fees not worth the effort. IMO I think wabisabi is a much better coinjoin system since all inputs are takers with unpredictable output spending. Wabisabi gets a bad rep for blocking certain UTXO's but I think this is a good thing because coinjoining with sanctioned UTXO's will label all UTXO's in the coinjoin as sanctioned.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
I thought joinmarkets were still pretty easy to unmix.

When you look at a single JoinMarket coinjoin, you can often (but not always) determine common input ownership for the participants and track their change. However, this isn't a limitation that ever requires you to compromise your privacy because you can use the taker role to construct a coinjoin where you have only one input and one (equal sized) output.

Here's an example of a JoinMarket sweep transaction: https://mempool.space/tx/9c6479472e1f3b5861c86bc904d11814e715a84c21aa8d0dd0861e635555451f

You can tell this is a sweep instead of an outgoing payment because there are 9 inputs, 9 equal sized outputs, and 8 change outputs that can be easily connected to maker inputs. The taker's input was from bc1q2pcrqv8jshjalxdan9hdm6qsh0njtm7jxydct9, but there is no trace of his output since it could be any of the 9 values for 0.03846033 BTC.

This is the same problem with samurai wallets whirlpool right?

Yes, common input ownership and toxic change are the same problems inherent to Whirlpool coinjoins as well. The main advantage JoinMarket has to defeat this problem is ability to coinjoin arbitrary amounts, so your toxic coins never have to touch each other. Whirlpool is limited to coinjoining fixed amounts (0.5, 0.05, 0.01 and 0.001), so every transaction you send or receive will require you to forfeit up to 100k sats in unmixable change in order to keep full privacy.

The second advantage JoinMarket has over Whirlpool is that Whirlpool cripples the privacy of users by requiring a premix "tx0" transaction. The premix conclusively reveals all the consolidated inputs are owned by the same person and links it with toxic change that can be tracked in future transactions.

JoinMarket mitigates this privacy leak by skipping the premix transaction and consolidating inputs directly in the coinjoin transaction. Here's an example of a 5 person JoinMarket coinjoin that consolidates 297 inputs: https://mempool.space/tx/63b28f5e17e03fef27795e1ea7fbf821e2d5f072098ffcef3d27b8b2d23ca719

This makes it difficult to determine which inputs belonged to the participant that created the 33677 change output and which inputs belonged to the participant that created the 44384 sat change output.

If theres only 1 taker and for example 5 makers in a joinmarket coinjoin it should be pretty easy to unmix them if you watch to see which output get used as inputs for more coinjoins then they are makers and if you can determine which outputs were makers then you can determine which output is the taker by process of elimination.

If 5 out of the 6 equal sized outputs created in the coinjoin end up remixing as makers in the future while the remaining equal sized output is spent in a unique way, the first guess someone would make is that the output that didn't remix was created by the taker. But, this is still a guess and not a 100% guarantee since the taker could have switched roles to become a maker, or a maker could have decided to stop remixing and spend their coins. So, you could have scenarios where all 6 of these outputs remix, or all 6 of these outputs are spent, or any combination in between.
jr. member
Activity: 44
Merit: 27
- Can JoinMarket be traced?

Not as a taker. Since takers choose the equal value output size, they can make anonymous payments or anonymize their change at any time without trusting anyone. Fidelty bonds help protect takers against makers performing Sybil attacks.

I thought joinmarkets were still pretty easy to unmix. If theres only 1 taker and for example 5 makers in a joinmarket coinjoin it should be pretty easy to unmix them if you watch to see which output get used as inputs for more coinjoins then they are makers and if you can determine which outputs were makers then you can determine which output is the taker by process of elimination.

This is the same problem with samurai wallets whirlpool right?
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Question for experienced JoinMarket users: How frequently do you participate in a remix as a maker?
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
LaurentMT confirms that Whirlpool's incentive model was designed to provide the least amount of anonymity possible: https://twitter.com/LaurentMT/status/1783589807668535563
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
This restriction is called “tx0”, it is a self spend transaction prior to the coinjoin that allows the trusted coordinator to custody the fee they charge in order to prevent DoS attacks from being costless. Once the coordinator’s fee is confirmed, they allow the outputs created from the premix tx0 to be added to their liquidity pools.

Some Whirlpool users were rugpulled because they paid coordinator fees in a separate transaction from their coinjoin: https://mempool.space/address/bc1q6dxnvx3wm40e4rtmye6fwy9zmwnqchnz04pzaa
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1

You are 100% correct ordinals has absolutely nothing to do with coinjoins.
Ordinals are filling blocks with transactions that are obviously not coinjoins. And the rest is Crateology.
https://en.wikipedia.org/wiki/Crateology

As I said take out ordinals, take out known TXs, take out what else they know from other services and you have a very small pool of txs moving at the moment.
Keeping an eye on all of them and figuring out what is going on where is a lot less difficult then if all the txs in blocks were 'real' transactions.

You don't seem to understand: Equal output coinjoins from JoinMarket, Whirlpool, and WabiSabi have a distinct on chain footprint that distinguish them from all other transactions regardless of whether those transactions are ordinals or not.

Mempool.space seems to have applied the "Coinjoin" tag to this Whirlpool tx0 transaction as well: https://mempool.space/tx/97a6b985f48c2faf4a3cb7c1e4b5a0ac230fd59aac33723101de9dd144bd735e
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
I believe it's not only about which CoinJoin tool you're using, it's also about HOW you use the tool. Simply, it's not enough to merely CoinJoin. The user has to do a lot more after the CoinJoin.

I wrote a blog describing how WabiSabi clients can avert future consolidation mistakes by preemptively remixing under certain scenarios: https://blog.wasabiwallet.io/exploring-secure-coinjoin-protocols/

This issue explains the assumptions a lazy attacker would make from observing spent coinjoin outputs and how to avoid imitating the known weakness of ZeroLink consolidations: https://github.com/zkSNACKs/WalletWasabi/issues/10565
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Is everyone still fighting over which CoinJoin is the best in Bitcoin Land?

Coinjoining takes time and block space, and since both are limited resources, the debate is consequential. No one wants to waste either.
legendary
Activity: 2898
Merit: 1823
Is everyone still fighting over which CoinJoin is the best in Bitcoin Land?

¯\_(ツ)_/¯

I believe it's not only about which CoinJoin tool you're using, it's also about HOW you use the tool. Simply, it's not enough to merely CoinJoin. The user has to do a lot more after the CoinJoin.

Quote

Something that can never be understated is that Bitcoin's privacy assurances are extremely subpar at the moment. It is possible to transact privately, but it is extremely hard. CoinJoins help a bit, but must be approached tactically. One must consider where their soon-to-be-mixed UTXOs came from, how many UTXOs they are mixing at once using the same service, how many other individuals they are mixing with, where they send the UTXOs post-mix, how they deal with change after spending mixed UTXOs, and co-mingling post-mix UTXOs just to name a few variables. I could go on much longer. The only way to figure out how to do this correctly is to study.

https://tftc.io/issue-599-coinjoin-ergobtc/


Both sides of the debate in the topic are probably right and wrong at the same time depending on the context.
newbie
Activity: 27
Merit: 8
I gave you some merit because at least you are trying smh
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Good reading on the matter "Heuristics for Detecting CoinJoin Transactions on the Bitcoin Blockchain".

They analyzed various implementations of Coinjoin including  JoinMarket,  Whirlpool and Wasabi (from 1.0 to 2.0), applied different heuristics to them and got some success.

Thanks for the resource.  Yes, this paper explains in more detail what I couldn't seem to get DaveF to understand:

Also, worth to read is the following -   "How a 27-year-old busted the myth of Bitcoin’s anonymity". - which shows that all depends on appropriate and adequate obstinacy of investigators,

This one, unfortunately, is not a good resource- It's a Craig Wright style propaganda piece that tries to steal credit from Satoshi and give it to a woman instead:

Quote from: arstechia
Satoshi had hinted at the privacy dangers this introduced. “Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner,” Satoshi wrote. “The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.”

So, as Meiklejohn’s first step, she simply tried the technique Satoshi had inadvertently suggested—across every bitcoin payment ever carried out

Satoshi's identification of this tracking method wasn't a "hint" and it wasn't "inadvertently", it's quite literally titled "Privacy" in the whitepaper. The author is simply trying to deceive readers into thinking this woman made a profound discovery when all she did was read the whitepaper.
hero member
Activity: 714
Merit: 1298
Good reading on the matter "Heuristics for Detecting CoinJoin Transactions on the Bitcoin Blockchain".

They analyzed various implementations of Coinjoin including  JoinMarket,  Whirlpool and Wasabi (from 1.0 to 2.0), applied different heuristics to them and got some success.

Also, worth to read is the following -   "How a 27-year-old busted the myth of Bitcoin’s anonymity". - which shows that all depends on appropriate and adequate obstinacy of investigators,

member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Avoiding my point, as usual.

I guess I didn't catch your point, can you refer to your quote and indicate what is lacking a response?  I'm still waiting for you to respond to my points above:

Personally, I combine toxic change with other toxic change where lack of privacy is minimum.

Why not use WabiSabi instead of Whirlpool so you don't have toxic change and have no lack of privacy at all?

You do not consolidate your private coins in the the coinjoin, but after it, using a mix partner.

If you are using a second coinjoin to solve the privacy flaw of the initial Whirlpool coinjoin, then why not just perform a single coinjoin that doesn't have the initial privacy flaw so you can cut through these two transactions?

Completely irrelevant and debunked already: https://bitcointalksearch.org/topic/m.63120005.

2 - Tx0 clearly pays the coordinator, and this output is easily identified. The privacy of Whirlpool coinjoins does not depend on this fee payment being secret. It does not matter if you and I both pay to the same coordinator address - there is zero loss of privacy.

So the Whirlpool coordinator's output is easily identified. That's unfortunate...

Let's compare this privacy loss in Whirlpool to a WabiSabi coinjoin where the coordinator fee adds to the anonymity set: Which output is the coordinator fee???  https://mempool.space/tx/74254011886f8bcbc19269030a07d3e63cee242492f7a32818152e51995e6d31

Because it makes a splash. Whirlpool has maximized the entropy, whereas in Wasabi there is address reuse, possible input and output collaborators, merges-- all of which would reduce the overall entropy.

