Introduction

As a coinjoin user, you’re not only looking for privacy for your coins but also efficiency in terms of fees and time. We could say that the perfect on-chain coinjoin would be one transaction, would cost very little, and would provide a lot of privacy for all your coins while leaving no toxic change. At Wasabi, we have always improved our software so that it becomes more efficient, because this increases the accessibility of privacy. 

With the 2.0.4 release, we have improved coinjoin efficiency in multiple ways so that you reach private status on all your coins faster and incur less cost. Our main goal is to even further reduce the occurrence of toxic change. 

How are we improving coinjoin efficiency on the 2.0.4 release?

First off, the maximum number of outputs per user per coinjoin transaction is no longer 8 but is now 10. Then, output decompositions that produce toxic change outputs are now rarely chosen. Additionally, we have slightly changed how the anonymity scoring is calculated, to reflect further the reality. Finally, Wasabi’s definition of private coins has changed to a random value of an anonymity score of 27 to 76, instead of 50 to 100 in the privacy profile.

If you want to understand the details of how this works, what the above numbers mean, and understand the motivation behind our update, read further. To better communicate this topic, we have to first take a look at Wasabi Wallet 1.0 and its flaws, then how Wasabi Wallet 2.0.0 fixed many of them, and finally, the improvements done on the 2.0.4 release, to bring us one step closer to providing the perfect coinjoin protocol and application. 

This article assumes you understand Bitcoin’s UTXO model and the lack of privacy it creates, read about it here if you don’t.

The Flaws of Wasabi Wallet 1.0 and Zerolink

Wasabi Wallet 1.0 was released on October 31st 2018. It was the first implementation of a Zerolink Chaumian coinjoin protocol, in which encrypted communication with the coordinator was introduced through blind signatures. 

Trustless coinjoin transactions at scale became a reality. However, nothing is perfect and this mechanism has inherent flaws. Let’s look at how Wasabi Wallet 1.0 works and where the issue relies, particularly around coinjoin efficiency. 

How does Wasabi Wallet 1.0 work?

When you use Wasabi 1.0, you have to manually select the inputs you wish to be part of the coinjoin transaction and queue them. Once enough participants had joined the current queue, the coordination process of the coinjoin transaction would begin, including the phases of input and output registration, and transaction signing. Once all coordination phases are completed, the coordinator broadcasts the coinjoin transaction to the bitcoin network. It confirms and the coinjoin is complete. To learn more about the details of the Zerolink protocol, read about it here.

This is what the Wasabi Wallet 1.0 interface of the registration process looks like. 

What are the Flaws of Wasabi Wallet 1.0? 

Due to the inherent nature of blind signatures, the private output values of a coinjoin transaction in Wasabi Wallet 1.0 are of a fixed set of multiples of a base denomination. This inherent design issue leads to coinjoin inefficiency.

Example of what a Wasabi Wallet 1.0 coinjoin transaction looks like, with a no fee assumption for simplification purposes.

Since it’s unlikely that a participant’s input will equal the sum of the fixed output value and the additional required fees, the coinjoin transaction creates toxic change outputs for almost every user. This means that a user will pay bitcoin mining fees to create outputs that are not even private, and will have to pay even more in the future to get those UTXOs private. 

An additional issue of a fixed set of multiples of a base denomination for private outputs is accessibility. Users with less bitcoin than the base denomination find themselves excluded from participating in Wasabi Wallet 1.0 coinjoin transactions. 

Fortunately, the flaws of Wasabi Wallet 1.0 motivated the team to research and develop a new system that would fix those caveats on the WabiSabi protocol. 

WabiSabi to the Rescue

As previously said, Zerolink’s usage of blind signatures restricted Wasabi Wallet 1,0 to a fixed set of multiples of a base denomination. On the other hand, WabiSabi introduces KVACs (keyed-verification anonymous credentials) to replace blind signatures’ standard denominations with homomorphic amount commitments. To learn more about KVACs, the WabiSabi academic paper explains well the technology behind it.

