I thought that an idea implied in my TokenShuffle gist needed further clarification. That idea is this: if a trusted, central wallet is used, combining its UTXOs is equivalent to a CoinJoin.
Why is this important? Setting up a CoinJoin is a very difficult thing to do: several actors have to participate at the same time, and that level of synchronous, parallel communication is hard to achieve. Trusting an app with a wallet to execute the CoinJoin makes an 'effective' CoinJoin much easier to achieve. I'll expand on this idea after showing the equivalence.
This is the diagram of CoinJoin from the original reddit post:
CoinJoin is also often depicted as below, as it makes it easier to explain the implementation:
N addresses each submit a UTXO of a common amount (for example, 0.01 BCH) as the inputs of one transaction, which every participant signs for their own input.
That transaction has a new set of N' output addresses, each receiving the same amount (0.01 BCH).
Because every input and every output carries the same amount, an observer of the chain has no way to know which output address is controlled by which input address.
In the world of expensive BTC fees, it's important to minimize the number of transactions in any obfuscation protocol. But on the BCH chain, you can do roughly 100 transactions for the same price as a single transaction on the BTC chain. That greatly reduces the need to minimize the number of transactions.
There is a great desire to do all transactions in the Bitcoin world in a trustless, decentralized manner. I too share this desire. But I also don't shy away from using centralized methods in an effort to promote Bitcoin usage, or improve its fungibility.
In this particular case, a trusted, central wallet does not need to be a company or a person. It can be an open source app, running on cloud infrastructure. Code that anyone can audit, download, and execute. Code that could run as an IPFS blob or a .onion hidden service. Code that can be programmed to forget, or self destruct after a period of time. Code that is impervious to legal threats of any government.
If the trade off of trusting a wallet-app is acceptable (while funds sit in the pool the app holds them, and until it deletes its records it knows every input-to-output mapping), then an equivalent form of CoinJoin can be accomplished by consolidating all UTXOs in this trusted wallet as shown in this diagram:
N participants transfer funds to addresses controlled by the server, one transaction each (TX 1 through TX N). In the figure above I use 0.1 BCH for every input, but input amounts can be any arbitrary value, since the outputs are re-cut into a fixed denomination on the way out.
Once a trigger point is reached, say a balance of 1 BCH or 10 BCH, the wallet-app generates a multi-input, single-output transaction to consolidate all the UTXOs into a new single UTXO. This is transaction 'TX N+1'.
A final transaction (TX N+2) spends that single UTXO with N outputs to new addresses, redistributing the funds. Each output address is known only to the wallet-app and the user who receives it. After the transaction confirms, the app can be programmed to delete this data.
The combination of 'TX N+1' and 'TX N+2' is effectively the same thing as a CoinJoin.
Although there are more transactions, the end result with respect to privacy is the same as CoinJoin. If the app is properly programmed (fresh output addresses, every output of the same denomination, output order unrelated to deposit order, records deleted afterwards), an outside observer has no way to link the ownership of the output addresses to the input addresses.
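The deposit, consolidate and redistribute flow described above as an added simulation in Python. This is my example, not code from the TokenShuffle gist or from any real wallet-app: the names `ConsolidatingPool`, `Tx`, `amount_correlation` and `uniquely_linked`, the 0.1 BCH denomination, the 1 BCH trigger, the four sample deposits and the omission of fees are all assumptions. The pool accepts deposits of arbitrary size, emits TX N+1 and TX N+2 once the trigger is reached, and cuts every payout into the fixed denomination. A chain-observer function then tries the obvious amount-matching attack: it pins nothing when outputs are uniform, and links two of four outputs when the app instead mirrors the deposit amounts, which is why the uniform denomination is not optional.

```python
"""Toy simulation of the pooled 'consolidating CoinJoin': TX 1..N deposits,
TX N+1 consolidation, TX N+2 redistribution. Added example, not TokenShuffle code.
Assumed: no fees, txids are hashes of a textual form, addresses are random labels."""
import hashlib
import secrets
from dataclasses import dataclass, field

SATS_PER_BCH = 100_000_000
DENOM = SATS_PER_BCH // 10      # assumed 0.1 BCH output denomination
TRIGGER = SATS_PER_BCH          # assumed 1 BCH pool trigger


def fresh_address() -> str:
    """Stand-in for deriving a never-used address."""
    return "addr_" + secrets.token_hex(4)


@dataclass
class TxOut:
    address: str
    amount: int   # satoshis


@dataclass
class Tx:
    inputs: list   # outpoints "txid:index" being spent
    outputs: list  # TxOut objects
    txid: str = field(init=False)

    def __post_init__(self):
        body = ";".join(self.inputs) + "|" + ";".join(
            f"{o.address}:{o.amount}" for o in self.outputs)
        self.txid = hashlib.sha256(body.encode()).hexdigest()[:16]


class ConsolidatingPool:
    """Server-side wallet-app. `chain` is what the whole world sees;
    `_pending` and `payouts` are the private data the app is meant to forget."""

    def __init__(self, denom=DENOM, trigger=TRIGGER, uniform_outputs=True):
        self.denom, self.trigger = denom, trigger
        self.uniform_outputs = uniform_outputs   # False = mirror input amounts (broken)
        self.chain = []
        self._pending = []   # (user, amount, server outpoint) for the current pool
        self.payouts = {}    # user -> fresh output addresses from TX N+2

    def deposit(self, user: str, user_outpoint: str, amount: int) -> Tx:
        """TX i: the user pays `amount` to a fresh server-controlled address."""
        if self.uniform_outputs and amount % self.denom:
            raise ValueError("deposit must be a multiple of the denomination")
        tx = Tx([user_outpoint], [TxOut(fresh_address(), amount)])
        self.chain.append(tx)
        self._pending.append((user, amount, f"{tx.txid}:0"))
        if sum(a for _, a, _ in self._pending) >= self.trigger:
            self._consolidate_and_redistribute()
        return tx

    def _consolidate_and_redistribute(self):
        total = sum(a for _, a, _ in self._pending)
        # TX N+1: every pooled UTXO as input, one output holding the whole pool
        tx_n1 = Tx([op for _, _, op in self._pending], [TxOut(fresh_address(), total)])
        self.chain.append(tx_n1)
        # TX N+2: spend that single UTXO into fresh addresses, one per denomination piece
        outs = []
        for user, amount, _ in self._pending:
            pieces = [self.denom] * (amount // self.denom) if self.uniform_outputs else [amount]
            for piece in pieces:
                addr = fresh_address()
                self.payouts.setdefault(user, []).append(addr)
                outs.append(TxOut(addr, piece))
        secrets.SystemRandom().shuffle(outs)   # output order must not follow deposit order
        self.chain.append(Tx([f"{tx_n1.txid}:0"], outs))
        self._pending = []

    def forget(self):
        """'Programmed to forget': drop the only record linking users to outputs."""
        self.payouts = {}


def amount_correlation(chain):
    """Chain-observer heuristic. Walk back from the last tx (TX N+2) through its
    single input to TX N+1, then to the deposit outputs it consolidated, and
    link each final output to the deposits whose amount matches it exactly."""
    by_id = {t.txid: t for t in chain}
    redistribute = chain[-1]
    consolidate = by_id[redistribute.inputs[0].split(":")[0]]
    deposits = []
    for op in consolidate.inputs:
        txid, idx = op.split(":")
        deposits.append(by_id[txid].outputs[int(idx)])
    return {out.address: [d.address for d in deposits if d.amount == out.amount]
            for out in redistribute.outputs}


def uniquely_linked(chain) -> int:
    """Number of TX N+2 outputs the observer can pin to exactly one deposit."""
    return sum(1 for cands in amount_correlation(chain).values() if len(cands) == 1)


def run_pool(uniform_outputs: bool) -> ConsolidatingPool:
    """Constructed sample: four deposits totalling exactly the 1 BCH trigger."""
    pool = ConsolidatingPool(uniform_outputs=uniform_outputs)
    pool.deposit("alice", "utxo_a:0", 5 * DENOM)
    pool.deposit("bob", "utxo_b:0", 3 * DENOM)
    pool.deposit("carol", "utxo_c:0", 1 * DENOM)
    pool.deposit("dave", "utxo_d:0", 1 * DENOM)   # trigger reached here
    return pool


if __name__ == "__main__":
    good, bad = run_pool(True), run_pool(False)
    print("uniform 0.1 BCH outputs, uniquely linked:", uniquely_linked(good.chain))  # 0
    print("mirrored deposit amounts, uniquely linked:", uniquely_linked(bad.chain))  # 2
```

`chain` is the only data an outsider has; `payouts` is the record that `forget()` deletes, which is the 'programmed to forget' step from the text. Alice's 0.5 BCH comes back as five 0.1 BCH outputs, so even her unusually large deposit is indistinguishable from Carol's and Dave's on the chain.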
This wallet-app implementation has a few advantages over traditional CoinJoin:
- Users no longer have to participate synchronously. They can now participate asynchronously: funds are pooled and the UTXO consolidation is triggered automatically once the pool reaches a certain quantity.
- When triggered this way, the only risk of lost funds is in the current pool.
- Users can input large amounts. For example, if the pool is set to 10 BCH, a single user can submit a large fund such as 1 BCH and receive it back as 10 outputs of 0.1 BCH each, at 10 fresh addresses. This is very much in line with good address hygiene and privacy-reinforcing practices as described here.
- A second wallet-app could be programmed to send small, unspendable UTXOs and other arbitrary amounts to a Consolidating CoinJoin server in order to consolidate UTXOs without linking addresses. This would solve the 'dust problem', which is a serious problem for privacy in Bitcoin. It could also restore lost privacy, and multiple rounds could obfuscate the origin of coins.