At this point, I'm putting you back on ignore, because we're going on cycles, and you simply want to just say the last word. There is nothing constructive that I can make out of you.

You simply haven't looked into how coinjoins work at all since you are accusing WabiSabi of creating negative dust when it's clearly Whirlpool that's creating negative dust, and claim WabiSabi's Boltzmann score is worse despite not having calculated the score at all.  Numbers don't lie, but you do.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
I don't know what you mean by "A user is not warned from reusing an address", Satoshi very clearly warned that a new address should be used for each transaction
Avoiding my point, as usual.

The only address that a user does not have a choice whether or not they reuse is the address they pay the coordinator fee to.  The bug report submitted to the Whirlpool coordinator detailing the reuse of their receive addresses was deleted without any comment: https://web.archive.org/web/20231025112815/https://code.samourai.io/wallet/samourai-wallet-android/-/issues/462
Completely irrelevant and debunked already: https://bitcointalksearch.org/topic/m.63120005.

If you never calculated the Boltzmann score, then why did you claim the Boltzmann score for a WabiSabi coinjoin is "worse"?
Because it makes a splash. Whirlpool has maximized the entropy, whereas in Wasabi there is address reuse, possible input and output collaborators, merges-- all of which would reduce the overall entropy.



At this point, I'm putting you back on ignore, because we're going on cycles, and you simply want to just say the last word. There is nothing constructive that I can make out of you.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
So, to sum up. A user is not warned from reusing an address in both inputs and outputs of their coinjoin, despite being a complete waste of both money and privacy, because the coordinator does not want to be "malicious" and prevent potentially malicious activity. Makes sense.

I don't know what you mean by "A user is not warned from reusing an address", Satoshi very clearly warned that a new address should be used for each transaction:

I don't work at Samourai, so this is a disclaimer that I have not studied Boltzmann analysis to feel competence and confidence, but it is an attempt to resist against merged input heuristic and to identification of linking between coinjoin inputs and outputs; attacks made by blockchain analysis that you're proudly funding, and which can de-anonymize Wasabi coinjoins as they say. Description of these metrics can be found in Samourai's repo.

If you never calculated the Boltzmann score, then why did you claim the Boltzmann score for a WabiSabi coinjoin is "worse"?

There is an entire analysis technique called Boltzmann score that computes resistance to this potential linking. WabiSabi coinjoin is worse in that matter, as it appears in kycp.org.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
If this request is ignored, then the coordinator would have to propose a 5 input 4 output transaction to the participants that spends the ignored amount on the mining fee instead, or maliciously replace the missing output with their own address.
So, to sum up. A user is not warned from reusing an address in both inputs and outputs of their coinjoin, despite being a complete waste of both money and privacy, because the coordinator does not want to be "malicious" and prevent potentially malicious activity. Makes sense.

That's what I'm asking - I want to see this information that reduces the uncertainty for myself.  Using this coinjoin transaction, what information is revealed from these input and output merges that reduces the uncertainty?
I don't work at Samourai, so this is a disclaimer that I have not studied Boltzmann analysis to feel competence and confidence, but it is an attempt to resist against merged input heuristic and to identification of linking between coinjoin inputs and outputs; attacks made by blockchain analysis that you're proudly funding, and which can de-anonymize Wasabi coinjoins as they say. Description of these metrics can be found in Samourai's repo.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Why not use WabiSabi instead of Whirlpool so you don't have toxic change and have no lack of privacy at all?
Repeated soundbite. I ignore.

I didn't repeat myself, this was the first time I've asked you why you would choose to create toxic change from coinjoining that causes privacy loss instead of choosing not to create toxic change from coinjoining to keep your privacy.

You do not consolidate your private coins in the the coinjoin, but after it, using a mix partner.

If you are using a second coinjoin to solve the privacy flaw of the initial Whirlpool coinjoin, then why not just perform a single coinjoin that doesn't have the initial privacy flaw so you can cut through these two transactions?

Yes, it does. Alice can normally register her bc1qalice input, and the coordinator will refuse to create a bc1qalice output. The attacker can be ignored.

If this request is ignored, then the coordinator would have to propose a 5 input 4 output transaction to the participants that spends the value from the ignored output on the mining fee instead, or replace the missing output with their own address.

I said:
WabiSabi coinjoins literally have identifiable input and output merges

That does not mean I can de-anonymize the outputs with certainty, as I can with a 20 inputs 1 output transaction. I can only say for sure that there is information which can reduce the uncertainty, and which does not appear in Whirlpool. See yourself: https://kycp.org/#/323df21f0b0756f98336437aa3d2fb87e02b59f1946b714a7b09df04d429dec2.

That's what I'm asking - I want to see this information that reduces the uncertainty for myself.  Using this coinjoin transaction, what information is revealed from these input and output merges that reduces the uncertainty?

Probably because Samourai's implementation of Boltzmann score's computation is not optimized; I just cloned their repo, entered a Wasabi transaction, and it's still loading. WabiSabis are very big in size, not even oxt.me has worked it out (TX ENTROPY is N/A in summary). Maybe I optimize it once I find the time.

So you're saying that WabiSabi is too powerful for the Boltzmann analysis technique to handle  Cool
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Why not use WabiSabi instead of Whirlpool so you don't have toxic change and have no lack of privacy at all?
Repeated soundbite. I ignore.

You can't consolidate UTXOs in a Whirlpool coinjoin, there are always an equal amount of inputs and outputs.
You do not consolidate your private coins in the the coinjoin, but after it, using a mix partner.

Having the coordinator ban Alice because Bob registered an output to her input address doesn't solve the DoS issue.
Yes, it does. Alice can normally register her bc1qalice input, and the coordinator will refuse to create a bc1qalice output. The attacker can be ignored.

You claimed before that these input and output merges are "literally identifiable" but you are literally unable to identify any additional information presented by these merges taking place at all.
I said:
WabiSabi coinjoins literally have identifiable input and output merges

That does not mean I can de-anonymize the outputs with certainty, as I can with a 20 inputs 1 output transaction. I can only say for sure that there is information which can reduce the uncertainty, and which does not appear in Whirlpool. See yourself: https://kycp.org/#/323df21f0b0756f98336437aa3d2fb87e02b59f1946b714a7b09df04d429dec2.

It says "no Boltzmann available" for WabiSabi coinjoins on kycp.org.
Probably because Samourai's implementation of Boltzmann score's computation is not optimized; I just cloned their repo, entered a Wasabi transaction, and it's still loading. WabiSabis are very big in size, not even oxt.me has worked it out (TX ENTROPY is N/A in summary). Maybe I optimize it once I find the time.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Personally, I combine toxic change with other toxic change where lack of privacy is minimum.

Why not use WabiSabi instead of Whirlpool so you don't have toxic change and have no lack of privacy at all?

It has been said multiple times already that it allows you to consolidate them with a mix partner. At this point, you're just repeating the same soundbites. WabiSabi != Whirlpool, so yeah, it doesn't allow you to consolidate just as WabiSabi does.

You can't consolidate UTXOs in a Whirlpool coinjoin, there are always an equal amount of inputs and outputs.

No. The coordinator would simply refuse to work on a coinjoin where outputs contain addresses from inputs, just as you've programmed it to refuse "naughty" coins.

Having the coordinator ban Alice because Bob registered an output to her input address doesn't solve the DoS issue.

Nothing is provably revealed, in the sense that I can be 100% sure to ownership identification, just as if I send all of my coins to a single address, you can't tell if it was self-transfer or I spent them to a merchant. But, privacy is about possibilities, and input / output collaborations and merges only worsen uncertainty.

What possibilities were eliminated by the 262 input collaborators and 294 output collaborators in the WabiSabi coinjoin you linked? https://kycp.org/#/710d395ca20709096a0778927cb960a466be675b188a234b9b52ffb88bb97a3e

You claimed before that these input and output merges are "literally identifiable" but you are literally unable to identify any additional information presented at all from these merges taking place.

There is an entire analysis technique called Boltzmann score that computes resistance to this potential linking. WabiSabi coinjoin is worse in that matter, as it appears in kycp.org.

It says "no Boltzmann available" for WabiSabi coinjoins on kycp.org.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
What should users do with their Whirlpool change since they can't spend it to anyone besides the specific source who originally sent them the coins in the first place?
Personally, I combine toxic change with other toxic change where lack of privacy is minimum. I don't use it that much anymore though, because Monero is simply superior than both of you. There is an entire article on what to do with toxic changes, though: https://bitcoiner.guide/doxxic/.

It is Whirlpool's fault because Whirlpool doesn't allow you to consolidate your coins privately like WabiSabi enables.
It has been said multiple times already that it allows you to consolidate them with a mix partner. At this point, you're just repeating the same soundbites. WabiSabi != Whirlpool, so yeah, it doesn't allow you to consolidate just as WabiSabi does.

Your solution would allow Bob to DoS the coinjoin coordinator by choosing an output address that matches one of the input addresses.
No. The coordinator would simply refuse to work on a coinjoin where outputs contain addresses from inputs, just as you've programmed it to refuse "naughty" coins.

What information was revealed from the 262 input collaborators and 294 output collaborators in the WabiSabi coinjoin you linked? https://kycp.org/#/710d395ca20709096a0778927cb960a466be675b188a234b9b52ffb88bb97a3e
Nothing is provably revealed, in the sense that I can be 100% sure to ownership identification, just as if I send all of my coins to a single address, you can't tell if it was self-transfer or I spent them to a merchant. But, privacy is about possibilities, and input / output collaborations and merges only worsen uncertainty. There is an entire analysis technique called Boltzmann score that computes resistance to this potential linking. WabiSabi coinjoin is worse in that matter, as it appears in kycp.org.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Unless the user approves linking the outputs together. Sure, generally speaking it is a bad practice, because you reveal common ownership, but if you mix regularly and receive coins from a specific source, then consolidating toxic change with other toxic change might be acceptable by the user.

What should users do with their Whirlpool change since they can't spend it to anyone besides the specific source who originally sent them the coins in the first place?

The user chose to consolidate a dozen private coins into one. I agree it was a very bad practice, but it is not Whirlpool's fault.

