March 26, 2017

Improving Bitcoin’s Privacy and Scalability with TumbleBit

Last week we unveiled TumbleBit, a new anonymous payments scheme that addresses two major technical challenges faced by Bitcoin today: (1) scaling Bitcoin to meet increasing use, and (2) protecting the privacy of payments made via Bitcoin. Our proof-of-concept source code and a pre-print of the latest version of our paper were both posted online last week. In this post, I’ll walk through the motivation and the design of TumbleBit, and explain how it achieves the following three important features:

  1. TumbleBit works with today’s Bitcoin protocol. No changes to Bitcoin are required.
  2. TumbleBit payments are processed off of the Bitcoin blockchain, helping Bitcoin scale to higher transaction velocity and volume. Like Bitcoin’s on-blockchain transactions, the safety and security of payments sent via TumbleBit do not require trust in any third party. The TumbleBit payment hub can not steal a user’s Bitcoins.
  3. TumbleBit provides anonymity for its off-blockchain payments even against the TumbleBit service. The exact property we guarantee is unlinkability (as explained in detail below).

Bitcoin Anonymity Concerns

Bitcoin is the ultimate transparent currency. Each transaction reveals the value of bitcoin that was transferred, and the addresses (Bitcoin identities) of both the party transferring the payment and the party receiving the payment. Even worse, these transaction details are recorded in an immutable and massively-replicated ledger which can be read by anyone, i.e. Bitcoin’s blockchain. Feeding this concern is a burgeoning blockchain analytics and surveillance industry.

This presents problems for businesses that want to use Bitcoin, but don’t want to open their books to competitors via the blockchain. It also presents problems for regular users. Much has been made of companies using social networking profiles to make employment decisions and a transparent currency would make this even worse. Just as common wisdom suggests users should be empowered to choose appropriate privacy settings on social networks, users also need to tools to that limit the exposure of their private financial and purchasing history on Bitcoin’s blockchain.

Bitcoin Scalability Concerns

Regarding scalability, Bitcoin faces a problem that many protocol designers only dream of having: too many users want to use it. “On Scaling Decentralized Blockchains (A Position Paper)” explains the issue as follows:

“Today’s representative blockchain such as Bitcoin takes 10 min or longer to confirm transactions, achieves 7 transactions/sec maximum throughput. In comparison, a mainstream payment processor such as Visa credit card confirms a transaction within seconds, and processes 2000 transactions/sec on average, with a peak rate of 56,000 transactions/sec [11]. Clearly, a large gap exists between where Bitcoin is today, and the scalability of a mainstream payment processor.”

Applying Metcalfe’s law to Bitcoin suggests that the more people who use Bitcoin the more useful Bitcoin becomes. Thus scalability both in terms of volume (how many transactions can be confirmed per second) and velocity (how long a transaction takes to be confirmed) are significant limiters of the utility of Bitcoin.

How Does TumbleBit Work?

TumbleBit is implemented as a layer built on top of Bitcoin, and thus is fully compatible with today’s Bitcoin protocol. (This is analogous to how Tor is built as a layer on top of IP.) TumbleBit payments are sent via an intermediary called the Tumbler. In our paper, we describe how the core TumbleBit protocol can be run in in two modes. The first mode is a classic Bitcoin tumbler (also called a mixing service). In this post I will only address the second mode, where TumbleBit is used as an unlinkable payment hub.

A Bitcoin payment hub is a system that allows users to make off-blockchain transactions (via an intermediary, aka the payment hub) with the same level of security as on-blockchain transactions. Users join the payment hub by “opening a payment channel” that escrows bitcoins in an on-blockchain Bitcoin transaction. Next, users send payments to each other off-blockchain. These payments can be high volume and fast, because they are not subject to the time it takes to confirm transactions on Bitcoin’s blockchain. Finally, a user “closes its payment channel” via an on-blockchain transaction that reflects its new balance of bitcoins after all off-blockchain payments have been made.

In order to provide anonymity, TumbleBit requires all its users to open payment channels (in the “Escrow Phase”) and to close their payment channels (in the “Cash-Out Phase”)*. These two TumbleBit phases are relatively slow, because they require each user to post on-blockchain Bitcoin transaction that takes about 10 minutes to be confirmed. However, between these two phases in the “Payment Phase” where users send fast off-blockchain payments. TumbleBit payments can complete in seconds, thus scaling the velocity of Bitcoin payments. Perhaps more importantly, off-blockchain TumbleBit payments do not take up space on Bitcoin’s blockchain. This allows Bitcoin to process many off-blockchain transactions for only two on-blockchain transactions (i.e. the transactions which open and close the payment channel), scaling the maximum transaction volume which Bitcoin can handle.

Payment hubs have a long history in Bitcoin. TumbleBit’s main innovation is to provide unlinkability.

