Blockchain Analysis Is About to Get Harder as P2EP Enters Testing Phase
Yet another tool is being added to Bitcoin’s growing number of privacy solutions.
Thought up at a brainstorming event attended by Bitcoin developers and privacy researchers last summer, Pay to Endpoint (P2EP) is a relatively new trick that utilizes the well-known CoinJoin mixing technique to make blockchain analysis much harder. An early version of it, called “Bustapay,” was quickly implemented by independent Bitcoin developer Ryan Havar and is being tested as of now. Meanwhile, the privacy-focused Samourai Wallet as well as JoinMarket developer Adam Gibson are working on two P2EP projects of their own, which are getting closer to deployment too.
“Privacy is essential for Bitcoin,” Havar told Bitcoin Magazine. “Ideally we want to screw up [blockchain] analysis so badly, that they can't even make it.”
CoinJoin
To understand P2EP, let’s first recap what CoinJoin transactions look like, and why they are (and aren’t) useful.
Many normal Bitcoin transactions send coins from several addresses (inputs), because the sender’s addresses individually don’t contain enough coins needed for the payment. This is very helpful for blockchain spies, as it usually means that all inputs in a transaction belong to the same entity. It allows for address clustering.
But by combining several transactions into one big transaction, CoinJoin — a privacy solution first proposed by Bitcoin Core contributor Gregory Maxwell — has the potential to break this assumption. If multiple senders cooperate to create a single transaction that sends coins from all of their inputs to the different receiving addresses (outputs) they’re paying, blockchain spies would be wrong to assume all inputs belong to the same entity. As such, they can’t just assume it, even if it is a regular transaction. It would make address clustering, and thus blockchain analysis, significantly harder.
However, CoinJoin also has its limitations. If all CoinJoin participants don’t use equal amounts, it’s easy to puzzle together which inputs are paying which outputs. As such, it doesn’t really prevent address clustering after all.
CoinJoin is still useful for mixing, which can easily be done with equal amounts. Users don’t pay other users, but rather, themselves. This is effective in breaking the trail of coins, but it does give away that a mixing session took place.
“While it ‘clears your history,’ it is not as useful as people imagine,” Havar argued. “Your coins are obviously and intentionally washed. That makes it problematic to use. Try depositing your post-mixed coins into an exchange, for example, and watch when they lock your account and ask you a lot of questions.”
CoinJoin’s potential to break the assumptions used for addresses clustering had not really been realized yet. But this may be about to change.
P2EP
P2EP is a relatively new idea, first proposed by participants of a brainstorming event for Bitcoin developers and privacy researchers last summer, who published the idea in several blogs. It cleverly works around CoinJoin’s “equal amount” limitation, opening up the possibility to use CoinJoin for regular payments — not just mixing specifically.
The central concept behind P2EP is simple yet effective: the receiving party in a payment takes part in the CoinJoin. If Alice pays Bob, Bob participates in Alice’s CoinJoin transaction to him, so he also pays himself.
Say, for example, that Alice wants to send Bob 1.2 BTC. She may send it from two inputs: one that contains 1 BTC and one that contains 0.5 BTC. This adds up to 1.5 BTC, which means she also sends 0.3 BTC back to herself as change in the same transaction.
With P2EP, Bob adds one input of his own in the mix: let’s say it contains 0.9 BTC. As such, the transaction now has three inputs worth 1, 0.9 and 0.5 BTC, for a total of 2.4 BTC. The transaction also has two receiving addresses, worth 2.1 and 0.3 BTC. The 0.3 BTC is still the same change going back to Alice, while the 2.1 BTC really consist of the original payment of 1.2, plus the 0.9 that Bob is sending himself. While the transaction has some padding, Alice still just paid a total of 1.2 BTC to Bob.
Importantly, not all inputs in this transaction belong to Alice, and it’s no longer obvious that a CoinJoin took place: there are no matching “sending” and “receiving” amounts to link addresses together.
“The on-chain structure of a P2EP payment is exactly like a normal transaction. So, at certain points, spies know their analysis is corrupted, but they don't exactly know how. Ideally, we want to screw up the analysis so badly, that they can't even make it,” said Havar.
Bustapay
Havar is the previous owner of Bustabit, an online gambling game, and has plenty of experience in the Bitcoin casino space in general. This is how he got a firsthand taste of Bitcoin’s privacy and fungibility issues: Several exchanges blacklist coins that are associated with gambling sites.
“As a casino operator, you want to help protect the privacy of your players,” Havar explained. “So I implemented a huge amount of privacy oriented features, but each time I was kind of surprised how ineffective it was. Bitcoin truly leaks a lot more information than you'd expect.”
Havar sold Bustabit earlier this year and got interested in P2EP when he read about it last summer. He got to work and first announced the Bustapay implementation in late August 2018: a basic version of P2EP.
While intentionally keeping it simple, Havar believes he has improved on initial P2EP proposals in particular when it comes to denial-of-service prevention (where someone indicates an intention to make a payment but doesn’t) and privacy (spies can use the denial-of-service trick to learn which addresses belong to the payee). In both cases, Havar’s solution lets the payee claim a regular payment if the payer bails on the P2EP payment. This makes the attacks expensive — perhaps too expensive to be worthwhile.
Havar hopes the implementation will be adopted by wallets and services, but he did note interest has been limited so far.
“I tried to reach out to most wallets — but there's largely apathy,” Havar said, realizing Bustapay suffers from a “chicken-and-egg” problem. “For any wallet developer, there's a million things to do, and who wants to implement a protocol no one supports? Meanwhile, when I talk to several big bitcoin businesses, no one wanted to implement a protocol that no wallets support.”
Still, one service has now implemented Bustapay: Bustabit, the casino game Havar used to own, and which he himself believes might even be the biggest one on the internet. To keep things moving forward, Havar put out a call for testers and even offered a small reward last week, while also proposing wallet developers should get a piece of a five-year-old “CoinJoin bounty fund.”
With these tests, Havar hopes to learn how effective the implementation really is.
“Someone with Chainalysis access is giving me information about its effectiveness,” he told Bitcoin Magazine, “so I can kind of see how well it works, and how confused it gets.”
Stowaway and Payjoin
It turns out Bustapay is not the only P2EP project.
Inspired by a much earlier idea by Maxwell to disrupt blockchain analysis, privacy-focused Samourai Wallet revealed in September it has been working on a P2EP-type of solution, too. Based on guidelines by data analyst LaurentMT, the wallet had started working on the solution even before last summer's privacy brainstorming event and has been running private tests since. Dubbed “Stowaway,” the feature will enter a public testnet phase within weeks.
Samourai Wallet’s implementation does have one big difference from Havar’s implementation, however, and will, therefore, be incompatible.
“I'm happy to see Bustapay move forward, but personally I'm a bit put off by the the lack of ‘permissions’: It grants anyone the right to obtain knowledge about part of my UTXO [Bitcoin address] set,” pseudonymous Samourai Wallet developer “Samouraidev” told Bitcoin Magazine.
Stowaway will, therefore, only work between Samourai Wallet users that have indicated through the application that they have a trust relationship with each other.
“Users have to ‘follow’ one another and, in addition to that, provide that extra ‘permission’ to allow their UTXO set to be exposed,” said Samouraidev. “For example, I might have a basic two-way relation with my employer to receive [a] salary, but I do not want my employer to solicit me for collaborative spends, which would expose my UTXO set to him.”
And just a couple of days ago, a third P2EP project was revealed. Privacy-focused Bitcoin developer Adam Gibson is implementing a solution called “Payjoin” for another CoinJoin-based privacy project: JoinMarket.
Like Stowaway, Payjoin is specifically designed to be used between users’ wallets. Where Bustapay is developed with online merchants in mind and is available for anyone that wishes to make a payment, Payjoin would only be used when two users specifically choose to do so.
“With Payjoin you're not passively waiting for arbitrary people to ping your server, so you don't have to worry about snooping attacks,” Gibson explained. “You exchange payment details and you end up with a transaction that looks like an ordinary payment.”
Having been part of the brainstorming session where P2EP was formalized, Gibson has been aware of the solution for a little while; in August, he was even among the first to explain it publicly in a podcast. But he said he’d only recently realized the full potential benefit of the trick. Besides privacy, P2EP also positively impacts Bitcoin’s UTXO set, as more unspent coins end up held by fewer addresses.
Gibson, therefore, started working on PayJoin about a week ago and said that implementing it is relatively easy, as JoinMarket wallets already communicate with one another anyway. He thinks he could have a working implementation ready to be integrated into JoinMarket within a few weeks.
“I initially kind of dismissed this idea offhand as not getting enough usage,” he said. “That's, of course, still likely true. But the main reason I decided to devote a bit of time to it in JoinMarket is everything is set up for that already: anonymised Tor connections between counterparties, encrypted messaging, etcetera. So, even if hardly anybody uses it, it acts as a showcase for other wallets and systems in Bitcoin to let them think about it.”
Photo by Patrick Fore on Unsplash
This article originally appeared on Bitcoin Magazine.
by Aaron van Wirdum via Bitcoin Magazine