Have you wondered about Bitcoin privacy or chain surveillance and how it’s done? Or how to defend against it? This is the episode for you, as Ergo of OXT Research (Part of Samourai Wallet) rejoins me on the show to talk: 

  • Background on bitcoin transactions
  • How Bitcoin surveillance works
  • Peel chains and wallet clustering
  • How to counter it in practice

Podcast Transcript:

Stephan Livera:

Ergo welcome back to the show.

Ergo:

Hey Stephan! Thanks for having me back.

Stephan Livera:

Yeah. Ergo. So I see you’ve got some really excellent work coming out soon. And so we’re going to talk today a little bit about how chain surveillance works and how to chain surveil ourselves. So this is going to be a beginner level episode, just to put it out there and help upskill people. Maybe you’re new to Bitcoin, and you’re learning a little bit about this and you might’ve heard some different things, right? So Ergo, what’s your take on, if somebody is new to Bitcoin, what are the typical things they might say? Would they say, oh, Bitcoin is totally private or is it totally public?

Ergo:

I guess that kind of concept has changed a lot. Over the last, I don’t know, few years, right? You know, originally we started out with kind of an anonymous payments meme you know, around Silk Road, WikiLeaks donations, but recently I think the knowledge of the traceability of Bitcoin has become a bit more mainstream. So yeah, there’s still gonna be stragglers, people that don’t quite understand what the technology is and how it works. And that’s kind of the point of the guide that I’ve written.

Stephan Livera:

Excellent. Yeah. So let’s start talking a little bit about some of the ways in which you might decrease or lose privacy in Bitcoin. So could you just give an overview just for a total beginner — let’s say maybe they’ve just bought some of their first Bitcoin but they, they don’t really know anything about the privacy elements of Bitcoin. What would you say?

Ergo:

I guess it’s hard at first to have a decent understanding of Bitcoin privacy. You do sort of need to start with the concept of UTXOs and get at least a basic understanding of what a UTXO is, and for a beginner that can be a little bit daunting. Maybe your wallet, most wallets will kind of abstract that concept of UTXOs away, so maybe they have a simple hardware wallet and they’re using, for example, Trezor or Ledger — sort of web interface, or they have even for most very simple mobile wallets, will sort of basically have the same kind of UX, right? You’ll see your total wallet balance. And then you’ll see sort of the bookkeeping, the credits and debits of your incoming transactions that increase the balance of your wallet and the outgoing transactions that will kind of decrease the balance of your wallet. You know, underlying kind of a lot of that is really the concept of UTXOs.

Stephan Livera:

Yeah. So let’s try and break that down a little bit. So let’s say I’m a total newcoiner, a new Bitcoiner, and I might be approaching this with the mindset of, oh, it’s just like money in my bank account. I just see the amount there. I’ve got, say a hundred dollars or I’ve got a thousand dollars and I received money. It goes up, I pay money. It goes down. That might be what a Bitcoin wallet looks like when you are totally new to all of this, but actually in reality, what happens in the background and your wallet manages this for you, is this concept of unspent transaction outputs. So can you explain a little bit around that and how Bitcoin transactions work? Just the elements around UTXOs?

Ergo:

Yeah. So I think maybe we’ll start first with just kind of the concept of an address, right? An address is a public key or a representation of your wallet’s public keys. That’s what you hand out to someone when you want to receive a payment. There’s a difference between an address and a UTXO. Now a UTXO will be what your wallet software really receives and recognizes and then is later kind of spent. So if you go back to that sort of UX flow where you have your general wallet kind of overview balance with the credits and debits for your incoming and outgoing transactions, each of those incoming transactions will very likely represent a single unspent transaction output. That’s basically a piece of a Bitcoin, it’s kind of, for lack of a better term, but each of those pieces of Bitcoin is sort of what gets managed in the background by your wallet software, as you had mentioned.

Stephan Livera:

Yeah. And so for listeners, one analogy I like to use when I’m explaining this, say I’m at a Bitcoin meetup and I’m teaching somebody, I might use the analogy of gold. So let’s say I had 10 ounces of gold and I wanted to pay one ounce of gold to Ergo. And so I’m obviously oversimplifying a little bit, but just to help understand the concept, imagine I melted down that 10 ounces of gold into one hunk of nine ounces and one hunk of one ounce. And then I gave that to Ergo. That might be a nice, easy way to think about what’s going on in the background when your wallet composes or constructs a transaction. So do you want to just elaborate on that idea?

Ergo:

Yeah. I mean, that’s exactly kind of what happens, is that a UTXO is completely consumed, destroyed on the input side of a transaction and it’s recast as outputs to a new transaction, and what you just described in that sort of very simple example with your 10 on the input side and a one and a nine on the output side, that’s very analogous to a simple Bitcoin spend, which is probably one of the most common transaction types. I think about 50% of Bitcoin spends will have one input and two outputs just as you said. And so then we can go from, you know, kind of that concept of UTXOs into how do we sort of interpret that kind of transaction.

Stephan Livera:

Yeah. And so essentially for listeners out there, just think of it, like your wallet is managing all of this in the background, right? But what Ergo and I are talking about today is we’re just trying to help explain for you that dynamic. So you can understand that and then arm yourself with the tools and the techniques that you can use to maintain your privacy. And so essentially when those transactions are composed or constructed, as Ergo was just explaining your wallet will have a range of UTXOs, it will select from them and then compose the transaction. And it just so happens that some of these there’s certain heuristics that apply. So Ergo, could you just outline some of the heuristics that are possible out there?

Ergo:

Yeah. There are a handful of ways to interpret each transaction and it’s not just these simple spends, but in the guide, I focused specifically a good bit on simple spends because that’s what a significant portion of transactions are like. But to you know, to kind of simplify things in the guide, I mostly represent the simple spend as the payment and change you know, kind of output model. So as you said, in your example, if you were gonna try to pay me one ounce of gold, or let’s just say one Bitcoin using a 10 Bitcoin UTXO, that one Bitcoin will be a payment to me and the nine minus any miner fees will be the change that gets paid back to you as a UTXO. And so the interpretations that we sort of as a chain analyst, as you’re looking at a transaction like that is what information do I have that I can use to figure out which of those outputs would be a change back to the original wallet?

Ergo:

And if you can link, you know, inputs and change outputs over a series of transactions, you can track what’s likely a single user or single wallet’s behavior over multiple transactions. So yeah, there are a handful of kind of specific heuristics for interpreting a simple spend like that. And that has to do typically with the address types, the address formats or the script types. There’s PKH addresses, which start with 1; compatible SegWit, or P2SH addresses, which start with threes; and then native SegWit, and eventually pay to Taproot, right? Each of those has a little bit of a different format, which you can use to detect which output might be change. If your wallet is spending from, let’s say, a native SegWit output, it is very likely that it will generate a native SegWit output as change.

Ergo:

And if one of the other outputs is to a different address type, then we can assume which one is the payment, which one is the change. So that’s one example that would be a, I guess, the script heuristic. Let me think, there’s a, there’s a few others. There’s round type payment amounts, right? So in our example, which you had just sort of described with a 10 BTC input and a one BTC payment to me, that nine BTC change won’t quite be exact. It won’t be exactly nine, it’ll be nine minus the miner fees. Yep. You know, we would interpret that nine BTC as the change back to you.

