Like it or not, Trezor Coinjoin is the best solution out there

Czech company Trezor has taken many pole-positions in the Bitcoin space in the past and they leave the market in the mirrors again with their Coinjoin solution for a cold wallets.

Trezor is in the Bitcoin space for a long time in which they introduced the first fully open-source hardware wallet (Trezor Model One) for cryptocurrencies, several Bitcoin Improvement Proposals (BIPs), for enhancing the Bitcoin protocol, and also were the first to implement Shamir backup and many more standards and features.

Now, they have released the long awaited update for their successful Model T that can perform Coinjoin transactions in collaboration with the WabiSabi protocol. This feature is critical for increasing the privacy of Bitcoin users. However, this new update has also sparked strong emotions, and some in the community are not entirely enthusiastic about it. Today’s article is meant to clarify most aspects and to offer an answer if the emotions and doubts are somewhat justified.

If you know Bitcoin for a while, you can skip directly to chapter called “Anonymity in the Crowd.” For the newcomers to Bitcoin and crypto space I will explain the Coinjoin process later, but first, I need to dispel a common Bitcoin myth first:

Bitcoin is not anonymous.

At best, it is pseudonymous, meaning that a user is hidden behind the numbers and letters of their Bitcoin address. However, this anonymity only lasts until the user interacts with that address in the real world. For instance, if a user buys Bitcoin on a centralized exchange where they provided their personal information during the registration process (known as KYC, or "know your customer"), they create a relatively clear digital trail. Similarly, spending previously anonymous coins on a purchase in a store where the user has a registered account can also create similar footprint.

Furthermore, it is basic knowledge of Bitcoin protocol that all transactions are recorded permanently in the blockchain. And since the chain analysis tools exist, it is possible to track all subsequent transactions made from this address. I’ll say it again: The chain-analysis is already here surveilling all transactions in the blockchain.

Another problem may be that the balance held at the address is also visible. That means anyone who knows your address (or addresses, as we will explain below) - which is actually anyone with whom you have made a transaction through that address - can see how many bitcoins you have at that address. And that is something you do not want.

Modern wallets are trying to enhance users' privacy by generating new addresses for each transaction, but this creates other tradeoffs, which are not a topic of this article. Let us continue with the knowledge that this is the reason why the coin-control feature was implemented into Trezor (and many more wallets) prior to Coinjoin in the last year. Coin-control enables users to pick their desired UTXO’s to conduct a transaction with the goal of maintaining a maximum possible privacy.

When you pay for a few cans of soda with a twenty dollar bill at the store, no one needs to know that you have two more hundred dollar bills in your wallet. So basically, you’ll most likely go with the smallest bill possible. Similarly in Bitcoin, you’ll probably want to use big enough UTXO to cover your expense but not reveal any more information about your stack. But that’s not how it works.

With Bitcoin, which is digital asset and must maintain its transaction history for verification the change output is always visible in the blockchain. It is not, however, Bitcoin’s fault, but rather a feature by design.

When Bitcoin was created, it voluntarily sacrificed some of its users' privacy in order to maximize security. This was actually much more important to Satoshi Nakamoto because it allows Bitcoin to function without relying on a third party authority to verify users' balances and prevent double spending. And that is why we now have truly anonymous cryptocurrencies like Monero, which prioritize privacy over self-auditability.

The previous paragraphs also invalidates another myth about Bitcoin, one that it is mainly used by criminals and drug dealers. You now understand more than many members of the European Parliament and many US senators, that using Bitcoin to buy drugs actually doesn't make sense. That's why physical cash is still the preferred option for illegal activities – which is something that ironically enough confirms even the hated Chain Analysis itself.

In a world where the government and other organizations, not necessarily with good intentions, are trying to learn as much information about you as possible to use them against you, it's better to have tools to increase privacy. And here comes Coinjoin.

