Here's a payjoin demo, so people have some idea what workflow might be like:

(used asciinema + tmux, quite a nice combination btw!)

@waxwing Not sure if it's something of interest for joinmarket but here's something that I posted last week on the other site.

It's a steganographic 2-party coinjoin (third tx on the schema). Basically, it's what you get when you mix coinjoin and P2EP ideas :D

The scheme has some nice properties (hides paid amount, breaks basic assumptions about ownership of output changes)


Yeah these are all very reasonable possibilities :) Reminds me of that example I gave in Milan where I said there were at least 8 interpretations :)

Nice work, thanks. (btw the pic comes out twice for some reason).

@waxwing First pic shows 3 similar coinjoins. Second pic has labels showing who controls which UTXO, depending on the Stonewall option used in Samourai Wallet (from top to bottom: Stonewall, Stonewall-2P, Steganographic Stonewall-2P).

@laurentmt Oh the labels! I focused really hard to check that the amounts were really the same and so were the descriptions; didn't notice the labels :) Figured it out though :)


@stevenroose @waxwing Yep. It could be interpreted as BA->ABBA (among others interpretations).

But the real interpretation is that both mixed outputs go to one participant and both change outputs go to the other participant. It breaks the classic assumption that each participant is associated to 1 mixed output and 1 change output.

@laurentmt @stevenroose

I like to call this the "coinjoin hall of mirrors" :) One interpretation is the "obviously correct" one, so those trying to gain privacy deliberately use the less-accepted pattern; then the analyst notices most people are using the "not obvious" pattern, so it becomes the accepted interpretation, and then ... :)

@waxwing @laurentmt That's why we have things like canonical input and output ordering, right.

@stevenroose @laurentmt

Well it's certainly related but: ordering has no semantics in theory (also Gmax has elucidated good reasoning as to why *if anything* bip69 is not a good thing, although it doesn't matter too much); so interpretation is really all about amounts and utxo relationship (clustering, address reuse etc.).

@waxwing @laurentmt I don't see how it is a bad thing.
If course, it'd be better if it had set the guideline that wallets just have to randomize order instead of defining an order.

@stevenroose @laurentmt
SIGHASH_SINGLE is a corner case where it *could* be a bad thing (although no one really uses it right now). I forget, but I think there were one or two other counterarguments, but anyway as I said, it's not like it's terrible. Randomization might indeed be the better way to go.

Sign in to participate in the conversation
La Quadrature du Net - Mastodon - Media Fédéré

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!