Stephan Livera:

Yeah. So let me just, again, zoom out a little bit there. So listeners, imagine you were trying to externally chase or watch what somebody else is doing, right? So you don’t necessarily know everything they’re doing, but if you, because remember all these transactions are on the blockchain, you can just download the blockchain. It’s about maybe a little bit under 400 gigabytes right now. So you can just download that or use a block explorer. And obviously the chain surveillance firms have specialized tools and techniques to do this. And essentially they are trying to figure out where the flows are going. Okay. Now I guess there are, perhaps you could argue that some people are doing it in a white hat way, and some people are doing it in perhaps a black hat way to try to taint coins or to say, oh, these coins are quote unquote dirty because they came from the so-called, for example, the Silk Road, dark net market, or whatever that like people will ascribe value to that. But the point being these heuristics can give off a fingerprint to that chain analyst or the person trying to surveil, right? And so essentially that’s why these heuristics matter, because they are what will be used to try to de-anonymize or try to understand what is to try and pierce that veil and see what’s actually going on the chain, so to speak on in terms of the transaction graph. So maybe, yeah, if you could just outline a little bit about what is the transaction graph?

Ergo:

The transaction graph is a mapping of the UTXO relationships over multiple transactions. As we described before, the UTXOs in your wallet will be consumed and then spent in a transaction and create a new set of UTXO outputs. And so what the transaction graph attempts to do is visualize kind of those flows. OXT has a free transaction graph version. It’s one of the only ones that I think is out there. There are a few others, but I’m really not quite familiar with them. And this is a very common tool that chain analysis will kind of use to map those flows over and see if they can’t track a single user.

Stephan Livera:

Okay. And just going back to the heuristics then, as you were saying, so we spoke about simple spends. What about sweeps? So when we spend the entirety of a single UTXO to a new address, what is this? And what’s a common interpretation there?

Ergo:

So a sweep we usually refer to as a transaction with one input and one output. The term really derives from sweeping a private key, which is from that sort of original UTXO, from one wallet to a new wallet, and when we do or when a sweep or when you observe a sweep, an analyst can kind of make some assumptions about what that transaction might be. And because there is no second output that could be interpreted as change, a simple spend is usually interpreted as or a sweep is usually interpreted as a self spend where a user is simply spending to themselves or possibly spending to some other service where they could keep a balance.

Stephan Livera:

Right, right? And I guess, while we’re talking about this aspect, the heuristics, it’s probably also important to mention here that you don’t necessarily know for sure. Just based on the, on chain data, you might need to combine that with other information. Could you just explain a little bit around that and what does it mean that this is probabilistic type analysis?

Ergo:

So a lot of that comes back to the pseudonymity of Bitcoin, right? Bitcoin does not include anyone’s personal identification information at the protocol level when a transaction is broadcast to the network. So because of that, we now have to use some of these heuristics for interpreting transactions. And because we’re using heuristics, heuristics are kind of rules of thumb, they’re kind of shortcuts, mental shortcuts based on typical user behavior and typical wallet software behavior. And because these are heuristics they might not be correct. There might be another interpretation to kind of that transaction. We can’t really know unless we can potentially get some additional information that might not be just included in that individual transaction. It might be maybe some address reuse kind of on the output side of that transaction, or maybe it’s a spend to a wallet cluster at Coinbase or something like that. And from there, you can sort of narrow down some of those additional transaction interpretations and get a better idea of what you think you’re observing, right?

Stephan Livera:

Right. And as an example, let’s say somebody had an Opendime and they were claiming that Opendime. They were sweeping, right. As we mentioned, the sweep heuristic. And so that could just, it could just be somebody claiming it, right? And but the other way is it could be that they are making a donation. So that’s maybe another way. So they found a cause that they believe in, maybe it’s a protest in some country under an authoritarian regime or whatever it may be, and then they might be donating that. So that’s another example where it is a bit probabilistic, but as you point out that it requires, for analysis, it requires looking generally one step back and one step forward to sort of see what happened before that. And what happened after that? Where did it go from then? You might have a bit better idea on what was the truth of that matter.

Ergo:

Yeah that’s exactly correct. Yeah. And so in the, in the guide, I sort of make the distinction between what is internal transaction data and external transaction data. And so internal transaction data is the information that’s only included in that single transaction. You have the input and output addresses the input and output amounts and a few other kind of technical parameters. And that information is a good bit limiting, right? And so if you have that example of that sweep we can’t quite tell, right. We might not be in from outside of that individual transaction, we might be able to get a better idea of what we think we’re observing.

Stephan Livera:

Yeah. So sometimes it requires adding in data obtained from some other means whether that is another form of surveillance, whether that is some kind of information sharing and we’ll get to some of those as well. So another spend type is called the consolidation spend. So what’s a common interpretation there?

Ergo:

A consolidation transaction is if you have a very fragmented kind of UTXO set in your wallet, and you were looking to you know, maybe save on fees in the future and sort of reduce the UTXO set size of your wallet, you might spend all of those UTXOs to yourself. And this is kind of similar to that simple spend or that sweep where if we only have one output, then we can kind of make that same assumption that, well, this isn’t really quite that true payment fingerprint without a payment and a change output, because we only have that single output we’re either, again spending the entirety of this, this UTXO set to someone else or we’re spending it to kind of ourselves this is kind of a common process with people that are looking to keep their cold storage you know, a little more skinny on the UTXO set size. So that’s one of the common places that we see that.

Stephan Livera:

Yeah, great example there. And probably the other bad example is if people are consolidating coming out of a coinjoin and not aware that they need to make sure that they’re maintaining that the privacy afterwards, but anyway, that’s probably a bit more of an advanced conversation, we’ll get to that later. There’s another heuristic called batch spends. So what’s a batch spend?

Ergo:

A batch spend is, you know, a transaction that has very few inputs, but many, many outputs. And this is a sign of relatively large economic activity. This isn’t kind of a typical spend. There actually aren’t very many wallets that can even do a batch spend, but this is a sign of kind of large economic activity. And it’s typically exchanges that are doing this. And what they’ll do is they’ll try to use as few inputs as possible and as many outputs as possible, and that transaction to try to save on their miner fees, that will reduce the size of the transaction and they can make as many payments to their users on chain as kind of possible. So a batch spend is most likely an example of exchange activity. You can get a better idea. I have that when you look at some of the examples in the guide, batch spend, if you open that up in OXT, we have labels of exchanges and that’ll be displayed in that kind of batch spend example. That’ll become a little bit more obvious when you can see the example.

Stephan Livera:

Yeah, yeah. So for listeners, if you’re, if you’re following and you’re not quite following, what’s going on, think of it. Like lots of people are using an exchange and they are buying on that exchange and now they want to withdraw. And so a common technique exchanges are implementing, and it’s a good thing they’re doing this from a fees point of view is that they are batching up the withdrawals for those customers. So in this example, there might be one huge UTXO or however many 10 Bitcoins and there’s 10 customers who are all withdrawing one Bitcoin each just to make the numbers easy, right? And so that’s one possibility, or maybe another possibility might be it’s an employer paying out the employees and they’re just doing it in a batch way, right? So that’s potentially another possible explanation, but as you quite rightly point out, there’s not a lot of wallets that actually support this kind of spend type. So it is a little bit of a giveaway there that this is probably an exchange spend.

