Reviewing Privacy-Enhancing Proposals For Bitcoin

A version of this article was originally published on sethforprivacy.com.

Ragnar Lifthrasir asked for a list of Bitcoin proposals and ideas to improve privacy that either are still a work in progress, were abandoned or never implemented, or failed to make an impact, and so here is my attempt at just that.

This is not an exhaustive list and I would appreciate any help in keeping it current or finding old proposals that have fallen off the radar. Below, you will find sections broken down by project or implementation as well as in order of proposal (where applicable).

Note: While some of these proposals were non-starters or have been abandoned, some are interesting and potentially promising proposals. This is not a “hallowed” list. It’s a chance to learn from past proposals, and keep up with the latest ones.

Bitcoin

Confidential Transactions

Status: Never formally proposed for Bitcoin

Pros: Drastically improved privacy against amount-based heuristics; enables greatly-improved and more flexible app-layer privacy tools for Bitcoin (i.e., unequal output CoinJoins)

Cons: Supply auditability becomes more complex (but is still possible) and relies on more advanced cryptography; transaction sizes and verification times are both significantly increased

Confidential Transactions (used in Monero since 2017 and Liquid since 2018) are a technique used to blind the amounts in a transaction in a way that is still verifiable and provable without revealing amounts to anyone outside of the transaction participants. External observers, miners, and nodes can verify that transactions don’t create or destroy funds.

Further Reading:

• Initial proposal/investigation by Greg Maxwell
• Confidential Transactions in Elements

Reusable Payment Codes For Hierarchical Deterministic Wallets — BIP47

Status: Unanimously discouraged for implementation

Pros: Much easier receipt of funds to a static address while preserving privacy; no direct link between payment code and on-chain addresses/transactions (unlike static Bitcoin addresses)

Cons: Most versions require a notification transaction to be sent on-chain so that the recipient knows how to look for funds sent to them; notification transaction can undermine privacy if done incorrectly

The proposal for Reusable Payment Codes is one of the best-known BIPs due to its adoption and use by Samourai Wallet under the name “PayNym.” This proposal is similar to Stealth Addresses in that a single payment code can be used to derive unlinkable on-chain addresses, but differs in that it does not use different addressing formats on-chain and instead relies on a notification transaction to allow the recipient to find their funds on-chain.

PayNyms, despite being rejected/discouraged in BIP47 have seen quite widespread use and have recently been implemented in Sparrow Wallet and even by a Bitcoin mining pool “Lincoin.”

A great summary of the three main Reusable Payment Code schemes has been provided by Ruben Somsen, the author of Silent Payments in the gist for Reusable Taproot Addresses.

Further Reading:

• Original Payment Code BIP47

Stealth Addresses — BIP63

Status: Never accepted as a BIP despite being given a BIP number

Pros: When enforced, prevents all links between off-chain addresses/pubkeys and on-chain one-time addresses; breaks all address-based heuristics

Cons: Wallets now have to scan all transactions to validate which ones are owned by the user’s private keys; can no longer do simple address-based wallet sync

Stealth Addresses are a novel concept that allows a receiver to share or publish a single static address that senders can derive one-time addresses from, breaking any cryptographic links to the shared/published address on-chain. This adds considerable overhead to wallet scan times (all transactions must now be scanned to verify ownership of your private keys)57Original Payment Code BIP98

to the address on-chain, and break any cryptographic links to the shared/published address.

Stealth Addresses were originally proposed for Bitcoin in 2011 on BitcoinTalk, but were abandoned as a BIP after OP_RETURN was changed:

“OP_RETURN got changed to 40 bytes at the last minute, preventing my stealth address standard from working, and moved on to work on other things.”

-u/petertodd

While Dark Wallet did implement Stealth Addresses for Bitcoin, the wallet never officially launched and was abandoned. Stealth addresses are included in Monero because they are a core part the original Cryptonote protocol.

Further Reading:

• Original Stealth Address BIP63

PayJoin — BIP78

Status: Draft

Pros: Creates transactions that look normal but break common heuristics; easy to perform when supported by the recipient

Cons: Requires hot wallet on the merchant/recipient side, cannot send to simple address etc. ; malicious sender can attempt to force recipient to reveal UTXOs (attack is mitigated if properly implemented)

PayJoin may also be well known to the Bitcoin privacy crowd as it has gotten some media and minor adoption despite its official “draft” status. PayJoin allows sender and receiver to work together to create a combined transaction that includes a UTO (or more) from both the sender or intended recipient of funds. This hides the true nature and purpose of the transaction on-chain.