This allows the coordinator to verify that the sum of any participant’s outputs does not exceed that of their inputs while allowing the user to hide the underlying values from the coordinator. This innovation allows for Wasabi Wallet 2.0 to be more flexible on output decomposition for coinjoins, which means that users can now register inputs and outputs worth anywhere in between 5000 sats and 40000 bitcoin (find all the output denominations here). This greatly improves coinjoin efficiency, allowing most users to avoid toxic change outputs from the coinjoin transaction, and it drastically increases accessibility by lowering the minimum amount by 99%.

Example of what a Wasabi Wallet 2.0 coinjoin transaction looks like, with a no fee assumption for simplification purposes.

Now that we’ve explored the different approaches taken in Wasabi Wallet 1.0 and 2.0, let’s take a look at how coinjoin efficiency works. 

How is Coinjoin Efficiency Measured?

Briefly, the WabiSabi research paper defines coinjoin inefficiency “ to be the fraction of non-mixed change outputs and the total number of outputs in a CoinJoin transaction”. This means that a coinjoin transaction without any toxic change outputs has no coinjoin inefficiency. 

It’s also important to consider that a coinjoin participant wants to minimize the amount of fees he will pay and the amount of time he will spend to gain a sufficient level of privacy. 

Let’s complete this article by looking at the latest coinjoin efficiency improvements.  

Wasabi 2.0.4 Release Improvements on Coinjoin Efficiency

Wasabi Wallet’s 2.0.4 release introduces a few improvements to coinjoin efficiency by reducing further the occurrence of toxic change. It does so by introducing Naive Decomposition, an alternative way to decompose the input value sum into private outputs, which decreases the rate of decompositions that create toxic change outputs. 

Additionally, there is an adjustment to the anonymity score calculator, in which there’s now three types of anonymity score calculation for outputs instead of two. Also, the profile “Maximize Privacy” anonymity score target is now of a different value, from 50-100, to 27-76.

In this section, we’ll explain in detail what this means.

What is Wasabi Wallet’s Naive Decomposition?

Like previously mentioned when introducing Wasabi Wallet 2.0, coinjoin output decomposition happens freely, which means that amounts are no longer fixed, they’re way more flexible. However, it’s nowhere near perfect and some coinjoin transactions still have toxic change. This particularly affects whale users that bring high value UTXOs to the collaborative effort.

To partially solve this problem and reduce even further toxic change, we introduce Naive Decomposition. It’s a method that attempts to break down a larger amount of money into smaller denominations in a straightforward or ‘naive’ manner, while adhering to certain constraints such as maximum number of outputs and minimum allowed output amounts. Here’s the codebase section on the Naive decomposition.

How does Naive Decomposition Create Less Toxic Change?

The way it does this is fairly straightforward: it iterates over the provided denominations and continuously subtracts them from the total sum until it can’t anymore, respecting the constraints of maximum number of outputs and the available virtual size (vsize).

If there’s enough ‘remaining’ to create a change output (greater than the minimum allowed amount + change fee), it adds a change output.  If not, the ‘remaining’ amount is treated as a ‘loss’ that goes to the miners. 

It’s also important to note that on the Naive Decomposition the maximum number of outputs is 10, including a toxic change output. For regular previously used decomposition, the number remains at 8. Increasing this number helps in creating better decompositions, with less toxic change. However, we don’t want to increase this number too much because it could lead to  heavy computer resource consumption and then to software crashes. Also, it’s important to avoid creating too many outputs, to reduce the future fees the user will have to pay to spend each one of them.

Now that we’ve understood the gains of coinjoin efficiency of the Naive Decomposition on the 2.0.4 release, let’s finish up the blog post by describing the motivations behind the changes on the anonymity score calculator and the profile “Maximize Privacy” anonymity score target value. 

The Anonymity Score Calculator Becomes More Accurate

Every coinjoin protocol has its own way to calculate anonymity gain, and on Wasabi Wallet 2 it’s called anonymity score. This term is different from anonymity set used in Wasabi Wallet 1.0, and to know more about the difference between these two terms and how the anonymity score calculator works in detail, read this previous blog post. 