Ergo:

Yeah, exactly.

Stephan Livera:

Okay. And then we’ve got coinjoins. So what does a coinjoin look like on chain?

Ergo:

So this is kind of one of my last basic examples, is a coinjoin transaction, which has multiple inputs and multiple outputs, and a coinjoin specifically will have many identical outputs, and in the guide we discuss kind of how that construct works and why it’s kind of important. But it does have a relatively distinct kind of on chain fingerprint.

Stephan Livera:

Yep. And so then when it comes to looking at what’s going on, as we were saying, we use those change heuristics to try to understand where were the flows going. And some approaches might be to try to cluster some of the addresses into certain entities and say, oh, look, that’s Binance over there. Or that’s this other entity over there. And these are some of the individuals that got payouts from that exchange and so on and so forth. And so that’s essentially one of the ways that a chain analyst might try to look at this. Yeah.

Ergo:

That’s one of the ways that they’ll try to maybe leverage some additional external data to kind of aid in their transaction interpretation. And you know, so we discussed some of those basic payment heuristics before for detecting a change output. We also kind of went over the transaction graph and then you sort of mentioned there kind of wallet clusters, right. Wallet clustering among exchanges. And so wallet clustering is the grouping of multiple addresses that otherwise are relatively unrelated. When they are later co-spent in the same transaction, an analyst, based on the way most Bitcoin wallets work, can make the assumption that all of those otherwise unique addresses are controlled by the same entity. And as Stephan kind of mentioned earlier, you can take that sort of clustering to the next level where a regular cluster that hasn’t been attributed to kind of any economic entity, if you can interact with that entity or get any other additional information, then you can then take those addresses, those clustered addresses, and give them a label as some kind of economic entity like Binance or Coinbase or something along those lines.

Stephan Livera:

Right. Yeah. And I guess the other thing to think about, I mean, whether it’s a different exchange, if it’s Swan Bitcoin or Cash App or whoever, but then the other aspect is many Bitcoin exchanges are also using a custodian in the background. So you might think it’s that, but actually it’s like a custodian, although they would have distinguished, I guess the accounts for them might be still segregated, obviously like the custodian might not necessarily be putting together, pooling together in this sort of omnibus account. But maybe that’s another aspect to consider there for the chain analyst.

Ergo:

Yeah, exactly. Is that sort of broader kind of custody, sort of the Xapo type, you know, broader custody model. If they’re sort of underneath that custodial umbrella, you might not sort of see that. But what you might see is that on chain you might see those UTXOs get consumed into that maybe broader, that broader cluster. And if you can figure out that, well, a few of these exchanges are using this, the same cluster. Well then maybe we have a bigger custodian here.

Stephan Livera:

Right. I see. Yeah. And there are other pieces of data that can be used to fingerprint things. So can you give some examples there of other pieces of data that are, I guess, different from just necessarily the transaction graph?

Ergo:

Yeah. So this is a little bit more kind of technical, but there are a few additional pieces of information that are included in a transaction: version number, lock time and replace-by-fee. And there maybe are a few other sort of attributes that go along with the transaction that aren’t just the inputs and outputs and amounts that can give us a clue as to what wallet software we think we might be observing, and there are different wallets that will have kind of different or will fall under the same kind of fingerprint. You know, so for example, I think Electrum uses version two and a lock time that’s greater than zero. There are a few other wallets that have that sort of fingerprint. So if you’re tracking an entity over multiple transactions and you then check the fingerprint of those series of transactions and you see that the fingerprint, the version number or the lock time changes, you can guess that you’re now potentially not following maybe the same entity as you thought you were.

Ergo:

There’s been a new software introduced into this kind of mix, which can make kind of that tracking a bit more. I don’t want to say difficult, but you know, that there’s a possibility that you’re dealing with either a new user, a new software at that point.

Stephan Livera:

Yeah. Good way to put that. And so let me just break that down again. So for listeners who are following along, there might be different pieces of software in use. So as an example, the exchange might have been using a custodian and that custodian might’ve been using a different kind of Bitcoin software to create and broadcast the transaction. And based on some of these little clues in terms of how that transaction was constructed and broadcast onto the chain that might give off a hint to the analyst are, what am I dealing with here? So, as an example, you know, as you were saying, Electrum is a popular wallet, maybe Specter and Sparrow and things like that, or even some of the phone wallets, they might have their own little fingerprint, if you will. And so that’s also another aspect to be considered when you’re trying to either trace back what’s going on on the chain, or if you’re trying to be more private, you have to think about that also, so that there, I guess there’s different approaches there.

Stephan Livera:

So in some cases, the idea is to try to make things look the same. So that way everything just looks the same. But then another approach is actually to sort of randomize and in different cases or in different types of data or fields, I guess there are different approaches in play. So a quick example would be, I believe there was a note in to random output selection. I think it’s like making it so, as an example, instead of making the change output always the zeroth, you know, the first one, it might be randomized. That’s one example.

Ergo:

Yeah, exactly. And I think Laurent has the, Laurent is the developer of OXT, has written a little bit about kind of this concept of how do we sort of mitigate some of these fingerprinting issues. And I think his take home is that it should be randomized. And if you spend a little bit of time looking at things on chain you’ll sort of see these patterns start to emerge where if we think we’re following the same user, where we’ve got the same version number, we’ve got the same lock time, we see that that change UTXO or that change output and that simple spend is always paid to, like your example, the first UTXO output, you can become a good bit more confident that you’re tracking the same entity over multiple transactions.

Ergo:

So to break that we would, you would try to randomize as many of those things as possible.

Stephan Livera:

Yeah. What’s a peelchain?

Ergo:

A peelchain is that simple spend that we’ve talked about, one input, two outputs, that’s over a series of transactions. You can think of it as kind of monotonically decreasing that change UTXO amount by each payment. So in our previous example, we had a 10 BTC input, one BTC payment and nine BTC change. That nine BTC change will then get used in another transaction. Let’s say again for one BTC. So there’s a one BTC payment and an eight BTC change. So then we had 10, 9, 8, right? That’s sort of that decreasing kind of UTXO amount, which is what is kind of characterized as a peelchain. And as we’ve sort of talked about, this is a very, very, very common spend type. About 50% of transactions are these simple spends with one input, two outputs, and over a series of transactions, they will make kind of this peeling chain that is evident on the transaction graph.

Ergo:

And I think it’s pretty important. The surveillance firms try to frame this as a money laundering technique. I think they call it structuring, you know, and I think it’s really important to hammer home that well, no, that’s very much basic normal wallet behavior and to interpret it as money laundering is just absolutely ridiculous. But so anyway, you might see us refer to peel chains in some of our previous writing and some of our previous work, but that’s kind of the general concept.