It is Whirlpool's fault because Whirlpool doesn't allow you to consolidate your coins privately like WabiSabi enables.

Yes, do not allow the coordinator to accept creating outputs with the same addresses as the inputs. Why would Bob pay another input of the coinjoin?

Your solution would allow Bob to DoS the coinjoin coordinator by choosing an output address that matches one of the input addresses.

WabiSabi coinjoins literally have identifiable input and output merges, which I agree that they happen on multiple coinjoins that obscure the ownership, but reveal quite a lot of information. See kycp.org/#about on input / output collaborations and merges.

What information was revealed from the 262 input collaborators and 294 output collaborators in the WabiSabi coinjoin you linked? https://kycp.org/#/710d395ca20709096a0778927cb960a466be675b188a234b9b52ffb88bb97a3e
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Whirlpool change should ABSOLUTELY NOT BE SPENT with other change because it will link both payments that created those change outputs together.
Unless the user approves linking the outputs together. Sure, generally speaking it is a bad practice, because you reveal common ownership, but if you mix regularly and receive coins from a specific source, then consolidating toxic change with other toxic change might be acceptable by the user.

You don't seem to understand, This user already Whirlpooled his coins and he was traced anyways
The user chose to consolidate a dozen private coins into one. I agree it was a very bad practice, but it is not Whirlpool's fault.

It's not a software problem:  Can you explain how to fix this "software problem" of an address being reused on both sides of a coinjoin?
Yes, do not allow the coordinator to accept creating outputs with the same addresses as the inputs.

Alice registers an input from bc1qalice
Bob registers an input from bc1qbob
Alice registers an output to bc1qanonalice
Bob registers an output to bc1qalice
Why would Bob pay another input of the coinjoin?

WabiSabi does not share Whirlpool's problem of revealing input consolidation in payments because you can send payments directly to its destination in the coinjoin itself.
WabiSabi coinjoins literally have identifiable input and output merges, which I agree that they happen on multiple coinjoins that obscure the ownership, but reveal quite a lot of information. See kycp.org/#about on input / output collaborations and merges.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
And it is the user's fault to consolidate badbank change with private coins. Change should be spent with other change, and not with private coins, which is the reason why Sparrow doesn't even allow you to mess that up, unless you deliberately combine them in a separate transaction.

It is very avoidable. You simply choose to never combine change and private coins in one transaction.

Whirlpool change should ABSOLUTELY NOT BE SPENT with other change because it will link both payments that created those change outputs together.  Satoshi identified this common input heuristic in the Bitcoin whitepaper:

The Whirlpool user can gather change, and once the amount is sufficient, send them over to Whirlpool.

You don't seem to understand, This user already Whirlpooled his coins and he was traced anyways:

Here's the user's Whirlpool premix transaction: https://mempool.space/tx/63679c9ec82f246811acbab0c04cc0fc77ba050e1b6c23661d78afcfc13cf8aa
Here's the Whirlpool postmix transaction where the user was tracked: https://mempool.space/tx/ce2f84f7c5ff74fb1da103acb7b279bd34f02f5e9e3a2e1b6417ce8b9b7392db

Good, so we agree. The problem with Wasabi 1.0 was that it reused addresses in both sides, which is 100% a software problem.

It's not a "software problem":  Can you explain how to fix this "software problem" of an address being reused on both sides of a coinjoin?

Alice registers an input from bc1qalice
Bob registers an input from bc1qbob
Alice registers an output to bc1qanonalice
Bob registers an output to bc1qalice

Alice's address is being reused on the input side and the output side of the coinjoin.  Clearly, Alice would want to sign this coinjoin transaction if it pays both bc1qalice and bc1qanonalice since she's getting more money than she expected initially.  Can you explain how Alice receiving extra money would be a "software problem"?

The problem with WabiSabi coinjoins is the same as with consolidating Whirlpool private coins without a mix partner; input / output merges, which possibly belong to the same wallet.

WabiSabi does not share Whirlpool's problem because you can send payments directly to its destination in the WabiSabi coinjoin itself without revealing multiple inputs belong to the same wallet.

WabiSabi coinjoins contain lots of them. Have you checked the kycp.org link?

Yes, I already educated you how kycp has identified the remixing that WabiSabi users participate that massively increases their privacy:

Where's the flaw?  All those outputs are private.
There are 262 input and 294 output collaborators

That's called "remixing", those 262 inputs and 294 outputs gained even more privacy by participating in multiple coinjoin transactions.  It's not a flaw, it's an advantage, because someone trying to track the flow of someone's coins now have to consider inputs from previous transactions and spends from future transactions.

legendary
Activity: 1512
Merit: 7340
Farewell, Leo
They don't want to create change outputs though because the change addresses in Whirlpool are completely traceable: change can't be spent without linking your transactions together.  These 305 sat and 933 sat Whirlpool outputs are in addresses 100% deterministically linked to the original owner, whereas the 5000 and 6561 sat outputs from WabiSabi are spendable because they are completely anonymous.
And it is the user's fault to consolidate badbank change with private coins. Change should be spent with other change, and not with private coins, which is the reason why Sparrow doesn't even allow you to mess that up, unless you deliberately combine them in a separate transaction.

Spending received coins and Whirlpool change together links those two transactions together.  This isn't a feature, it's an unavoidable privacy leak
It is very avoidable. You simply choose to never combine change and private coins in one transaction.

So you think the Whirlpool user should consolidate their postmix outputs within a WabiSabi coinjoin to add mix partners?  Makes sense.
The Whirlpool user can gather change, and once the amount is sufficient, send them over to Whirlpool.

If a user chooses to reuse a receive address for multiple payments, that's a conscious choice, not a problem with the software.
Good, so we agree. The problem with Wasabi 1.0 was that it reused addresses in both sides, which is 100% a software problem. The problem with WabiSabi coinjoins is the same as with consolidating Whirlpool private coins without a mix partner; input / output merges, which possibly belong to the same wallet. WabiSabi coinjoins contain lots of them. Have you checked the kycp.org link?
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
What do you think of the dust problem in Whirlpool that wastes money for even smaller outputs?  https://web.archive.org/web/20231025112756/https://code.samourai.io/wallet/samourai-wallet-android/-/issues/461
You have already received your reply. Users are free to mess with their privacy and money. The client should not recommend them to do so, but if they nonetheless want to create dust outputs, they are free to do so. In the given transaction, it is clear that this was a conscious choice made by the user.

They don't want to create change outputs though because the change addresses in Whirlpool are completely traceable: change can't be spent without linking your transactions together.  These 305 sat and 933 sat Whirlpool outputs are in addresses 100% deterministically linked to the original owner, whereas the 5000 and 6561 sat outputs from WabiSabi are spendable because they are completely anonymous.

... yes? That's because spending your received coins and change together is generally considered a feature?

Spending received coins and Whirlpool change together links those two transactions together.  This isn't a feature, it's an unavoidable privacy leak.

You showed proof of a Whirlpool user consolidating the many post-mix outputs into one, which agrees with my initial statement that the user is free to mess up with their privacy. If you use Whirlpool in Sparrow wallet, trying to consolidating all these will warn you that it will appear as a self-transfer, and instead will suggest you into adding a mix partner.

So you think the Whirlpool user should consolidate their postmix outputs within a WabiSabi coinjoin to add mix partners?  Makes sense.

I don't think there's a problem with the user consciously deciding to harm their privacy and pocket. I think the problem lies with software that harms the user's privacy without them knowing.

If a user chooses to reuse a receive address for multiple payments, that's a conscious choice, not a problem with the software. For example, this Whirlpool user combined his traceable premix change output with his postmix outputs that were sent to a reused address:

Whirlpool premix transaction: https://mempool.space/tx/f7e015cc5f84517e45c107e3c8385b49f6f5a1196ef87fe84f495754272387f5
Whirlpool traceable change address: bc1q86n54k0f6gadrkhdsdut9r6ej3d8j68udrxggs
Whirlpool postmix outputs in reused address merged with traceable change: https://mempool.space/tx/983c459268435613fa8a19eebb7d80afae76f684ca5a2481877b37a41aab5e5a
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
What do you think of the dust problem in Whirlpool that wastes money for even smaller outputs?  https://web.archive.org/web/20231025112756/https://code.samourai.io/wallet/samourai-wallet-android/-/issues/461
You have already received your reply. Users are free to mess with their privacy and money. The client should not recommend them to do so, but if they nonetheless want to create dust outputs, they are free to do so. In the given transaction, it is clear that this was a conscious choice made by the user.

Using a different derivation path for the change output didn't stop those Whirlpool addresses from being linked together.
... yes? That's because spending your received coins and change together is generally considered a feature?

Furthermore, I showed the proof of how I linked postmix Whirlpool outputs to the premix transaction that generated it, which no one ever addressed at all
You showed proof of a Whirlpool user consolidating the many post-mix outputs into one, which agrees with my initial statement that the user is free to mess up with their privacy. If you use Whirlpool in Sparrow wallet, trying to consolidating all these will warn you that it will appear as a self-transfer, and instead will suggest you into adding a mix partner.

Okay, since you seem to think there's a problem, what is the solution to the problem you are describing?  How should the coinjoin protocol be changed?
I don't think there's a problem with the user consciously deciding to harm their privacy and pocket. I think the problem lies with software that harms the user's privacy without them knowing.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
A segwitv0 output is 31 vbytes, but a witness input is around 68. That's 99 vb, multiplied by 37.5 = 3712.5. Yes, it is less than I wrongly calculated, but it is still waste of money for such a small output.

