Coinjoin

Introduction

A coinjoin is a special Bitcoin transaction where several peers get together to literally join their coins in a single transaction. They collaboratively build a transaction where each of them provides some coins as inputs, and fresh addresses as outputs. The concept has been around since the early days of Bitcoin, and it was formalized by the great Greg Maxwell in this awesome introductory thread.

The goal is to gain privacy by breaking the link of which input "pays" which output so that none of the outputs can be attributed to the owner of the input. WabiSabi enables centrally coordinated coinjoins with variable amounts in a trustless (meaning nobody can steal) and private (meaning even the coordinator cannot spy) manner, as described in the WabiSabi paper.

WabiSabi Coinjoin Explained in 3 Minutes

Coinjoin step-by-step

  1. Launch Wasabi and open your wallet.
  2. Wait. Wasabi coinjoins automatically in the background.
  3. You're done! You can make private payments now.

A coordinator must be configured before using coinjoin for the first time.

Music box

After opening a hot wallet, it will automatically start a countdown to start coinjoining (±10 minutes). This and other coinjoin-related information is shown in the music box.

Music Box Countdown

After the Waiting to auto-start coinjoin countdown is finished, the wallet should start participating in the coinjoin process.

A blue aura will show up at the bottom of the wallet, which indicates that the wallet is coinjoining, and the music box message will change.

Music Box Awaiting Other Participants

After some time the blue aura will change to an orange one. This indicates that the coinjoin process is now in a critical phase. Wasabi will prevent you from shutting down the app during the orange aura, so that the coinjoin round is not disrupted.

Music Box Coinjoin In Progress

If this is successful, the coinjoin is completed and will show up in the history list.

Music Box Success

Notice that the wallet might have to repeat the coinjoin steps multiple times before a successful coinjoin is created. So it is possible that the aura colors will change without a successful coinjoin. Please leave Wasabi Wallet running, and eventually there will be a successful coinjoin.

More Details

By default, Wasabi starts automatically coinjoining your funds when the total value of the non-private coins is equal to or above the Auto-start coinjoin threshold (0.01 BTC by default). Automatically start coinjoin can be disabled from the coinjoin settings. In case you want to start the process manually, then click the play button; if you want to stop coinjoin, then click the pause button.

Once a coin achieves enough privacy (reaches the Anonymity score target), then the corresponding amount will show up in the wallet's main view as "PRIVATE".

Notice that it is not yet possible to coinjoin from a hardware wallet; the keys must be "hot" on your computer.

Fees

As of Wasabi version 2.2.0.0, the Wasabi client will only participate in coinjoin rounds where it only pays for the mining fees for the blockspace it uses, like any other bitcoin transaction.

In rare cases the output decomposition contains change (maximum of 10 000 sats per coinjoin). This leftover goes to the coordinator, because creating such small amounts would harm privacy and would end up being more expensive than just forfeiting it.

The coordinator sets the mining fee rate for the coinjoin transaction.

Users can set the maximum coinjoin mining fee rate they are willing to pay, as well as the minimum number of inputs the coinjoin transaction should have to participate.

The default is a maximum mining fee rate of 150 sat/vByte and a minimum input count of 21.

Coinjoin Configurations

The Wasabi client will not participate in rounds where the coordinator charges a coordination fee.

Previous versions also included the coordination fee concept, where the coordinator could charge a fee for providing the service. This has now been removed, as it could be abused by malicious coordinators and/or would require some trust in the coordinator (like free remixes, as they are not enforced in the protocol).

WabiSabi protocol step-by-step

The WabiSabi protocol requires 5 steps to successfully create and broadcast a coinjoin transaction to the bitcoin network.

The round starts either as soon as the number of registered inputs reaches the maximum, or after the input registration time is reached and as long as the minimum number of inputs is satisfied.

Input registration

During the input registration, the client selects how many and which coins will be registered for coinjoin. These coins need to be confirmed on the Bitcoin blockchain. In the background Wasabi generates input proofs, which are signatures over challenge messages, made with the private keys that lock up the coins. With this, the coordinator can verify that you actually own these coins.

Wasabi Wallet generates a new Tor identity called Alice for each input. She is a separate entity, and for every round you use a new Alice who is not linked to any other input or previous connection. With Alice, you send the input ownership proof to the coordinator.

The Wasabi coordinator now verifies that:

  • There is still room for more inputs on this coinjoin.
  • The input has not already been registered, is not banned, is unspent, and that the input proof is valid.
  • The input has at least the required minimum BTC amount.

Only when all these checks pass does the coordinator allow this input to be registered. The coordinator creates and sends a credential back to Alice, which has the same amount as the input minus fees.

The input registration phase ends when either the number of registered inputs reaches the maximum, or the time has elapsed and the minimum number of inputs is satisfied.

Connection confirmation

Many users register their inputs (with a different Alice for each input) in the first phase, and this takes a while. The connection confirmation phase makes sure that all of them are still online and ready to continue. The coordinator verifies the unique ID from each Alice and checks that everyone is still communicating. The coordinator sends a zero-value credential to each Alice for each successful connection confirmation.

The round is abandoned and re-started if too many Alices have dropped, for example when their Wasabi is shut down, or when their Tor connection is temporarily broken. The connection confirmation phase ends when all Alices have provided their unique IDs, or after a timeout and the number of online Alices is still larger than the minimum number of inputs.

Output registration

Now that all peers are online, we are ready to proceed with the output registration phase of the round.

First, every client needs to change the value of their credentials to the desired output values. For this, the client presents to the coordinator two old credentials and two newly created ones. The coordinator does not know the amount value of any of those credentials, but it can verify that the two pairs sum up to exactly the same value. For example, a user can present one 5 BTC and one 0 BTC credential, and redeem one 2 BTC and one 3 BTC credential. Or a user can present one 4 BTC and one 1 BTC credential, and redeem one 5 BTC and one 0 BTC credential. After potentially many rounds of reissuance, each client has exactly the amount credentials it desires. Each of these reissuances is perfectly private, so the coordinator cannot link any of them to the same user.
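The sum check described above, as an added sketch that is not Wasabi's code: it assumes amounts are hidden in Pedersen commitments over a toy group (`P`, `Q`, `G`, `H` and all function names are illustrative), and the client reveals a blinding-factor difference where the real protocol uses zero-knowledge proofs. It shows only how a coordinator can confirm that two pairs balance without seeing any amount, not the unlinkability of reissuances.

```python
import secrets

# Toy group (assumption, far too small for real use): P = 2Q + 1, both prime.
P, Q = 2039, 1019
G, H = 4, 9   # two squares mod P, so both generate the order-Q subgroup

def commit(amount, blind):
    """Pedersen commitment: hides `amount` behind the random `blind`."""
    return pow(G, amount, P) * pow(H, blind, P) % P

def new_credential(amount):
    """Client side: returns (commitment sent to coordinator, secret opening)."""
    blind = secrets.randbelow(Q)
    return commit(amount, blind), (amount, blind)

def product(commitments):
    out = 1
    for c in commitments:
        out = out * c % P
    return out

def balance_hint(old_openings, new_openings):
    """Client side: difference of blinding factors; contains no amount."""
    return (sum(b for _, b in old_openings) - sum(b for _, b in new_openings)) % Q

def coordinator_accepts(old_commits, new_commits, hint):
    """Coordinator side: sees only commitments and the hint, never amounts.
    If the amounts balance, old/new cancels every G term and leaves H**hint."""
    ratio = product(old_commits) * pow(product(new_commits), -1, P) % P
    return ratio == pow(H, hint, P)

def reissue(old_amounts, new_amounts):
    """Run one reissuance with constructed amounts; returns the coordinator's verdict."""
    old = [new_credential(a) for a in old_amounts]
    new = [new_credential(a) for a in new_amounts]
    hint = balance_hint([o for _, o in old], [o for _, o in new])
    return coordinator_accepts([c for c, _ in old], [c for c, _ in new], hint)

if __name__ == "__main__":
    print(reissue([5, 0], [2, 3]))   # first example from the text: balanced
    print(reissue([4, 1], [5, 0]))   # second example from the text: balanced
    print(reissue([5, 0], [3, 3]))   # asks for 6 while presenting 5
```

Because exponents wrap modulo `Q`, `reissue([5, 0], [6, Q - 1])` also passes in this sketch; ruling out such wraparound amounts takes range proofs, which are omitted here.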

Next, your Wasabi client generates multiple new Tor identities called Bob, which are in no way tied to any Alice. Bob sends to the Wasabi coordinator:

  • An unblinded credential signed by the coordinator
  • A new (unused) bitcoin address

Because the coordinator can verify its own credential, it knows that this credential came into existence after an input of at least this much value was registered. However, it cannot know which input exactly.

It is very important that the coordinator cannot link Alice to Bob, because Alice has sent the cleartext input and Bob sends the cleartext output. If the two were linked, the coordinator could specifically link the input to the output, meaning that the anonymity set is 1. Because Alice received a credential from the coordinator, and because Bob is a new Tor identity not linked to Alice, the coordinator can verify that nobody is cheating, but it cannot deanonymize the peers.

The output registration phase ends when the value of cleartext outputs is equal to the value of inputs, meaning that all Bobs have registered. If after a timeout not all outputs are registered, then this round is abandoned, the missing inputs are temporarily banned, and a new round is started.

Possibility of Taproot outputs from coinjoin

Since Wasabi version 2.0.3, coinjoin outputs can be SegWit v0 and SegWit v1 (Taproot). If running this version or higher, the client registers the output type in a semi-random way (~50% chance of receiving Taproot output).

Signing

Now that all inputs and outputs are registered, the coordinator can start the signing phase, by building the coinjoin transaction with all the registered inputs and outputs. It sends this transaction to all the Alices of the round.

Each Alice does the following:

  • Verifies that her input and output are included.
  • Signs the transaction with the private key of her input.
  • Sends the signature to the coordinator, who verifies this information.

The signing phase ends when the coordinator has received all the valid signatures for all the registered inputs.
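Alice's check before signing is what keeps a coordinator from redirecting funds, so here it is as an added example (not Wasabi's code). The data layout, the function name `safe_to_sign` and the sample round are assumptions, and the check goes slightly beyond the text by also comparing each output's exact amount.

```python
from collections import Counter

def safe_to_sign(proposal, my_inputs, my_outputs):
    """Client-side check before signing. Returns (ok, reason).

    proposal:   {"inputs": [outpoint, ...], "outputs": [(script, sats), ...]}
    my_inputs:  outpoints this wallet registered in the round
    my_outputs: (script, sats) pairs this wallet registered
    """
    if len(set(proposal["inputs"])) != len(proposal["inputs"]):
        return False, "proposal spends the same outpoint twice"
    missing = [op for op in my_inputs if op not in proposal["inputs"]]
    if missing:
        return False, f"registered input missing: {missing[0]}"
    # Multiset difference: each registered output must appear with its exact
    # script and amount, as many times as it was registered.
    shortfall = Counter(my_outputs) - Counter(proposal["outputs"])
    if shortfall:
        script, sats = next(iter(shortfall))
        return False, f"registered output missing or altered: {script} {sats}"
    return True, "ok"

# Constructed sample round (placeholder outpoints and scripts, not real data).
MY_INPUTS = ["txid_a:0"]
MY_OUTPUTS = [("script_mine_1", 2_000_000), ("script_mine_2", 2_990_000)]
HONEST = {
    "inputs": ["txid_a:0", "txid_b:1", "txid_c:0"],
    "outputs": [("script_mine_1", 2_000_000), ("script_x", 2_000_000),
                ("script_mine_2", 2_990_000), ("script_y", 6_100_000)],
}
# Same round, but one of this wallet's outputs was lowered by the builder.
ALTERED = {**HONEST, "outputs": [("script_mine_1", 2_000_000), ("script_x", 2_000_000),
                                 ("script_mine_2", 1_990_000), ("script_y", 7_100_000)]}
# Same round, but this wallet's input was left out.
DROPPED = {**HONEST, "inputs": ["txid_b:1", "txid_c:0"]}

if __name__ == "__main__":
    for name, p in [("honest", HONEST), ("altered", ALTERED), ("dropped", DROPPED)]:
        print(name, safe_to_sign(p, MY_INPUTS, MY_OUTPUTS))
```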

Blame round

When the signing phase fails due to some Alices disrupting the round (failing to sign or send the signature to the coordinator), then the successful Alices will continue into a blame round. The blame round will redo the coinjoin phases in order to create a successful coinjoin.

This mechanism also prevents coinjoins from being DDoS-ed, because bad actors that are willingly disturbing rounds won't be able to join the blame round. The client will keep going to the blame round until there are not enough Alices left to meet the minimum input count of blame rounds.

The blame round is not a mandatory phase of the coinjoin process. It was introduced in order to have a higher coinjoin success rate.

Broadcasting

The coinjoin transaction has been successfully built and signed, and it is now ready to be broadcast to the peers of the Bitcoin network. The coordinator sends this transaction over the Tor network to random Bitcoin P2P nodes, and from there it is gossiped to other nodes and miners.

Coinjoin Settings

Wasabi Wallet has automatic coinjoin. It is done by the built-in automatic coinjoin "robot". The robot contains instructions/settings, like how often and when to coinjoin. The user is able to specify these settings in the Coinjoin Settings dialog, according to his own preferences. The wallet ships with default settings, which are good enough for most users.

Wasabi Wallet Coinjoin Settings

Coinjoin settings are wallet specific

As the coinjoin settings apply per individual wallet, it is possible to have multiple wallets with different coinjoin settings.

Automatically start coinjoin

This setting is enabled by default.

When this is enabled, the wallet will automatically start coinjoining soon after the wallet is loaded. The wallet will coinjoin until the privacy progress is 100%.

When this is not enabled, the user will have to manually press the Play button in order to start coinjoining.

Coinjoin Settings Automatically Start Coinjoin

Auto-start coinjoin threshold

The default Auto-start coinjoin threshold is 0.01 BTC.

The wallet will not automatically start coinjoining if the non-private balance is below the Auto-start coinjoin threshold, even if the Automatically start coinjoin is enabled. In this case the user has to manually press Play to start coinjoining. This setting can be used to prevent paying (relatively) high fees for smaller bitcoin amounts.

For example, if the non-private balance is 0.005 BTC and the Auto-start coinjoin threshold is 0.01 BTC, the user will have to manually press Play to start coinjoining.

Auto-start Coinjoin Threshold

It is OK to set the Auto-start coinjoin threshold to 0

If you have some small non-private leftovers, you can coinjoin these by pressing Play, or wait until you receive more funds. If you want to always automatically coinjoin ALL your coins, this can be set to 0 BTC. Note that you might pay relatively more fees for coinjoining smaller amounts.

Coinjoin Strategy

Wasabi ships with 3 coinjoin strategies: Minimize Costs, Maximize Speed, and Maximize Privacy. Each of these contains different configurations, as shown in this table. They determine the Anonymity score target, the Coinjoin time preference, and whether Red coin isolation is enabled.

Coinjoin Strategy Settings

The default strategy is Maximize Speed.

It is possible to make your own custom strategy by using the customize button.

Coinjoin Strategy

Wasabi Coinjoin examples

Here's a list of Wasabi coinjoin examples and how they appear on a block explorer: