Skip to main content

Envoy 1.4 – Say Hello to Coin Control

With the release of Envoy version 1.4 today, we’ve taken the next big leap forwards in our goal with Envoy — to bring the best of Bitcoin to you, simplified. Since the release of Envoy’s full mobile wallet functionality with Magic Backup, we’ve been working tirelessly to bring you the next phase focused on giving you full control over your Bitcoin. Say hello to the most intuitive and approachable coin control to date.

Coin Control Made Easy

Taking control of your money has been a part of our mission from day one, and the ability to control exactly how you spend your bitcoin through Envoy is a key part of that. In this release of Envoy we’ve spent countless hours taking the concept of coin control that has existed in other Bitcoin wallets back to the drawing board, as coin control should be within reach of everyone, not just “techy” Bitcoiners. We think coin control should be something even grandma can use.

The concept of coin control can often be a foreign one to new Bitcoiners, but quite simply it’s a tool that allows you to choose what coins get spent in each transaction. The standard functionality of a wallet is to use a coin-selection algorithm to intelligently select the best coins to spend when you send bitcoin, but without some form of coin control there is no way for the algorithm to know what history each coin carries with it. When you combine coins with different histories, you reveal information about your financial activity you may not be intending to share!

When you use coin control, you can tag coins and add notes to transactions as you use Envoy, allowing you to spend only the coins which you want to each time you spend your bitcoin. Don’t want to reveal how much you get paid to your grocer? Only pay him using coins from your previous visits to the grocery store. Tired of your barista seeing how much you paid for dinner last night? Only pay him using coins you just got peer-to-peer. Coin control gives you total control over what information you choose to reveal each time you use Bitcoin — the very definition of privacy.

Using coin control on Envoy is just a tap away behind the new “Tags” icon inside of each account, where you can easily select to spend from an entire tag or get into the weeds and select individual coins to spend. You can keep things as simple as you want or get as granular as you want — you’re in control now. And if the concept of coin control seems like too much for you today, you can simply never touch it and still benefit from a smart coin-selection algorithm in the background that does its best to reduce fees while preserving your privacy.

All of this functionality gets added on top of the 60 second onboarding that Envoy brings via Magic Backups, the seamless integration with Passport, and the fully customizable privacy settings across the board. It’s time you experienced Bitcoin, simplified by downloading Envoy today.

If you want to deep dive into how you can use coin control we’ve got you covered with our new docs on the topic: Tags, Notes + Coin Control | Foundation Docs

Redesigned Learn Center

We have a deep passion for user education and empowerment, and want to make the output of that passion more accessible through Envoy. When you have questions about how Envoy or Passport works, want to learn more about Bitcoin, or simply want to pass the time with the sound of BitcoinQnA’s voice in the background, we’ve got you covered. We’ve started from scratch and improved every aspect of the Learn center, starting with a drastically improved video player and a new video host. Videos are faster to load, easier to control, and are now automatically marked as watched afterwards.

We’ve also added full support for reading our blog posts directly in Envoy without ever leaving the app or opening your browser. Blog posts also get marked as read immediately after viewing them, making it simple to keep up with the latest in Foundation announcements and education. In addition, we’ve revamped our FAQ section at the bottom and updated it with all of the recent changes in Envoy and Passport.

Privacy Shield Joins the Toolbar

We’ve always held preserving user privacy as one of our chief values at Foundation, and that starts with the options available to our Passport and Envoy users. With this version of Envoy, we’re taking things a step further and improving the visibility and usability of all of those privacy settings in Envoy with a new standalone section we’re calling the “Privacy Shield.” Quickly connect to your own Bitcoin full node, switch back to Foundation’s, use Tor for improved privacy, or turn Tor off for better performance when necessary.

Everything you need to know about preserving your privacy while using Envoy can be found in our documentation: Privacy | Foundation Docs

Activity Center, Reborn

In addition to launching coin control and revamping our privacy settings, we’ve taken the time to overhaul the activity center in Envoy and give it a new home in the toolbar. Everything you need to keep up with your Bitcoin activity, Passport firmware updates, and more can be found in the Activity Center now. We plan on expanding this in the near future to encompass more things as well, so keep an eye out for future Envoy updates!