A similar protocol was implemented in Samourai Wallet in 2019 as “Stowaway” (before the PayJoin proposal BIP), and PayJoin proper was implemented in BTCPay Server in June 2020, JoinMarket in August 2020, Blue Wallet in October 2020, and Sparrow Wallet in November 2020. See these documents for more information:

• Stowaway, Samourai Wallet
• “BTCPay Server PayJoin Guide,” BTCPay Server
• PayJoin (aka, P2EP) user guide, JoinMarket
• Paying to a PayNym, Sparrow Wallet

Although implemented in some wallets and tools, PayJoin usage unfortunately seems to remain very sparse today (though it’s hard to detect on-chain so might be higher than we realize). and BIP156 Status: 55 Original PayJoin BIP0341 and new BIP

Further Reading:

• Initial blog post on PayJoin
• Original PayJoin BIP78
• “PayJoin Adoption,” Bitcoin Wiki

Peer-To-Peer Communication Encryption — BIP151 and BIP324

Status: Original BIP151 withdrawn, new BIP324 in draft

Pros: Prevents simple snooping by internet-service providers (ISPs) and mobile carriers; prevents man-in-the-middle attacks by rogue nodes pretending to be your specified remote node; can pin known good nodes to ensure you have healthy nodes as peers

Cons: Increased overhead in peer-to-peer (P2P) protocol; new denial-of-service (DoS) vectors created by the use of encryption; does not fully prevent deep packet inspection by ISPs, etc.

P2P communication encryption is a large and necessary step forward in securing the P2P network in Bitcoin against common attacks and providing basic privacy to those running a node from their ISP and other basic surveillance, and has been proposed for Bitcoin via BIPs 151 and 324.

To quote the author:

“BIP324 proposes a new Bitcoin P2P protocol, which features transport encryption and slightly lower bandwidth usage.”

P2P communications encryption is something that is not commonly done in the cryptocurrency space, but is also being worked on in the Monero community.

Further Reading:

• BIP324 website
• Original BIP151
• Official BIP324

Dandelion — BIP156

Status: Rejected

Pros (Specifically Dandelion Iteration): Prevents deterministic linking of transactions back to their originating node by active surveillance of the P2P network; provides strong network-level privacy without necessitating use of an anonymity network (which have their own serious DoS/Sybil issues)

Cons (Specifically Dandelion Iteration): Transaction broadcast takes much longer (usually one minute to one-and-a-half minutes for complete propagation instead of just a few seconds); opens up new DoS vectors if using a malicious remote node and not your own

Dandelion is an approach to bringing plausible deniability to the Bitcoin peer-to-peer network in a way that prevents others on the network from deterministically tying transactions with the originating node. 63Official BIP78Ofl

Dandelion , an iteration that resolves many of the problems with the original Dandelion proposal, was implemented in Monero in 2020.

Further Reading:

• Original Dandelion BIP156
• Dandelion journal article

Taproot — BIP341

Status: Draft (but actually not, as it’s already deployed in Bitcoin via soft fork)

Pros: Drastically improved privacy when using scripts (like multisig or Lightning channel opens/closes) assuming broad adoption; more scripting possibilities via Tapscript; potential efficiency improvements, batching, etc.

Cons: Non-cooperative, channel-close transactions must still reveal script, negating privacy gains in those situations

Taproot is likely the most well-recognized BIP on this list, and has actually been implemented in Bitcoin despite still being marked as “Draft” in the BIP GitHub repository.

Taproot has been largely ignored. However, it is possible that Taproot will be widely adopted in Bitcoin in the future. This is due to the slow pace of adoption, especially when Taproot usage is optional.

Once Taproot can be used for Lightning Network channel openings, it will provide privacy by hiding the script details within each transaction. This will make it harder to find channels open on-chain in Bitcoin. In the event that a channel is closed, this privacy will be lost. However, the script must be made public on-chain.

Further Reading:

• Original Taproot BIP341

SNICKER

Status: Abandoned, never formally proposed for Bitcoin

As I don’t know much about SNICKER I won’t go into detail on my thoughts, but see the quote below for the summary of what the proposal was meant to do:

“SNICKER (Simple Non-Interactive Coinjoin with Keys for Encryption Reused) is a simple method for allowing the creation of a two party coinjoin without any synchronisation or interaction between the participants. It relies on the idea of reused keys (either reused addresses, or identification of ownership of signed inputs and thus pubkeys in signatures).”

As far as I can tell the proposal has been abandoned since 2020.

