Bitcoin Without Privacy Is A Surveillance System

Bitcoin Magazine

Bitcoin Without Privacy Is A Surveillance System

Builder: Yuval Kogman (nothingmuch)

Language(s): Rust, C#, Go, Python

Contribute(s/ed) To: rust-payjoin, WabiSabi/Wasabi 2.0, General Privacy Research

Work(s/ed) At: Spiral (currently), zkSNACKS (formerly)

Yuval had an interest in subjects related to Bitcoin far before it was actually birthed into the world. A lifetime software developer and technology enthusiast, as well as a general purpose autist, he first became interested in cryptographic technology around 2002. 

His father attended a talk by Adi Shamir, the famous cryptographer who co-invented the RSA signature scheme, on ecash. A father-son conversation later and Yuval was now aware of linkable ring signatures, the double-spending problem, and the concept of ecash. His journey down the rabbit hole had begun before the Bitcoin branch had even a single shovel of dirt removed. He even ran hashcash on his mailserver in the early 2000s. 

Like many Bitcoiners at the time (including myself), Yuval saw the original Bitcoin article on Slashdot in 2010 and promptly dismissed the entire idea as silly and unworkable. Later in 2013 he realized that Bitcoin was still around, chugging along and producing a block roughly every ten minutes, but still Yuval did not act to get more involved. 

Eventually in 2015 he took advantage of an offer someone made to sell him some, and that did the trick. Actually owning some bitcoin himself was the last nudge he needed to really go down the rabbithole. 

Sifting Through The Noise

Through the beginning of his time in this space Yuval focused very heavily on researching different privacy coins. 

When asked what made privacy such an important area of focus for him, he said this: “Realizing my silly impulse buys or poor choice of wallet software was being recorded on-chain for all to see, and possibly making me an easy target if Bitcoin was going to be outlawed one day.”

Despite all of the different approaches and potential advances of privacy coins at the time, nothing fully convinced him that they were a comprehensive solution despite all the progress they had made in different areas. 

“Even as I realized I only really believe in Bitcoin, impostor syndrome kept me trying to learn about all the things. By that point the rate at which new things to understand were being made up was orders of magnitude more than I could keep up with, but it took me a while to stop trying,” he said about that time period. 

For a while he simply lurked on Reddit and Bitcoin Twitter, soaking in what was going on but not really participating to any degree besides researching and learning. The first community he actively participated in was an open voice chat server called the Dragon’s Den that he heard about on the Bitcoin podcast Block Digest (Disclosure: the author both operated the chat server and co-hosted the podcast in question). 

WabiSabi And Wasabi 2.0

Yuval was one of the designers of the WabiSabi protocol implemented in Wasabi Wallet 2.0. WabiSabi was a protocol designed to facilitate coinjoins of flexible denominations as opposed to every output having to be the exact same amount. He was quick to point out that it was simply combining an aspect of confidential transactions with anonymous credentials, something Jonas Nick prototyped already for an ecash implementation. 

One important thing to make clear is that WabiSabi is simply the mechanism replacing blind signatures for users to interact with the coordinator and accomplish building a coinjoin transaction, it is not a part of how those coinjoin transactions are structured or look on-chain. It was however designed specifically to allow coinjoin transactions to be structured with arbitrary amounts without being a point of failure that could deanonymize users trying to create such transactions to the coordinating server. 

While Wasabi 2.0 did implement the WabiSabi protocol itself, the zkSNACKs team ignored almost the entirety of the research and work Yuval did on the structure of arbitrary amount coinjoin transactions. He did this work in order to ensure that the transactions WabiSabi was coordinating were sufficiently private, and did not implement behaviors or transaction structures that could undo user privacy after the fact. 

“Where it went wrong is death by a thousand cuts, with the primary cause of that being that nopara73 and molnard refused to learn anything about how to avoid the same mistakes that were already made in Wasabi [1.0.]” 

Expanding on that he said, “Everything from coin selection, to when the decisions about what output values to use, to when CoinJoins are done, to how Tor is utilized had corners cut and was implemented based on vibes with no understanding of the underlying mathematics. Even the game theoretical assumptions necessary for the denial of service concept to really work do not hold in any rigorous sense.” 

As a specific example of general incompetence he witnessed at zkSNACKs he said this, “A related ‘fun’ fact, even though for years zkSNACKS claimed they kept no logs, the unnecessary use of mostly default configuration nginx to serve the website using the same host as the coordinator service meant that logs were in fact being kept.”

He ultimately left zkSNACKs due to his disapproval of the corners the company was cutting, and his unwillingness to participate in that. 

Yuval’s current opinion on Wasabi Wallet, especially given the current environment of multiple people running Wasabi 2.0 coordinators, is that no one should use a coordinator server unless they trust that server to not take advantage of implementation and protocol flaws to deanonymize them. 

The State Of Things

“Privacy is a human right, but in Bitcoin it’s also a personal safety issue for more or less anyone on a long enough time horizon.”

Yuval’s view on the current state of Bitcoin privacy is not the rosiest. He has a number of concerns with the general landscape as it stands now. Specifically custodial exchanges being overzealous in their refusal to interact with users who make use of privacy tools. He sees nothing about the use of privacy tools preventing you from selectively disclosing information to an exchange when required. 

“There’s a difference between sharing your information with exchanges you trust and by extension regulators and broadcasting that for the entire world to see,” he said. 

Apathy from users is another thing that concerns him. Many users do not care about their privacy, if they even consider it, and the use of privacy tools among Bitcoin users is realistically a very small thing. In some social circles there is even a stigma around privacy. “…apathy compounds this stigmatization, effectively normalizing the absence of privacy[.] Exchanges don’t lose many customers if they refuse to serve customers that use privacy tech,” he said. 

He isn’t very happy with the current state of privacy tools either. 

“[R]ent seeking “privacy wallets” snake oil peddlers have poisoned the well. Their zero-sum brainworm infestations led them to spend their time shit slinging in twitter feuds instead of god forbid opening a textbook or academic paper. This toxic discourse also alienated users, feeding into the apathy and the stigmatization.”

Ultimately all of these concerns are rooted in social issues, how people or businesses act, how people react to others actions, etc. That is how they must ultimately be solved. 

“Without sufficient user demand for privacy tech and for the normalization of its use Bitcoin is one hell of a surveillance tool.”

Spiral

In September 2023 Yuval was hired full time by Spiral to work full-time on Bitcoin privacy research and development. Given that many of the issues with current coinjoin implementations stem from their dependence on a centralized coordinator server, Yuval has decided to focus his work on decentralized coinjoins. 

As such, at Spiral he is working on decentralizing coinjoin coordination and improving the ability to analyze and optimize multiparty transaction structures for privacy. 

“My long term goals are to see through my now more developed ideas for CoinJoin. Privacy should have close to 0 marginal cost, or high fees will deter its use. It should also not be a “product” that grifters can shill to make a quick buck by deceiving uninformed users. And finally it should be strong and robust, primarily against intersection attacks.” 

[An intersection attack is an attack taking advantage of mixed coins being spent in the same transaction(s) together improperly to deanonymize their history.]

He is currently contributing to the rust-payjoin library maintained by Dan Gould to work towards his ultimate goal of a decentralized coinjoin protocol.

“Payjoin is currently [specified] as a 2 party collaborative transaction construction protocol. Although this only achieves the first of these two goals, generalizing it to multiple parties provides the opportunity to do the third one properly, potentially in any wallet.”

Covenants

Yuval thinks that covenants are a valuable improvement to the Bitcoin protocol, but thinks that the current set of covenant proposals is made out to be more impactful in the long term than they actually would be alone. 

“The current favorites, CTV+CSFS, seem like a significant step forward, but the way I see it wouldn’t suffice for the kind of long term scaling improvements we’d need for global adoption, even if CTV is generalized into TXHASH.”

He is a fan of Varops concept from Rusty Russel’s Great Script Restoration proposal as a general mechanism to constrain more complicated covenants or other opcodes to prevent them from making block validation too expensive for users. 

“I’m sad to say I also find many of the discussions to be disappointingly tribal, with many words spent arguing in circles about why one’s preferred opcode is the best hammer because look how many problems look like a particular kind of nail if you squint hard enough and you’re such an idiot and on top of that clearly dishonest for not sharing my preferences.”

Overall he thinks the conversation around covenants is poorly managed, with too much focus being given to individual covenant proposals rather than considering what kinds of use cases we want to enable, and which use cases we do not want to enable, and working backwards from there to design appropriate proposals to service the desired use cases. 

Use It Or Lose It

Regarding what average Bitcoiners can do to improve their own privacy, or support privacy in general, he had this to say: 

“Accept that there is no magical solution, we’re kind of stuck with the Bitcoin we’ve got as far as the transaction graph. Then critically assess what solutions are available, affordable, and safe to use, and use them. “

Ultimately privacy requires everyone to take action. So what do people do? Lightning offers some improved degree of privacy, there is still Joinmarket and Wasabi (with the disclaimers from above). Do what you can. Investigate the tools, verify what you can, and make sure you appropriately consider who you are trying to stay private from and how much effort it will take to do so. 

“Even if you don’t think you need privacy today, at least figure out what you could afford to use if you might need it tomorrow, so you don’t get caught off guard. Also consider that the people who do really need it today can’t have it without those who can live without it, so if you want to have that option tomorrow, you should exercise it today. Use it or lose it.”

This post Bitcoin Without Privacy Is A Surveillance System first appeared on Bitcoin Magazine and is written by Shinobi.