Original SPEECH TITLE: Anonymous transactions of base money
SPEAKER: Max Hillebrand
CONFERENCE: Pizza Day Prague 2023
Let’s talk about some cool things, some cool ideas that are happening. The first statement I propose is anonymous transactions of base money with Coinjoin. That’s a super fascinating topic and one that has enlightened the minds of cypherpunks for quite some time.
What is anonymous? Anonymous comes from Greek – without a name. An action that is not attributed to a certain name, where we cannot then therefore link multiple actions to the same person. The realm of anonymity is when we choose not to reveal much about ourselves and the names that we have with the associated transactions.
Benefits of anonymity
Anonymity means that we can reduce the potential attacks that we might suffer because if nobody knows what you’re doing or how much money you have or what you spend it on, nobody really can steal it from you. And that’s a nice benefit. This is why it’s important for your property to be able to not share how much you have and what you do with it.
What are transactions? Transactions are about economic exchange, two parties coming together consensually and agreeing that they’re better off if they trade with the other party. Someone gives pizza in exchange for some money. That’s the most liquid medium of exchange that we have, where basically any merchant in the economy is willing to give his precious goods for this particular good – the money. Money is half of every transaction. Whenever you buy a good or a service, you offer your money in exchange and the other party accepts it because he’s pretty sure that other merchants will accept that particular good. So his suppliers will want to get paid with that money, and every time you receive money, it means that somebody knows that you just got paid, at least the person who paid you the money, and he has to know your name or at least he knows that you’re the guy behind this counter who’s selling pizza. Later when you’ve spent that money, you are going to give it to your suppliers, right? Now, the supplier that provides you the raw materials to sell the pizza, he is going to want to get paid in money and he will know that you had enough money to give him.
These are some of the minimum amounts of information that has to be revealed when we transact, when we purchase things with money. But it’s not quite necessary for the whole world to know about this and other people don’t care or don’t need to know about the fact that I just purchased a pizza with some money. Especially then when we’re talking about the next aspect which is base money.
What is base money?
Money is the most liquid medium of exchange as we’ve established earlier but what is the base money in and of itself? Base money is money proper. It’s the good as is. It’s a chunk of physical gold in your hand and you control it fully and nobody can easily take it away from you. There’s no legal claim that you have here, it’s the actual money.
Another alternative is you take that gold coin and you give it to the goldsmith who has a huge box that is made out of solid metal and protected by a guy with a gun. He has invested in very high security to protect the things inside the vault, and you could put your money inside the vault and get a paper certificate saying, ‘Whoever has this paper can take one piece of gold back out of the vault.’ This paper itself is not base money. It’s a claim on base money. There’s a big difference. It’s not the good in and of itself, it’s a promise that you can redeem the money back at a future point in time.
Of course, the paper itself doesn’t have much value, especially if the guy who owns the mint is running away with it, and that means having access to base money is again extremely important. Why? Because it reduces the risk of theft. If you have your money in a vault in a money warehouse, the operator thereof can take it and run away, but if you hold the money yourself that operator has no extra leverage to run away with your money than any other guy, and that’s a big benefit of base money. It’s something that only you control, that nobody else has a claim on other than you.
Base money anonymity and Bitcoin
Base money anonymity is quite important because once the base money is handed over the other party has it now, meaning there is no leftover claim or promise to pay money in the future. The debt has been extinguished, the trade is settled. The base money has moved control and therefore the purchase is made and no future relationship is required between the merchant and the customer after this point. You pay and you go, that’s it. We don’t need to have any reputation for the future for this specific trade to happen. We’ve just paid and it’s done, and that’s how physical gold worked all the time and that’s how physical cash nowadays works in the fiat world. Bitcoin is equivalent to these two aspects in the sense that it is base money. It is not a claim on something else if you have a UTXO on the Bitcoin blockchain. This is an irrefutable asset that you can use and spend in a future Bitcoin transaction. However, Bitcoin is peculiar in some senses because it requires that every user verifies the transactions of everyone else, and that’s part of the Bitcoin system. It’s a distributed network where every operator of a Bitcoin full node needs to download, remember and process a huge amount of data, which is the transactions where that base money changed hands, presumably. This means that there’s a lot of cost associated with running a Bitcoin full node, with verifying the integrity of the actual money that you’re holding.
Bitcoin is the system that is optimized for verification, in the sense that because we want to have many users, we need to have many people to verify every transaction of everyone else, and so we prioritize that. We have certain types of transactions that are extremely easy to verify and very difficult or impossible to forge or tamper with. Bitcoin achieves that beautifully but still at quite a huge cost, even at the low rate of transactions that we’re currently seeing. And then, the more users make transactions, the more everyone has to remember about everyone else. It’s a system where we have to share a lot of information with basically everyone. We make a lot of knowledge public, the information of our transactions in the Bitcoin sense, which coins are being spent (the inputs to a transaction) and which coins are being created (the outputs to a transaction).
In order to use this base money, we have to reveal the intent of moving it to the entire world. The first part of this statement then becomes a bit difficult. Because is it still anonymous if you have to reveal every transaction to everyone in this entire world? That seems to be difficult to still retain anonymity in this system.
Address reuse: a privacy concern
There are numerous tricks that we can use to reduce the amount of information that we reveal about ourselves when we make transactions with the Bitcoin base money system. One of the really obvious ways, one of the big fallacies or huge user problems that were created after the deployment of Bitcoin was the reuse of addresses.
Understanding addresses in Bitcoin transactions
An address is essentially a public key and the address basically defines who can spend the coin that we are creating here. So an address first appears on the output side of a transaction where that condition of who can spend this amount of money is first mentioned in the Bitcoin blockchain. And at a later point in time when someone wants to spend this coin that was created, he needs to prove that he has a valid witness to the lock of the address, so to say. In most cases that’s just the signature of a private key. A transaction that spends the coin from this address is only valid if the transaction was signed by the private key that corresponds to the public key that corresponds to the address.
The power of new identities with fresh addresses
If you want to receive Bitcoin multiple times, you could use the same public key, the same address all the time, because you still know the private key to it and presumably nobody else does. But the big problem then is an outside observer sees an address getting paid and later paying money not just one time but, instead, sees it happening multiple times. So I can attribute that multiple transactions at different times in the blockchain come from the same person. This is what you can stop by not using the same address every time.
You just generate a new private key, a new public key, and therefore a new address for each time you get paid. All of a sudden, every time you receive money, you have a new identity. Just when you receive money, that new identity is completely random. Every time you received money in the past, it has never been seen before. It’s a truly new name. And then, you can receive money frequently without anyone knowing that these addresses belong to the same person.
Spending bitcoin from multiple addresses
What if you want to spend your money? Let’s say you received one, two, and three bitcoin in the past and now you want to make a payment of six bitcoin. What do you do? You have to create a new transaction where you spend the three coins from fresh addresses that you received in the past and you put them in a transaction, three coins on the input side. And on the output side you have one address. That’s the six Bitcoin that you want to pay. But now you’ve just revealed that there are three inputs from completely random addresses but that now were mentioned at the same time, signing the same message, being in the same transaction which is a high indication that they probably belong to the same guy. So you’ve just revealed the common ownership of certain addresses in certain coins not at the point where you received them but at the point where you spent them. And that’s a big problem. These are the things that we have to address if we want to have a private base money system.
Problems with hard forks
There were lots of different approaches to address this problem, for example changing the protocol completely, forking off and doing something radically new like Zcash or Monero. But it seems that whenever we try to add more complex privacy solutions to the Bitcoin protocol, if we change the rules in any way, even though we might get some benefits, we get huge downsides, especially in terms of verification costs. To run a Monero full node or Zcash node and to verify everything from scratch, the cost is an extremely expensive computer and a huge internet connection. Then in some conditions, you might not even be able to verify the blocks that are coming in fast enough. So before you verify one block, the next one’s already coming in.
These are actual problems of these systems that mean that the cost of verification increases. Therefore, few users can use it as a base money. Base money means you don’t have to trust anyone else to hold that asset. Well, if you didn’t verify the UTXO set and the blockchain of the coin that you’re holding right now, then you cannot be sure that this is an actually legit coin that will be accepted by other people. So if you want to use it as a base money, you need to verify it fully, and that means a high verification cost limits the number of users that could use the base money system, plus it creates a complete new shitcoin that nobody cares about. With Bitcoin already having a huge network effect and a massive amount of users, that just means that you are in a tiny minority, a small group of cypherpunks trying to hide. But your crowd is tiny and you’re quite easy to identify. That’s a problem. Instead, we can try to use the Bitcoin system as it’s currently designed, with the same inherent set of rules, and just get a bit smarter about using it.
I would argue we can actually achieve fully anonymous transactions of the Bitcoin base money system on the base layer blockchain. We have, for all intents and purposes, solved the problem for now. It’s just a question of polishing it up a little bit.
Concept of Coinjoin
How do we protect us from anyone else learning that multiple addresses belong to us or multiple transactions that we’ve made at different times belong to us, to the same name? How can we remove this information from getting out there? How can we make the system anonymous? It’s actually quite simple. Instead of making a transaction by yourself, you get together with hundreds of other people and you make a transaction with hundreds of inputs and hundreds of outputs, not alone but together. You hide in a crowd directly in a Bitcoin transaction and that’s the idea of a Coinjoin.
Benefits of Coinjoin
The really cool thing about Coinjoin is it’s still a base money system on the Bitcoin blockchain. You’re never giving up control over your money. You’re at no point in time at risk of someone stealing from you because you can fully verify what’s going on. This means nobody can steal from you and if the Coinjoin system is implemented well, nobody can spy on you, not a single person. Not the other people participating in the transaction, not the coordinator who brings us all together and not even an outside observer. Nobody can track that multiple inputs or multiple outputs belong to you in a single transaction. That is important because now we have held up the qualities of a base money system that nobody can steal from you and that nobody can spy on you. That’s what gold and physical fiat cash enable you as a bearer instrument base money systems. Well, it becomes very different because we’re in cyberspace but now at least we’ve regained the attributes of anonymity and of being able to use the system without revealing our true name and without tying the same name to multiple transactions and that means we can receive and spend money anonymously.
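As an added illustration of the two passages above (the three-input spend that reveals common ownership, and hiding in a crowd with Coinjoin), here is example code that is not from the talk or from Wasabi: it applies the naive common-input-ownership clustering an outside observer would run over the transaction graph, and shows why a transaction with many equal-valued outputs is excluded from it. All transactions and addresses are constructed.

```python
# Added example (not from the talk): common-input-ownership clustering and a
# crude Coinjoin detector that exempts such transactions from it.
from collections import Counter

# A transaction is (inputs, outputs); each side is a list of (address, btc).
# Constructed to mirror the talk's 1 + 2 + 3 = 6 BTC example.
SINGLE_USER_SPEND = (
    [("addr_A1", 1), ("addr_A2", 2), ("addr_A3", 3)],   # three fresh addresses
    [("addr_merchant", 6)],                              # one payment of 6 BTC
)

# Hypothetical Coinjoin: four participants, four equal 1 BTC outputs plus change
# (no fee modelled, so inputs and outputs both sum to 5.65 BTC).
COINJOIN = (
    [("addr_P1", 1.3), ("addr_P2", 2.1), ("addr_P3", 1.05), ("addr_P4", 1.2)],
    [("addr_out1", 1), ("addr_out2", 1), ("addr_out3", 1), ("addr_out4", 1),
     ("addr_chg1", 0.3), ("addr_chg2", 1.1), ("addr_chg3", 0.05), ("addr_chg4", 0.2)],
)


def looks_like_coinjoin(tx, min_equal_outputs=3):
    """Heuristic: several outputs of identical value, backed by at least as many inputs."""
    inputs, outputs = tx
    _value, count = Counter(v for _, v in outputs).most_common(1)[0]
    return count >= min_equal_outputs and len(inputs) >= count


def cluster_addresses(txs):
    """Return {address: cluster_root}; all inputs of one non-Coinjoin tx share a root."""
    parent = {}

    def find(a):                      # union-find with path halving
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for inputs, outputs in txs:
        for addr, _ in inputs:
            find(addr)                # register every input address
        if looks_like_coinjoin((inputs, outputs)):
            continue                  # inputs may belong to different people
        first = inputs[0][0]
        for addr, _ in inputs[1:]:
            parent[find(first)] = find(addr)   # same transaction => same owner
    return {a: find(a) for a in parent}


def same_owner(clusters, a, b):
    """True if the observer's heuristic attributes both addresses to one entity."""
    return clusters[a] == clusters[b]


if __name__ == "__main__":
    clusters = cluster_addresses([SINGLE_USER_SPEND, COINJOIN])
    print("A1 and A3 linked:", same_owner(clusters, "addr_A1", "addr_A3"))  # True
    print("P1 and P2 linked:", same_owner(clusters, "addr_P1", "addr_P2"))  # False
```

The three fresh receive addresses stay unlinked until they are spent together; the Coinjoin inputs stay unlinked because the equal-output pattern tells the observer the inputs are not necessarily one person's.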
Reviving a Cypherpunk Vision
The great thing is that this was a vision of the cypherpunks from decades ago. Let’s say, the cypherpunk project out there was Chaumian blind signatures in 1983, which enabled the idea of an anonymous money system. The big problem of eCash is it’s not base money, it’s a claim on base money. You give your dollars or your gold to someone else and he returns you a tiny electronic signature, a couple of bits and bytes, and those bits and bytes aren’t the base money. And the guy who runs the mint can take off with your physical money or your gold. That’s a big problem, but with Coinjoins we are finally using the same technologies envisioned back then, Chaumian blind signatures, not as money substitutes but as anonymous access rights to this chat group of us together preparing the same Bitcoin transaction.
Challenges of Coinjoin
So, Coinjoin uses the same idea from the basic origins of the cypherpunk movement and applies it in a bit of a different way to create something that enables us to have anonymous transactions of base money, and that’s a pretty bold claim after a long journey of people trying to fix this problem. It is a bloody difficult problem. I’m not claiming that we’re doing it perfectly at the moment, but I think we’re on track to doing it really, really well. Especially with the work that we’ve been doing on Wasabi 2.0, where we basically create huge Coinjoins, at least 150 inputs, and around 300-400 inputs for every transaction. Now we have transactions every 20-30 minutes or so. This is shaping up to be an actually used way of making anonymous transactions, where right now it’s very difficult for most cases. If you are under 100 bitcoin or so, you should gain a substantial amount of privacy within a couple of hours or days for your money using Coinjoin. It gets a bit tricky when we’re talking about thousands or tens of thousands of bitcoin. Why? Because there’s no crowd available yet. There’s not that many users, not that much liquidity where you could hide with Coinjoin. Being a whale is difficult.
The major concern that we currently still have is the cost of Coinjoin, because making anonymous base money transactions should be not just effortless and fast but also efficient and cheap. And then in the sense of Bitcoin, we need to be block space efficient with how we register the inputs and which outputs we register, etc. That’s a very broad possible space where we could design specific transaction networks. There’s a lot of flexibility that the WabiSabi Coinjoin protocol enables us to do.
Currently, we could certainly be more block space efficient. That means getting smarter about which inputs to register when, and which outputs, meaning how many outputs would you register in this round, and what’s the value of it, etc. This basically opens up somewhat of an already discussed problem of switch networks and transaction network topology, where we can use old ideas from the cypherpunks and apply them to how your Bitcoin wallet chooses what’s the privacy level of coins, which should be spent, which newer coins should be created, etc. We still have a long way ahead of making the system better, but it’s a lot of fun building it, and the progress we have is really nice.
Disclaimer: Transcripts provided on bitlyrics.co represent solely the opinion of the speaker and are not by any means financial/legal advice or an opinion of the website. The content has been transcribed with maximum accuracy. Repetitions and fill words have been amended in order to enhance the reading experience. The full text may not be confirmed by the speaker. Please refer back to the above-provided source of content for more certainty. If you are a speaker and wish to confirm/amend your speech, please contact us.