Unlinkability is defined as follows. Informally, unlinkability ensures that no one can tell which payer (Alice) paid which payee (Bob) during the payment phase of TumbleBit. More formally, the amount of bitcoin each user escrowed on the blockchain during the Escrow Phase is public. The amount of bitcoin cashed-out by each user during the “Cash-Out Phase” is also public. Let an interaction graph be any mapping of payments from the payers using TumbleBit (Alice1, …, AliceN) to payees using TumbleBit (Bob1, …, BobM). An interaction graph is compatible if it explains the transfer of funds from TumbleBit’s “Escrow Phase” to TumbleBit’s “Cash-Out Phase”. Unlinkability requires all compatible interaction graphs to be equally likely. TumbleBit payments are unlinkable because the TumbleBit protocol ensures that all compatible interaction graphs are equally likely. The anonymity provided by TumbleBit grows with the number of compatible interaction graphs.

To achieve unlinkability without compromising the security and safety of Bitcoin payments, TumbleBit must also ensure that the hub can’t steal bitcoins from the users or “print money” for itself. To do this, TumbleBit uses two interleaved protocols, the puzzle-promise-protocol and the RSA-puzzle-solver protocol. I give a brief overview of each protocol here. Our paper has the full details.

TumbleBit Walk-Through

TumbleBit replaces on-blockchain payments with off-blockchain puzzle solving, where Alice pays Bob by providing Bob with the solution to a puzzle. The puzzle is generated through interaction between Bob and the Tumbler (the puzzle-promise protocol) solved through an interaction between Alice and the Tumbler (the puzzle-solver protocol). Each time a puzzle is solved, 1 bitcoin is transferred from Alice to the Tumbler and each time Bob learns a solution 1 bitcoin is transferred from the Tumbler to Bob. A TumbleBit puzzle z is simply an RSA evaluation of its solution value ϵ under the RSA public key (pk, N) of the Tumbler, ie

z = ϵᵖᵏ mod N

In the puzzle-promise protocol, Bob is convinced that he has received an valid puzzle $z$, and that the solution to this puzzle will allow Bob to increase the value of his escrow by 1 bitcoin. The puzzle-solver protocol allows the Tumbler to take 1 Bitcoin from Alice’s escrow if and only if the hub reveals the solution to an RSA-puzzle of Alice’s choice. Putting these two protocols together, Alice can buy puzzle solutions from the Tumbler using the puzzle-solver protocol, which is a cryptographically-enforced fair exchange where 1 Bitcoin (from Alice) is exchanged for 1 puzzle solution (from the Tumbler). By purchasing a solution to Bob’s puzzle, Alice in essence pays 1 Bitcoin to Bob via the Tumbler.

Naturally, if Alice gives the Tumbler the exact same puzzle that Bob got from the Tumbler, the Tumbler will know Alice is paying Bob. To solve this problem, we borrow a technique called RSA blinding from Chaum’s original eCash paper ‘Blind Signatures for Untraceable Payments’. Bob blinds the puzzle (by multiplying it with a random value) before sending it to Alice. This way, no one other than Alice and Bob, not even the Tumbler can link Bob’s (unblinded) puzzle to (blinded) puzzle that Alice will pay the Tumbler to solve. This blinding is information theoretically secure. When Bob receives the solution to the blinded puzzle, he can unblind it and learn the solution to the original RSA puzzle which the Tumbler issued to him.

This allows Alice to pay Bob by paying the Tumbler for a solution to a blinded RSA puzzle without revealing to the Tumbler which puzzle is being solved. All the Tumbler observes is Alice buying solutions to random puzzles that the Tumbler never issued. Thus, the Tumbler can not link the solution to any puzzle to an issued puzzle.

The Future of the TumbleBit Project

TumbleBit is a rapidly evolving project. We are currently developing our proof of concept implementation into production ready software, adding increased functionality into our core protocols and exploring new applications.

A major milestone for our protocol was using our proof of concept TumbleBit implementation (available on github) to perform a test of TumbleBit protocol on Bitcoin’s blockchain tumbling 800 Bitcoin addresses to 800 new Bitcoin addresses. Having demonstrated that TumbleBit works at scale on today’s Bitcoin, our next goal is to develop TumbleBit into software the average Bitcoin user can use to protect their privacy when paying with Bitcoin (see our software roadmap on github).

We are also working to improve our protocols and find new uses for them. In the current TumbleBit protocol, all payments must be of the same domination. If this domination is set to 0.01 Bitcoin, and Alice wants to pay Bob 0.05 she needs to make five payments. At the moment we are exploring extensions to our protocols to allow for TumbleBit payments of arbitrary denominations while still providing unlinkability. We are also exploring other applications for TumbleBit, like increasing the privacy of the Lightning Network or performing unlinkable cross-chain trading.


* TumbleBit is currently a unidirectional payment hub: each payment channel can either send funds or receive funds. Users who wish to do both must open two distinct TumbleBit payment channels.

The Princeton Bitcoin textbook is now freely available

The first complete draft of the Princeton Bitcoin textbook is now freely available. We’re very happy with how the book turned out: it’s comprehensive, at over 300 pages, but has a conversational style that keeps it readable.

