Another CoinSwap milestone: Multi-hop CoinSwaps. Undetectable bitcoin privacy is being built

Suppose Alice has bitcoins and wants to send them with maximal privacy, so she creates a special kind of transaction. For anyone looking at the blockchain her transaction appears completely normal with her coins seemingly going from bitcoin address A to address B. But in reality her coins end up in address Z which is entirely unconnected to either A or B.

Now imagine another user, Carol, who isn’t too bothered by privacy and sends her bitcoin using a regular wallet. But because Carol’s transaction looks exactly the same as Alice’s, anybody analyzing the blockchain must now deal with the possibility that Carol’s transaction actually sent her coins to a totally unconnected address. So Carol’s privacy is improved even though she didn’t change her behaviour, and perhaps had never even heard of this software.

In a world where advertisers, social media and other companies want to collect all of Alice’s and Carol’s data, such privacy improvement would be incredibly valuable. And also the doubt added to every transaction would greatly boost the fungibility of bitcoin and so make it a better form of money.

This undetectable privacy can be developed today by implementing CoinSwap. The software could be standalone as a kind of bitcoin mixing app, but it could also be a library that existing wallets can implement allowing their users to send Bitcoin transactions with much greater privacy.

For the last few months I’ve been working on implementing this project, and recently reached another milestone: Multi-hop CoinSwaps.

In the original CoinSwap design there would be only two peers involved, that meant if your wallet did a CoinSwap the other party knew exactly where your coins went. They were a single point of failure in privacy. Multi-hop CoinSwap is where the user routes their coins of multiple CoinSwap peers, and all of them need to collude in order to figure out the final source and destination of the coins.

Just for fun I created a 5-hop CoinSwap on testnet. Each hop has 3 individual transactions:

Taker’s outgoing transactions:

First maker funding transactions:,,,

Second maker funding transactions:,,,

Third maker funding transactions:,,,

Fourth maker funding transactions (also taker’s incoming transactions):,,,

These transactions don’t look particularly special (which is the point), but they are CoinSwaps. Following the CoinSwap protocol, those coins are transferred off-chain to the next market maker. Even though the coin are unspent at the time of writing, they are unilaterally controlled by the other party.

The user created a CoinSwap for 0.05 tBTC in this case (but it could have been any amount), and out the other side they got the same amount of coins (minus a fee) entirely disconnected to their initial coins. The fee goes to the makers which provides them an incentive to cooperate to improve privacy, and also gets spent on miner fees.

From the point of view of someone just passively observing the blockchain, a single-hop CoinSwap is as private as a multi-hop CoinSwap, so I suspect in practice most users will just create 1-hop or 2-hop CoinSwaps.

These example CoinSwaps have a visible 2-of-2 multisig address. But the plan is to later use a protocol called ECDSA-2P which allows us to create 2-of-2 multisig addresses that look the same as regular single-signature addresses. This allows CoinSwaps to blend in with the rest of the bitcoin transactions out there. Even the legacy p2pkh addresses starting with 1 can be CoinSwap addresses.

CoinSwap is the next generation of bitcoin on-chain privacy tech. It improves on CoinJoin because it breaks the transaction graph, and even improves the privacy of people who don’t use it. CoinSwap also uses less block space for the same privacy and therefore is cheaper in miner fees.


* The code:

* Discussion: `##coinswap` IRC channel on the freenode network

* Design document:

* Previous reddit thread:

* Podcast:

* Donations:

View Reddit by belcher_View Source


Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings


  1. I’m not sure I fully grasp everything you’re saying here but just like with all things Bitcoin related, the rabbit hole never ends.

    I have a lot more research to do but this sounds very promising.

  2. Can you do ecdsa 2P and make it look like a native segwit address? I always hate to hear it uses 1 addresses, personally I never use them, and want to increase segwit address usage.

  3. Oh yea, one other question. Currently with wasabi and others, wasabi makes btc off of each join. That is also an effective way of clearly identifying a wasabi coin join because that eventually fee goes to a known wasabi adress. Will you somehow be making fees off of this. Not thats its a bad thing, but I think it would be awesome if big time BTC holders would just donate BTC to projects like this. I would if it meant that there wasnt a way to identify the makers who ge a fee or whatever. But yea this is exciting.

  4. > . The fee goes to the makers which provides them an incentive to cooperate to improve privacy, and also gets spent on miner fees.


    Would that fee somehow be the giveaway that someone was involved as being a maker? Like if it ends up going into one address or the fees being consolidated as one UXTO ?

  5. Awesome! I have been following this project for quite long, glad to see it is steadily getting done. There is no such thing as ‘too much privacy’, so all steps in this direction are truly appreciated!

  6. Last time I used JoinMarket, I spent in total of $1500+ (could be 10x as of today price) to mix like 4btc. So that turned me off so bad. Will this tech enable mixing in much lower cost ?

  7. How does taproot affect CoinSwap?

    Is it technically possible to do a coin swap and have the output of that be the opening of a lightning channel? Is there any way that coin swap benefits lightning Network?

