{"id":20718,"date":"2018-12-31T16:31:27","date_gmt":"2018-12-31T16:31:27","guid":{"rendered":"http:\/\/ci027cfe78e00626c3"},"modified":"2018-12-31T16:31:27","modified_gmt":"2018-12-31T16:31:27","slug":"blockchain-analysis-about-get-harder-p2ep-enters-testing-phase","status":"publish","type":"post","link":"https:\/\/bitcoinmagazine.com\/culture\/blockchain-analysis-about-get-harder-p2ep-enters-testing-phase","title":{"rendered":"Blockchain Analysis Is About to Get Harder as P2EP Enters Testing Phase"},"content":{"rendered":"
<\/div>
<\/figure>\n

Yet another tool is being added to Bitcoin\u2019s growing number of privacy solutions<\/a>.<\/p>\n

Thought up at a brainstorming event attended by Bitcoin developers and privacy researchers last summer, Pay to Endpoint (P2EP) is a relatively new trick that utilizes the well-known CoinJoin mixing technique to make blockchain analysis much harder. An early version of it, called \u201cBustapay,\u201d was quickly implemented by independent Bitcoin developer Ryan Havar and is being tested as of now. Meanwhile, the privacy-focused Samourai Wallet as well as JoinMarket developer Adam Gibson are working on two P2EP projects of their own, which are getting closer to deployment too.<\/p>\n

\u201cPrivacy is essential for Bitcoin,\u201d Havar told Bitcoin Magazine<\/em>. \u201cIdeally we want to screw up [blockchain] analysis so badly, that they can’t even make it.\u201d<\/p>\n

CoinJoin<\/h2>\n

To understand P2EP, let\u2019s first recap what CoinJoin transactions look like, and why they are (and aren\u2019t) useful.<\/p>\n

Many normal Bitcoin transactions send coins from several addresses (inputs), because the sender\u2019s addresses individually don\u2019t contain enough coins needed for the payment. This is very helpful for blockchain spies, as it usually means that all inputs in a transaction belong to the same entity. It allows for address clustering.<\/p>\n

But by combining several transactions into one big transaction, CoinJoin \u2014 a privacy solution first proposed by Bitcoin Core contributor Gregory Maxwell \u2014 has the potential to break this assumption. If multiple senders cooperate to create a single transaction that sends coins from all of their inputs to the different receiving addresses (outputs) they\u2019re paying, blockchain spies would be wrong to assume all inputs belong to the same entity. As such, they can\u2019t just assume it, even if it is a regular transaction. It would make address clustering, and thus blockchain analysis, significantly harder.<\/p>\n

However, CoinJoin also has its limitations. If all CoinJoin participants don\u2019t use equal amounts, it\u2019s easy to puzzle together which inputs are paying which outputs. As such, it doesn\u2019t really prevent address clustering after all.<\/p>\n

CoinJoin is still useful for mixing, which can easily be done with equal amounts. Users don\u2019t pay other users, but rather, themselves. This is effective in breaking the trail of coins, but it does give away that a mixing session took place.<\/p>\n

\u201cWhile it \u2018clears your history,\u2019 it is not as useful as people imagine,\u201d Havar argued. \u201cYour coins are obviously and intentionally washed. That makes it problematic to use. Try depositing your post-mixed coins into an exchange, for example, and watch when they lock your account and ask you a lot of questions.\u201d<\/p>\n

CoinJoin\u2019s potential to break the assumptions used for addresses clustering had not really been realized yet. But this may be about to change.<\/p>\n

P2EP<\/h2>\n

P2EP is a relatively new idea, first proposed by participants of a brainstorming event for Bitcoin developers and privacy researchers last summer, who published the idea in several<\/a> blogs<\/a>. It cleverly works around CoinJoin\u2019s \u201cequal amount\u201d limitation, opening up the possibility to use CoinJoin for regular payments \u2014 not just mixing specifically.<\/p>\n

The central concept behind P2EP is simple yet effective: the receiving party in a payment takes part in the CoinJoin. If Alice pays Bob, Bob participates in Alice\u2019s CoinJoin transaction to him, so he also pays himself.<\/p>\n

Say, for example, that Alice wants to send Bob 1.2 BTC. She may send it from two inputs: one that contains 1 BTC and one that contains 0.5 BTC. This adds up to 1.5 BTC, which means she also sends 0.3 BTC back to herself as change in the same transaction.<\/p>\n

With P2EP, Bob adds one input of his own in the mix: let\u2019s say it contains 0.9 BTC. As such, the transaction now has three inputs worth 1, 0.9 and 0.5 BTC, for a total of 2.4 BTC. The transaction also has two receiving addresses, worth 2.1 and 0.3 BTC. The 0.3 BTC is still the same change going back to Alice, while the 2.1 BTC really consist of the original payment of 1.2, plus the 0.9 that Bob is sending himself. While the transaction has some padding, Alice still just paid a total of 1.2 BTC to Bob.<\/p>\n

Importantly, not all inputs in this transaction belong to Alice, and it\u2019s no longer obvious that a CoinJoin took place: there are no matching \u201csending\u201d and \u201creceiving\u201d amounts to link addresses together.<\/p>\n

\n

\u201cThe on-chain structure of a P2EP payment is exactly like a normal transaction. So, at certain points, spies know their analysis is corrupted, but they don’t exactly know how. Ideally, we want to screw up the analysis so badly, that they can’t even make it,\u201d said Havar.<\/p>\n<\/blockquote>\n

Bustapay<\/h2>\n

Havar is the previous owner of Bustabit<\/a>, an online gambling game, and has plenty of experience in the Bitcoin casino space in general. This is how he got a firsthand taste of Bitcoin\u2019s privacy and fungibility issues: Several exchanges blacklist coins that are associated with gambling sites.<\/p>\n

\u201cAs a casino operator, you want to help protect the privacy of your players,\u201d Havar explained. \u201cSo I implemented a huge amount of privacy oriented features, but each time I was kind of surprised how ineffective it was. Bitcoin truly leaks a lot more information than you’d expect.\u201d<\/p>\n

Havar sold Bustabit earlier this year and got interested in P2EP when he read about it last summer. He got to work and first announced<\/a> the Bustapay implementation in late August 2018: a basic version of P2EP.<\/p>\n

While intentionally keeping it simple, Havar believes he has improved on initial P2EP proposals in particular when it comes to denial-of-service prevention (where someone indicates an intention to make a payment but doesn\u2019t) and privacy (spies can use the denial-of-service trick to learn which addresses belong to the payee). In both cases, Havar\u2019s solution lets the payee claim a regular payment if the payer bails on the P2EP payment. This makes the attacks expensive \u2014 perhaps too expensive to be worthwhile.<\/p>\n

Havar hopes the implementation will be adopted by wallets and services, but he did note interest has been limited so far.<\/p>\n

\u201cI tried to reach out to most wallets \u2014 but there’s largely apathy,\u201d Havar said, realizing Bustapay suffers from a \u201cchicken-and-egg\u201d problem. \u201cFor any wallet developer, there’s a million things to do, and who wants to implement a protocol no one supports? Meanwhile, when I talk to several big bitcoin businesses, no one wanted to implement a protocol that no wallets support.\u201d<\/p>\n

Still, one service has now implemented Bustapay: Bustabit, the casino game Havar used to own, and which he himself believes might even be the biggest one on the internet. To keep things moving forward, Havar put out a call for testers<\/a> and even offered a small reward last week, while also proposing<\/a> wallet developers should get a piece of a five-year-old \u201cCoinJoin bounty fund<\/a>.\u201d<\/p>\n

With these tests, Havar hopes to learn how effective the implementation really is.<\/p>\n

\u201cSomeone with Chainalysis access is giving me information about its effectiveness,\u201d he told Bitcoin Magazine<\/em>, \u201cso I can kind of see how well it works, and how confused it gets.\u201d<\/p>\n

Stowaway and Payjoin<\/h2>\n

It turns out Bustapay is not the only P2EP project.<\/p>\n

Inspired by a much earlier idea<\/a> by Maxwell to disrupt blockchain analysis, privacy-focused Samourai Wallet revealed<\/a> in September it has been working on a P2EP-type of solution, too. Based on guidelines<\/a> by data analyst LaurentMT, the wallet had started working on the solution even before last summer’s privacy brainstorming event and has been running private tests<\/a> since. Dubbed \u201cStowaway,\u201d the feature will enter a public testnet phase within weeks.<\/p>\n

Samourai Wallet\u2019s implementation does have one big difference from Havar\u2019s implementation, however, and will, therefore, be incompatible. <\/p>\n

\u201cI’m happy to see Bustapay move forward, but personally I’m a bit put off by the the lack of \u2018permissions\u2019: It grants anyone the right to obtain knowledge about part of my UTXO [Bitcoin address] set,\u201d pseudonymous Samourai Wallet developer \u201cSamouraidev\u201d told Bitcoin Magazine.<\/p>\n

Stowaway will, therefore, only work between Samourai Wallet users that have indicated through the application that they have a trust relationship with each other.<\/p>\n

\u201cUsers have to \u2018follow\u2019 one another and, in addition to that, provide that extra \u2018permission\u2019 to allow their UTXO set to be exposed,\u201d said Samouraidev. \u201cFor example, I might have a basic two-way relation with my employer to receive [a] salary, but I do not want my employer to solicit me for collaborative spends, which would expose my UTXO set to him.\u201d<\/p>\n

And just a couple of days ago, a third P2EP project was revealed. Privacy-focused Bitcoin developer Adam Gibson is implementing a solution called \u201cPayjoin\u201d for another CoinJoin-based privacy project: JoinMarket.<\/p>\n

Like Stowaway, Payjoin is specifically designed to be used between users\u2019 wallets. Where Bustapay is developed with online merchants in mind and is available for anyone that wishes to make a payment, Payjoin would only be used when two users specifically choose to do so. <\/p>\n

\u201cWith Payjoin you’re not passively waiting for arbitrary people to ping your server, so you don’t have to worry about snooping attacks,\u201d Gibson explained. \u201cYou exchange payment details and you end up with a transaction that looks like an ordinary payment.\u201d<\/p>\n

Having been part of the brainstorming session where P2EP was formalized, Gibson has been aware of the solution for a little while; in August, he was even among the first to explain it publicly in a podcast<\/a>. But he said he\u2019d only recently realized the full potential benefit of the trick. Besides privacy, P2EP also positively impacts Bitcoin\u2019s UTXO set, as more unspent coins end up held by fewer addresses.<\/p>\n

Gibson, therefore, started working on PayJoin about a week ago and said that implementing it is relatively easy, as JoinMarket wallets already communicate with one another anyway. He thinks he could have a working implementation ready to be integrated into JoinMarket within a few weeks.<\/p>\n

\u201cI initially kind of dismissed this idea offhand as not getting enough usage,\u201d he said. \u201cThat’s, of course, still likely true. But the main reason I decided to devote a bit of time to it in JoinMarket is everything is set up for that already: anonymised Tor connections between counterparties, encrypted messaging, etcetera. So, even if hardly anybody uses it, it acts as a showcase for other wallets and systems in Bitcoin to let them think about it.\u201d<\/p>\n

Photo by Patrick Fore<\/a> on Unsplash<\/a><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

\u201cPrivacy is essential for Bitcoin. Ideally we want to screw up [blockchain] analysis so badly, that they can’t even make it.\u201d<\/p>\n","protected":false},"author":2509,"featured_media":20719,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[291,3445,742,73,215],"class_list":{"0":"post-20718","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-culture","8":"tag-coinjoin","9":"tag-greg-maxwell","10":"tag-mixing","11":"tag-privacy","12":"tag-samourai"},"author_data":{"id":2509,"name":"Aaron van Wirdum","nicename":"aaron-van-wirdum","avatar_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/12\/aaron-van-wirdum-96x96.jpg"},"featured_image_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/blockchain-analysis-is-about-to-get-harder-as-p2ep-enters-testing-phase.jpg","_links":{"self":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/20718","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/users\/2509"}],"replies":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/comments?post=20718"}],"version-history":[{"count":0,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/20718\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media\/20719"}],"wp:attachment":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media?parent=20718"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/categories?post=20718"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/tags?post=20718"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}