What do you think of the dust problem in Whirlpool that wastes money for even smaller outputs?  https://web.archive.org/web/20231025112756/https://code.samourai.io/wallet/samourai-wallet-android/-/issues/461

Tell me why anyone would ever lose their sats deliberately by creating these traceable Whirlpool dust outputs:

https://mempool.space/address/bc1qp25y8kfywz88myuh7ed3dmx3vv2z2dwuxhjnlv

Value of output: 305 sats
Mining fee paid to create output: 369 sats
Mining fee paid to spend input: 1,776 sats
Net loss from dust bug: 1,840 sats
New transactions clustered: 5 txs

https://mempool.space/address/bc1q83sfgfefwupz8w3faawxjr5v8uf03ttjclrkda

Value of output: 933 sats
Mining fee paid to create output: 1,234 sats
Mining fee paid to spend input: 4,333 sats
Net loss from dust bug: 4,634 sats
New transactions clustered: 12 txs

I'm good at quoting old posts as well:
As has been explained to Kruw dozens of times, the change output from Tx0s are sent to a separate account and deliberately segregated from your other UTXOs. There is no way to accidentally include them in a transaction. Any user consolidating their change output as has been done in the transaction he has linked to above is doing so deliberately. I understand that Kruw gets angry when people spend their bitcoin in ways that he personally doesn't approve of, but there is no bug here, just Kruw either being deliberately misleading or simply not understanding what is happening.

Using a different derivation path for the change output didn't stop those Whirlpool addresses from being linked together.

Furthermore, I showed the proof of how I linked postmix Whirlpool outputs to the premix transaction that generated it, which no one ever addressed at all:

The first is the fee to Whirlpool itself, which is a flat fee depending on the pool you are joining.

The flat pool entry fee structure is designed to incentivize worst privacy practices.  Since fees are not collected directly based on volume, it is cheaper to participate in a smaller pool and create more outputs than participate in a larger pool and create less outputs. Additionally, it incentivizes revealing common inputs ownership of premix UTXOs since it is cheaper to consolidate them to enter the pool once than to enter the pool with each UTXO individually.  Samourai has never explained why they purposely chose a fee structure that heavily penalizes the most private usage of their protocol.

Because of this backwards design, you can easily link premix inputs to postmix outputs in many cases.  Notice how this Whirlpool tx0 premix creates 70 outputs for 0.05 BTC - https://mempool.space/tx/63679c9ec82f246811acbab0c04cc0fc77ba050e1b6c23661d78afcfc13cf8aa

Notice how every single input of this Whirlpool exit transaction is a direct descendant of rounds created by the aforementioned premix transaction: https://mempool.space/tx/ce2f84f7c5ff74fb1da103acb7b279bd34f02f5e9e3a2e1b6417ce8b9b7392db

When many inputs used in the postmix exit transaction are created directly from a round that the premix transaction entered, it makes it trivial to trace the user through Whirlpool.  Fortunately, the user abandoned Whirlpool and upgraded to using the WabiSabi coinjoin protocol instead, which made him completely untraceable: https://mempool.space/address/bc1qjjw5gaglkycu2lm5fskl7qhktk0hec4a5me3da

As you noted already, the service does not choose the addresses, users choose their own addresses
B-b-but, I thought this ethos was unacceptable.  Sad

I guess I can't argue against someone who takes the stance "Wasting your Bitcoin and ruining your privacy should be allowed."

I know, I know... Just another confusion in the name of privacy!  Cheesy

Okay, since you seem to think there's a problem, what is the solution to the problem you are describing?  How should the coinjoin protocol be changed?
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Your math is wrong:  At 37.5 sats/vbyte, it costs 1163 sats to create a segwitv0 output (31 vbytes) and 1612.5 sats to create a Taproot output (43 vbytes).  Smart WabiSabi clients make sure to choose outputs that aren't dust: https://github.com/zkSNACKs/WalletWasabi/issues/10675
A segwitv0 output is 31 vbytes, but a witness input is around 68. That's 99 vb, multiplied by 37.5 = 3712.5. Yes, it is less than I wrongly calculated, but it is still waste of money for such a small output.

(quoting old soundbites)
I'm good at quoting old posts as well:
As has been explained to Kruw dozens of times, the change output from Tx0s are sent to a separate account and deliberately segregated from your other UTXOs. There is no way to accidentally include them in a transaction. Any user consolidating their change output as has been done in the transaction he has linked to above is doing so deliberately. I understand that Kruw gets angry when people spend their bitcoin in ways that he personally doesn't approve of, but there is no bug here, just Kruw either being deliberately misleading or simply not understanding what is happening.

As you noted already, the service does not choose the addresses, users choose their own addresses
B-b-but, I thought this ethos was unacceptable.  Sad

I guess I can't argue against someone who takes the stance "Wasting your Bitcoin and ruining your privacy should be allowed."

I know, I know... Just another confusion in the name of privacy!  Cheesy
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
BlackHatCoiner, you still haven't followed up on our original conversation about me linking Whirlpool addresses together:

BlackHatCoiner, you merited a post above but you haven't responded to your previous conversation:

Look. I agree you believe you educate people about Bitcoin privacy, but we have repeated this conversation around solutions for privacy quite a lot of times. The fact that you still quote these whirlpool messages, as if they even mean something substantial, shows with what tenacity you're trying to sabotage Samourai.

What do you mean "as if they even mean something substantial"?  These Whirlpool addresses are linked to each other.

What's dust? Gimme my 5000 sat that costed more than double that amount to be created!

Your math is wrong:  At 37.5 sats/vbyte, it costs 1163 sats to create a segwitv0 output (31 vbytes) and 1612.5 sats to create a Taproot output (43 vbytes).  Smart WabiSabi clients make sure to choose outputs that aren't dust: https://github.com/zkSNACKs/WalletWasabi/issues/10675

However, Whirlpool clients create traceable dust outputs that cost more than their value to create.  I reported this to Samourai, but the bug report was deleted without comment: https://web.archive.org/web/20231025112756/https://code.samourai.io/wallet/samourai-wallet-android/-/issues/461

Tell me why anyone would ever lose their sats deliberately by creating these traceable Whirlpool dust outputs:

https://mempool.space/address/bc1qp25y8kfywz88myuh7ed3dmx3vv2z2dwuxhjnlv

Value of output: 305 sats
Mining fee paid to create output: 369 sats
Mining fee paid to spend input: 1,776 sats
Net loss from dust bug: 1,840 sats
New transactions clustered: 5 txs

https://mempool.space/address/bc1q83sfgfefwupz8w3faawxjr5v8uf03ttjclrkda

Value of output: 933 sats
Mining fee paid to create output: 1,234 sats
Mining fee paid to spend input: 4,333 sats
Net loss from dust bug: 4,634 sats
New transactions clustered: 12 txs

Oh! It's supposed to confuse the observers of the coinjoin, that explains everything! Let's start reusing addresses in both inputs and outputs then, as in Wasabi 1.0. That will definitely help, because we will confuse chain analysis even more. Why kind of a clown service reuses addresses in both sides in the first place? That will leave them so speechless that they will give up!

As you noted already, the service does not choose the addresses, users choose their own addresses:

Come on, kayirigi. Get over it, it's clearly the user's fault!
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
15 address reuses
13 exit merges
233 inputs linked
236 outputs linked
Come on, kayirigi. Get over it, it's clearly the user's fault!  Grin

Cya privacy! And extra extra bonus of HUNDREDS of outputs ground in to dust. 5000sats? 6561sats? Losing money for Wabisabi coinjoins which don't work!
What's dust? Gimme my 5000 sat that costed more than double that amount to be created!

This is exactly the sort of confusion a coinjoin is designed to cause
Oh! It's supposed to confuse the observers of the coinjoin, that explains everything! Let's start reusing addresses in both inputs and outputs then, as in Wasabi 1.0. That will definitely help, because we will confuse chain analysis even more. Why kind of a clown service reuses addresses in both sides in the first place? That will leave them so speechless that they will give up!
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
So exit merge on Wabisabi good. But exit merge on Whirlpool bad. LOL. And you think people believe this BS from a Wasabi worker?

As you demonstrated, you weren't you able to identify the inputs owned by the user who merged their outputs in WabiSabi.

WabiSabi exit: https://mempool.space/tx/9273410e2994fa02fb1baa071d84a44fb4ad12ceba50a46eadfd24cf0dd7efa6
WabiSabi entrance: Huh

As I demonstrated, I was clearly able to identify the inputs owned by the user who merged their outputs in Whirlpool:

Whirlpool exit: https://mempool.space/tx/ce2f84f7c5ff74fb1da103acb7b279bd34f02f5e9e3a2e1b6417ce8b9b7392db
Whirlpool entrance: https://mempool.space/tx/63679c9ec82f246811acbab0c04cc0fc77ba050e1b6c23661d78afcfc13cf8aa

Only WabiSabi preserved privacy in this case, while Whirlpool leaked the origin of the funds.
jr. member
Activity: 35
Merit: 35
blah blah blah stupidity

So exit merge on Wabisabi good. But exit merge on Whirlpool bad. LOL. And you think people believe this BS from a Wasabi worker?

And you ignore 100% deterministic links. And address reuse.  Grin Grin Grin

Wabisabi is a scam.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
BlackHatCoiner, you merited a post above but you haven't responded to your previous conversation:

Look. I agree you believe you educate people about Bitcoin privacy, but we have repeated this conversation around solutions for privacy quite a lot of times. The fact that you still quote these whirlpool messages, as if they even mean something substantial, shows with what tenacity you're trying to sabotage Samourai.

What do you mean "as if they even mean something substantial"?  These Whirlpool addresses are linked to each other.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Feel free to try to trace a WabiSabi coinjoin yourself, no one else has been able to do it:

https://kycp.org/#/1ca4743bd12bc54cd19233f0807ae8b7faec7fdce695f72f345b99d0200ef3d5

15 address reuses
13 exit merges
233 inputs linked
236 outputs linked

This is exactly the sort of confusion a coinjoin is designed to cause Grin  You mistakenly thought that multiple inputs being spent together meant that they were linked to the same owner, but a coinjoin has inputs from multiple owners in the same transaction!

https://kycp.org/#/ad5516f70697af7c9b14297bb4eb1249bee216b7976b7c50f2369a89afb86975

2 address reuses
2 exit merges
This one with extra bonus of 100% deterministic link between input and output!