Further Reading:

• SNICKER proposal gist

CoinSwap

Status: Work in progress, but never formally proposed for Bitcoin

Pros: Appears to be a normal transaction type on-chain

Cons: Does not actually obfuscate or break any on-chain history, it merely attempts to break simple ownership heuristics; allows those with tainted funds to swap for “clean” funds to the detriment of the swap participant; no clear privacy advantages in most situations

CoinSwap was a popular and oft-discussed proposal in 2020 to allow users to swap UTXOs (and thus their associated history), but was met with strong pushback as it does nothing to remove history or break deterministic links.

See the below quote for a simple summary of CoinSwap:

“Coinswap is a protocol that allows two or more users to create a set of transactions that look like independent payments but which actually swap their coins with each other, optionally making a payment in the process.”

It seemed that CoinSwap had been abandoned, as there was no progress made since 2020, but recently, Chris Belcher launched an implementation of CoinSwap called Teleport Transactions.

Further Reading:

• CoinSwap design proposal
• CoinSwap topic on Bitcoinops.org

Silent Payments

Status: Work in progress, not yet formally proposed for Bitcoin

Pros: Much easier receipt of funds to a static address while preserving privacy; no direct link between payment code and on-chain addresses/transactions (unlike static Bitcoin addresses); does not require on-chain notification transaction, unlike BIP47

Cons: Currently completely incompatible with light wallets; adding a new Silent Payment code after initial block download (IBD) requires completely restarting IBD; requires constant scanning of the blockchain for new uses/transactions

Silent Payments are all the rage in recent Bitcoin discussion, and are similar in some ways to BIP47 (mentioned above). While they allow you to share or publicly announce a single static payment code and receive payments that cannot be linked on-chain, there are serious tradeoffs with this approach.

It will be interesting to see this proposal play out but so far the better option appears to be BIP47 still.

A great summary of the three main reusable payment code schemes has been provided by Ruben Somsen, the author of Silent Payments, in the gist for Reusable Taproot addresses.

Further Reading:

• Silent Address proposal gist

Reusable Taproot Addresses

Status: Work in progress, not yet formally proposed for Bitcoin

Pros: Much easier receipt of funds to a static address while preserving privacy; no direct link between payment code and on-chain addresses/transactions (unlike static Bitcoin addresses); combines first payment and notification into one “real” transaction, unlike BIP47; notification transaction appears just like any other Taproot spend on-chain

Cons: Sender and receiver both must support and use Taproot; sender needs to follow a special protocol to be able to recover from backup

While this proposal bears many similarities to BIP47 and Silent Payments, it leverages new capabilities in Taproot to essentially improve on the tradeoffs taken by BIP47 reusable payment codes. A great summary has been provided by Ruben Somsen, the author of Silent Payments in the gist below:

Reusable Taproot addresses:

• No continuous scanning of every transaction
• One-time interaction with the recipient (stateful for sender: if they forget, they need to interact again)
• No on-chain footprint
• Sender needs to follow a special protocol to be able to recover from backup (this downside can be mitigated, see below)

BIP47:

• No continuous scanning of every transaction
• No interaction with the recipient
• On-chain footprint (or alternatively one-time interaction and stateful backups)

Silent Payments:

• Continuous scanning of every transaction (increases cost of running full node)
• No interaction with the recipient
• No on-chain footprint

Further Reading:

• Reusable Taproot addresses proposal gist
• Proof-of-concept implementation

Lightning Network

Please note that most of these proposals are still very much a work in progress and have yet to be given a clear yes/no approval. The Lightning Network proposals are listed below as important developments that could improve privacy when using the Lightning Network.

The Lightning Network was initially designed to be scalable and privacy-oriented. Many of the initial design decisions made are very detrimental to user privacy. These proposals seek to address these issues, and hopefully can do so without compromising payment reliability or routing efficiency.

Route Blinding

Status: Work in progress

Pros: Prevents sender from ascertaining full route to recipient; hides recipient node alias/pubkey; provides much better recipient privacy overall versus current transparent routing methods; can provide better payment success rate by providing local routing data in some specific scenarios

Cons: Can be difficult to craft blinded routes in specific routing graph scenarios; can have a negative impact on payment success rate in specific scenarios

The current Lightning Network suffers from severe issues centered around receiver privacy, and Route Blinding is one of the key proposals seeking to remedy at least a part of this issue.

To quote the proposal:

“Route blinding is a lightweight technique to provide recipient anonymity by blinding an arbitrary amount of hops at the end of an onion path.”

Route blinding is still very much a work in progress but shows promise for allowing a receiver to receive funds without deterministically revealing the final node receiving the funds.