Want to learn more? Dive into our docs here: Activity | Foundation Docs

So Much More

If this has piqued your interest, head on over to our full release notes to learn more about what we’ve added, improved, or fixed with this release of Envoy:

https://foundationdevices.com/2023/12/envoy-version-1-4-0-is-now-live/

We can’t wait to hear your feedback on this latest iteration of Envoy, and if you have any questions or run into any issues, please don’t hesitate to reach out:

https://foundationdevices.com/2021/12/support-where-and-when-you-need-it/

Announcing Envoy Wallet: Bitcoin Simplified

We’re thrilled to announce a groundbreaking release of Envoy, our mobile companion app for Passport. This new update transforms Envoy into a standalone Bitcoin mobile wallet with powerful account management and privacy features.

Envoy makes financial sovereignty more accessible than ever before and radically lowers the barriers to Bitcoin self custody.

Notably, Envoy Magic Backups take the pain and worry out of setting up and backing up a mobile wallet, allowing you to get up and running in 60 seconds and restore your wallet anytime, on any device, in just three taps. It’s time you experienced Bitcoin, simplified.

Read below to learn more, or dive right in and download Envoy now!

THE BEST OF BOTH WORLDS

With mobile wallet support in Envoy, the combination of Envoy + Passport empowers you to store your wealth in an ultra secure, intuitive hardware wallet while also spending Bitcoin on the go in just a few taps. Move funds back and forth between Envoy and Passport, make airgapped transactions, and access your spending and saving balances from anywhere – all in a single app!

Not a Passport owner? This update introduces full Bitcoin wallet functionality on your iOS or Android phone. Use Envoy to store and spend your Bitcoin with strong security, privacy via Tor, and a streamlined setup experience.

We are excited to bring our best-in-class design, intuitive and approachable user experience, and peace of mind to smartphone users across the globe – no Passport required.

WHAT IS A “MOBILE WALLET?”

In Bitcoin, the term “mobile wallet” refers to any wallet that keeps your keys on an internet-connected smartphone for easier spending and receiving of funds. While you should not keep your life savings in a mobile wallet, it provides easier access to a small amount of Bitcoin for spending, withdrawing from an exchange, and onboarding new users.

Envoy has traditionally been a “watch-only wallet” that connects to Passport, allowing you to view your balance and create transactions, but providing limited functionality when you are away from your hardware wallet. Now you can enjoy Envoy as a full-featured Bitcoin wallet on the go.

EXPERIENCE MAGIC BACKUPS

Envoy introduces a new seed-less onboarding experience called Magic Backups. While Envoy users can of course manually handle seed words if desired, we aimed to engineer a solution that enables 60-second onboarding and automatic encrypted backups of Envoy’s private key and application data (such as settings and labels), with a full restore taking just three taps.

Additionally, we wanted to ensure that Envoy does this without collecting any user data – no email address, no passwords, no IP address (when Tor is enabled) – no friction!

We expect Envoy Magic Backups will lead to a massive increase in self custody, with easier onboarding than you’d find at any Bitcoin exchange or custodian.

HERE’S HOW ENVOY MAGIC BACKUPS WORK

  1. Envoy generates a seed and stores it on your phone’s secure element.
  2. Since most users have iCloud Keychain or Android Auto Backup enabled, the seed is automatically synced to your other iOS or Android devices – fully end-to-end encrypted, without needing to give Envoy permission to access your iCloud or Google account. This encryption means that only you can access this data, not even Apple or Google.
    • Learn more about iCloud Keychain.
      • “iCloud protects your information with end-to-end encryption, which provides the highest level of data security. Your data is protected with a key that’s made from information unique to your device, and combined with your device passcode, which only you know. No one else can access or read this data, either in transit or storage.”
    • Learn more about Android Auto Backup.
      • “Android preserves app data by uploading it to the user’s Google Drive—where it’s protected by the user’s Google account credentials. The backup is end-to-end encrypted on devices running Android 9 or higher using the device’s pin, pattern, or password.”
  3. Envoy then creates a backup file containing your app settings, account labels, and other non-sensitive app data, so that Envoy can be restored to its exact previous state. This folder is end-to-end encrypted with your seed so that Foundation can never see the contents. We call this the Envoy Backup.
  4. The fully encrypted Envoy Backup is uploaded to Foundation’s servers, alongside a hash of the seed (a cryptographic representation of the seed that proves your knowledge of the seed, not the seed itself!) so that we can ensure no one else can attempt to download your backup without proving knowledge of your seed phrase.
  5. There is no Foundation user account, no email, no password – all you need is access to your iCloud or Google account.