Stephan Livera:

Right. And let me explain something there as well for listeners. And obviously I totally agree with you there, but I think it might be I’m speculating a little bit here, but it could be that historically the understanding, at least maybe under, in some of the regulators or in some of the banking sectors, they might’ve thought of it like, oh, see, Bitcoin, everyone just uses the same address. And you’re not meant to actually use wallets that actually give you a new address for each payment type and therefore your effort to try to use. And what’s known as an HD hierarchical deterministic wallet that makes new addresses each time. That’s, you’re trying to obfuscate your behavior and that’s bad because you’re now stopping us from being able to assess the source of your funds, which is often a regulatory requirement in things like AML and sanctions and things like that. So maybe that’s, I’m not excusing their behavior. I’m just trying to offer a potential explanation of why in their mind they think Peel chains are obfuscating when obviously you and I know that’s not. And so perhaps this is a good point to also explain the concept around a deterministic spend versus a non-deterministic spend. Could you explain what that means?

Ergo:

Yeah. So we’ve talked a little bit about some of the heuristics that we use to interpret kind of the simple spends. We did address, well, I don’t even know if we talked about address reuse, but address reuse is one, the round payment amount and the like type or different script output types can be used to evaluate what we think might be a payment and what might be a change. But so, and an analyst has to kind of make those decisions, right, based on those heuristics. So there’s a little bit of uncertainty there that’s kind of provided by Bitcoin pseudonymity. However, and to get back to Stephan’s question, which is about what is a deterministic spend, this gets back to that sort of UTXO flow model, which maybe we discussed in a previous podcast, where that simple spend, we know for a fact that there was only one UTXO and because there’s so we know that that one UTXO was used to pay both of the outputs and so that we consider it to be deterministic because it’s a 100% certain interpretation.

Ergo:

It’s the only kind of interpretation of the relationship between that input and both of those outputs is that it’s deterministic.

Stephan Livera:

Yeah, right? And so essentially when you get to that point where you see that this is a deterministic spend, then that’s giving off way more clues to the chain analysts in that instance, because now there’s so much less doubt over whether that was which output was paying, which one, well, which one was the change output as we were talking about earlier. And I think another important point just to spell out here is this is, it can seem a bit overwhelming, but what we’re talking about here is mainly around the transaction graph and some of the associated points there is another whole range of ways in which our privacy can be reduced or lost because exchanges and many other parties have data sharing agreements with the likes of the chain surveillance firms, or potentially with taxation or police and law enforcement agencies as well. So could you outline a little bit around that aspect of it, the data sharing and the aspect of having a starting point?

Ergo:

Yeah. If we walk it back to that sort of simple spend an example again, if we’re trying to guess which output we think might be the payment and which one might be the change. If we know that one of those outputs goes to a custodial exchange then that remaining output is very likely, very obviously kind of the change output. And so that’s where we kind of get back to that external data and how it can affect the transaction graph and how it can reduce the pseudonymity of Bitcoin. So Stephan brings up some additional points about how the surveillance firms will have data sharing agreements, where they might be privy to who may control an address or a cluster that somebody else might not be totally privy to. And that will sort of, again, act as that reducer of the privacy provided by that kind of basic ambiguous, simple spend. And there are multiple, a multitude of ways that the surveillance firms do share information. They share with exchanges, they share with law enforcement, they share, they sybil the Bitcoin network by running malicious Electrum nodes. They do a lot of additional information gathering that somebody like me doesn’t have access to and that can of course greatly enhance the accuracy of their analysis.

Stephan Livera:

Yup. And so then in terms of defending against analysis, and if you are attempting to maintain privacy in Bitcoin, this is where things like coinjoin, equal output coinjoin can come in and essentially break that link in a forward privacy sense. So could you just explain a little bit about what it means to break the privacy on in forward, like what’s forward privacy?

Ergo:

We had talked about that deterministic spend example, right, where there’s a transaction with one input and two outputs. We know for a fact that that one input was used to pay both of those outputs. When you get to an equal output coinjoin transaction an analyst may be following someone along, who’s doing deterministic spends, and eventually they may come across that equal output coinjoin, which effectively addresses that deterministic relationship between inputs and outputs. And the way that a coinjoin will do that is by including multiple inputs and creating a transaction with multiple like-amount outputs. And so an analyst might be following a UTXO flow, performing a transaction graph analysis. When they come to that coinjoin, they won’t know, unless there’s some additional flaws or issues with the coinjoin, they won’t necessarily know which output can be attributed to that original input. And so the way that a coinjoin establishes forward privacy is by basically introducing doubt into the transaction graph.

Stephan Livera:

And so then it can be thought of like a reset in some sense that if you’ve earned some coins and you now want privacy with those coins in terms of how you spend them, I guess we could say it’s a prudent idea to then run it through a coinjoin before then going on to do your actual spend going on from that, right.

Ergo:

I mean, there’s always the concept that privacy is bad. And you know, the coins are easily identified on chain by their like type amounts. But we kind of use the analogy that coinjoin is very much similar to the concept of encryption. We know that encryption an analyst or an observer may know that encryption is happening because they can’t read whatever the plain text they’re seeing that cipher text. They may know that encryption is going on, but they can’t reliably interpret what the message is. And so that’s what you know a coinjoin will do for you. The analysts will know that the coins were spent forward into that coinjoin, but they can’t reliably follow the amounts across that coin, right? so, so if you’re receiving a payment, right, that one of the consequences of Bitcoin’s very transparent nature is that sending and receiving payments necessarily reveals some of your UTXO set to your counterparty.

Ergo:

So if you’re doing some type of economic activity, or maybe you’re a journalist and you know, a despotic third world country who has been deplatformed, or maybe you’re in a so-called Western democracy, and you’ve been deplatformed by private companies at the behest of the government, and you are receiving payments in Bitcoin, someone can evaluate your UTXOs’ future spending. So if you receive coins you should coinjoin them to establish that sort of forward privacy and make it difficult for anyone to potentially surveil you going forward.

Stephan Livera:

Right. And just to bring it back as well for beginners, I sometimes get this question in my DMs, or just in-person sometimes people ask me, oh, so if I just coinjoin I’m private, right? Well, okay. It helps you in a forward transaction graph privacy sense, but we have to remember if you purchase those coins on a KYC exchange, that KYC record still exists. So hypothetically a hacker could attack that exchange, steal that information, or a government agency could subpoena that agency, or just ask that exchange, sorry, subpoena that exchange, or ask that exchange. And in many jurisdictions around the world, regulated entities have to cooperate, they’re mandated to, or if they aren’t, essentially it’s kind of like an understanding that you need to play nice with them. So you should assume that the regulators or law enforcement would be able to get that transaction data and say, oh, look, X person, ABC purchased five Bitcoins on this exchange at this date. So even if they later went through a coinjoin, there’s still that record existing there.

Ergo:

Yeah. I think it’s a good point to remind everyone of that. The activity that you do on chain will not reach into the exchange’s database and delete all of your records. So yes, you might be able to establish that forward privacy on chain, but the records that you leave with those regulated entities, you kind of need to remain cognizant of.