Here’s a brief but exact description of the anonymity score calculator for coinjoin transaction outputs. 

Before the 2.0.4 Release

There are two different anonymity scores possible to inherit for a coinjoin transaction output, they are as follows:

1. Non-Sanctioned: When the output is of standard denomination AND it’s not one of the two biggest output amounts in the transaction. It’s uniqueness doesn’t matter, it is a private output.
   1. Anonymity score is calculated as the sum of the weighted average of the anonymity scores of a user’s own inputs part of the coinjoin transaction, and the total number of outputs of the same denomination divided by the number of a user’s own inputs of that denomination.
2. Sanctioned: When it’s not non-sanctioned, so it’s either not of a standard denomination OR it’s one of the two biggest output amounts in the transaction.
   1. Anonymity score is calculated as the minimum anonymity score of a user’s own inputs part of the transaction. 

Since the 2.0.4 Release 

There’s now three different anonymity scores possible to inherit for a coinjoin transaction output. The changes will be highlighted. They are as follows:

1. Non-Sanctioned : When the output is of standard denomination (uniqueness doesn’t matter) AND it’s smaller than the biggest pair of foreign equal outputs(in other words, my output is smaller than the biggest foreign denomination that has at least two outputs)
   1. The anonymity score calculation doesn’t change for Non-Sanctioned outputs.
2. Sanctioned: When it’s not a standard denomination only (so it won’t be applied anymore for big standard denominations outputs, this is the main goal of the change)
   1. The anonymity score calculation doesn’t change for Sanctioned outputs.
3. Half-Sanctioned (new): When we are not a Non-Sanctioned or a Sanctioned output (is of a Standard denomination AND is bigger than the biggest pair of foreign equal outputs)
   1. The anonymity score is calculated as the minimum anonymity score of our own inputs part of this transaction that are bigger than the biggest foreign output. 

Why did we change this? 

We would previously lower the anonymity score of what is now a half-sanctioned output to the minimum anonymity score of a user’s own input part of the transaction. This calculation is done client-side so the software knows which inputs are yours. 

However, anonymity score should be a measurement of what can be perceived from analyzing the blockchain, so if an input is not in the penalty, well we can’t know it’s yours from a blockchain analytics perspective. It made little sense to penalize a half-sanctioned output to that level, instead we penalize it to the minimum anonymity score of our own inputs that are part of this transaction and are bigger than the biggest foreign output.  

Let’s conclude by explaining the profile “Maximize Privacy” change.

Why Has the Anonymity Score Target of Maximize Privacy Changed?

When you initialize Wasabi Wallet 2.0, you can choose your wallet profile either to “Minimize Cost”, “Maximize Speed” or “Maximize Privacy”. The first two will give the target an anonymity score superior to 5, but differ because the first one will wait for bitcoin network fees to be low to coinjoin. Maximizing privacy used to target a random number between 50 to 100, but that’s now 27 to 76. Why?

Based on our goal to prioritize efficiency for our users, we always want to offer the most economical solution available. We believe that an anonymity score of 100 is currently probably an overkill to recommend as a default setting, and we’ve lowered it because of that reason.

We’ve calculated that an output can never gain more than 26 anonymity scores from 1 coinjoin transaction, so a minimum of 27 enforces at least two coinjoin transactions. We kept the same spread which gives us 27 to 76. 

It’s important to know that this is just a default setting and you can always change your anonymity score target to a maximum of 300. 

Conclusion

This article explains the mechanism behind Wasabi Wallet 1.0 (and the Zerolink protocol), its inherent flaw of coinjoin inefficiency, how Wasabi Wallet 2.0 (and the WabiSabi protocol) improved efficiency and fixed many of the resulting caveats. This part introduces the goal of this article, which is to explain the improvements made on Wasabi Wallet’s latest release (2.0.4) on coinjoin efficiency through the introduction of the Naive Decomposition, and the further changes to the anonymity score calculator and the anonymity score target value of the profile “Maximize Privacy”.