  8. Will it be possible to prove “chain of custody” with CoinSwap?

    Suppose you get paid in bitcoin, and then send those coins to yourself via CoinSwap to break the transaction graph. Then you decide to send them to an exchange, and the exchange requests that you prove where the coins came from. Can you divulge to the exchange cryptographic proof that the coins you deposited into their exchange were the result of payroll which you CoinSwapped?

  9. Sorry for the dump question, but it’s CoinSwap within Bitcoin?

    There were some solutions that “swap” Bitcoin with some altcoins then “swap” back to Bitcoin. It seems that CoinSwap is different.

  10. I really like this idea, and excited to learn more.

    I’m a little nervous about regulation on the medium term horizon and one of the scenarios I’ve considered is that on/off ramps would be pressured to only deal with currency that had “clear title” for lack of a better term.

    Said differently, if you went to cash out 1 BTC and it had only ever gone from Exchange > Your Wallet > Back to Exchange they’d let you through and you’d be all set.

    However, if in the recent X number of transactions there had been a coinjoin / coinswap they would assume the funds are “guilty” and not allow them to be exchanged.

    I hope I’m being overly paranoid, but that is one reason I’ve avoided any kind of obfuscating transactions. Read up on Civil Asset Forfeiture if you need to reinforce your distrust of how personal property can be considered “guilty.”

    Interested to hear your thoughts on that, even if you just tell me to put my tinfoil hat back on.

  11. Regulators, Chainalysis, and others are going to be pissed off when they realize the Bitcoin narrative they’ve been told that “don’t worry it’s easier to track then cash” was just a bait and switch when it goes fully private and better than Monero.

    The future will be interesting…. Governments will have 2 options. Change politics entirely, or try to ban it.

  12. Serious question. Why do I care about this (I honestly don’t know)? What is this going to save me from / protect me from / improve Bitcoin? Seems to be more of an ‘Ideal’ as opposed to something that main street cares about. It is an honest question I hope I don’t get hammered over now.

  13. Forgive my ignorance, but I have heard before about the potential for certain bitcoins to be marked some how by authorities and therefore due to legislation coins that the authorities don’t like might be banned/blacklisted from regulated off ramp exchanges. It seems to me this process actually avoids the potential that such coins could be traced right? Is there any risk that those using it for testing could find their coins eventually blacklisted or is this the solution to that kind of blacklistings.

    Thx, a noob

  14. Thanks for your hard work on bitcoin privacy!

    Is it possible to incorporate a typical m of n style multisig cold storage scheme directly into coinswap? For example, let’s say I prefer a 2 of 3 hardware wallet setup for my cold storage but would prefer to perform a coinswap first… Is there a way to coinswap directly into that 2 of 3, or would I need to do a very careful set of sweep transactions to move them again at the end?

  15. Hey is this another BTC tumbler? You know your stuff is still traceable on the public blockchain even with tumblers. It makes it a little more difficult to track. But you can just make software do the tracking legwork. Track using first in first out approach. Obvious when
    100 bitcoins in is 99.7 bitcoins out on an address. Break the transactions up even more, use larger fees you may say. A loss of 10% is way too significant for anyone to practically do this. And software wont have a problem figuring out 25+60+5+10=100

    Dont expect to get away with running a drug empire using tumblers (or BTC in general). It is not long term sustainable, and less beneficial in terms of privacy than fiat cash.

    Maybe i didnt understand your “new” concept. Can you explain it a little better? All you said is Alice and Carol send coins to addresses they arent linked to. But didnt really explain it. Im genuinely curious.

  16. Question for OP that is less of an attack and more of a devil’s advocate Q:

    Isn’t software like this just begging for regulation? The ability to basically “VPN” (a verb now) a Bitcoin transaction smells like chum in the water for revenue services and treasury units designed to combat money laundering. I understand the concept, but is there any non-crypto example of a truly anonymous money transfer that couldn’t be traced by a government body designed to prevent financial crimes?

  17. >And the doubt added to every transaction would greatly boost the fungibility of Bitcoin and so make it a better form of money.

    You really need to stop claiming your tools do something that they don’t. If you are relying on doubt or plausible deniability then you do not have fungibility. As long as you can see a coins history, no amount of swapping coins improves fungibility, because prejudice can still be applied to a coin based on its history. And I’ll say it again, blindly swapping coins with complete strangers can ruin your privacy if you end up with coins that are being tracked by law enforcement. So this has the potential to draw scrutiny and erode your privacy when cashing out on a regulated exchange which is the opposite of what your users would want.

    When you have fungibility you don’t have to rely on doubt or plausible deniability and you automatically have a high level of privacy by simply being fungible.



What do you think?

money isn’t the same anymore

'Debris' Star Norbert Leo Butz on the Political Game of Chess Inside the Sci-Fi Mystery

‘Debris’ Star Norbert Leo Butz on the Political Game of Chess Inside the Sci-Fi Mystery