Bitcoin transfers value on a public ledger of transactions anyone can verify. Coin ownership is defined there in terms of public keys. Despite potential use for private transfers, research has shown that users' activity can often be traced in practice. Businesses have been built on dragnet surveillance of Bitcoin users because of this lack of strong privacy, which harms its fungibility, a basic property of functional money.
Although the public nature of this design lacks strong guarantees for privacy, it does not rule it out. A number of methods have been proposed to strengthen privacy. Among these is CoinJoin, an approach based on multiparty transactions that can introduce ambiguity and break common assumptions underlying the heuristics used for deanonymization. Existing implementations of CoinJoin have several limitations, which may partly explain their lack of widespread adoption.
This work introduces WabiSabi, a new protocol for centrally coordinated CoinJoin implementations that uses keyed-verification anonymous credentials and homomorphic value commitments. It improves on earlier approaches based on blind signatures in both privacy and flexibility, enabling novel use cases and reduced overhead.
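The abstract refers to homomorphic value commitments without saying what that property buys a coordinator. The following is an added example, not code from the paper or from the Wasabi project: it uses Pedersen commitments on secp256k1 (an assumption made for illustration; the paper's own commitment scheme, credential structure and proofs are not reproduced here) to show how a coordinator can check that committed input amounts equal committed output amounts plus a publicly known fee without learning any individual amount. Function names such as `commit` and `balances` are illustrative.

```python
import hashlib
import secrets

# secp256k1 domain parameters (standard curve constants, chosen for the example).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # a == -b
        lam = (3 * x1 * x1) * pow(2 * y1, P - 2, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    k %= N
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def hash_to_point(tag):
    """Derive a second generator H whose discrete log w.r.t. G is unknown."""
    x = int.from_bytes(hashlib.sha256(tag).digest(), "big") % P
    while True:
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)   # square root, valid because P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        x = (x + 1) % P


H = hash_to_point(b"pedersen-demo-second-generator")   # hypothetical domain tag


def commit(value, blinding):
    """Pedersen commitment C = value*G + blinding*H (hides value, binds to it)."""
    return ec_add(ec_mul(value, G), ec_mul(blinding, H))


def balanced_blindings(in_blindings, n_outputs):
    """Client side: choose output blinding factors whose sum equals the inputs' (mod N)."""
    outs = [secrets.randbelow(N) for _ in range(n_outputs - 1)]
    outs.append((sum(in_blindings) - sum(outs)) % N)
    return outs


def point_sum(points):
    acc = None
    for pt in points:
        acc = ec_add(acc, pt)
    return acc


def balances(input_commits, output_commits, fee):
    """Coordinator side: sum(inputs) == sum(outputs) + fee*G, using commitments only.

    The amounts never leave the client; the fee is the one public value."""
    lhs = point_sum(input_commits)
    rhs = ec_add(point_sum(output_commits), ec_mul(fee, G))
    return lhs == rhs


def demo(in_values=(5, 3), out_values=(6, 1), fee=1):
    """Constructed round: a client registers inputs 5 and 3, outputs 6 and 1, fee 1."""
    r_in = [secrets.randbelow(N) for _ in in_values]
    r_out = balanced_blindings(r_in, len(out_values))
    c_in = [commit(v, r) for v, r in zip(in_values, r_in)]
    c_out = [commit(v, r) for v, r in zip(out_values, r_out)]
    return balances(c_in, c_out, fee)


if __name__ == "__main__":
    print("honest round balances:", demo())
    print("inflated output balances:", demo(out_values=(6, 2)))
```

The balance check alone is not sufficient: because arithmetic is modulo the group order, an output committing to N - 1 behaves like a commitment to -1, so `demo(in_values=(5,), out_values=(6, N - 1), fee=0)` also "balances". That is why every committed amount in a deployed protocol must carry a range proof; this example deliberately omits one to make the failure mode visible.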
“This paper presents a proposed improvement to the Wasabi CoinJoin scheme called WabiSabi, an application of KVAC. The paper begins by outlining several limitations of the current Wasabi design backed by statistical validation. The paper proceeds to outline the cryptography required to address many of these limitations and concludes with a discussion of some of the security and privacy concerns of the given protocol.”
“The authors present WabiSabi, a new protocol that extends the ZeroLink protocol as used in the Wasabi wallet. WabiSabi adapts concepts from private group membership management, most notably an authentication primitive called keyed-verification anonymous credential (KVAC), to realize unlinkable CoinJoin transactions. The major advancement consists of homomorphic amount commitments that enable more flexible input/output denominations. Therefore, WabiSabi has the potential to increase transaction privacy.”
“The paper introduces a new protocol for coordinating CoinJoins using a central coordinator. For reducing privacy threats from the coordinator, the protocol combines homomorphic value commitments with keyed verification anonymous credentials, a construction previously proposed for enabling private group communication.”
“WabiSabi seems to be a sound and applicable protocol extension/generalization that is able to improve unlinkability of CoinJoin transactions. While the paper's scientific contribution is limited, it can have a practical impact on transaction privacy.”
“The proposed benefits of using KVAC for improving on CoinJoin by replacing standardized denominations is a novel one. The context of the proposed protocol is well defined and the contributions are clear.”
“The paper proposes a well designed solution to a highly relevant problem [and] can be deployed in practice with reasonable implementation effort.”
“The paper is solidly rooted in related work and leverages state of the art building blocks.”
“While this paper defines a number of statistical measures by which to demonstrate the limitations of Wasabi (e.g., CoinJoin inefficiency), it never actually revisits these concepts with WabiSabi to provide a direct comparison of the benefits.”
“There is no rigorous evaluation or security proof.”
“It seems that information leakage on the networking layer and timing attacks are out of scope of the paper. I suggest to clearly state such assumptions. In general, a system and adversary model would improve the quality of the paper.”
“An idea for making the protocol easier to grasp: Consider giving one end-to-end example (e.g., with Alice and Bob and one coordinator) that walks the reader through all steps, including fee payment to the coordinator.”
“The paper in general and the introduction in particular requires considerable pre-knowledge on the topic. The audience is therefore limited. In order to provide access to the article, I suggest to write a "standard" introduction and to move the analysis of the Wasabi implementation to a separate section with some additional background information.”
“The [article states] that malicious users can be blacklisted if they fail to sign inputs (cf. Section 5.1.2). Have the authors considered the known attack vector of providing a signature, but at the same time publishing a transaction that refers to the same output? If this concurrent transaction becomes valid, it invalidates the CoinJoin transaction. Would [identifying] and [blacklisting] such behavior [be possible]?”