Spending Privately


This guide explains how to send Bitcoin in a relatively private manner. If you haven’t read the Quick Start guide yet, that’s a good place to learn how to install and get introduced to Sparrow.

Why is this necessary?

Key to understanding the need for privacy tools is first understanding the Bitcoin UTXO model.

Every amount in Bitcoin consists of a transaction output - that is, the output of a transaction which sends an amount to a given address. Every transaction output, or TXO, has a specific, discrete amount. Before an amount is spent, it is called an unspent transaction output, or UTXO.

When you create a Bitcoin transaction, you combine one or more UTXOs as inputs, providing the funds you are looking to spend. When the transaction is broadcast and mined in a block, all of these UTXOs become spent. In other words, they are not reduced in value, but completely consumed, and can never be spent again.

When the new output of your transaction does not match the input amount (less fees), a change output is created. This change output sends funds back to your wallet, which are then available as another UTXO.

Because the Bitcoin blockchain is public, this model has several privacy implications:

  1. The recipient of any transaction (and any outside observers who learn their address) can determine some information about the amount of funds you hold by looking at the input UTXOs you spent.
  2. If your transaction has a change UTXO, the same observers can see when that change (and its change) gets spent, and so learn more about your spending history as you transact over time.
  3. All input UTXOs in a transaction are generally assumed to be from the same owner, linking them together in a “cluster” to an outside observer (we’ll see how to break this assumption later).

Blockchain analysis uses a number of generally applicable rules or heuristics to separate payment amounts from change amounts. The primary goal of this lies in learning when ownership changes in order to understand more about your funds and how you use them. While these heuristics depend on probabilities, they can be very effective. Without privacy tools, once your identity is linked to one UTXO, much about your wealth and transaction history can be determined with relatively high probability over time.

Privacy tools seek to disrupt these heuristics. Some, like Whirlpool and the two person coinjoins discussed here, create transactions which introduce confusion (or entropy) in the transaction graph. Others, like payjoin, break some of the assumptions that common heuristics depend on. Used together, it is possible to remain relatively private when transacting with Bitcoin.

Fake two person coinjoin

A common approach for spending privately is to create an equal output coinjoin while spending.

An equal output coinjoin is a technique where individuals contribute inputs to construct a specific transaction containing a number of equal output amounts. This adds ambiguity about which of the output amounts went to which wallets or entities, and makes the probability of tracing ownership of funds much lower. In the case of a two person coinjoin with two equal outputs, either output could represent the funds of one of the individuals. In addition, a coinjoin output might or might not represent an external payment, since it is common to send the output amount back to a wallet you own. For example, you might do this to consolidate or break up UTXOs you own.

The simplest way to add privacy when spending is to create a fake coinjoin (also known as a Stonewall transaction). This is a transaction you create alone, but that appears to be potentially constructed by multiple individuals. To the outside observer, there is no way to determine whether the coinjoin is fake or not - it is ambiguous. This approach requires no collaboration, and can be done with any kind of wallet (including hardware wallets).

To create a coinjoin with yourself, create a transaction as normal on the Send tab and select to optimize for Privacy using the toggle button in the lower left. If the wallet has sufficient funds available, Sparrow will construct the coinjoin as follows:

Constructing a fake coinjoin

Note that there are two sets of inputs (indicated by the brackets on the left in the transaction diagram), representing each “individual” in the coinjoin. Each “individual” must contribute more than the payment amount, meaning your wallet must have funds greater than twice the payment you are making. If your wallet doesn’t have enough funds, you can still perform the collaborative coinjoin discussed below.

Of the outputs, the first output represents the payment to the address in the Pay to field. The second output is a “decoy” of the same amount (5,670 sats) and is paid to one of the change addresses in this wallet. Then there are two change outputs, representing change to each of the “individuals” - both of these are also sent back to this wallet as change.

As the Analysis… tooltip indicates, to the outside observer this appears to be a possible two person coinjoin. However, it is actually a transaction where all inputs are owned by the same wallet. You can now create, sign and broadcast this transaction as normal, having gained additional privacy at the cost of a slightly higher fee due to the additional inputs and outputs.

Note that to create this kind of coinjoin in Sparrow, the address you are paying to needs to be of the same type as your wallet (so the outputs look the same).
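
The input and output layout described above can be sketched in a few lines. This is an added illustration, not Sparrow's code: the greedy coin selection, the even fee split and the function names are assumptions, and all amounts are constructed. The second function counts the ways an outside observer could read the result as a genuine two person coinjoin.

```python
from itertools import combinations

def build_fake_coinjoin(utxos, payment, fee):
    """Return (set_a, set_b, outputs) for a single-wallet spend with the
    four-output layout described above. Amounts are in sats.
    Assumption: the fee is split evenly between the two input sets."""
    fee_a, fee_b = fee - fee // 2, fee // 2
    need = payment + fee_a                      # each "individual" must exceed this
    set_a, set_b = [], []
    for coin in sorted(utxos, reverse=True):    # simple greedy selection
        if sum(set_a) <= need:
            set_a.append(coin)
        elif sum(set_b) <= need:
            set_b.append(coin)
    if sum(set_a) <= need or sum(set_b) <= need:
        raise ValueError("wallet needs more than twice the payment amount")
    change_a = sum(set_a) - payment - fee_a
    change_b = sum(set_b) - payment - fee_b
    # payment, equal-value decoy back to own wallet, then one change per set
    return set_a, set_b, [payment, payment, change_a, change_b]

def two_party_readings(inputs, outputs, fee):
    """Count input splits consistent with two independent participants:
    exactly one pair of equal outputs, and each side's inputs cover its
    equal output plus one change output with a non-negative fee share."""
    equal = [v for v in set(outputs) if outputs.count(v) == 2]
    if len(outputs) != 4 or len(equal) != 1 or sum(inputs) - sum(outputs) != fee:
        return 0
    changes = [v for v in outputs if v != equal[0]]
    readings = 0
    for r in range(1, len(inputs)):
        for side in combinations(range(len(inputs)), r):
            a = sum(inputs[i] for i in side)
            b = sum(inputs) - a
            if a - equal[0] - changes[0] >= 0 and b - equal[0] - changes[1] >= 0:
                readings += 1
    return readings

if __name__ == "__main__":
    # Constructed wallet: four UTXOs, paying 5,670 sats with a 400 sat fee
    a, b, outs = build_fake_coinjoin([20000, 9000, 8000, 3000], 5670, 400)
    print(a, b, outs, two_party_readings(a + b, outs, 400))
```

An ordinary payment with one payment output and one change output has no two person reading at all, which is what makes the fake coinjoin ambiguous by comparison.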

Collaborative two person coinjoin

Of course, if all two person coinjoins were fake, their value would be reduced. You can improve the anonymity for yourself (and everyone else using this approach) by collaborating to create a genuine two person coinjoin (also known as StonewallX2).

To do this you will need to use a singlesig, Native Segwit software wallet such as that used with Whirlpool. In fact, spending this way from a Whirlpool Postmix wallet is recommended, and for good reason - everyone who uses Whirlpool benefits from their peers using postmix privacy tools.

Start by creating a fake two person coinjoin as described above. Then, click on the blue icon in the second input bracket to replace your own UTXOs with those from a mix partner:

Starting a collaborative coinjoin

You will now see the following dialog, in which you need to enter the PayNym or Payment code of your mix partner. Your mix partner can be using either Sparrow or Samourai wallet, both of which use the Samourai Soroban service to exchange transaction information using an end-to-end encrypted protocol.

Adding a mix partner

Soroban? PayNym? Payment code?

Soroban is effectively a secure chat protocol for wallets to communicate. In order for two wallets to find each other, they need to use a unique identifier, much like a phone number. Each wallet can create this identifier deterministically, called a payment code. It’s similar to an xpub, except that no information about a wallet can be learned from it. In this sense, it is safe to share.

The payment code is however quite long, making it more difficult to share in person. Samourai Wallet have created a directory of payment codes at https://PayNym.is. Every payment code that is added to the directory is run through an algorithm that gives it a short, friendly name, such as +roundgrass881. This name is known as a PayNym. Every one is unique, and each has an associated “robot” profile picture to make them more memorable. In addition, each PayNym has a list of contacts. Much like the contacts on your phone, these contacts represent other PayNyms you collaborate with regularly. That said, use of PayNyms is opt-in via an application-wide setting in the config file, and you can use all of the techniques described here with payment codes alone.

You can perform a collaborative two person coinjoin with either payment codes or PayNyms on Sparrow. If you are collaborating with a Samourai user, you will need to use PayNyms, and add each other’s PayNym to your respective contact lists.

Starting the mix

For this guide, we’ll mix between two Sparrow users. Once your mix partner is ready to start, ask them to go to Tools > Find Mix Partner in the Sparrow menu.
They will see a dialog similar to the following:

Finding a mix partner

Note that use of PayNyms is opt-in, and they may need to click a Retrieve PayNym button the first time they use this feature - this will request the PayNym to be created on PayNym.is. This is not strictly necessary however - they can send you either the Payment code, or the PayNym from this dialog.

Once you have their PayNym or Payment code, copy it into the ‘PayNym or Payment code’ field in your Add Mix Partner dialog that you opened previously. Click Next, and ask your mix partner to do the same on their Find Mix Partner dialog. The mix will begin!

Reviewing the mix

Both you and your mix partner will get a chance to review the mix before it is broadcast. Here is what your mix partner will see once the mix begins:

Reviewing the mix type

They will get a chance to approve or decline the mix at this stage. If they click Next to approve, the mix will proceed and you will get to review the two person coinjoin transaction before it is broadcast. Note that it appears similar to the fake two person coinjoin above - however, both you and your mix partner have contributed UTXOs, and both receive change outputs. Of the two other outputs, one is your payment, and the other is a coinjoin output that goes to one of your mix partner’s change addresses. You have a minute to review the mix.

Reviewing the mix transaction

Once you are comfortable, click Sign & Broadcast. Your mix partner will be notified and will be able to inspect the broadcast transaction themselves. Congratulations! You’ve just completed an on-demand, two person coinjoin!

Advanced: If you want to create a mix between two open wallets in the same Sparrow instance, close Sparrow, edit the config file and change the value of sameAppMixing to true. Take care not to lose track of the mix dialogs however, as they will no longer be modal.

Paying to a PayNym

It is also possible to send a payment to a PayNym. You can either do this directly, sending to a private address, or collaboratively using another type of privacy-focused transaction known as a Payjoin (or Stowaway).

To perform this kind of payment, click the down arrow to the right of the Pay To field in the Send tab and select PayNym….

Send to PayNym

You will see a dialog showing the PayNym of this wallet (click Retrieve PayNym if necessary).

Selecting a PayNym contact

You will now need to find the PayNym of the wallet you are paying to in the list of Contacts. If you need to add the PayNym to your list of contacts, enter it in the Find Contact field and click Add Contact when it appears.

From here you need to decide whether to send directly (without needing a mix partner) or collaboratively. If you want to send directly, you will need to click the Link Contact button that appears after you have added the contact. Linking a contact requires sending a notification transaction to an address being watched by the PayNym wallet you are sending to. This will cost 546 sats, plus the mining fee.

Note: It is also possible to send directly to a payment code by pasting it into the Pay to field. Sending directly to a PayNym is not currently supported with a Taproot (P2TR) wallet.

Linking a PayNym

Once this has been done, a set of unique send and receive addresses are created both in Sparrow and the PayNym wallet, allowing you to send to the PayNym independently and privately. The notification transaction only needs to be sent once, and if the PayNym chooses to add you as a contact they will already be linked and can send to you immediately in the same way. This link is stored on the blockchain and any funds sent to these addresses are automatically found using only the wallet seed should you need to restore from backup. Amounts sent to you using this feature will appear in the first (master) wallet should you have multiple accounts configured.

You can also send to a PayNym collaboratively, which does not require the notification transaction but uses the same Soroban technology discussed previously instead. With this technique, both you and your mix partner contribute UTXOs as inputs to the transaction, but your mix partner receives an output with an amount greater than the value you are sending. This not only breaks one of the most common heuristics (known as common input ownership), but it also hides the amount you are sending. In addition, this transaction looks entirely normal to an outside observer.

Which approach you choose will be determined by the button you click once you have selected the PayNym you are paying to. Click Send Directly to send directly to linked PayNyms, and Send Collaboratively if you wish to make an interactive payment. The dialog will close and the Pay to field will indicate you are paying to a PayNym. You can enter the Label and Amount as normal.

If you have linked the PayNym and are sending directly, you can proceed to Create Transaction as normal. Sparrow will automatically use one of the private send addresses known only to you and the PayNym you are paying to.

If the PayNym is not linked, or you have chosen to send collaboratively, click the icon next to Add Mix Partner in the transaction diagram. From here, the process is very similar to that of creating a two person coinjoin described above. Your mix partner will need to use Tools > Find Mix Partner (or Receive Online Cahoots in the Samourai Receive menu) and both of you should click the Next button when ready. Note that currently your mix partner will need to use a wallet funded with at least as much bitcoin as they are receiving. Once the collaboration is complete, you will have broadcast a private payjoin transaction you have both contributed to!

Here is an example payjoin, similar to what your mix partner would see once the transaction has been broadcast:

Completed Payjoin transaction
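
The effect of a payjoin on the common input ownership heuristic, and on the amount an observer sees, can be shown with a small model. This is an added example, not code from Sparrow or Samourai: the address labels and amounts are constructed, and it assumes the sender pays the whole mining fee.

```python
def build_payjoin(sender_in, receiver_in, payment, fee):
    """sender_in / receiver_in are (address, sats). The receiver's output is
    its own input plus the payment, so the payment amount never appears.
    Assumption: the sender pays the whole fee."""
    (_, s_amt), (_, r_amt) = sender_in, receiver_in
    return {"inputs": [sender_in, receiver_in],
            "outputs": [("receiver_new", r_amt + payment),
                        ("sender_change", s_amt - payment - fee)]}

def observed_amounts(tx):
    """All an outside observer can read off the outputs."""
    return [sats for _, sats in tx["outputs"]]

def cluster_by_common_inputs(txs):
    """Common input ownership heuristic: addresses that co-spend in one
    transaction are merged into one presumed owner (union-find)."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a
    for tx in txs:
        addrs = [addr for addr, _ in tx["inputs"]]
        root = find(addrs[0])
        for other in addrs[1:]:
            parent[find(other)] = root
    clusters = {}
    for a in list(parent):
        clusters.setdefault(find(a), set()).add(a)
    return sorted(sorted(c) for c in clusters.values())

if __name__ == "__main__":
    # Constructed data: Alice pays Bob 10,000 sats collaboratively
    pj = build_payjoin(("alice_utxo", 50000), ("bob_utxo", 30000), 10000, 300)
    ordinary = {"inputs": [("carol_1", 7000), ("carol_2", 4000)],
                "outputs": [("shop", 10000), ("carol_change", 800)]}
    print(observed_amounts(pj))                       # 10,000 is not among them
    print(cluster_by_common_inputs([pj, ordinary]))   # Alice and Bob wrongly merged
```

The heuristic is correct for the ordinary transaction but merges two different owners for the payjoin, and neither payjoin output equals the amount actually paid.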


Using these tools, it is possible to remain relatively private while transacting. Linking and paying directly to a PayNym is a powerful feature particularly useful to send and receive payments independently and without the use of a server to offer fresh addresses.

Further, even though collaborative transactions require more effort, the value they provide not only to you but to other users is significant. Consider using these techniques for every transaction you send. It is never too late to start.