On August 10, the Stratis Platform team announced the attainment of a major milestone in the development of their Breeze Wallet, which is one of the first implementations of TumbleBit, a protocol to improve Bitcoin’s anonymity.
Stratis Marches Forward with Breeze Wallet
The new and improved wallet has been in testing since May, and is due for an imminent release, utilizing the TumbleBit protocol to provide enhanced privacy for cryptocurrency transactions conducted with the Breeze wallet. The Breeze Tumbler is expected to be used in commercial scenarios, for example, where businesses want to protect customer or sensitive data for competitive reasons.
The Breeze wallet is an ambitious project from the Stratis team, which was launched March 2017 and in less than a year, the wallet will have its alpha release. Adam Ficsor, one of the contributors to the original TumbleBit research paper, stated in March 2017:
“Everyone who is not using Bitcoin Core has already had all their addresses linked together by third parties. This is not a theoretical “assume the worst case” strategy, this is reality. The third parties are either the central servers your wallet relies on or in case of SPV wallets all Blockchain surveillance companies.”
Until a TumbleBit wallet such as Breeze is ready, it is best to hold your bitcoin in a full node for maximum privacy. With web wallets and SPV wallets, your identity is more at risk of being uncovered by third parties. The problem with traditional tumblers is that they frequently interact with the Bitcoin blockchain, which can be used to deanonymize users. TumbleBit solves two problems; how can we hide who sends from the tumbler? And how can we prevent the tumbler from stealing?
To solve these problems, TumbleBit is based on David Chaum’s blind signatures. Let’s look at how one person, Alice, donates 1 bitcoin to another, Bob, through TumbleBit by formalizing the actions of the actors as follows:
Tumbler: I want to play a game, I created a bunch of puzzles. I pay 1 btc for every solution and I also solve any puzzle for 1 btc. So the Tumbler solves any puzzle, not just ones it created.
Alice: I use this game to anonymously pay Greg. I choose a puzzle and blind it. Then I make the Tumbler solve this blinded puzzle for 1 bitcoin. Once the Tumbler solves the puzzle, I unblind the blinded solution. Finally, I give the solution and original puzzle to Greg.
Bob: I can redeem this solution for 1 bitcoin from the Tumbler, according to Roger.
Alice blinds a puzzle, makes the Tumbler solve the blinded puzzle for 1 bitcoin, and unblinds the blinded solution. Alice then gives the original puzzle and the solution to Bob, and he redeems 1 bitcoin from the Tumbler with them. The key observation is as follows; when Bob and, say hundreds of other payees, come to redeem a bitcoin with their own solutions, the Tumbler cannot link together the blinded puzzles and blinded solutions, which it previously solved for Alice and the hundreds of other payers, with the real ones. This is the main idea behind TumbleBit’s anonymization technique.
Exploring TumbleBit Further
While we have explained how TumbleBit anonymizes payments, how does the Tumbler forward your bitcoin without the ability to exit scam on you? Digging deeper, there are similarities between TumbleBit and the Lightning Network. Stratis’ BreezeWallet is a bitcoin wallet that does not ruin full node-level privacy but not as cumbersome as a full node. Technically, it is also an unidirectional payment hub, similar to how the Lightning Network operates, where opening payment channels allows trustlessness. You can read more about the basics of payment channels here.
We can explain the three phases of TumbleBit for a better understanding; in the Payment Phase, off-blockchain payments take place. Secondly, the Escrow Phase sets up payment channels and finally, the Cash Out phase closes them down, where only these two phases require on-blockchain transactions.
Now suppose Alice wants to send bitcoin to Bob. Bob asks for a payment channel to be setup, where the Tumbler (T) escrows 1 bitcoin for a 2-of-2 multisignature transaction between the Tumbler and Bob, that is time locked for a certain time, say t. Then Alice escrows 1 bitcoin, time-locked for a specified time prior to t.
