Spending Privately

Prerequistes

This guide explains how to send Bitcoin in a relatively private manner. If you haven’t read the Quick Start guide yet, that’s a good place to learn how to install and get introduced to Sparrow.

Why is this necessary?

Key to understanding the need for privacy tools is first understanding the Bitcoin UTXO model.

Every amount in Bitcoin consists of a transaction output - that is, the output of a transaction which sends an amount to a given address. Every transaction output, or TXO has a specific, discrete amount. Before an amount is spent, it is called an unspent transaction output, or UTXO.

When you create a Bitcoin transaction, you combine one or more UTXOs as inputs, providing the funds you are looking to spend. When the transaction is broadcast and mined in a block, all of these UTXOs become spent. In other words, they are not reduced in value, but completely consumed, and can never be spent again.

When the new output of your transaction does not match the input amount (less fees), a change output is created. This change output sends funds back to your wallet, which are then available as another UTXO.

Because the Bitcoin blockchain is public, this model has several privacy implications:

  1. The recipient of any transaction (and any outside observers who learn their address) can determine some information about the amount of funds you hold by looking at the input UTXOs you spent.
  2. If your transaction has a change UTXO, the same observers can see when that change (and its change) gets spent, and so learn more about your spending history as you transact over time.
  3. All input UTXOs in a transaction are generally assumed to be from the same owner, linking them together in a “cluster” to an outside observer (we’ll see how to break this assumption later).

Blockchain analysis uses a number of generally applicable rules or heuristics to separate payment amounts from change amounts. The primary goal of this lies in learning when ownership changes in order to understand more about your funds and how you use them. While these heuristics depend on probabilities, they can be very effective. Without privacy tools, once your identity is linked to one UTXO much about your wealth and transaction history can be determined with relatively high probability over time.

Privacy tools seek to disrupt these heuristics. Some, like Whirlpool and the two person coinjoins discussed here, create transactions which introduce confusion (or entropy) in the transaction graph. Others, like payjoin, break some of the assumptions that common heuristics depend on. Used together, it is possible to remain relatively private when transacting with Bitcoin.

Fake two person coinjoin

A common approach for spending privately is to create an equal output coinjoin while spending.

An equal output coinjoin is a technique where individuals contribute inputs to construct a specific transaction containing a number of equal output amounts. This adds ambiguity about which of the output amounts went to which wallets or entities, and makes the probability of tracing ownership of funds much lower. In the case of a two person coinjoin with two equal outputs, either output could represent the funds of one of the individuals. In addition, a coinjoin output might or might not represent an external payment, since it is common to send the output amount back to a wallet you own. For example, you might do this to consolidate or break up UTXOs you own.

The simplest way to add privacy when spending is to create a fake coinjoin (also known as a Stonewall transaction). This is a transaction you create alone, but that appears to be potentially constructed by multiple individuals. To the outside observer, there is no way to determine whether the coinjoin is fake or not - it is ambiguous. This approach requires no collaboration, and can be done with any kind of wallet (including hardware wallets).

To create a coinjoin with yourself, create a transaction as normal on the Send tab and select to optimize for Privacy using the toggle button in the lower left. If the wallet has sufficient funds available, Sparrow will construct the coinjoin as follows:

Constructing a fake coinjoin

Note that there are two sets of inputs (indicated by the brackets on the left in the transaction diagram), representing each “individual” in the coinjoin. Each “individual” must contribute more than the payment amount, meaning your wallet must have funds greater than twice the payment you are making. If your wallet doesn’t have enough funds, you can still perform a collaborative coinjoin discussed below.

Of the outputs, the first output represents the payment to the address in the Pay to field. The second output is a “decoy” of the same amount (5,670 sats) and is paid to one of the change addresses in this wallet. Then there are two change outputs, representing change to each of the “individuals” - both of these are also sent back to this wallet as change.

As the Analysis… tooltip indicates, to the outside observer this appears to be a possible two person coinjoin. However, it is actually a transaction where all inputs are owned by the same wallet. You can now create, sign and broadcast this transaction as normal, having gained additional privacy at the cost of a slightly higher fee due to the additional inputs and outputs.

Note that to create this kind of coinjoin in Sparrow, the address you are paying to needs to be of the same type as your wallet (so the outputs look the same).

Collaborative two person coinjoin

Of course, if all two person coinjoins were fake, their value would be reduced. You can improve the anonymity for yourself (and everyone else using this approach) by collaborating to creating to create a genuine two person coinjoin (also known as StonewallX2).

To do this you will need to use a singlesig, Native Segwit software wallet such as that used with Whirlpool. In fact, spending this way from a Whirlpool Postmix wallet is recommended, and for good reason - everyone who uses Whirlpool benefits from their peers using postmix privacy tools.