Stephan Livera:

Yeah. And so I understand that people might be listening and thinking, oh, hang on. Stephan, aren’t you like advertising for KYC services as well? Well, at least for me personally, my view is you have to make your own assessment on whether you are willing to take that risk because you think you would earn, you will end up with more sats. So if you think that’s for you, that’s the way you could go about it. I mean, I personally have used KYC services and I believe I would not have as many sats today if I didn’t. But I also understand and appreciate the never KYC gang who say, just don’t do it only ever earned or mine, or purchase non KYC. And in doing so you are more private. I think that’s fair to say, because there’s no starting point or at least you’re making it harder for there to be a starting point for that analysis. Whereas in a KYC context, you have to consider that. Yeah.

Ergo:

And you bring up that good point where an analyst kind of needs a starting point. You know, if you just pull up a block explorer, if any sort of user pulls up a block explorer, samples a random transaction without much context, it’s kind of mostly noise. But with that starting point you’ll gain a bit of context, and if the goal of that analysis is to target an entity you absolutely need that starting point. And so that gets back to kind of the concept of the addresses that you provide and where you leave them, right? And where that record stays.

Stephan Livera:

Right. And it’s probably also fair to say that many exchanges and financial institutions have things like data retention laws that they have to maintain the data on their customers. Even, I think it’s up to seven years after termination of the relationship with that customer. So even if you let’s say you delete it, you said to the exchange, I want to delete my account and please delete all my data. They might still be mandated by the law to keep that data for seven more years. So something to think about as well. And so I think that’s just a few points there to think about. Obviously everyone has to make their own assessment. What risks are they comfortable with? What price are they willing to pay in terms of acquiring Bitcoin? Cause we all want to acquire it, but it’s about what price are we willing to pay? What are we willing to do to get some Bitcoin to earn it, mine it, however you want to do it. And also another topic that comes up is this concept of confidential transactions. Now, confidential transactions, as it stands today, it does not seem likely at least as we speak today in August, 2021. But maybe in the future, this could come, but Ergo, I’m curious your thoughts as a chain analyst, what would the impact be? Would it mean people would still need to use coinjoin or would they not need to use coinjoin? What’s the impact analysis there? If we were to get confidential transactions on Bitcoin?

Ergo:

There are, I think a few different types of confidential transactions. Maybe the one that we should just start with is the one that hides the amounts of the UTXOs consumed and created in a transaction. And as you sort of walk through the guide, if you look at some of the examples that I talk about there’s the round number of payment heuristic, for example with confidential transactions, that interpretation kind of goes out the window. There’s also the problem, I wouldn’t call it a problem. There’s also, well, there’s also the concept that how the relationship and the flow is across an individual transaction can be used to interpret that transaction. And in the guide, I discuss the concept of Boltzmann, which is the privacy algorithm that Laurent created to evaluate coinjoin transactions.

Ergo:

And if amounts become hidden, that analysis is gone as well. We can’t really do that change detection for some of these non 100% entropy coinjoins. And so really confidential transactions, it would sort of knock out a bunch of those heuristics and those analysis points that we have, at least surrounding just the amounts. Now, the problem is that that doesn’t necessarily address the transaction graph. And so if you’re still doing maybe these deterministic spends with one input and two outputs, sort of like what you would see on Liquid, that can still be deterministically backtracked, right? You might be able to find someone’s peg into that kind of side chain. So while the confidential transactions would address a lot of those heuristics and some of those analyses, there needs to be sort of that coinjoin property, that multiple input, multiple output transaction that makes the transaction graph non-deterministic, right. Or at least more sort of noisy, more difficult to evaluate.

Stephan Livera:

I see. Yeah. And so essentially what I’m reading from you there is that coinjoins are not dead and even hypothetically, if we got confidential transactions, we might still use coinjoins or something like that. Or maybe it might be some sort of batch spending mechanisms, some kind of blinded batch spending mechanism used to create doubt when multiple parties have actually contributed their input into a transaction, right?

Ergo:

Yeah, yeah, exactly. And so I know I don’t have the best understanding of Monero, but my understanding of how their sort of ring signature and decoy inputs works is that that’s designed to basically address this issue specifically, right? So they still do that even though they have that confidential transactions on that.

Stephan Livera:

And just to fill in some blanks for listeners as well, you might be thinking, well, hang on what, oh, okay. It looks, it sounds like it’s pretty good. Why don’t we get it? Well, the reality also is that there are various trade-offs with that as well. And so it may be unclear whether the Bitcoin community would be supportive of that. Because for example, if we were it might raise the size of the transactions, meaning scalability might take a hit or there are potential concerns that people might say, oh, okay, there might be an inflation risk. And so on beyond the 21 million, obviously that obviously many of those things depend on which particular style of confidential transactions we were to go with. But essentially that’s the short answer today. That’s why we don’t have it today because essentially for some of these reasons, it was seen like the community and the Bitcoin users just out there in the world might not go for this change. And so that’s where we sit today, but potentially in the future, if technology improves, some other advancement comes along, it might be more feasible at that point. So also wanted to talk about payjoin. So what’s a payjoin or a stowaway in the Samourai model. What is that?

Ergo:

So this is a different type of coinjoin. We had discussed the equal output coinjoins, which are easily identified on chain by their multiple outputs with the same amounts. That’s very similar to encryption, right? We can see it, but we can’t reliably interpret it. Then there’s a different sort of coinjoin model, which is this payjoin, pay to end point. You might see it also called stowaway. There are a handful of names and they all sort of attempt to do the same thing on chain. And what they do is they involve the payment recipient in the transaction. So if I wanted to pay you, you and I would get together, you would contribute an input to this transaction and I would pay you. And we would basically use our two inputs to create a new transaction where you get your payment amount.

Ergo:

And I get my change UTXO. And what that does is that looks very much like not necessarily a simple spend, but another very basic Bitcoin spend where if for example, I have a wallet that has two UTXOs that are both for, you know, 0.25, let’s say, Bitcoin. And I want to spend 0.4, neither one of those individual UTXOs is enough to cover that payment amount. So my wallet will select both of those. It will combine them, it’ll make that 0.4 amount and I’ll get my 0.1 change. And that’s another very simple Bitcoin spend. And what that would look like on chain is that would look like the merchant heuristic or the common input ownership heuristic that we talked about before, where both of those addresses will be clustered by a third party observer, a chain analyst.

Ergo:

But when we come back to that sort of payjoin model, because you and I are both collaborating to make that transaction, we are breaking that common input ownership heuristic, right? The common input ownership heuristic assumes that all of the inputs to the transaction are owned by the same entity, but because you and I are working together to make this spend and you might not necessarily have any additional data that can show that on chain or distinguish that on chain, a payjoin is indistinguishable from a normal spend. And so to kind of take a full circle, that relates back to the concept of steganography, which is another privacy technique, which hides the fact that the privacy technique is being used, which is in contrast to that sort of encryption style where we know it’s happening, but we can’t reliably interpret it, right?

Stephan Livera:

And so the discussion in the Bitcoin community has been that, oh, okay, well, let’s try to increase payjoin adoption and in doing so we might help break the common input ownership heuristic. And so that, I guess, is one potential idea. Although there may be potential downsides on that as well, because for people to use it at the start, some users might end up in scenarios where they quote unquote, get in trouble from say a chain surveillance firm, or in reality, a law enforcement or some kind of government, or even just someone else who’s using that chain surveillance incorrectly because they actually applied the common input ownership heuristic, when actually it was a payjoin and that it led them the wrong way. And so potentially the wrong person might get fingered for something. And so let’s say, hypothetically, you did payjoin. And that person went on to do something bad. Then you might actually get in trouble with that too. So I guess it’s one of those things where obviously I want to see more payjoin adoption, but I can understand there’s also that potential mental block there for people that they might not want to feel like they’re getting in trouble for something someone else did.

