How Does This Bitcoin Privacy Improvement Compare with CoinJoin and CoinShuffle?

By Ray Crawford
TumbleBit recently emerged as a Bitcoin privacy tool that works on the current protocol without requiring modifications. Like CoinJoin and CoinShuffle, it doesn't force users onto alternative blockchains or sidechains. A functioning version already exists for testing.

Andrew Poelstra, a mathematician at Blockstream, offered perspective on how it compares to existing approaches. "I think a . . . sensible comparison would be to something like CoinJoin, which is also something that works on top of bitcoin and involves participants communicating off-chain according to a separate protocol (but then going back to the blockchain in the end)," he told MiningPool.

CoinJoin originated with Greg Maxwell, Bitcoin Core contributor and Blockstream CTO. The method pools multiple bitcoin transfers into a single transaction, obscuring the trail of ownership. Instead of the blockchain displaying Bob's address sending to Alice's, it shows a mixed collection with various inputs and outputs. Outside observers cannot trace which address sent to which (when best practices apply).

The problem: someone typically holds the knowledge of which inputs match which outputs. JoinMarket's operator, for example, maintains that information. Participants pay for this privilege.

CoinShuffle solves this by hiding the mapping from all involved parties.

Poelstra described the benefit: "It's directly comparable to a scheme where people send their coins to some central party, then withdraw them from that party (and the central party doesn't link what comes in or what goes out). The user experience here is pretty much the same but there's huge privacy and trust benefits to this scheme. The tumbler can't steal, and the tumbler doesn't even know the mapping between what goes in and what goes out."

TumbleBit isolates each transaction. As Poelstra explained: "each interaction with the tumbler is isolated." "If the recipient screws around, his own receipt gets delayed or doesn't happen," he said. "If the sender screws around, her own send gets delayed or doesn't happen. They can't stall an entire round or affect other users."

CoinJoin transactions demand coordination among all mixing participants. "A bad apple can screw up a round for everybody," Poelstra said. "Then they get banned and the round gets restarted — not the end of the world, but it's annoying. I think probably you could implement CoinJoin in a way that this wouldn't happen, but it gets complicated."

One tradeoff: the TumbleBit operator must front funds for mixing transactions, though in a structure that shields the operator's money.

CoinShuffle, another CoinJoin variant, hides destination addresses even from senders. Ethan Heilman co-authored TumbleBit. He told MiningPool: "The best CoinJoin-based privacy tool which has been proposed is CoinShuffle. Since CoinShuffle is a Bitcoin tumbler we can compare it directly to TumbleBit's classic tumbler mode."

Both offer theft protection and k-anonymity without third-party dependence. They involve different trade-offs. Heilman laid out the distinction: "CoinShuffle and TumbleBit in classic tumbler mode represent different trade-offs between speed and anonymity. CoinShuffle can perform a tumble in only one block but the anonymity set provided is limited by quadratically increasing communication costs (CoinShuffle tested a tumble of 50 users). Using TumbleBit as a classic tumbler takes at minimum two blocks but it does not face any limitations on its anonymity size (we tested a tumble of 800 users on Bitcoin's Blockchain)."

Daniel Krawisz built Shufflepuff, implementing CoinShuffle differently. "In general, I would say that anonymity in Bitcoin is a hard problem and no single protocol or service is sufficient to provide it," he told MiningPool. "Instead, people will need to use every trick in the book. I would like to see people treating all these anonymity ideas as primitives that can be combined and built upon rather than as ultimate solutions."

All three systems share a weakness: the amounts in mixing transactions can expose identities. If Bob sends five bitcoins and Carol sends ten, blockchain observers will match Bob's five-bitcoin input with Alice's five-bitcoin receipt, and Carol's ten with Steve's ten.

Poelstra acknowledged this applies to TumbleBit. "It's a bit better than with CoinJoin in that the tumbler has to agree to all the amounts, so it can just say, 'I'll only deal with 1 BTC [transactions],' which reduces some room for user error or people deliberately trying to do bad mixes."
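The amount leak and the fixed-denomination mitigation described above can be measured directly. The following is an added example, not code from TumbleBit, CoinJoin or CoinShuffle: it applies a simple amount-matching heuristic to one mixing round and reports each recipient's candidate-sender set. The names Dave, Erin, Trent and Uma, all amounts, and the `fee_tolerance` parameter are constructed for illustration; the heuristic ignores subset-sum combinations and timing.

```python
# Added example: amount-matching heuristic over one mixing round.
# All names and amounts are constructed sample data, not real transactions.
SATS = 100_000_000  # satoshis per bitcoin


def candidate_senders(inputs, outputs, fee_tolerance=0):
    """Map each recipient to the senders whose input amount could have
    funded that output: input >= output, differing by at most fee_tolerance."""
    return {
        recipient: sorted(
            sender for sender, in_amt in inputs.items()
            if 0 <= in_amt - out_amt <= fee_tolerance
        )
        for recipient, out_amt in outputs.items()
    }


def uniquely_linked(inputs, outputs, fee_tolerance=0):
    """Recipients whose anonymity set has collapsed to a single sender."""
    cands = candidate_senders(inputs, outputs, fee_tolerance)
    return {r: s[0] for r, s in cands.items() if len(s) == 1}


def min_anonymity_set(inputs, outputs, fee_tolerance=0):
    """Smallest candidate-sender set in the round (the weakest user's k)."""
    cands = candidate_senders(inputs, outputs, fee_tolerance)
    return min(len(s) for s in cands.values())


# Mixed-amount round from the article: 5 BTC and 10 BTC.
MIXED_IN = {"Bob": 5 * SATS, "Carol": 10 * SATS}
MIXED_OUT = {"Alice": 5 * SATS, "Steve": 10 * SATS}

# Fixed-denomination round: every payment is exactly 1 BTC (constructed).
FIXED_IN = {n: 1 * SATS for n in ("Bob", "Carol", "Dave", "Erin")}
FIXED_OUT = {n: 1 * SATS for n in ("Alice", "Steve", "Trent", "Uma")}

if __name__ == "__main__":
    print("mixed amounts:", uniquely_linked(MIXED_IN, MIXED_OUT))
    print("fixed 1 BTC:  ", uniquely_linked(FIXED_IN, FIXED_OUT))
    print("k (mixed) =", min_anonymity_set(MIXED_IN, MIXED_OUT))
    print("k (fixed) =", min_anonymity_set(FIXED_IN, FIXED_OUT))
```

In the mixed-amount round every recipient resolves to exactly one sender, while the 1 BTC round leaves each recipient with four equally plausible senders.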

Confidential Transactions could encrypt bitcoin amounts, but altering the Bitcoin protocol would be necessary. Poelstra stated: "It's not obvious to me that you can just add Confidential Transactions [to TumbleBit] without more [crypto] magic."

Byzantine Cycle Mode presents another route forward. Poelstra explained: "It's a bit technical, but basically what it does is lets people restructure a series of payments with different amounts into a bunch of small sets of payments, with each set having equal-amount outputs."

TumbleBit also functions as a payment channel hub. "TumbleBit, when used as a payment hub, can make payments in seconds but requires first setting up a payment channel with the payment hub," Heilman said. Those who know the Lightning Network will recognize this model. The Lightning Network delivers near-instant transactions at near-zero cost, a capacity many see as vital to Bitcoin's long-term scaling prospects.

Adam Gibson, a JoinMarket developer, assisted with this article. Part three will examine TumbleBit and the Lightning Network in combination.

Correction: The original claimed that CoinJoin requires a central server with access to input-output mappings. This is false. Chris Belcher, a JoinMarket developer, identified the error on Reddit. Although Gibson provided assistance, he did not review the piece before publication; therefore, responsibility for the errors rests with the author alone. The article has been updated.