Here is the exit merge transaction spending 2 outputs from the coinjoin worth 0.1 BTC each - 9273410e2994fa02fb1baa071d84a44fb4ad12ceba50a46eadfd24cf0dd7efa6 - let's analyze them:

In the coinjoin, there are 13 outputs for 0.1 BTC:

bc1qzy2dlcau905jwaktrlnqd7q2uu8m6296xe0y0t <- Exit merged
bc1qykz79d67prjv73wej032kreyysumvg54wlqsc3
bc1qfdt9na0vqu94y0ltz97fg6ep0nztqrlhj4e6as
bc1q26vktzc3uqhld6kgf0c0zgldh4t7wp665kfwm7
bc1qvged8zxdpcsxc3qe2pl62lsl3neprltrvtspn3
bc1qsl2sp0t87rsau6tusy465p9e5vq7r9y0ldns6a
bc1qjpmncaadtk5ef32km44xa5z0mzsden78ev66ws
bc1q5t00axlmeyg7crkq4rlh2qevdz8lcud8gl2q8h <- Exit merged
bc1qe3s0vlsvu3rhd7w7dsswsgdj5k2t99e0f90a9n
bc1q7whl0n3dvu5n3tjqd4g4r7antz70t96mhepn6v
bc1q7cnu23w5rxlktdhm7322y7spe8kyj98dl6stwf
bc1pdu3xkqcpwd6x9uhhy5rh536nevj9vzqkpqmnqjqkhuwpqp9zgrssjh3gwa
bc1pkmkkpug5z2w6pn80kwlyev7v5nw6rukjae4cha2mz6vusz0ef98q5vcv9d

By consolidating two inputs for 0.1 BTC in the payment, the owner retroactively reveals a coinjoin output value of 0.2 BTC.  Does this cause him to lose any privacy?  Let's check the original coinjoin transaction to find out...

In the coinjoin, there are are 9 outputs for 0.2 BTC:

bc1qxcfcgdqey4yc3cqjknea2spe8mw2r0k7n083t2
bc1qwezuexwx4lvafeg34ctzpny64fu3t9w8ngtngg
bc1qs3ztep3w80pm3wz4htj2h9x4ewdug4hzaphfve
bc1quqzcseygmad87g4plgf9yuxzss5r5q72w9g3w2
bc1qu7uj5tcdj5s2e23t08v0rsneejvfd6n0qrxf36
bc1qu77gevtnq6uky0vpjpl2ru96lus58p38qmpywc
bc1p2mzlp34rqsyv7u28y6xdpypqapc8aeeuczuaaqzkv9snmnsenj2sw0uny9
bc1p742nnv0774t5gk8lt72t02wuupapt47dx00ddsq45zl9gedcw22qp3ayg2
bc1plmzmhejjuqykvnf00mue54egap3kjtl5qtcdzf4q6k7v87q34lqs37z3t5

The user stayed anonymous when merging his two 0.1 BTC outputs together since there's many possible ways to create 0.2 BTC as an output from the inputs of the original coinjoin.  This transaction demonstrates how the "smart clients" arrange their output values so that merging smaller matching outputs together results in creating a larger amount with additional matches!

This exit merge proves that even smaller denominations than 0.1 BTC are now also possible combinations that would add up to 0.2 BTC, adding even more anonymity!  Let's check the original coinjoin transaction again to find some...

In the coinjoin, there are are 13 outputs for 0.05 BTC:

bc1qyttl3f9wu2zm3dwnytavs6eqk00glc3xng43ea
bc1qye0g8qdjdl48c5hx7a69t5ekcgcemfrhx9z6sr
bc1qxrgu0lv0ps50c9nf2efjq5zfdfruxejmfu8g8y
bc1qgpwc5803au9cs95u38yz64jhdjrkpp4j249n9u
bc1qt2wugrvm5nts263he4aj2ky2pghhdl90j0lx03
bc1qvzanwhhyf2tfcds3rts958jun84ves3xtc3gcp
bc1qvgmnh5fzrqzx7uhhrcw6emzmktj4atqpn7ev9m
bc1qdm9ae8rq0403ga5rshvw4vjd507t8chu4fn40k
bc1q0ltpdzchc6eeytaafl7muhscdfejr2w269a8xl
bc1q3z5cj7sx53lq8sqdkmflce0dzsaj6437zzqj3p
bc1qhm4cd97znryr6rx4wqrsjj2shcpl44hhmsf8hz
bc1qcww2qypj47vz52uw5y8m7cn7y8vvfxx7tnrajq
bc1pncyek7s2m3tc9kwkswqnja8309gtmjgsykpa5jyahhv7yuavyugqlfpee5

On top of the possibilities of creating one output for 0.2 BTC, or two outputs for 0.1 BTC, it's also possible a user with 0.2 BTC on the input side created 4 outputs for 0.05 BTC instead!

___________________________________________________________________

How does this compare to Whirlpool exit transactions?  Here's the kycp analysis of the Whirlpool exit transaction I traced in the OP: https://kycp.org/#/ce2f84f7c5ff74fb1da103acb7b279bd34f02f5e9e3a2e1b6417ce8b9b7392db

All 20 postmix outputs merged were a direct descendant the same premix transaction, making it trivial to unmix.  Unlike JoinMarket or WabiSabi, this user is not in control of remixing, he is dependent on the Whirlpool coordinator to push his coins deeper into the pool.
jr. member
Activity: 35
Merit: 35

Feel free to try to trace a WabiSabi coinjoin yourself, no one else has been able to do it:


https://kycp.org/#/1ca4743bd12bc54cd19233f0807ae8b7faec7fdce695f72f345b99d0200ef3d5

15 address reuses
13 exit merges
233 inputs linked
236 outputs linked

Cya privacy! Let's do another!

https://kycp.org/#/ad5516f70697af7c9b14297bb4eb1249bee216b7976b7c50f2369a89afb86975

2 address reuses
2 exit merges
This one with extra bonus of 100% deterministic link between input and output!

Cya privacy! And extra extra bonus of HUNDREDS of outputs ground in to dust. 5000sats? 6561sats? Losing money for Wabisabi coinjoins which don't work!
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Chainalysis can demix Wabisabi protocol and do this for OFAC. Wabisabi is the only one of three coinjoin protocols which can be demixed like this.

Here is government contract with Chainalysis
https://archive.is/1zU9t

You are lying, the document you linked was published a year before the WabiSabi protocol was in production.

Feel free to try to trace a WabiSabi coinjoin yourself, no one else has been able to do it:

you don't need to be a "whale" at all in order to receive absolutely zero privacy from a Wasabi coinjoin.

Okay then, I'll call your bluff again- Here's 20 non whale non matching outputs from WabiSabi coinjoins, try to identify the inputs owned by even a single one of the 20 outputs (which would be 5%):

01 bc1q032caguldmlrrztmrwhv5wqveyywdu2rtmd740
02 bc1q6vgwhsfkg343mmh27vc6prg3clsd4xu3p68vyd
03 bc1qre8jjpu8p9taw8j44r39z56vfr4sw64d4wyaj4
04 bc1qarharg76gfcrvskfw46f67vtqzd6hxa9pnspp5
05 bc1q4sexgt2p96x3ytnjjttp59w6mkj00kedal3xze
06 bc1qwrf50wpjws5mhdg2rhdu5hy7nqdtl8z94lp75n
07 bc1qz0tal2udfpr20x793fdw6v8lzp2qze7z5zje64
08 bc1qqw2h7fa3n8vyxgqru664fmft2trl9sqh9kz3fp
09 bc1qsud748whmum4gpt2qu52z8gqlgzcjyvhd5w2a5
10 bc1qctvxddyvxupjj8w82m8w5grzn59arstlrnaauw
11 bc1qq2fl05cmmhkr3pzg8elyr859v2fpcltynrk2j5
12 bc1qvwkrd3aecrvql5j8mqkmketvw6g6qwzt4juprq
13 bc1qhc2565fac4lrgyfq6n0mzc0l86jeptfnv2um9x
14 bc1qat6445gutyl3qdz3zhmdng9cdt92mevjlvaljs
15 bc1qk5f3mz0fetccey4nyyjedlrmqstkz2hmun96ha
16 bc1q4tpvm378a9d4n0xcnjtwfwujtr8eatjzvru8dx
17 bc1qd5epyjpj6vuejdppj24wew5n4n5rzepjx2xnay
18 bc1qgafud63me5mffn00g90ch08jjn5h20umzwxd62
19 bc1q5u3f2ldrtqa7ea79a8hcd8kssgw2gmalk4uej9
20 bc1qa6n7g7r4j3nv78gzgzmuvg56em4guppckqpz7r
jr. member
Activity: 35
Merit: 35
Chainalysis can demix Wabisabi protocol and do this for OFAC. Wabisabi is the only one of three coinjoin protocols which can be demixed like this.

Here is government contract with Chainalysis
https://archive.is/1zU9t
Quote
Chainalysis Rumker licenses include Observations and Nodes, which help locate where server nodes are running.  This license also includes Wasabi Demixing services at no additional cost to OFAC, and with no limits to the number of requests.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
There's 0 mention of keyword "tor" or "onion" on it's documentation though https://docs.btcpayserver.org/Wabisabi/. Although i didn't watch included youtube video.

Yes, it doesn't appear the docs are extremely thorough for the coinjoin plugin.  Here's the big red /!\ warning message that appears in BTCPay Server if you try to coinjoin with Tor off: https://github.com/raspiblitz/raspiblitz/issues/3729

I would go further and say you absolutely should connect it to your own node. Samourai suffers from the same issue as does every light wallet, in that the entity running the server you connect to can link all your addresses together (as well as your IP, but obviously you should be running over Tor).

Whirlpool does use a central coordinator, so it is absolutely vital that you use it with your own node and Tor to keep your privacy from the central coordinator.

Whirlpool clients have Tor disabled by default, so I opened an issue to get a warning added to Samourai Wallet about the privacy leak, but they said that any PR that adds this warning will not be merged: https://web.archive.org/web/20230417145554/https://code.samourai.io/wallet/samourai-wallet-android/-/issues/458
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
At very least, BTCPay doesn't use Tor by default and in certain cases i expect to detect whether it's deanonymization attempt or network problem.

Tor is used by default for the WabiSabi coinjoin plugin in BTCPay Server.

There's 0 mention of keyword "tor" or "onion" on it's documentation though https://docs.btcpayserver.org/Wabisabi/. Although i didn't watch included youtube video.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
That makes sense. But it heavily depends on whether client or software you use have ability to mitigate those attack.

