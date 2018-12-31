



Blockchain Analysis Is About to Get Harder as P2EP Enters Testing Phase

Yet another tool is being added to Bitcoin’s growing number of privacy solutions.



Thought up at a brainstorming event attended by Bitcoin developers and privacy researchers last summer, Pay to Endpoint (P2EP) is a relatively new trick that utilizes the well-known CoinJoin mixing technique to make blockchain analysis much harder. An early version of it, called “Bustapay,” was quickly implemented by independent Bitcoin developer Ryan Havar and is being tested as of now. Meanwhile, the privacy-focused Samourai Wallet as well as JoinMarket developer Adam Gibson are working on two P2EP projects of their own, which are getting closer to deployment too.

“Privacy is essential for Bitcoin,” Havar told Bitcoin Magazine. “Ideally we want to screw up [blockchain] analysis so badly, that they can't even make it.”

CoinJoin

To understand P2EP, let’s first recap what CoinJoin transactions look like, and why they are (and aren’t) useful.

Many normal Bitcoin transactions send coins from several addresses (inputs), because the sender’s addresses individually don’t contain enough coins needed for the payment. This is very helpful for blockchain spies, as it usually means that all inputs in a transaction belong to the same entity. It allows for address clustering.

But by combining several transactions into one big transaction, CoinJoin — a privacy solution first proposed by Bitcoin Core contributor Gregory Maxwell — has the potential to break this assumption. If multiple senders cooperate to create a single transaction that sends coins from all of their inputs to the different receiving addresses (outputs) they’re paying, blockchain spies would be wrong to assume all inputs belong to the same entity. As such, they can’t just assume it, even if it is a regular transaction. It would make address clustering, and thus blockchain analysis, significantly harder.

However, CoinJoin also has its limitations. If all CoinJoin participants don’t use equal amounts, it’s easy to puzzle together which inputs are paying which outputs. As such, it doesn’t really prevent address clustering after all.

CoinJoin is still useful for mixing, which can easily be done with equal amounts. Users don’t pay other users, but rather, themselves. This is effective in breaking the trail of coins, but it does give away that a mixing session took place.

“While it ‘clears your history,’ it is not as useful as people imagine,” Havar argued. “Your coins are obviously and intentionally washed. That makes it problematic to use. Try depositing your post-mixed coins into an exchange, for example, and watch when they lock your account and ask you a lot of questions.”

CoinJoin’s potential to break the assumptions used for addresses clustering had not really been realized yet. But this may be about to change.

P2EP

P2EP is a relatively new idea, first proposed by participants of a brainstorming event for Bitcoin developers and privacy researchers last summer, who published the idea in several blogs. It cleverly works around CoinJoin’s “equal amount” limitation, opening up the possibility to use CoinJoin for regular payments — not just mixing specifically.

The central concept behind P2EP is simple yet effective: the receiving party in a payment takes part in the CoinJoin. If Alice pays Bob, Bob participates in Alice’s CoinJoin transaction to him, so he also pays himself.

Say, for example, that Alice wants to send Bob 1.2 BTC. She may send it from two inputs: one that contains 1 BTC and one that contains 0.5 BTC. This adds up to 1.5 BTC, which means she also sends 0.3 BTC back to herself as change in the same transaction.

With P2EP, Bob adds one input of his own in the mix: let’s say it contains 0.9 BTC. As such, the transaction now has three inputs worth 1, 0.9 and 0.5 BTC, for a total of 2.4 BTC. The transaction also has two receiving addresses, worth 2.1 and 0.3 BTC. The 0.3 BTC is still the same change going back to Alice, while the 2.1 BTC really consist of the original payment of 1.2, plus the 0.9 that Bob is sending himself. While the transaction has some padding, Alice still just paid a total of 1.2 BTC to Bob.