Anonymity in the Crowd

In a very simplified form, Coinjoin can be explained very easily: once you have an active Coinjoin service, your wallet can become a participant in a special transaction in which the coordinator "invites" other network users and mixes together multiple inputs from multiple users. The resulting outputs are then distributed back to the original owners but on fresh addresses. This creates a "ball of yarn" of transactions that is practically impossible to trace. Or rather, it can be traced, but no one can determine which Bitcoin belongs to whom. And that's the whole magic. Chain analysis, in fact, works on the principle of probability - trying to estimate with what probability the bitcoin is still owned by the original person whose identity was revealed in the past. With Coinjoin you are actually able to chop-off the history of your coins and start anew.

If the number of inputs and outputs is large enough, the chance that chain analysis can unravel that tangle is practically zero. And that is exactly what Coinjoin users strive for.

You can find a beautiful visualization of coinjoin transactions in practice in the Bitcoin mempool. This specific coinjoin transaction was able to erase the history of more than 200 bitcoins worth approximately 5.5 million US dollars, all in something that looks like one - albeit abnormally large - transaction.

Bitcoin tribalism as its finest kicked in

A number of Trezor users welcome the Coinjoin feature, as it is a long-proven open-source solution. The Coinjoin idea originated in 2013. It took years to take it from the drawing boards to a working solution for the masses. Until now, Coinjoin could only be used in hot wallets, where your private keys theoretically faced the risk of leakage onto the internet, hacking, etc. Trezor which is a HW wallet that keeps your keys offline at all times is the first HW wallet in the world that allows users to enjoy Coinjoin truly securely. For that, Trezor has earned well-deserved recognition from much of the community.

There are, however, some doubts if the implementation of WabiSabi instead of i.e. Samourai wallet was the right call. As soon as the Trezor announced the feature, Bitcoin tribalism kicked in and shitstorm took place. I was disappointed to find out that most of the hate was based on false claims. But to be honest, there was also some well placed criticism. Let's take a closer look on the hottest topics.

One of them, for example, is that zkSNACKs – coordinator used in Trezor/Wasabi coinjoin itself uses chain analysis to explore transactions that aim to use Coinjoin. The community reacted as expected - very explosively, even hostilely and without any true understanding of the issue.

In this I took advantage of the fact that Trezor is a Czech company and the community here is very interconnected and friendly, so I approached Trezor directly to help me shed light on these controversial topics. Many thanks to Hynek Jína, Head of development at Trezor, and his colleague Josef Tětek, Bitcoin analyst.

Firstly, it needs to be said that Coinjoin is a completely voluntary matter and you have to turn this feature ON yourself in your Trezor. Additionally, it can currently only be used on the more advanced Model T. I was assured by Trezor representatives that implementation of said feature is being planned for the older Model One as well but no additional information was shared. But now let’s face it. There are bitcoins whose history has been seriously tainted by criminal activity, and we can all agree that you don't want to have these funds in your possession if it can be avoided.

I would love to say that 1BTC = 1BTC is true at all times. But we need to admit to ourselves that this is not the case anymore. Bitcoin’s fungibility has been compromised a long time ago and we, the people, are to blame for we let it happen. So as much as I hate the chain analysis myself, I am glad that zkSNACKs protocol is using it for the safety reasons of its users. Since some coinjoins can have more than 300 inputs and outputs, I think it makes sense to refuse one tainted input, if it could put other 299 into precarious situation for no good reason.

Let it be clear it’s not the case that Trezor or zkSNACKs is in any way reporting their users for holding such bitcoins. Data about users’ identities are not collected by either company– it’s logical since there is no KYC needed to be able to use either Trezor or Coinjoin. Furthermore, all communication within Trezor Coinjoin feature is automatically channeled through TOR network to maximize privacy of the users.

So, the worst case scenario that can happen is that the coinjoin coordinator, which is essentially the protocol that prepares the entire coinjoin transaction, refuses to invite these "tainted bitcoins" into the coinjoin transaction. No true censorship, no reporting, no bullying or marking users takes place. Refusing to coinjoin your UTXO doesn’t in any way compromise your ability to transact within Bitcoin network. Because of that there is nothing easier to do with those coins than use other solutions like Samourai wallet mentioned before or mix them in a whirlpool if you wish.

In fact, I view this to be advantageous if such undesirable coins were to accidentally end up in your possession. Failed coinjoin will make it clear that your UTXO’s need special attention and to be handled with extreme care. Certainly, you wouldn’t want to send them to centralized exchanges that could potentially freeze them.