Ergo:

And that’s exactly why payjoin by itself is not necessarily enough, at least in my view, for kind of privacy in general. Right? So the concept of that sort of backward history or that being able to follow the history forward, the only way to really kind of subvert that forward or establish that forward privacy is with sort of an equal output coinjoin, right? There may be some other additional concepts that are in theory right now. But that equal output coinjoin, if you do that payjoin, and then later go on to do that equal output coinjoin, you might not be able to be followed forward. So that forward privacy is kind of really important. And I guess if I could say one other thing, it is that maintaining your sort of pseudonymity and maintaining your pseudonymous use of Bitcoin, you wouldn’t have to worry so much about the case that, Stephan, you just brought up.

Stephan Livera:

I see. Yeah, exactly. Because if you, for example, you never gave them a starting point, every time you acquired Bitcoin, you did it without KYC. Then you can just go right ahead and use payjoin to your heart’s content because at that point there’s no, yeah, there wasn’t any data on you in the start, or at least a lot less data, obviously it’s always a relative thing, we’re just trying to talk through the basic idea. And so I guess it’s a similar thing with this concept of coin swap, where it might be a similar kind of mental block. Like we were saying earlier that quote unquote, the wrong person would get fingered for something and pointed at and say, Hey, you did this dodgy thing on chain because we said, look, we saw you did it with the common input ownership. And it’s like, oh no, I’m using a wallet that does payjoin or coin swap. And so that is I guess maybe it’s pointing towards this idea that we really have to view things. Like you’ve got to run it through a coinjoin and then use other tools that are post mix tools. So I guess that’s probably the, if I had to try and explain what I think of as the Samourai approach, that’s essentially what I understand of it. Do you have anything to add there or you disagree? Agree?

Ergo:

No, I agree. 100%.

Stephan Livera:

Gotcha. Yeah. So and then, yeah, so I guess it remains to be seen longer-term what happens when things like lightning adoption increases and maybe people might, as an example, they might coinjoin and then put those funds into their lightning node or lightning wallet and open channels from then. So maybe that’s another aspect of it as well. And maybe there’ll be additional work coming on. Things like, well as taproot which is locked in and will activate later this year that might also contribute to some of the heuristics being, or at least some of the fingerprinting being more difficult, longer term once everyone is kind of adopting over into the taproot world. So let’s talk a little bit about if somebody wanted to now, now that we’ve kind of explained some of the key concepts, let’s talk a little bit about what it would look like to try and chain surveil ourselves. So can you tell us a little bit about some of the starting points and of course, some of the gotchas and maybe explain don’t do this on your normal internet, use Tor or use VPN for that.

Ergo:

You know, a lot of people will throw a bit of a hissy fit if you suggest that they look at their own transactions. But as you said, you know, if you plug your transaction ID into some party website, third party browser, third party block explorer, that might be associated with whatever IP address you’re using. So use the VPN, use Tor, and in my opinion I think one of the biggest things that people should try to do is get familiar with some of what their transactions look like on chain, that gives them some valuable context. They have their own sort of starting point. You know, it’s very likely that whatever their point will be will be that spend that we discussed earlier.

Stephan Livera:

From a KYC exchange withdrawal

Ergo:

From a KYC exchange, if a few inputs, many, many outputs, and you might plug in either your address or your transaction ID into the block explorer, and you’re going to see, you know, this transaction, it’s not going to make very much sense, right? You’re just going to see a ton of addresses and a ton of different amounts. And that’s sort of where kind of OXT can come in, right? We have clustered and labeled a handful of exchanges, right? And I shouldn’t say handful, many exchanges, certainly not all of them, but that starting point, that context can be very valuable for people when they say, oh, this is exactly what my transaction looks like. I’m one hop from this exchange’s hot wallet, right. It is kind of probably what most people will see if they try to start looking at what their transaction history looks like.

Ergo:

And there’s a few other things that, that, depending on how they use Bitcoin, they might become aware of. So one of the others would be kind of address reuse if they’re really not careful or maybe they they’ve signed up for an exchange. And that exchange really lets them input one address, or they’ve just always used that same address, not really kind of knowing what they’re doing that address will show relatively all of their activity or a significant portion of their activity. You know, so, so those are some, some really kind of basic things that people can start with, right. is looking at maybe kind of what those what’s, some of your transaction data looks like. And then if you get to spending, then we can kind of get into the spending and really receiving payments. We can get into kind of the implications of that as well, right?

Stephan Livera:

Yeah. And yeah. So maybe let’s talk a little bit about that. So let’s say this user has, let’s say the hypothetical user, they have bought on a KYC exchange. They’ve withdrawn to their mobile wallet, and now they wanted to buy something on a website. What would that look like on chain? Yeah.

Ergo:

Yeah. So it’ll, it’ll depend on the UTXO set in their wallet. If they have enough to make that purchase, the wallet will select that UTXO and make that simple spend that we discussed before, it’ll have that payment output and it’ll have that change output. And depending on how your wallet is configured, you might be able to run through some of the heuristics that we list in the guide and say, oh, look, this is relatively clearly the change output that gets paid back to my own wallet. You might be able to even take it a step further and apply some external transaction data and look at how that payment UTXO is spent. Right? You can basically follow the future spending of the entity that you pay. And you could see some additional information about their wallets. And I think when people start to do that, I think the gravity of what the transparency of Bitcoin’s transaction nature is like kind of becomes real, will really kind of sink in, right.

Ergo:

I mean, in the normal financial world you know, if I wanted to use, I don’t know, Venmo to send Stephan $5 I couldn’t then follow Stephan’s future spending of that $5, but yeah, you can do that with Bitcoin. And it’s not great. It’s very not good for privacy. So I think that that would kind of definitely benefit users to take it to that level and kind of see what they can’t find about some of the spends that they’ve made you know, and use that information to maybe benefit themselves and help the people that they might have, have also paid or interacted with, right?

Stephan Livera:

And also importantly, depending on how you use Bitcoin, you may be disclosing how many coins you have. So as an example, if you are keeping all your coins in one address and you just keep withdrawing into that address, and then you pay out of that address, then it’s very, very obvious. If you pay out that you paid that UTXO, it becomes very obvious to your counterparty, how much you have. And that could be a big deal if in the future, that’s a lot of money and potentially you’re painting a target on your back at that point.

Ergo:

I mean, that’s so the opposite is true, right? So you started with the example of, you know, you making the payment to someone else and then following their activity forward. Well, if we’ve done one of those simple spends they can do the reverse, right, to us. They know which output was the payment that they received, and they can make the guess that the remaining output is the change that was paid back to the person that they received the payment from. And so then they could track that spending as it goes forward. And as Stephan said, the larger the UTXO, the more often it’s used, the more sort of kind of snowballing of additional data that gets kind of wrapped up with that UTXO.