The next step for Bob is that he receives a cryptographic puzzle, as mentioned before, which occurs off-chain with the Tumbler. The output of the puzzle-promise protocol is a promise that T will pay Bob 1 bitcoin in exchange for the solution to the puzzle, z. The puzzle is just an RSA encryption of a given value. Solving the puzzle is equivalent to decrypting z and solving for the value. The promise part is a symmetric encryption key, which allows Bob to claim 1 bitcoin from T with the solution to the puzzle. It also ensures the Tumbler provides a proof that the puzzle solution is indeed the key that decrypts the ‘promise’ ciphertext.
Thirdly, once Alice indicates readiness to pay Bob, a random blinding factor is used to blind the puzzle, which ensures that not even the Tumbler can link the original puzzle to its blinded version. Bob sends the blinded version to Alice and he solves with T. This puzzle-solver protocol is a fair exchange ensuring Alice will send 1 bitcoin to T if and only if the Tumbler gives a solution to the puzzle. Then Alice sends the solution to the blinded puzzle back to Bob, who then unblinds the solution and accepts Alice’s payment if the solution is valid.
Then we get to the Cash Out phase, where Bob uses the puzzle solution to decrypt the ciphertext. With this, Bob can create a transaction that he signs and is signed by the Tumbler, which is then posted to the blockchain so Bob can receive 1 bitcoin from the Tumbler. The Tumbler could steal from Alice and not pay Bob, but we get around this as Alice signs claim 1 in the diagram below and Tumbler signs claim 2 at the same time with the use of hash locks, as mentioned previously, and hence explains why the 2-of-2 multisignature escrow between Bob and the Tumbler is longer than the time for Alice’s escrow. Alice signs claim 1, Tumbler signs claim 2 before time t specified earlier, then Bob recieves bitcoin.
How TumbleBit Benefits Bitcoin
From Roger’s perspective, we can see how TumbleBit can help scalability. For example, the Payer will escrow some bitcoins in the beginning phase, which are used to make off-blockchain payments to the Tumbler for solving puzzles. Suppose we want to make numerous payments, not just one, and we escrow Q bitcoin. Now for each puzzle the Tumbler solves, we sign an off-chain transaction, and give the Tumbler a new puzzle.
The Tumbler updates the balance but does not sign the transaction yet. More and more puzzles can be requested to be completed, and if Roger refuses to sign the transaction for the puzzle solved previously, the Tumbler will not solve any more puzzles. Each transaction in this stage is signed by Roger, but not by the Tumbler, which is required for the 2-of-2 multisignature to release the escrow and complete the payments.
Suppose we have transactions up to j bitcoin, for j<Q, for Roger. Now the Tumbler will claim its bitcoin for the escrow transaction by signing the transactions that sum to j bitcoin; as it is the only transaction to be signed by both the Tumbler and Roger, a cheating payer cannot steal the bitcoins. Moreover, it demonstrates that a payee can receive many transactions off-chain with just two on-blockchain transactions.
TumbleBit is exciting not just because of the privacy-augmenting features, but also because it requires many bitcoins to be put into escrow, so once widely used, it will act as a direct pressure on the price of bitcoin, as many units of the cryptocurrency will be locked away into escrow.
However, as outlined in the TumbleBit research paper, there are some weaknesses of the protocol, which could be researched further once the Breeze wallet is available. Payees have better privacy than the payers, as the the Tumbler knows the time t at which the payer sends each transactions, whereas only the aggregate number of bitcoins cashed out by the payee is known by the Tumbler. There is also the theoretical problem of collusion between payees and the Tumbler to uncover the identity of the payer.
In summary, the Stratis project is just over one year old and it is showing signs of progress, with a soon to be released privacy-focused wallet that can hold both stratis (STRAT) and bitcoin (BTC). As one of the first implementations of TumbleBit, it will mark a significant development for the scalability and privacy of bitcoin and cryptocurrency payments for businesses. Actual implementation of TumbleBit will enable the Stratis team to polish the protocol, explore any weaknesses and improve upon it further, demonstrating one way in which the progress made by altcoins is beneficial for the future development of Bitcoin.