Yep, I'm excluding any wallet level implementation details and focusing on the protocols. As you indicated further on, the most trivial way to forfeit privacy in this process is reuse the same IP address for each "identity" you assume:

At very least, BTCPay doesn't use Tor by default and in certain cases i expect to detect whether it's deanonymization attempt or network problem.

Tor is used by default for the WabiSabi coinjoin plugin in BTCPay Server.

Is that from section 7.1.2? What exactly do you mean by marginal cost?

Yes, that's the section.  There's 0 marginal cost for an attacker to DoS a WabiSabi coinjoin round just like there's 0 marginal cost to get another plate of food at an all-you-can-eat buffet.  Since you will pay to transfer any UTXO you own at some point anyways, there's no disincentive for attacking with it before giving up ownership in the future.

In the JoinMarket framework, this 0 cost attack applies to malicious takers who propose offers to makers without ever intending to complete them.  Makers will reveal common ownership of their unspent coins to the taker, who never ends up paying the mining fees to mix that maker's coins. See https://reyify.com/blog/poodle and https://github.com/JoinMarket-Org/joinmarket/issues/156 for the defense against this attack.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
A malicious coordinator may tag users by providing them with different issuer parameters. When registering inputs a proof of ownership must be provided. If signatures are used, by covering the issuer parameters and a unique round identifier these proofs allow other participants to verify that everyone was given the same parameters.

As noted, you can register multiple inputs with WabiSabi to verify that the parameters match each other.

A malicious coordinator could also delay the processing of requests in order to learn more through timing and ordering leaks. In the worst case, the coordinator can attempt to linearize all requests by delaying individual to recover the full set of labelled edges. This is possible when k = 1 and users have minimal dependencies between their requests and tolerate arbitrary timeouts but issue requests in a timely manner.

As noted, clients would be able to detect this and defeat it by disallowing arbitrary timeouts.

Similarly the coordinator may delay information such as the set of ownership proofs or the final unsigned transaction. In the case of the latter, this can be used to learn about links between inputs. This is because a signature can only be made after the details of the transaction are known. If the unsigned was only known to one user but multiple inputs have provided signatures, it follows that those inputs are owned by the same user.

If I understand it correctly, this is handled by using a different Tor identity for listening to round updates than the Tor identities you register inputs with.  Because the coordinator does not know which Tor identity is listening for which inputs, they do not know who to target with this delay.

Since the coordinator must be trusted with regards to denial of service a more practical variant of this attack would involve more subtle delays followed by sabotaging multiple successive rounds during the signing phase in order to learn of correlations between registrations while maintaining deniability.

Clients abandon rounds after multiple successive failures as a basic way to prevent this.

That makes sense. But it heavily depends on whether client or software you use have ability to mitigate those attack. At very least, BTCPay doesn't use Tor by default and in certain cases i expect to detect whether it's deanonymization attempt or network problem.

I know you didn't mention it, but I disagree with this conclusion in section 7 of the WabiSabi paper:

Denial of service is not costless because unspent transaction outputs are a limited resource.

This is incomplete because the marginal cost of a DoS attack is zero if you are going to spend your UTXO anyways.

Is that from section 7.1.2? What exactly do you mean by marginal cost?
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
The saddest thing of all is that you don't even recognize your mistake, let alone show any remorse. It is pathetic.

But, I still wish for someone to stand by you in your time of need, someone who will love you no matter what.

What mistake did I make?  Use a direct quote and I'll update it with a correction.
hero member
Activity: 1456
Merit: 940
🇺🇦 Glory to Ukraine!
Lol, you didn't fall for that did you?  The scammers who promote custodial "Mixer Sites" formed a mob to leave false accusations against anyone who tells the truth that Bitcoin is untraceable.

The saddest thing of all is that you don't even recognize your mistake, let alone show any remorse. It is pathetic.

But, I still wish for someone to stand by you in your time of need, someone who will love you no matter what.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
This is my last post to you since you don't seem to care and I am tired of wasting my time.

I care deeply about Bitcoin privacy, that's why I spend so much time to educate people about it.

You are 100% correct ordinals has absolutely nothing to do with coinjoins.
Ordinals are filling blocks with transactions that are obviously not coinjoins. And the rest is Crateology.
https://en.wikipedia.org/wiki/Crateology

As I said take out ordinals, take out known TXs, take out what else they know from other services and you have a very small pool of txs moving at the moment.
Keeping an eye on all of them and figuring out what is going on where is a lot less difficult then if all the txs in blocks were 'real' transactions.

You don't seem to understand: Equal output coinjoins from JoinMarket, Whirlpool, and WabiSabi have a distinct on chain footprint that distinguish them from all other transactions regardless of whether those transactions are ordinals or not.

Could 1 person do it looking at a list? Probably not. Can a lot of people with a lot of computing power and resources following all transactions do it. Probably yes.

You can easily scan the blockchain yourself to identify any equal output transaction (including coinjoins) using this tool: https://supertestnet.github.io/coinjoin-explorer/

Here's what the footprints of each coinjoin protocol look like:

-JoinMarket - https://mempool.space/tx/c270b84767431eae0aabcd4f99f93f1d299518aebb7529650dbbf41815561d03
-WabiSabi - https://mempool.space/tx/d465033214fd2309dcce5a90c45fcaa788aa4394ee36debe07aad8d8a37907d2
-Whirlpool - https://mempool.space/tx/3cef999a3c006be772f7f63fc87b718cd01146ab593644e0eeb3d61e753f02b8

Merely knowing a coinjoin transaction has occurred does not actually make it any easier to determine what happened within the coinjoin transaction.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Ordinals has absolutely nothing to do with coinjoins.

This is my last post to you since you don't seem to care and I am tired of wasting my time.

You are 100% correct ordinals has absolutely nothing to do with coinjoins.
Ordinals are filling blocks with transactions that are obviously not coinjoins. And the rest is Crateology.
https://en.wikipedia.org/wiki/Crateology

As I said take out ordinals, take out known TXs, take out what else they know from other services and you have a very small pool of txs moving at the moment.
Keeping an eye on all of them and figuring out what is going on where is a lot less difficult then if all the txs in blocks were 'real' transactions.

Could 1 person do it looking at a list? Probably not. Can a lot of people with a lot of computing power and resources following all transactions do it. Probably yes.

You also seem to think that there are not a ton of tor nodes that are not run by and fully monitored by the government too.

-Dave




member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
1) Because all the other coins in the coinjoin would be that persons. That is the point.

Ah, I misunderstood: You meant this cost is to set up the attack, not to set up the coordinator itself.

2) Later people reconnect and sign is the problem. It's usually (not always) not later, it's then and there. a->b->c tend to happen in somewhat real time.

A is the input registration phase, B is the output registration phase, and C is the signing of the complete transaction.  Phase A always ends before phase B begins, which always ends before phase C begins.  Where's the problem?

So now I know what to look for. And with blocks being full with ordinals at the moment you can probably eliminate 80+% of the TX, take out what are other known addresses and transactions. And the few dozen or hundred at the most can be sorted through at the governments leisure.

-Dave

Ordinals has absolutely nothing to do with coinjoins.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
There are probably more then a few people on this board sitting with 50+BTC from the early days who could setup a coordinator

Setting up a coordinator doesn't cost any BTC, a coordinator just sends messages back and forth to coinjoin participants.

Once again, if I setup a CoinJoin Coordinator for Wasabi users with a bit of tweaking it's not impossible. Getting people to use it would be the issue. But if I am charging no fees I can see where every TX came from and where they went.

How would you be able to see where every tx came from or where they went?  Did you read gmaxwell's explanation about Chaumian blind signatures?

Quote from: gmaxwell
Don't the users learn which inputs match up to which outputs?

In the simplest possible implementation where users meet up on IRC over tor or the like, yes they do. The next simplest implementation is where the users send their input and output information to some meeting point server, and the server creates the transaction and asks people to sign it. The server learns the mapping, but no one else does, and the server still can't steal the coins.

More complicated implementations are possible where even the server doesn't learn the mapping.

E.g. Using chaum blind signatures: The users connect and provide inputs (and change addresses) and a cryptographically-blinded version of the address they want their private coins to go to; the server signs the tokens and returns them. The users anonymously reconnect, unblind their output addresses, and return them to the server. The server can see that all the outputs were signed by it and so all the outputs had to come from valid participants. Later people reconnect and sign.

1) Because all the other coins in the coinjoin would be that persons. That is the point.

2) Later people reconnect and sign is the problem. It's usually (not always) not later, it's then and there. a->b->c tend to happen in somewhat real time. So now I know what to look for. And with blocks being full with ordinals at the moment you can probably eliminate 80+% of the TX, take out what are other known addresses and transactions. And the few dozen or hundred at the most can be sorted through at the governments leisure.

-Dave
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
There are probably more then a few people on this board sitting with 50+BTC from the early days who could setup a coordinator

Setting up a coordinator doesn't cost any BTC, a coordinator just sends messages back and forth to coinjoin participants.

Once again, if I setup a CoinJoin Coordinator for Wasabi users with a bit of tweaking it's not impossible. Getting people to use it would be the issue. But if I am charging no fees I can see where every TX came from and where they went.

How would you be able to see where every tx came from or where they went?  Did you read gmaxwell's explanation about Chaumian blind signatures?

Quote from: gmaxwell
Don't the users learn which inputs match up to which outputs?

In the simplest possible implementation where users meet up on IRC over tor or the like, yes they do. The next simplest implementation is where the users send their input and output information to some meeting point server, and the server creates the transaction and asks people to sign it. The server learns the mapping, but no one else does, and the server still can't steal the coins.

More complicated implementations are possible where even the server doesn't learn the mapping.

E.g. Using chaum blind signatures: The users connect and provide inputs (and change addresses) and a cryptographically-blinded version of the address they want their private coins to go to; the server signs the tokens and returns them. The users anonymously reconnect, unblind their output addresses, and return them to the server. The server can see that all the outputs were signed by it and so all the outputs had to come from valid participants. Later people reconnect and sign.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
If a Fed was running a Whirlpool coordinator, they could perform a targeted attack where they only choose you to mix in rounds with 4 decoys so you gain a false sense of privacy.  Or, they could just rug pull you by not mixing your funds after you pay the coordinator fee.