Stephan Livera:

Are we totally defenseless or do we have any techniques we can use in our defense here, Ergo?

Ergo:

Yeah, of course we do. There’s a couple. And so I sort of close the guide with some of the basic Samourai Wallet tools that, you know, users can use to basically maintain their privacy as much as possible, as much as Bitcoin will sort of allow. We talked about needing that starting point for an analysis, right? And if we are publishing the addresses that we are using on chain that as a starting point, any analyst, so to address that issue, Samourai Wallet has a version of stealth addresses, which you’ll see referred to as BIP 47. I think there’s a new version that’s coming out that will be under the open Bitcoin privacy projects. They’re sort of, I wouldn’t call it BIP, but they’re sort of a new privacy sort of standard. We’ll see the next version of that, but this is what I’m talking about is a stealth address that you and I can share between each other or I could send to you through whatever kind of means.

Ergo:

And you can connect to that that stealth address establish a payment channel between your basically a payment channel between you and I, that allows us, or allows you to generate an infinite number of receive addresses for me. So every time you wanted to pay Ergo, you could find my PayNym, you could, you could fire up the connection establish the connection. And that would not allow a third party to, to get a starting point on chain. You would still know that you had paid me, but no other third party would know that. And so we call that kind of the stealth address concept where the address that gets published is not the address that shows up on chain. So that’s kind of one of the main, main aspects that people can use to defend their privacy. And then we I discussed some of the others Samourai wallet has randomized fingerprinting.

Ergo:

It has some additional spending tools like Stonewall, for example, which is either a simulated one party coinjoin, or an actual two party coinjoin, and Stonewall is great for sort of breaking all of the simple spend heuristics that I discussed earlier in the guide. There’s also Whirlpool coinjoin which is really for establishing that forward privacy, doesn’t have any change outputs. It doesn’t have any real deterministic link to any of your previous activity. And the last, well, I shouldn’t say last, there’s also payjoin, which we discussed is a different sort of model of coinjoin. And then there’s the ricochet tool, which simply adds hops, it’s still fairly useful today, right?

Stephan Livera:

Yeah. So these are a range of techniques that can be used, and maybe if you’re getting a bit confused, cause there’s all these different names and you’re not sure what they all mean. Maybe just to put it simply, if you just want to get started, I might say, you get a cheap Android phone, if you don’t have one, or just use your existing Android phone, if you don’t want to go to that level. And then you can install Samourai Wallet. You can receive some Bitcoin into it. You can run it through a coinjoin. So run it through Whirlpool. So basically that’s running it through the equal output coinjoin as we spoke about. And then basically when you spend, you want to be basically using one of those techniques. So that means Stonewall or Stonewallx2.

Stephan Livera:

And so think of it, listeners, think of it like you receive some coin, you run it through a coinjoin. And then on the other side of that coinjoin, we call that post mix spending. And so you use one of the Postmix tools. So generally this’ll be like a Stonewall or a Stonewallx2 where you collaborate with someone. So just to keep it simple, and if you’re getting started, that’s one way that you might make every payment that you’re doing, make it a Stonewall. And so Samourai Wallet will automatically default to that on if it’s available. And so that’s one way to, I guess, just slowly dip your toe in the water and get started. And then later on, then you will sort of understand more about these tools, how to use them and obviously learn how to run your own dojo, your own Bitcoin node backing that. That’s a few ideas, I guess, there for listeners out there who are interested in that. Do you have any tips that you would give for a beginner who maybe hasn’t had much exposure to the world of Bitcoin privacy? What sort of things should they be thinking about?

Ergo:

You know, probably one of the things, and we didn’t mention this as a tool, is to get familiar with the concept of coin control. We discussed kind of that concept of UTXOs very early on at the start of the show. Those UTXOs are your sort of pieces of Bitcoin that make up the overall wallet balance that you have, and you should get familiar with knowing that each one of those UTXOs has a slightly unique previous transaction history. Maybe they all came from the same exchange or maybe they came from different exchanges, or maybe you had your friends send, you know, 50 bucks cause you split dinner. You should get familiar with practicing coin control, if you can, right. There are a handful of wallets that do coin control, Samourai Wallet is one of them.

Ergo:

You know, so the concept of sort of as a UTXO comes in, you give it a label and the label should be probably consist of who it came from and what that payment was for kind of at the very least. And then you can get used to keeping your coins somewhat separate if they’re all they all happen to be in the same wallet. And if they have separate histories, you might want to do that. So that’s kind of probably where I would start with sort of on chain privacy is there, right?

Stephan Livera:

Yeah. And so with coin control, as an example, you might have different sources of Bitcoin income. So you might’ve bought that or you might have mined it or you might’ve had some earnings on your online store that you’re running or whatever way you’re using to earn those coins. You might notate that. And so then when you run through the coinjoin, you might want to segregate which ones you run through the coinjoin together. So as an example, when you run through a Whirlpool, you might say, I want to do so there’s the a hundred thousand sat pool. And so as an example, you might want to run through 700,000 sats or a little bit over that, but you would want to make sure all the inputs going in for that are from the same kind of source. Otherwise you’re sort of doxing the cross of those different income sources, aren’t you.

Ergo:

Yeah. You know, we talked about the common input ownership heuristic. When you combine coins from separate sources an analyst will assume that those coins belong to the same wallet. You know, so if you can keep them separate, you can keep the relationship between those UTXOs separate. And as Stephan said, you can fire up a coinjoin, establish that forward privacy as you’re sort of looking to spend in the future.

Stephan Livera:

And so also when it comes to spending in the future, do you have any thoughts there on coinjoining now versus coin joining into the future? So somebody might be thinking, okay, what if I just buy on a KYC exchange, withdraw it to my cold storage now and only worry about the coinjoin stuff in the future. What’s what would you, what would your response or thought be there?

Ergo:

It’s kind of a personal choice. I mean, if you’re only ever looking to, you know, hop back in and out and capture some gains, maybe you don’t really care about your privacy, that’s fine. You know, but certainly your transaction history really, you know, shouldn’t be anybody’s business. I know that there’s a little bit of a taboo around the concept of privacy, right? Privacy is only for criminals and people who have things to hide. But we live in this sort of crazy world now. The SolarWinds world where literally everything is hacked, compromised, shared without your permission. You know, so establishing that sort of forward privacy, you know, sooner rather than later, you know, might become a little bit more necessary sooner rather than people can even kind of think, but I mean, it really has to be sort of, you know, a personal decision. I think, I mean, yeah, if it and that’s just kind of it, I think.

Stephan Livera:

Yeah, yeah. And so maybe one way to put it for listeners is if you are interested to, let’s say, buy a VPN that might be an example where you want some privacy from corporate surveillance and VPNs can potentially help you against that. And you might want to be able to pay for that with Bitcoin. And so then it would be ideal if you’re able to spend, when you’re making that spend to buy the VPN or pay for it, you use a cleanser and you use a Stonewall as an example. So you might have earned some coin, run it through coinjoin, and then use the Stonewall to buy or to pay for that VPN that’s one example where you might want that privacy. That is just maybe just a easy example. Yeah, exactly.