If you’re looking to truly understand how Bitcoin works at a technical level and have a basic familiarity with computer science and programming, this book is for you. Researchers and advanced students will find the book useful as well — starting around Chapter 5, most chapters have novel intellectual contributions.

Princeton University Press is publishing the official, peer-reviewed, polished, and professionally done version of this book. It will be out this summer. If you’d like to be notified when it comes out, you should sign up here.

Several courses have already used an earlier draft of the book in their classes, including Stanford’s CS 251. If you’re an instructor looking to use the book in your class, we welcome you to , and we’d be happy to share additional teaching materials with you.

Online course and supplementary materials. The Coursera course accompanying this book had 30,000 students in its first version, and it was a success based on engagement and end-of-course feedback. 

We plan to offer a version with some improvements shortly. Specifically, we’ll be integrating the programming assignments developed for the Stanford course with our own, with Dan Boneh’s gracious permission. We also have tenative plans to record a lecture on Ethereum (we’ve added a discussion of Ethereum to the book in Chapter 10).

Finally, graduate students at Princeton have been leading the charge on several exciting research projects in this space. Watch this blog or my Twitter for updates.

Provisions: how Bitcoin exchanges can prove their solvency

Millions of Bitcoin users store their bitcoins with online exchanges (e.g. Coinbase, Kraken) which store bitcoins on their customers’ behalf. They present an interface that looks somewhat like an online bank, allowing users to log in and request payments to other users or withdrawals. For many users this approach makes a lot more sense than the traditional approach of storing private keys on your laptop or phone and interacting with the Bitcoin network directly. Online exchanges require no software installation, enable a familiar password-based authentication model, and can guard against the risk of losing funds with a stolen laptop. Online exchanges can also improve the scalability and efficiency of Bitcoin by settling many logical transactions between users without actually moving funds on the block chain.

Of course, users must trust these exchanges not to get hacked or simply abscond with their money, both of which happened frequently in the early days of Bitcoin (nearly half of exchanges studied in a 2013 research paper failed). Famously, Mt. Gox was the largest online exchange until 2014 when it lost most of its customers’ funds under murky circumstances.

It has long been a goal of the Bitcoin community for exchanges to be able to cryptographically prove solvency—that is, to prove that they still control enough bitcoins to cover all of their customers’ accounts. Greg Maxwell first proposed an approach using Merkle trees in 2013, but this requires revealing (at a minimum) the total value of the exchange’s assets and which addresses the exchange controls. Exchanges have specifically cited these privacy risks as a reason they have not deployed proofs of solvency, relying on trusted audit instead.

In a new paper presented this month at CCS (co-authored with Gaby G. Dagher, Benedikt Bünz, Jeremy Clark and Dan Boneh), we present Provisions, the first cryptographic proof-of-solvency with strong privacy guarantees. Our protocol is suitable for Bitcoin but would work for most other cryptocurrencies (e.g. Litecoin, Ethereum). Our protocol hides the total assets and liabilities of the exchange, proving only that assets are strictly greater than liabilities. If desired, the value of this surplus can be proven. Provisions also hides all customer balances and hides which Bitcoin addresses the bank controls within a configurable anonymity set of other addresses on the block chain. The proofs are large, but reasonable to compute on a daily basis (in the tens of GB for a large exchange, computable in about an hour). Best of all, it is very simple and fast for each user to verify that they have been correctly included. We can even extend the protocol to prevent collusion between exchanges. The details are in the paper, the full version of which is now online.

While our Provisions protocol removes the privacy concerns of performing a cryptographic proof-of-solvency, there are still some practical deployment questions because the proof requires the exchange to compute using its private keys. Exchanges rightly go to great lengths to protect these keys, often keeping them offline and/or in hardware security modules. Performing a regular solvency proof requires careful thinking about the right internal procedure for accessing these keys.

These deployment questions can be solved. We hope that cryptographic proofs of solvency will soon be expected of upstanding exchanges. Incidents like that of Mt. Gox have greatly damaged public perception of the entire Bitcoin ecosystem. While solvency proofs can’t prevent exchange compromises, they would have made Mt. Gox’s troubles public earlier and more clearly. They would also shore up confidence in today’s exchanges which are (presumably) solvent.

Taking a step back, solvency proofs are yet another example where we can replace an  expensive and trust-laden process in the offline world (financial inspection by a trusted auditor) with a “trustless” cryptographic protocol. It’s always exciting to take a new step in that direction. There remain limits as to what cryptography can do though. Critically, solvency proofs do not create a binding obligation to pay. A malicious exchange could complete a Provisions proof and then immediately abscond with all of the money. For this reason, some form of government regulation of online exchanges makes sense. Though regulation is dreaded by many in the Bitcoin community, it appears to be on the horizon. Bills have been proposed in several states, largely aimed at exchanges. Interestingly, the model regulatory framework proposed by the Conference of State Bank Supervisors in September already mentions cryptographic solvency proofs as a means of demonstrating solvency. We hope this recommendation is enacted in law and solvency proofs are a tool to avoid the cost of the heavyweight auditing requirements traditionally demanded of banks, while simultaneously increasing transparency for exchange customers.