Start by creating a fake two person coinjoin as described above. Then, click on the blue icon in the second input bracket to replace your own UTXOs with those from a mix partner:

Starting a collaborative coinjoin

You will now see the following dialog, in which you need to enter the PayNym or Payment code of your mix partner. Your mix partner can be using either Sparrow or Samourai wallet, both of which use the Samourai Soroban service to exchange transaction information using an end-to-end encrypted protocol.

Adding a mix partner

Soroban? PayNym? Payment code?

Soroban is effectively a secure chat protocol for wallets to communicate. In order for two wallets to find each other, they need to use a unique identifier, much like a phone number. Each wallet can create this identifier deterministically, called a payment code. It’s similar to an xpub, except that no information about a wallet can be learned from it. In this sense, it is safe to share.

The payment code is however quite long, making it more difficult to share in person. Samourai Wallet have created a directory of payment codes at https://PayNym.is. Every payment code that is added to the directory is run through an algorithm that gives it a short, friendly name, such as +roundgrass881. This name is known as a PayNym. Every one is unique, and each has an associated “robot” profile picture to make them more memorable. In addition, each PayNym has a list of contacts. Much like the contacts on your phone, these contacts represent other PayNyms you collaborate with regularly.

You can perform a collaborative two person coinjoin with either payment codes or PayNyms on Sparrow. If you are collaborating with a Samourai user, you will need to use PayNyms, and add each other’s PayNym to your respective contact lists.

Starting the mix

For this guide, we’ll mix between two Sparrow users. Once your mix partner is ready to start, ask them to go to Tools > Find Mix Partner in the Sparrow menu.
They will see a dialog similar to the following:

Finding a mix partner

Note that they may need to click a Retrieve PayNym button the first time they use this feature - this will request the PayNym to be created on PayNym.is. This is not strictly necessary however - they can send you either the Payment code, or the PayNym from this dialog.

Once you have their PayNym or Payment code, copy it into the ‘PayNym or Payment code’ field in your Add Mix Partner dialog that you opened previously. Click Next, and ask your mix partner to do the same on their Find Mix Partner dialog. The mix will begin!

Reviewing the mix

Both you and your mix partner will get a chance to review the mix before it is broadcast. Here is what your mix partner will see once the mix begins:

Reviewing the mix type

They will get a chance to approve or decline the mix at this stage. If they click Next to approve, the mix will proceed and you will get to review the two person coinjoin transaction before it is broadcast. Note that it appears similar to the fake two person coinjoin above - however, both you and your mix partner have contributed UTXOs, and both receive change outputs. Of the two other outputs, one is your payment, and the other is a coinjoin output goes to one of your mix partner’s change addresses. You have a minute to review the mix.

Reviewing the mix transaction

Once you are comfortable, click Sign & Broadcast. You mix partner will be notified and will be able to inspect the broadcasted transaction themselves. Congratulations! You’ve just completed an on-demand, two person coinjoin!

Paying to a PayNym

It is also possible to send a payment directly to your mix partner’s PayNym using another type of privacy-focused transaction known as a Payjoin (or Stowaway). With this technique, both you and your mix partner contribute UTXOs as inputs to the transaction, but your mix partner receives an output with an amount greater than the value you are sending. This not only breaks one of the most common heuristics (known as common input ownership), but it also hides the amount you are sending. In addition, this transaction looks entirely normal to an outside observer.

Note for Samourai users: Do not send directly (non-collaboratively) to a Sparrow user PayNym. Sparrow does not support the necessary underlying BIP47 technology to receive the payment at this time.

To perform this kind of payment, click the down arrow to the right of the Pay To field in the Send tab and select PayNym….

Send to PayNym

You will see a dialog showing the PayNym of this wallet (click Retrieve PayNym if necessary).

Selecting a PayNym contact

You will now need to find the PayNym of the wallet you are paying to in the list of Contacts. If you need to add the PayNym to your list of contacts, enter it in the Find Contact field and click Add Contact when it appears.

Once you are ready, click Select Contact. The dialog will close and the Pay to field will indicate you are paying to a PayNym. You can enter the Label and Amount as normal. Once ready, again click the icon next to Add Mix Partner in the transaction diagram.

From here, the process is very similar to that of creating a two person coinjoin described above. Your mix partner will need to use Tools > Find Mix Partner (or Receive Online Cahoots in the Samourai Receive menu) and both of you should click the Next button when ready. Note that currently your mix partner will need to use a wallet funded with at least as much bitcoin as they are receiving. Once the collaboration is complete, you will have broadcast a private payjoin transaction you have both contributed to!

Here is an example payjoin, similar to what your mix partner would see once the transaction has been broadcast:

Completed Payjoin transaction

Conclusion

Using these tools, it is possible to remain relatively private while transacting. Even though collaborative transactions require more effort, the value they provide not only you, but other users is significant. Consider using them for every transaction you send. It is never too late to start.