In this section, we build upon Obscuro’s security analysis performed on CoinJoin, CoinShuffle, CoinParty, Xim, Mixcoin, Blindcoin, and TumbleBit in . We expand on their comparison of academically proposed Bitcoin mixers by performing the same analysis on the five mixing services included in this study.
The five mixers in the study do not have protections in place against coin theft. ChipMixer, Bitcoin Mixer, and Sudoku Wallet provide no proof of origin for the provided input address, making it possible for adversaries or malicious mixer operators to steal funds. On the other hand, MixTum and CryptoMixer provide signed letters of guarantee, making it difficult for an attacker to inject their own address. However, the letter of guarantee is ineffective against malicious mixer operators. Although it establishes accountability, users can still have their funds stolen. Mixcoin and Blindcoin have the same limitation against a malicious operator. Thus, six out of eight mixing services in Obscuro’s analysis implement protections against coin theft. For example, CoinJoin, CoinShuffle, and TumbleBit use multisig addresses to ensure all parties are involved in the movement of funds.
ChipMixer and Sudoku Wallet provide private keys as outputs. Importing these keys to a wallet may be appealing because of its off-blockchain nature; however, it leaves users susceptible to coin theft. The mixing service could still have access to the private key and sweep the funds to a separate address without user permission.
Relationship anonymity is not guaranteed in any of the five mixing services studied. Malicious mixing operators can directly learn the permutation between inputs and outputs. Additionally, all five services store or log session data for a limited amount of time, providing a tempting target for adversaries. In comparison, five out of eight proposed mixing services in Table provide a method to ensure relationship anonymity. For example, CoinParty and CoinShuffle use output address shuffling while Blindcoin and TumbleBit use blinding.
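To illustrate the blinding idea mentioned above, the following added example (not code from this study, Obscuro, Blindcoin, or TumbleBit) runs a textbook RSA blind signature and shows that the token the operator signs is consistent with every candidate output address. The toy key, the function names, and the placeholder address strings are constructed assumptions.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key from two Mersenne primes; far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # operator's private exponent

def h(address: str) -> int:
    """Hash an output address into the integers modulo N."""
    return int.from_bytes(hashlib.sha256(address.encode()).digest(), "big") % N

def blind(address: str):
    """User side: hide h(address) behind a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(address) * pow(r, E, N)) % N, r

def mixer_sign(blinded: int) -> int:
    """Operator side: signs the blinded token; the address is never seen."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """User side: strip r to obtain an ordinary signature on h(address)."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(address: str, sig: int) -> bool:
    """Anyone: check the operator's signature on an output address."""
    return pow(sig, E, N) == h(address)

def alternative_factor(blinded: int, other_address: str) -> int:
    """Analysis aid (uses D only to make the point): the factor r' under
    which the same blinded token would be hiding other_address instead."""
    return pow(blinded * pow(h(other_address), -1, N) % N, D, N)

def demo() -> dict:
    a_out, b_out = "output-address-A", "output-address-B"  # constructed
    blinded, r = blind(a_out)                 # all the operator ever logs
    sig = unblind(mixer_sign(blinded), r)     # later redeemed for a_out
    r_alt = alternative_factor(blinded, b_out)
    return {
        "signature_valid": verify(a_out, sig),
        "valid_for_other_address": verify(b_out, sig),
        "other_address_also_explains_token":
            (h(b_out) * pow(r_alt, E, N)) % N == blinded,
    }
```

Because every output address explains the logged token under some blinding factor, the operator's session log alone does not reveal the input-to-output permutation, unlike a log of plain address pairs.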
All five public mixers lack resistance against dropping participants. This is common in protocols that involve a mixer operator who can control the mixer’s worldview. In comparison, five out of eight protocols studied in Obscuro’s analysis guarantee participation for all users. The only centralized protocol included in these five is Obscuro. In its implementation, selective dropping of participants results in a DoS attack because of the protocol’s dependence on public bulletin boards.
Large Mixing Set Guarantee
Of all five services, CryptoMixer was the only one to guarantee a large mixing set size. For public mixing services, we view the mixing set to be the pool of UTXOs that the mixing service controls. To guarantee a large mixing set, CryptoMixer provided reputable Bitcointalk users with access to a list of their owned addresses along with signatures for each. The users were able to confirm that the service had nearly 2000 BTC in their pool. In comparison, two out of eight proposed services provide a guarantee of a large mixing set. For example, Obscuro refunds user inputs when a minimum number of participants is not reached. Mixcoin, Blindcoin, and TumbleBit do not include an agreement of a minimum mixing set size in their centralized protocols. In decentralized protocols like CoinJoin, CoinShuffle, and CoinParty, users are guaranteed a small set due to the communication overhead and long wait times with larger anonymity sets.
All five public mixing services provide resistance against join-then-abort attacks. This is common with all centralized mixing services. Users are unable to abort the mixing protocol after funds have been sent to the given input address. In comparison, five out of eight proposed protocols also provide resistance against this attack. In CoinJoin implementations, like CoinShuffle, users are able to disrupt the mix by disapproving of the final transaction.
Minimum On-Chain Transactions
The number of on-blockchain transactions for the five mixers in this study is similar to the proposed protocols in Obscuro’s analysis. Aside from Xim, which requires three ads on-blockchain before the four transactions in Barber’s Fair Exchange, and TumbleBit, which uses two escrow channels, the proposed protocols require one to two transactions.