Ergo:

There’s a few services, a few VPNs that accept Bitcoin. And a lot of people are using their credit cards to pay for their VPNs. And there’s really no reason for a VPN to even need to be accepting credit cards except for their sort of subscription model. But there are a few great kind of VPNs that accept Bitcoin. They don’t require any personal information. They’ll give you basically a throwaway account number. And it’s pretty straight. So that’s probably a good place for a lot of people to get started if they want to sort of make their first semi-private kind of Bitcoin spend, would be buying a VPN. Yeah.

Stephan Livera:

And maybe another context is if you are attending a Bitcoin meetup or you’re going to a conference and you want to be able to buy merch and buy a t-shirt or whatever. And maybe that’s another example where you might be doing little spends here and there, and that’s where again, you can use Stonewall and these techniques. Also wondering your thoughts, I guess, longer term, if we are anticipating that the block space market, the fee that we have to pay for our transactions, rises, do you have any thoughts on what that impact would be on coinjoin and privacy-focused users?

Ergo:

I think that at least with Whirlpool, users tend to be pretty well-prepared for kind of the high fee environment. Users will get their coins in a Whirlpool kind of as quickly as they can, or as quickly as they want at times of low fees. And then because of the incentive model of Whirlpool, they get kind of free remixing. So a lot of people are incentivized to get their coins in that at sort of cheap, you know, cheap block space, cheap transaction fee times so they can get their privacy and start building that privacy, you know, as early as they can, you know, but kind of going forward. I mean, what will the fee market look like? I mean, supposedly now we’re in the greatest bull market of history and I mean, I haven’t checked the mempool today, but I mean, what’s it looking like, is it, let me have a look, actually I have to look too, but it’s been relatively quiet I think for the last few weeks, right. Yeah.

Stephan Livera:

Right now next block you can get in with, for three sats per byte.

Ergo:

Yeah. I mean, so the greatest bull market in history, and here we are clearing kind of one sat, two sat per byte. So I’m looking at some of the recent blocks. I mean, we’ll see. I mean, I’m not sure what is to say that fees necessarily rise in sat per byte sustainably over the long term, who knows. I know that’s kind of supposedly the model, but I mean, a lot of people are still anchored to fiat world, right? Everyone’s still paying their electric bill in fiat, at least the miners that is, but you know, there may be a chance or there may be a time in the future when things have matured and there is a legitimate fee market. And you can say, well, if people are kind of struggling with sort of the fee market now, I mean, a lot of people, they just wait until kind of blocks kind of clear out and spacing these up, but if we can see something that’s kind of sustained for a while, you know, I mean, users will adapt.

Ergo:

There are potentially some protocol upgrades, you know, cross-input signature aggregation being kind of the big one that would, you know, make, you know, basically any, I guess, any transaction with multiple inputs cheaper, right? So that includes coinjoin, right? You know, so that is possibly implemented at some point in the future. I know it was discussed a while back, but I really haven’t been keeping up much with the protocol development lately because there doesn’t seem to be too much happening. You know, but you know, that would be potentially something that could help ease some of those fee pressures.

Stephan Livera:

Yep. And I guess while we’re at it, a lot of the things we’ve been talking about today have been in terms of the transaction graph and Bitcoin on chain and things like that. But let’s also recognize that there are other ways that your privacy can be impacted too. It could be, for example, internet surveillance. It could be that somebody sees the transaction or knows the IP that you used to broadcast your transaction. And so then they could potentially figure out, oh, based on this IP, we know this ISP owns that block. Let’s go ask this ISP, Hey, who was using this IP at that time? Ah, boom. It’s Stephan Livera or it’s Ergo, or it’s whoever give us their input, where do they live? And then now all of a sudden they’ve, they’ve traced it down quite a bit. So that’s probably another example of another area that to think about also. So do you have any thoughts to add there for listeners?

Ergo:

Yeah. I mean, it’s good to see a lot of wallets are now starting to integrate some sort of Tor usage, right. And Tor will mask your IP address. Your internet service provider will still know that you’re using Tor. You know, because of some of the, I think it’s the length of the packets and a few other things that have to do with Tor, but they won’t, you know, necessarily know that maybe that you’re broadcasting a Bitcoin transaction. I mean, the same thing goes for hiding behind a VPN. Maybe they’ll know that you’re using a VPN, but they won’t know that you’re necessarily using Bitcoin. Yeah. You know, so there’s a couple of things that you can do there to sort of protect yourself. And it’s, I think it’s, I mean, VPN usage has probably grown a lot.

Ergo:

I think in the last few years, I think some of the people that I wouldn’t expect to see using VPNs are using VPNs and that’s sort of for different reasons, but you know, it’s tough. A lot of people don’t fully understand how the internet works. I mean, it’s very transparent. It’s kind of like Bitcoin, it’s kind of startling when you start to dive into some of that stuff. So using Tor and using VPN can help you protect your, hide your IP address, right?

Stephan Livera:

Yeah. And potentially another idea might be in the future, more commonplace use of this idea of having somebody else broadcast your transaction for you. So I know for example, I think there are some services right now that do this. So as an example, if you have the transaction that has not been broadcast yet, that file, you can go and put that up and have somebody else broadcast it from their node. So maybe that’s also an area that has opportunities to be explored in the Bitcoin privacy world. What do you think?

Ergo:

Yeah. I think at one point that was called Dandelion.

Stephan Livera:

So the Dandelion thing was a little bit different. I think that was more like at a node level. Yeah. I mean, you’re right. But I think Dandelion got knocked down because of various other, I think DoS protections and things. There were some other reasons that the idea got nixed, unfortunately.

Ergo:

Yeah, but I mean, I think it’s still sort of accomplished what you’re saying, which is the same thing. We just have somebody else broadcast a transaction for you, right? And so, like there’s a couple of services that you can take depending on your wallet. I think it’s probably only Bitcoin Core, probably Electrum and Samourai, you can get what’s called the transaction hex, which is sort of the broadcastable version of your transaction, and pop it into, I think at least blockstream.info will do this for you. They have a transaction push service where you can just copy and paste and have Blockstream, you know, broadcast a transaction for you.

Stephan Livera:

Yeah. So that’s potentially an idea and maybe we’d see that become more commonplace as well as just as another layer to add on to all of the other techniques that can be used. But I know I’m conscious as well for our listeners who are new, we’ve talked through a lot of different concepts, so I guess just keeping it simple. So the simple summary would be try out the basics and slowly learn a little bit. And from there you can improve your level and try out some of the basics in terms of surveilling yourself. Like, so imagine you were to spend, and then try to trace back yourself on the chain using, say OXT.me or one of these others using a VPN or Tor, and you can trace back and see, what does it look like to an outside observer? Do you have any final tips there for listeners?

Ergo:

No. I think that’s it. You can check out the guide. There’s a handful of examples. There’s some visuals, right? The transaction graphs in there, and I think visuals will always help people. So give the guide a read. And if you’ve got any questions I’m around typically on Telegram, sort of on Twitter, but find me on Telegram and yeah, I think that’s it. Fantastic.

Stephan Livera:

Well, I’ll put all the links in the show notes and thank you, Ergo for joining me on the show today.

Ergo:

Thanks, Stephan.
