Spending Privately

Prerequisites

This guide explains how to send Bitcoin in a relatively private manner. If you haven’t read the Quick Start guide yet, that’s a good place to learn how to install and get introduced to Sparrow.

Why is this necessary?

Key to understanding the need for privacy tools is first understanding the Bitcoin UTXO model.

Every amount in Bitcoin consists of a transaction output - that is, the output of a transaction which sends an amount to a given address. Every transaction output, or TXO, has a specific, discrete amount. Before an amount is spent, it is called an unspent transaction output, or UTXO.

When you create a Bitcoin transaction, you combine one or more UTXOs as inputs, providing the funds you are looking to spend. When the transaction is broadcast and mined in a block, all of these UTXOs become spent. In other words, they are not reduced in value, but completely consumed, and can never be spent again.

When the new output of your transaction does not match the input amount (less fees), a change output is created. This change output sends funds back to your wallet, which are then available as another UTXO.

Because the Bitcoin blockchain is public, this model has several privacy implications:

  1. The recipient of any transaction (and any outside observers who learn their address) can determine some information about the amount of funds you hold by looking at the input UTXOs you spent.
  2. If your transaction has a change UTXO, the same observers can see when that change (and its change) gets spent, and so learn more about your spending history as you transact over time.
  3. All input UTXOs in a transaction are generally assumed to be from the same owner, linking them together in a “cluster” to an outside observer (we’ll see how to break this assumption later).

Blockchain analysis uses a number of generally applicable rules or heuristics to separate payment amounts from change amounts. The primary goal of this lies in learning when ownership changes in order to understand more about your funds and how you use them. While these heuristics depend on probabilities, they can be very effective. Without privacy tools, once your identity is linked to one UTXO much about your wealth and transaction history can be determined with relatively high probability over time.
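To see what an observer can infer from the points above, the following added example (not part of Sparrow or the original guide) applies the common-input assumption to a few constructed transactions and shows how identifying a single change output merges two otherwise separate clusters. The addresses, transaction ids and the `change_hints` parameter are made up for illustration.

```python
from collections import defaultdict

# Constructed sample: (txid, input addresses, output addresses). All names are made up.
SAMPLE_TXS = [
    ("tx1", ["addrA", "addrB"], ["merchant1", "addrC"]),  # addrC is the change
    ("tx2", ["addrC", "addrD"], ["merchant2", "addrE"]),  # spends that change
    ("tx3", ["addrX"], ["merchant1", "addrY"]),           # an unrelated wallet
]

def cluster_addresses(txs, change_hints=None):
    """Group addresses an observer would attribute to one owner.

    Inputs of one transaction are merged (point 3 in the list above).
    change_hints maps txid -> output the observer believes is change,
    which is merged with that transaction's inputs (point 2).
    """
    change_hints = change_hints or {}
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    def union(a, b):
        parent[find(a)] = find(b)

    for txid, inputs, _outputs in txs:
        for addr in inputs:
            union(inputs[0], addr)
        if txid in change_hints:
            union(inputs[0], change_hints[txid])

    clusters = defaultdict(set)
    for addr in parent:
        clusters[find(addr)].add(addr)
    return sorted(sorted(c) for c in clusters.values())

if __name__ == "__main__":
    print(cluster_addresses(SAMPLE_TXS))
    print(cluster_addresses(SAMPLE_TXS, {"tx1": "addrC"}))
```

Without a change hint the wallet appears as two separate clusters; once `addrC` is recognised as change, all four of its input addresses fall into one.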

Privacy tools seek to disrupt these heuristics. Some, like the fake two person coinjoins discussed here, create transactions which introduce confusion (or entropy) in the transaction graph. Others, like payjoin, break some of the assumptions that common heuristics depend on. Used together, it is possible to remain relatively private when transacting with Bitcoin.

Fake two person coinjoin

A common approach for spending privately is to create an equal output coinjoin while spending.

An equal output coinjoin is a technique where individuals contribute inputs to construct a specific transaction containing a number of equal output amounts. This adds ambiguity about which of the output amounts went to which wallets or entities, and makes the probability of tracing ownership of funds much lower. In the case of a two person coinjoin with two equal outputs, either output could represent the funds of one of the individuals. In addition, a coinjoin output might or might not represent an external payment, since it is common to send the output amount back to a wallet you own. For example, you might do this to consolidate or break up UTXOs you own.

The simplest way to add privacy when spending is to create a fake coinjoin (also known as a Stonewall transaction). This is a transaction you create alone, but that appears to be potentially constructed by multiple individuals. To the outside observer, there is no way to determine whether the coinjoin is fake or not - it is ambiguous. This approach requires no collaboration, and can be done with any kind of wallet (including hardware wallets).

To create a coinjoin with yourself, create a transaction as normal on the Send tab and select to optimize for Privacy using the toggle button in the lower left. If the wallet has sufficient funds available, Sparrow will construct the coinjoin as follows:

[Figure: Constructing a fake coinjoin]

Note that there are two sets of inputs (indicated by the brackets on the left in the transaction diagram), representing each “individual” in the coinjoin. Each “individual” must contribute more than the payment amount, meaning your wallet must have funds greater than twice the payment you are making. If your wallet doesn’t have enough funds, you can still perform a collaborative coinjoin discussed below.

Of the outputs, the first output represents the payment to the address in the Pay to field. The second output is a “decoy” of the same amount (5,670 sats) and is paid to one of the change addresses in this wallet. Then there are two change outputs, representing change to each of the “individuals” - both of these are also sent back to this wallet as change.

As the Analysis… tooltip indicates, to the outside observer this appears to be a possible two person coinjoin. However, it is actually a transaction where all inputs are owned by the same wallet. You can now create, sign and broadcast this transaction as normal, having gained additional privacy at the cost of a slightly higher fee due to the additional inputs and outputs.

Note that to create this kind of coinjoin in Sparrow, the address you are paying to needs to be of the same type as your wallet (so the outputs look the same).
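The structure described above, as an added example that is not Sparrow's own coin selection code: a simplified builder that splits a wallet's UTXOs into two input sets, each covering the payment plus half the fee, and emits the payment, the decoy and two change outputs. The UTXO labels and values, the 400 sat fee and the first-fit selection order are assumptions; only the 5,670 sat payment comes from the guide.

```python
# Constructed sample wallet: (label, amount in sats). Values are made up.
SAMPLE_UTXOS = [("u1", 4000), ("u2", 3000), ("u3", 9000), ("u4", 2000)]

def build_fake_coinjoin(utxos, payment, fee):
    """Lay out a fake two person coinjoin from a single wallet's UTXOs.

    Each simulated "individual" gets a disjoint set of inputs that must
    total more than the payment plus its share of the fee, so that each
    set also yields a change output. First-fit selection is a
    simplification; a real wallet chooses inputs more carefully.
    """
    fee_shares = [fee // 2, fee - fee // 2]
    remaining = list(utxos)
    input_sets, changes = [], []
    for share in fee_shares:
        chosen, total = [], 0
        while remaining and total <= payment + share:
            label, sats = remaining.pop(0)
            chosen.append(label)
            total += sats
        if total <= payment + share:
            raise ValueError("not enough funds for two input sets; "
                             "the wallet needs more than twice the payment")
        input_sets.append(chosen)
        changes.append(total - payment - share)
    outputs = [
        ("payment", payment),     # to the address in the Pay to field
        ("decoy", payment),       # same amount, to one of our change addresses
        ("change_1", changes[0]), # change for the first input set
        ("change_2", changes[1]), # change for the second input set
    ]
    return {"input_sets": input_sets, "outputs": outputs}

if __name__ == "__main__":
    tx = build_fake_coinjoin(SAMPLE_UTXOS, payment=5670, fee=400)
    for name, sats in tx["outputs"]:
        print(f"{name:9} {sats:>6} sats")
    print("input sets:", tx["input_sets"])
```

With a wallet holding only 8,000 and 3,000 sats the same call raises `ValueError`, because the second input set cannot exceed the payment.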

PayNym? Payment code?

In the previous example, the address we sent to was provided by the recipient. But what if we want to pay someone non-interactively (that is, without asking them for a fresh address every time)? For that to work in a private manner, we need to get a unique identifier for the recipient we can use to create fresh addresses. Each wallet can create this identifier deterministically, called a payment code. It’s similar to an xpub, except that no information about a wallet can be learned from it. In this sense, it is safe to share.

The payment code is, however, quite long, making it more difficult to share in person. Samourai Wallet have created a directory of payment codes at https://PayNym.is. Every payment code that is added to the directory is run through an algorithm that gives it a short, friendly name, such as +roundgrass881. This name is known as a PayNym. Every one is unique, and each has an associated “robot” profile picture to make them more memorable. In addition, each PayNym has a list of contacts. Much like the contacts on your phone, these contacts represent other PayNyms you collaborate with regularly. That said, use of PayNyms is opt-in via an application-wide setting in the config file, and you can use all of the techniques described here with payment codes alone.

Paying to a PayNym

It is possible to send a payment directly to a PayNym, which sends it directly to a private address known only to you and the recipient.

To perform this kind of payment, click the down arrow to the right of the Pay To field in the Send tab and select PayNym….

[Figure: Send to PayNym]

You will see a dialog showing the PayNym of this wallet (click Retrieve PayNym if necessary).

[Figure: Selecting a PayNym contact]

You will now need to find the PayNym of the wallet you are paying to in the list of Contacts. If you need to add the PayNym to your list of contacts, enter it in the Find Contact field and click Add Contact when it appears.

To send to the PayNym, you will need to click the Link Contact button that appears after you have added the contact. Linking a contact requires sending a notification transaction to an address being watched by the PayNym wallet you are sending to. This will cost 546 sats, plus the mining fee.

Note: It is also possible to send directly to a payment code by pasting it into the Pay to field. Sending directly to a PayNym is not currently supported with a Taproot (P2TR) wallet.

[Figure: Linking a PayNym]

Once this has been done, a set of unique send and receive addresses is created both in Sparrow and the PayNym wallet, allowing you to send to the PayNym independently and privately. The notification transaction only needs to be sent once, and if the PayNym chooses to add you as a contact they will already be linked and can send to you immediately in the same way. This link is stored on the blockchain and any funds sent to these addresses are automatically found using only the wallet seed should you need to restore from backup. Amounts sent to you using this feature will appear in the first (master) wallet should you have multiple accounts configured.

Click Send To Contact to send directly to linked PayNyms. The dialog will close and the Pay to field will indicate you are paying to a PayNym. You can enter the Label and Amount as normal.

If you have linked the PayNym and are sending directly, you can proceed to Create Transaction as normal. Sparrow will automatically use one of the private send addresses known only to you and the PayNym you are paying to.

Conclusion

Using these tools, it is possible to remain relatively private while transacting. Linking and paying directly to a PayNym is a powerful feature particularly useful to send and receive payments independently and without the use of a server to offer fresh addresses. Consider using these techniques for every transaction you send. It is never too late to start.