Future of Coinjoin transactions

Further concerns then arise from the fact that coins without a history, i.e. those that have successfully passed through coinjoin, may not be accepted by some exchanges. This information cannot be either confirmed or denied at this time. Indeed, some exchanges may (in future) limit coinjoined transactions as a preventive measure – for example, they could require additional KYC/AML verification for previously unverified accounts. But again, this is not the fault of Wasabi, Trezor, or Bitcoin itself, but rather that we as a community already allow regulators to interfere with our right to deal with our own money. It needs to be said that same issues will eventually arise for other Coinjoin solutions (i. e. Samourai wallet) and mixers, if that should be the case.

Is it clear that in the future, it will depend a lot on the community and how many users integrates Coinjoin as a standard practice for maintaining a privacy. Simply put, if the majority of coins repeatedly goes through Coinjoin or other forms of anonymization, Bitcoin will truly be able to serve as digital cash, where all coins are equal and 100% fungible because there will be no reason to treat them differently based on their transaction history. Remember: There is no real issue to use chain-analysis prior to coinjoin as it was already present. The real reason why we do coinjoins is to clear the history for further use.

If Coinjoin remains a marginal issue, it will be much easier for regulators and governments to label it as something only used by criminals and attempt to regulate it or even outright outlaw it. Remember:

“When privacy is criminalized, only criminals will have privacy."

- Daniel Suarez, American writer

Therefore, I also activated Coinjoin on my Trezor simply because I am not a criminal; I just have the right to privacy for myself and my money. And you have the same right. Now go claim it.

Coinjoin is not the only way to achieve privacy

Finally, it should be said that Coinjoin is not the only way to achieve greater anonymity in the Bitcoin network. Privacy can be achieved by using Lightning Network, privacy coins like Monero or ZCash, technique called Submarine swaps and so on. But that would be a topic for an entire series of articles.

There are so-called whirlpools or mixers but from my point of view I found them to be problematic since they are custodial (AFAIK). This means that the users temporarily entrusts their money to someone else, who will then send the money to several other users of the same service with varying delays (a time shift itself is an interesting way to achieve greater privacy). Therefore, users have to hope that the mixer operator does not abuse their position and steal their money. I recommend studying the use of mixers carefully, using a reputable service, even if it has a higher fee.

There is also a coinjoin alternative present in Samourai Wallet, which approaches the concept of Coinjoin in a different way than Wasabi. I am not an active user of Samourai so please, take it into consideration if I am somewhat wrong in next paragraphs.

If I understand Samourai Coinjoin correctly, there is always only 5 inputs and 5 outputs present. Since the additional remixes in Samourai coinjoin service are free I am afraid that bad actors can take the place of some (or most) of the inputs for a very low cost. Such bad actors can again be the chain analysis firm and the Samourai coinjoin would then solve nothing in terms of users’ privacy. This shows in clear light that every solution of coinjoins currently available to public has some tradeoffs and possible best practice would be to use all of them.

As I mentioned above, I do not have deep enough knowledge of Samourai coinjoin so if I got anything wrong, let me know. Reviewing this text and everything I know about this issue it just seems to me that there is no perfect solution to Bitcoin privacy (yet) and Bitcoin engineers have some more work to do.

Anyway, the fact remains that Trezor and Wasabi collaboration is the only available solution for HW wallets so far and that alone is a remarkable feat and from my perspective best solution out there. Combination of HW wallet (protecting users keys), secure communication via TOR network and Coinjoin with large quantities of inputs and outputs in my view outweighs any downsides such as understandable collaboration with Chain-analysis since it’s put into work for a greater good. Let’s see where it will lead us from here.

I would also love to get in touch with you and hear your feedback on this topic, my writing and to be able to discuss different coinjoin implementations and possible improvements on #Nostr.

My npub is: npub1assxmfau5fekks64w008x8celn94pd7ayvaucw67r9pkz29u7szsdpe9kz

Disclaimer! For the sake of transparency I make it clear that I am not associated with Trezor in any way other than we share a common state which is Czech republic.