Should read:

ANYONE can run a Whirlpool coordinator, and they CAN perform a targeted attack where they only choose you to mix in rounds with 4 (or more) decoys so you gain a false sense of privacy.  Or, they could just rug pull you by not mixing your funds after you pay the coordinator fee.

There are probably more then a few people on this board sitting with 50+BTC from the early days who could setup a coordinator



- Can WabiSabi be traced?

Not unless you are the biggest whale in a coinjoin round with insufficient liquidity. Even outputs that do not have matching amounts cannot be traced to an owner on the input side - it’s even possible that the output changed hands as a payment to someone who did not own any funds on the input side at all:


Once again, if I setup a CoinJoin Coordinator for Wasabi users with a bit of tweaking it's not impossible. Getting people to use it would be the issue. But if I am charging no fees I can see where every TX came from and where they went.



The right tool for the right job. Hammering together something to make your BTC private will always have flaws / vulnerabilities.
It was not made to be private. Same way a VW Bug was not made to haul lumber. You can do it but why. Rent a pickup truck or a van.
Same here, want more private BTC there are enough BTC -> XRM or other privacy coins -> BTC and done.



Not kicking any of the people working hard to do this, but it really seems to be more effort then it's worth.

-Dave


member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Jambler is not a mixer. It buys coins from exchanges, miners etc. and sells them to real mixers.

No one sells coins to "mixers": A "mixer" is someone who gets others to deposit coins into their wallet by telling them they will keep their data secret.  Eventually, the "mixer" takes all the coins from the depositers and turns their data over to the government.  We've seen this happen many times before on Bitcointalk:

Destroying the session deletes chip private key.

Even my chips which I had in chipmixer service for which they claimed to "delete private" keys after 7 days or whatever, were seized/transfered. and these transactions took place good 3 months ago.
It seems that you are right, whoever had vouchers or chips was left without them. I checked some old wallets older than 1 year that only contained chips from CM, and they were all emptied. Yes, it's a bit stupid that I didn't spend them, but honestly I forgot about a few $ in those old wallets. It's really strange that it wasn't all deleted, but now we at least know where even 7GB of data came from.
Can confirm, they stole a chip of mine a friend of mine that he hadn't yet spent. :/ Really fucking bad practice of ChipMixer to keep private keys, not gonna lie.
It was still there today morning and even when the news broke here; I he had not considered that private keys may have been backed up on CM servers to be honest.

I really can't believe this is an exit scam. The service seemed legitimate.

I'm really pissed off, and not because I lost money; fortunately, I had grasped that "don't leave coins to third parties" cliché. I'm so pissed off because I've been advertising and recommending this shit for months, in such a way that I'm practically part of this scam. And it's just feels awful.

It makes you question the integrity of the service you're currently carrying in your signature.

To all criminal users of former mixer Sinbad.io,
This is a collective warning issued by the Dutch Investigation Service for Financial and Tax Crime (FIOD) and the Dutch Public Prosecution Office.
Our investigation has uncovered illicit activities on this mixer platform and the logs obtained have compromised the anonymity of numerous users.
We urge all criminal users and admins of mixers to cease all unlawful actions immediately. Persistent engagement will lead to severe legal consequences. We are resolute in pursuing and prosecuting all involved in criminal activities.
Your anonymity is no longer assured. Law enforcement actions are imminent.
With Vigilance,
Dutch Investigation Service for Financial and Tax Crime (FIOD) and the Dutch Public Prosecution Office

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
There are no more mixer services here, stop trying to die on that hill. Or maybe you forgot to teleport your account to Altcoinstalks? Roll Eyes

I clicked on the link in your signature, it says "Jambler.io mixing platform".  Did you know this is custodial?

Jambler is not a mixer. It buys coins from exchanges, miners etc. and sells them to real mixers.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
I somewhat agree. People will just assume you shill Wasabi.

Nope, these descriptions are agnostic of the wallet implementation.  There's multiple wallets that use each of the coinjoin methods I listed above, I'm not getting specific.

Look. I agree you believe you educate people about Bitcoin privacy, but we have repeated this conversation around solutions for privacy quite a lot of times. The fact that you still quote these whirlpool messages, as if they even mean something substantial, shows with what tenacity you're trying to sabotage Samourai.

What do you mean "as if they even mean something substantial"?  These Whirlpool addresses are linked to each other.

There are no more mixer services here, stop trying to die on that hill. Or maybe you forgot to teleport your account to Altcoinstalks? Roll Eyes

I clicked on the link in your signature, it says "Jambler.io mixing platform".  Did you know this is custodial?

If there is a service coordinating payjoins between different wallets, which is ultimately what all of these methods boil down to, whose going to be interested in collecting the UTXO history of all the people who participate?

I believe the functionality you're describing is "GroupHug" - https://peachbitcoin.com/blog/group-hug/index.html

However, as the article mentions, this does not provide privacy like WabiSabi and Whirlpool do.  gmaxwell explains the difference here:

Same with CoinJoins and coordinators. Let's say the Fed was running a coordinator, and recorded every UTXO going inside it. Where's the privacy now?

Takers in JoinMarket are the coordinator of their own coinjoin, so their threat is reversed (e.g. Feds running multiple maker identities to spy).

Privacy with WabiSabi is guaranteed by your client, it doesn't matter if the coordinator you connect to is a Fed or not because you do not reveal UTXO links to the coordinator or trust them with any data.  

If a Fed was running a Whirlpool coordinator, they could perform a targeted attack where they only choose you to mix in rounds with 4 decoys so you gain a false sense of privacy.  Or, they could just rug pull you by not mixing your funds after you pay the coordinator fee.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Don't you have enough with 15 neutral color tags but basically saying you're a piece of shit?

Lol, you didn't fall for that did you?  The scammers who promote custodial "Mixer Sites" formed a mob to leave false accusations against anyone who tells the truth that Bitcoin is untraceable.

There are no more mixer services here, stop trying to die on that hill. Or maybe you forgot to teleport your account to Altcoinstalks? Roll Eyes

More on topic:

Quote
- Can payjoins be traced?

Not from the outside. However, the disadvantage of payjoins compared to other coinjoins is that the sender and receiver are completely aware of the coins owned by the other participant, which introduces a trusted single point of failure. In theory, a payjoin could be composed with inputs from more than two parties, however, this introduces a time element since some parties must pause their transaction and wait for others to join instead of paying instantaneously.

If there is a service coordinating payjoins between different wallets, which is ultimately what all of these methods boil down to, whose going to be interested in collecting the UTXO history of all the people who participate? Same with CoinJoins and coordinators. Let's say the Fed was running a coordinator, and recorded every UTXO going inside it. Where's the privacy now?
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
I'm educating people about Bitcoin privacy, just like I always have.
Look. I agree you believe you educate people about Bitcoin privacy, but we have repeated this conversation around solutions for privacy quite a lot of times. The fact that you still quote these whirlpool messages, as if they even mean something substantial, shows with what tenacity you're trying to sabotage Samourai. I agree with Poker Player that the more you talk, the more you ruin Wasabi's reputation.

Anonymous money is quite literally the most important thing in the entire world, don't you agree?
Quite literally not. There are far more important things in this world.

Lol, you didn't fall for that did you?  The scammers who promote custodial "Mixer Sites" formed a mob to leave false accusations against anyone who tells the truth that Bitcoin is untraceable.
Except that in your last 13 feedback of your Trust summary, people have accused you of being a horrible human being, regardless. People with no relations with mixers wrote these. Even Poker Player, who carries a Wasabi signature, and could have been considered in disadvantageous position. You cannot keep wandering around with that soundbite. Nobody buys it.

Everyone is going to die, why do you think that fact means we shouldn't have rationale debates?
Acknowledging that everyone is going to die versus wishing and praising for someone's death are two separate things. I'm quite struggling to think what else there is to say.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Look man, I don't know what you're trying to do here. Don't you have enough with 15 neutral color tags but basically saying you're a piece of shit? Now you want to open a rational debate by quoting someone who is going to die? If it's because Wasabi pays you to represent them on the forum, the best thing you can do is stop doing it. Otherwise you're just going to inspire more hate.

I somewhat agree. People will just assume you shill Wasabi.



- Can WabiSabi be traced?

Not unless you are the biggest whale in a coinjoin round with insufficient liquidity. Even outputs that do not have matching amounts cannot be traced to an owner on the input side - it’s even possible that the output changed hands as a payment to someone who did not own any funds on the input side at all:

--snip--

Have you checked WabiSabi paper from https://github.com/zkSNACKs/WabiSabi/releases/latest/download/WabiSabi.pdf and read section 7?

A malicious coordinator may tag users by providing them with different issuer parameters. When registering inputs a proof of ownership must be provided. If signatures are used, by covering the issuer parameters and a unique round identifier these proofs allow other participants to verify that everyone was given the same parameters.

A malicious coordinator could also delay the processing of requests in order to learn more through timing and ordering leaks. In the worst case, the coordinator can attempt to linearize all requests by delaying individual to recover the full set of labelled edges. This is possible when k = 1 and users have minimal dependencies between their requests and tolerate arbitrary timeouts but issue requests in a timely manner.

Similarly the coordinator may delay information such as the set of ownership proofs or the final unsigned transaction. In the case of the latter, this can be used to learn about links between inputs. This is because a signature can only be made after the details of the transaction are known. If the unsigned was only known to one user but multiple inputs have provided signatures, it follows that those inputs are owned by the same user.

Since the coordinator must be trusted with regards to denial of service a more practical variant of this attack would involve more subtle delays followed by sabotaging multiple successive rounds during the signing phase in order to learn of correlations between registrations while maintaining deniability.

To be specific, what do you think about sentences i quoted above?
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
Look man, I don't know what you're trying to do here.

I'm educating people about Bitcoin privacy, just like I always have.  Anonymous money is quite literally the most important thing in the entire world, don't you agree?

Don't you have enough with 15 neutral color tags but basically saying you're a piece of shit?

Lol, you didn't fall for that did you?  The scammers who promote custodial "Mixer Sites" formed a mob to leave false accusations against anyone who tells the truth that Bitcoin is untraceable.

Now you want to open a rational debate by quoting someone who is going to die?

Everyone is going to die, why do you think that fact means we shouldn't have rationale debates?

