CoinSwap is a proposed method for making Bitcoin transactions more private. Currently, chain analysis relies heavily on the assumption that if Alice sends an entire UTXO to an address, she is sending the transaction to herself. CoinSwap undermines this assumption by allowing two parties to send entire UTXOs to new addresses which are not their own. In doing so, parties will swap UTXOs and break the chain of custody for both coins.
While a CoinSwap is composed of on-chain transactions, CoinSwap is an off-chain coordination protocol, and it would not require any changes to Bitcoin’s protocol. All interactions between the two parties would take place over the internet, and normal Bitcoin transactions would be posted to the Bitcoin blockchain. However, CoinSwap is still in its nascent phase, and has not been widely implemented or adopted.
How CoinSwap Works
The way CoinSwap works is that two parties, Alice and Bob, both send a UTXO to separate 2-of-2 multisig addresses. These two transactions are completely separate, and, discounting timing and identical amount attacks, the two transactions should not be linkable by chain analysis.
Next, Alice and Bob cooperate to spend the bitcoin from both multisig addresses to each other. The bitcoin Alice sent to her multisig address will be sent to an address belonging to Bob, while the UTXO Bob contributed will be sent to Alice.
At the end of this process, Alice and Bob will each control the same amount of bitcoin—minus the transaction fees—and will have superior privacy.
Weaknesses of CoinSwap
The simplified explanation of CoinSwap provided above has several weaknesses, which would undermine the privacy enhancements CoinSwap offers.
For example, if Alice and Bob both send each other equivalent amounts of money, chain analysis might be able to match the amounts across the different transactions and deduce that a CoinSwap has occurred. In order to prevent this, the CoinSwap can be split into several transactions, obfuscating the total amounts sent by each party.
Additionally, a hypothetical CoinSwap market is ripe for denial of service (DoS) attacks and eclipse attacks. In a DoS attack, an attacker can repeatedly initiate a CoinSwap with an honest participant and halt it midway, forcing the victim to pay on-chain fees without reaping the privacy benefits. An attacker can also offer to execute a CoinSwap many times with many individuals in order to discover which UTXOs they control, stripping their existing privacy. Lastly, an attacker can participate in a large number of CoinSwaps and trick users into thinking they have established privacy when they have simply been executing one or more CoinSwaps with the same observer, who can then deanonymize the victim’s coins.
Fidelity bonds have been proposed as a solution to these attacks. In brief, fidelity bonds require the maker of a CoinSwap offer to post time-locked bitcoin as collateral, assuring the taker that the maker has a strong incentive to execute the CoinSwap smoothly. Fidelity bonds lock up a maker’s funds, and thus, a large-scale DoS attack would require an enormous amount of bitcoin to be locked up for a significant time period. This high cost is thought to be sufficient to deter DoS attacks.