Date: Wed, 10 Jun 2020 07:09:04 +0000
To: "Mr. Lee Chiffre" <lee.chiffre@secmail.pro>,
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
From: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Reply-To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Message-ID: <V-w3Jx5ssSZ1Ch5GEiJJjI12U1qmnlyCsET6JjsDAkl2yC6iJ7DK52mshe0F7wOAjK8vrbSeqRijC3QFRyl1FuGe41xcmYfgC6s7e7H_AQg=@protonmail.com>
In-Reply-To: <5b77933071fa02e900183d8d5e24d866.squirrel@giyzk7o6dcunb2ry.onion>
References: <82d90d57-ad07-fc7d-4aca-2b227ac2068d@riseup.net>
 <5b77933071fa02e900183d8d5e24d866.squirrel@giyzk7o6dcunb2ry.onion>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [bitcoin-dev] Design for a CoinSwap implementation for
	massively improving Bitcoin privacy and fungibility
Precedence: list

Good morning Mr. Lee,


> > =3D=3D=3D Combining multi-transaction with routing =3D=3D=3D
> > Routing and multi-transaction must be combined to get both benefits. If
> > Alice owns multiple UTXOs (of value 6 BTC, 8 BTC and 1 BTC) then this i=
s
> > easy with this configuration:
> >
> >              Alice
> >     (6 BTC) (8 BTC) (1 BTC)
> >        |       |       |
> >        |       |       |
> >        v       v       v
> >               Bob
> >     (5 BTC) (5 BTC) (5 BTC)
> >        |       |       |
> >        |       |       |
> >        v       v       v
> >             Charlie
> >     (9 BTC) (5 BTC) (1 BTC)
> >        |       |       |
> >        |       |       |
> >        v       v       v
> >             Dennis
> >     (7 BTC) (4 BTC) (4 BTC)
> >        |       |       |
> >        |       |       |
> >        v       v       v
> >              Alice
> >
>
> Great work Chris and you have my respects for your contributions to
> Bitcoin. A concern I have with bitcoin is scalability and privacy. Both
> are important. The reasons people bash on Monero is also the same issue
> Bitcoin has. The very large transaction size to achieve acceptable privac=
y
> on a distributed financial network. Im not shilling Monero here. I am onl=
y
> saying that bitcoin transactions with similar privacy properties are at
> least equally as large as Monero transactions. Coinjoin on Monero can be
> compared to ring signatures in Monero from the view of using decoys to
> help conceal the source. From this proposal is this to say that
> transactions will be at least 12 times larger in size to achieve the
> property of privacy that bitcoin is currently missing?

CoinSwap lets you buy privacy at whatever rate is manageable for you.
You can buy a simple non-routed non-multitransaction CoinSwap, for example,=
 instead of larger sections like the above, depending on your privacy needs=
.
Even doing a non-routed non-multitransaction CoinSwap would help fungibilit=
y of those doing more complex setups, because the tiny CoinSwaps you make a=
re made of "the same things" that the more complex CoinSwaps are made of.

>
> Another thing to consider is that if coinswaps cannot be sent as a paymen=
t
> then a coinswap needs to take place after every transaction to keep the
> privacy and unlinkability from your other bitcoin transactions.
>
> I always thought that CoinSwap would be and is a very much needed thing
> that needs developed. The ability to swap coins with other people in a
> trustless way and way that is not linkable to the public blockchain. But
> how can this be scalable at all with the multiple branches and layers?
> This is a good idea in theory but my concern would be the scalability
> issues this creates.
>
> Do you have any comments on this?
> Thank you

Overall, multiple mixing techniques cover a wide range of cost and privacy.

* PayJoins are cheap and almost free (you are coordinating with only one ot=
her participant who is strongly incentivized to cooperate with you, and mak=
ing a single overall tx) but buys you only a small dollop of privacy (trans=
action can be misinterpreted by chain analysis, but probabilistic analysis =
can be "reasonably accurate" for a few transactions).
* Equal-valued CoinJoins are slightly more expensive than PayJoins but give=
 a good amount of privacy (you are coordinating with multiple participants,=
 and probably paying coordination/participation fees, but *which* output is=
 yours will give probabilistic analysis a run for its money, although it is=
 obvious that you *did* participate in a CoinJoin).
* CoinSwaps are a good bit more expensive than equal-valud CoinJoins but gi=
ve a significant amount of privacy for their cost (you are coordinating wit=
h multiple participants and paying coordination/participation fees *and* yo=
u run the risk of getting your funds timelocked in case of network communic=
ations problems or active hacking attempts, but it is hard for chain analys=
is to even *realize* that a CoinSwap even occurred, i.e. it is steganograph=
ic).

Chris argues that CoinSwap gives better privacy:cost ratios than equal-valu=
ed CoinJoins, you can wait and see if he gives more supporting arguments re=
garding this, but overall the various mixing tech exists to give choice on =
how much privacy you buy.

Regards,
ZmnSCPxj