If it's because Wasabi pays you to represent them on the forum, the best thing you can do is stop doing it. Otherwise you're just going to inspire more hate.

The truth about Bitcoin privacy has always inspired hate because the promoters of "Mixing Site" scams don't want their source of income cut off.
legendary
Activity: 1372
Merit: 2017
Look man, I don't know what you're trying to do here. Don't you have enough with 15 neutral color tags but basically saying you're a piece of shit? Now you want to open a rational debate by quoting someone who is going to die? If it's because Wasabi pays you to represent them on the forum, the best thing you can do is stop doing it. Otherwise you're just going to inspire more hate.
member
Activity: 378
Merit: 93
Enable v2transport=1 and mempoolfullrbf=1
- Public payments made private?
See https://bitcoin.org/en/bitcoin-paper

Transactions on the Bitcoin blockchain have infamously bad privacy. Every historical transfer of coins is recorded publicly and permanently, providing a link between the public keys used as inputs and outputs. Satoshi noted this in section 10 of the whitepaper titled “Privacy”:

you don't need to be a "whale" at all in order to receive absolutely zero privacy from a Wasabi coinjoin.

Okay then, I'll call your bluff again- Here's 20 non whale non matching outputs from WabiSabi coinjoins, try to identify the inputs owned by even a single one of the 20 outputs (which would be 5%):

01 bc1q032caguldmlrrztmrwhv5wqveyywdu2rtmd740
02 bc1q6vgwhsfkg343mmh27vc6prg3clsd4xu3p68vyd
03 bc1qre8jjpu8p9taw8j44r39z56vfr4sw64d4wyaj4
04 bc1qarharg76gfcrvskfw46f67vtqzd6hxa9pnspp5
05 bc1q4sexgt2p96x3ytnjjttp59w6mkj00kedal3xze
06 bc1qwrf50wpjws5mhdg2rhdu5hy7nqdtl8z94lp75n
07 bc1qz0tal2udfpr20x793fdw6v8lzp2qze7z5zje64
08 bc1qqw2h7fa3n8vyxgqru664fmft2trl9sqh9kz3fp
09 bc1qsud748whmum4gpt2qu52z8gqlgzcjyvhd5w2a5
10 bc1qctvxddyvxupjj8w82m8w5grzn59arstlrnaauw
11 bc1qq2fl05cmmhkr3pzg8elyr859v2fpcltynrk2j5
12 bc1qvwkrd3aecrvql5j8mqkmketvw6g6qwzt4juprq
13 bc1qhc2565fac4lrgyfq6n0mzc0l86jeptfnv2um9x
14 bc1qat6445gutyl3qdz3zhmdng9cdt92mevjlvaljs
15 bc1qk5f3mz0fetccey4nyyjedlrmqstkz2hmun96ha
16 bc1q4tpvm378a9d4n0xcnjtwfwujtr8eatjzvru8dx
17 bc1qd5epyjpj6vuejdppj24wew5n4n5rzepjx2xnay
18 bc1qgafud63me5mffn00g90ch08jjn5h20umzwxd62
19 bc1q5u3f2ldrtqa7ea79a8hcd8kssgw2gmalk4uej9
20 bc1qa6n7g7r4j3nv78gzgzmuvg56em4guppckqpz7r

- Whirlpool Coinjoins
See https://bitcoinmagazine.com/technical/how-bitcoin-anonymity-sets-work

Whirlpool is a centrally coordinated coinjoin that implements the ZeroLink coinjoin protocol with a privacy restriction that limits the anonymity you can gain. This restriction is called “tx0”, it is a self spend transaction prior to the coinjoin that allows the trusted coordinator to custody the fee they charge in order to prevent DoS attacks from being costless. Once the coordinator’s fee is confirmed, they allow the outputs created from the premix tx0 to be added to their liquidity pools. There are 4 different liquidity pools with fixed output values:

0.5 BTC
0.05 BTC
0.01 BTC
0.001 BTC

The coordinator then chooses between 5 and 8 participants for a coinjoin round who use blind signatures to create an equal sized output whose origin input is anonymous to all parties. In order to incentivize liquidity, these participants are composed of new entrants (takers of liquidity) and remixers (makers of liquidity). The mining fee for the block space used by remixers is paid for by the new entrants, so the value a user receives from their first round does not change after they are selected to remix in future rounds.

- Can Whirlpool be traced?

Yes, the common input ownership heuristic and change output heuristics are revealed by the premix tx0, creating a 100% link between a Whirlpool user’s addresses. Any UTXO that does not precisely add up to a multiple of 0.5, 0.05, 0.01, or 0.001 (+fees) cannot gain complete privacy. There are no advanced calculations required to determine these links between addresses, they are visible to the naked eye:

Post the tx ID of any Whirlpool transaction and I will show you the tx0 transaction that was created by each of the new entrants.
Ok, here's one: https://mempool.space/tx/ed3131b544fbf00a71709942e483b55e629312ecb181e6e819409f419ee0d226

Where exactly is the privacy loss for new entrants, splitting a single UTXO in to multiple UTXOs to join the pool?

Okay, here's all the payments that can be tracked from the two new participants of the Whirlpool coinjoin transaction:

Entrant 1: bc1q03c0443ausjjdxl2h6ud5m8c0dux0zyg3dqdj7 created 0.00170417 BTC in unmixed change sent to bc1q3fduld0l3r8nclyt5p3r7ak675tekurstn55tl.  Since this UTXO is not private, the sats were marked as unspendable and have not been recovered by the wallet owner  Cry Cry Cry

Entrant 2: bc1qzc8zku26ej337huw5dlt390cy2r9kgnq7dhtys created 0.00191247 BTC in unmixed change sent to bc1qjlltxr443uy236wl4xhpxlr6dgsu0zltlv3m44. This UTXO was used in a second tx0 transaction, creating a huge trail of transactions that could be traced to each other  Shocked Shocked Shocked

The 2nd tx0 transaction created 0.00076348 BTC unmixed change which was sent to bc1qehd7gy8rza9mnzm9wnfjhgw82rp47wmqt7vpgy

Since this unmixed change is below the .001 pool minimum, it was consolidated in a 3rd tx0 with 3 other addresses owned by the same wallet:
31x8GPqrhzdaxiBJa9N5UisuoxbX1rAnHa
16Gw5WKjbxZmg1zhZQs19Sf61fbV2xGujx
3LZtsJfUjiV5EZkkG1fwGEpTe2QEa7CNeY

The 3rd tx0 transaction created .00200317 in unmixed change which was sent to bc1q2p7gdtyahct8rdjs2khwf0sffl64qe896ya2y5
This was spent in a 0.00190000 payment to 3B8cRYc3W5jHeS3pkepwDePUmePBoEwyp1 (a reused address)

That payment left .00008553 in change that was tracked to 3Dh7R7xoKMVfLCcAtVDyhJ66se82twyZSn and consolidated with two other inputs in a 4th tx0 transaction:
bc1qeuh6sds8exm54yscrupdk03jxphw8qwzdtxgde
3ByChGBFshzGUE5oip8YYVEZDaCP2bcBmZ

This 4th tx0 created .00533406 in unmixed change which was sent to bc1qzh699s75smwukg9jcanwnlkmkn38r79ataagd9 which was consolidated with 3 more addresses into a 5th tx0:
3F2qiWQJKQjF7XFjEo8FUYP3AU5AC6RqX8
3HAYYVKUpYbr2ARMdZJr9yVu8xi8UcxtPz
3GQtwwRK31wwCc22q6WS5sCgixUHsG5KaT

The 5th tx0 created 0.00058494 BTC in unmixed change that was sent to bc1qvh2zjcwwkj9y70xulla2semvlav3lty0p3l3w3
This was spent in a .00047290 payment to bc1qvzg8jq6wqtr5navn4e3ps4qrkk9r6n4h98gjck

That payment left .00008411 in change that was tracked to bc1qg6j0f0wfhpktt2l8uzdn48ct3um2xyur40eyzd and consolidated with another input into a 6th tx0 transaction:
31iZLXWfoywhuMZTPGxTkpzphzh2NXshpP

The 6th tx0 created .00753775 in unmixed change that was tracked to bc1qgfll2apc27yct6h2c8r8wq4kqhxjsfrudhhn5q
This was spent in a .00737000 payment to bc1q5emzer2t0sq5dez0zsrqgh6scvwn0n24xsladp (a reused address)

This payment left 0.00010896 BTC in change which has not been spent yet, but the payment only took place 11 days ago, so I assume it will eventually be spent, allowing the Whirlpool user to be tracked even further.

Postmix transactions can be traced to premix funds when outputs from child rounds of the same premix transaction are consolidated. Consolidation of mixed outputs from the initial round may be unavoidable since users do not have control over whether or not they remix:

The first is the fee to Whirlpool itself, which is a flat fee depending on the pool you are joining.

The flat pool entry fee structure is designed to incentivize worst privacy practices.  Since fees are not collected directly based on volume, it is cheaper to participate in a smaller pool and create more outputs than participate in a larger pool and create less outputs. Additionally, it incentivizes revealing common inputs ownership of premix UTXOs since it is cheaper to consolidate them to enter the pool once than to enter the pool with each UTXO individually.  Samourai has never explained why they purposely chose a fee structure that heavily penalizes the most private usage of their protocol.

Because of this backwards design, you can easily link premix inputs to postmix outputs in many cases.  Notice how this Whirlpool tx0 premix creates 70 outputs for 0.05 BTC - https://mempool.space/tx/63679c9ec82f246811acbab0c04cc0fc77ba050e1b6c23661d78afcfc13cf8aa

Notice how every single input of this Whirlpool exit transaction is a direct descendant of rounds created by the aforementioned premix transaction: https://mempool.space/tx/ce2f84f7c5ff74fb1da103acb7b279bd34f02f5e9e3a2e1b6417ce8b9b7392db

When many inputs used in the postmix exit transaction are created directly from a round that the premix transaction entered, it makes it trivial to trace the user through Whirlpool.  Fortunately, the user abandoned Whirlpool and upgraded to using the WabiSabi coinjoin protocol instead, which made him completely untraceable: https://mempool.space/address/bc1qjjw5gaglkycu2lm5fskl7qhktk0hec4a5me3da
Jump to: