Introducing ZeroLink — The Bitcoin Fungibility Framework

To cut through my waffle click for ZeroLink’s specification

I am extremely excited to announce the joint research of SamouraiWallet and HiddenWallet developers: ZeroLink that will make it possible to use Bitcoin in a fully anonymous way the first time. And no, I am not overstating it.

Overview

Even if there is a great, cheap and performant anonymity technique, there are just so many ways a user can be deanonymized, for example through network analysis. For this reason we came up with the Wallet Privacy Framework.

ZeroLink defines a pre-mix and a post-mix wallet and a mixing technique.
Pre-mix wallet functionality can be added to any Bitcoin wallet without much overhead. Post-mix wallets on the other hand have strong privacy requirements, regarding coin selection, private transaction and balance retrieval, transaction input and output indexing and broadcasting. The requirements and recommendations for pre and post-mix wallets together define the Wallet Privacy Framework.
Coins from pre-mix wallets to post-mix wallets are moved by mixing. Most on-chain mixing techniques, like CoinShuffle,CoinShuffle++ or TumbleBit’s Classic Tumbler mode can be used. However ZeroLink defines its own mixing technique: Chaumian CoinJoin.

Chaumian CoinJoin

In 2013 Gregory Maxwell detailed CoinJoin the first time. He already described this technique, hidden inside his FAQ, compressed into a few lines. It based on the Chaum Blind Signature Scheme, therefore we call it Chaumian CoinJoin:

Using chaum blind signatures: The users connect and provide inputs (and change addresses) and a cryptographically-blinded version of the address they want their private coins to go to; the server signs the tokens and returns them. The users anonymously reconnect, unblind their output addresses, and return them to the server. The server can see that all the outputs were signed by it and so all the outputs had to come from valid participants. Later people reconnect and sign.

A mixing round runs within seconds, and its anonymity set can go far beyond a single CoinJoin transaction’s if needed. Furthermore it is really cheap.

But if it’s so good why didn’t anyone build it? A part of the reason was: proper DoS protection is fairly hard to do. However the things have changed since 2013 and we are not living in a zero Bitcoin fee environment anymore. It turns out if Bitcoin fees stay around $1 there is an elegant way to make it uneconomical for malicious actors to disrupt mixing rounds.