Further Reading:

• Route Blinding proposal
• Route Blinding BOLT pull request

Trampoline Onion Routing

Status: Work in progress

Pros: Can allow light wallets to craft routes in a privacy-preserving way without a full route graph; can be used to provide receiver privacy from the sender (but not the trampoline node as far as I can tell)

Cons: None that I know of at this time

While not strictly a privacy improvement, Trampoline Onion Routing can provide better route privacy in some scenarios for the receiver and so is mentioned here. You can pair it with route blinding to give even better privacy for receivers, especially in cases where you are unable to run a full node or build entire routes. The full privacy implications of this proposal are still being considered, but it will be interesting to follow along with.

Further Reading:

• Trampoline Onion Routing proposal
• Trampoline Onion Routing BOLT documentation pull request
• Trampoline Onion Routing BOLT specification pull request

Alias SCID

Status: Work in progress

Pros: Prevents simple linking of payments to single node alias/pubkey by using a unique alias per channel/peer

Cons: None that I know of at this time

One of the critical privacy issues in Lightning today is the fact that nodes have permanent aliases and pubkeys that are used for gossip and channel management, and as such, any receipt of payments leaks your nodes alias and pubkey to the sender of the payment. The key to solving this problem in Lightning is “Alias SCID BOLT pull request” 57590156BOLT

Further Reading:

• Alias SCID BOLT pull request

Offers — BOLT12

Status: Work in progress

Pros: Drastically-improved privacy and flexibility for payments as the recipient; much smaller QR codes and much less data needed in the offer itself (as the necessary data is collected from the recipients node directly instead of being all included in the invoice as in BOLT11 invoices)

Cons: None that I know of at this time

BOLT12 is a combination of many of the other proposed improvements and integrates them into a new and much more flexible invoice type for Lightning, also called an “offer.” The implementation of BOLT 12 alongside route blinding and node alias SCIDs would be a big step forward for both privacy and user experience in Lightning, and is somewhat of the current holy grail of proposals. HTML5_ The Lightning Network’s website is currently under development.

Further Reading:

• BOLT12 website
• BOLT12 — Offers BOLT pull request

Sidechains

The Liquid Network

Status: Live since 2018

Pros: Mildly improved per-transaction privacy due to Confidential Transactions (but mostly useless due to almost no usage reducing crowd to hide in); cheaper fees than on-chain

Cons: Custodial (via a federation); almost no usage gives you almost no crowd to hide in; past issues with “emergency” multisig being held by very few parties

The Liquid Network is a Bitcoin-pegged and federated sidechain for Bitcoin that allows users to peg BTC to redeem it for L-BTC and then be able to transact on the Liquid Network.

Liquid offers moderate privacy improvements over on chain Bitcoin because it uses Confidential Transaction. It is also extremely affordable to transact in.

Users need to be aware that Liquid uses a federated model. custodians have the keys to your bitcoin ,. This means your funds are at risk of theft or loss. You should not assume that you will be able to convert back into BTC.

But Liquid remains practically unused even after four years of being in the wild and heavy marketing.

Further Reading:

• Liquid Network website

FediMint

Status: Work in progress

Pros: Very strong privacy when transacting within the sidechain; interoperable with the Lightning Network without requiring each user to run a node/manage channels/etc. Anyone can create a new minimint. Not just certain people/groups. ; can be used as a neutral ground between self-sovereign Lightning and self-sovereign Lightning. and “single custodian” Lightning (Wallet, Cash App, Strike) while retaining user privacy from custodians

Cons: Custodial (via federations); potential regulatory pressure on federation members due to custody/transfer of user’s funds; centralization of Lightning Network due to users not running their own node, managing channels, etc. and instead relying on federation Lightning services

FediMint (and the specific initial implementation, minimint) is a relatively new proposal for building a federated Chaumian-blinded eCash as a sidechain to Bitcoin, denominated in bitcoin. These federated sidechains will be small and interoperable, and would compete for reputation, uptime, and fees.

While it is still a work-in-progress, minimint offers the possibility of a middle ground between fully autonomous Lightning Network usage (Zeus Core LN, LND), and fully self-sovereign Lightning Network usage. Single-custodian Lightning Network usage (Cash app, Strike, etc. By allowing a trusted consortium of custodians, to hold funds and manage Lightning Node(s), for their users.

Note that the proposal is still fully custodial, but has differing tradeoffs compared to something like the Liquid Network.

Further Reading:

• FediMint website
• MiniMint GitHub repository

This is a guest post by Seth For Privacy. 57MiniMint GitHub repository63This is a guest post by Seth For Privacy.