RESTORING FROM MAGIC BACKUPS

If you lose your phone or delete the Envoy app, restoring your wallet takes only a few seconds with Magic Backups.

  1. Envoy checks the secure element on your phone and looks for the seed.
    • If it discovers a seed on the secure element, Envoy hashes the seed and sends the hash to our server.
      • This merely proves your knowledge of the seed and does not reveal your seed to Foundation in any way!
    • If it does not discover a seed, it accesses the encrypted backup from iCloud Keychain or Android Auto Backup and restores the seed to the secure element. Then Envoy hashes the seed and sends the hash to our server.
  2. Envoy then downloads the encrypted Envoy Backup from our servers.
  3. Envoy uses the seed to decrypt the Envoy Backup file locally (on your phone!) and restores all user settings, account labels, and other app data – so it’s like you never left.

OTHER NOTABLE CHANGES

We’ve also added the following features and improvements in this release:

  • Biometric/PIN authentication. Now you can protect your mobile wallet or Passport balances from prying eyes
  • Ability to swipe on accounts to hide balances while you’re on the go. For example, you can display your mobile wallet balance but hide your hardware wallet balance.

TRY ENVOY TODAY

We’ve released this new version of Envoy to all major platforms, so you can choose the method that suits you best below:

  1. If you’re on iOS, you can install Envoy from the App Store using the following link:
  2. For those on Android, you can either find Envoy in the Play Store, install via F-Droid, or download the app directly from Github (Envoy is fully open source!):
    • Play Store
    • F-Droid
    • GitHub
      • Download the APK titled “envoy-apk-1.1.3.apk” directly from the above link and install
      • As this APK is signed with our own keys instead of Google’s keys via the Play Store, if you’re using the Play Store version you’ll have to uninstall Envoy first before installing the public beta

HOW CAN I GIVE FEEDBACK OR GET SUPPORT?

As you use Envoy as a mobile wallet, we’d love to hear from you – every issue, bug, or favorite feature! There are three main places you can go to give us feedback or get help with Envoy:

  1. We have a standalone Telegram channel for our community that you can join and give feedback or get support
  2. You can email us
  3. You can direct message us on Twitter

WHAT’S NEXT

The release of Envoy as a mobile wallet paves the way for a range of roadmap items we’ve been planning for some time, and we can’t wait to build on this strong foundation of simplified Bitcoin usage. Next you’ll be able to jump in the ???? with thousands of other Bitcoiners, become a ????, or ⚡ your way to a cup of coffee — all within Envoy!

We’re excited to release the next piece of your financial sovereignty toolkit to the masses and onboard a wave of Bitcoiners to self-custody, privacy, and financial sovereignty sat by sat.

Now back to building.

All your wallets, one backup

With the release of our latest update for Passport, we’ve empowered you to leverage your Passport for far more than just a cold storage wallet. The introduction of a new “Key Manager” extension enables two powerful new tools in child seeds and Nostr keys, both of which are derived directly from your Bitcoin seed on Passport and automatically backed up to microSD. All of your wallets under one backup.

As both of these features are entirely new to our products, we’ve set out in this blog post to explain how you can use them, detail some real world use-cases, and walk through how all of this is possible from a simple Bitcoin seed phrase.

BIP 85 done right

While the ability to create nearly infinite child wallets from a single master seed phrase has been around for a few years in BIP 85, the complicating factor has always been how to implement in a way that is intuitive and easy to use. In previous attempts at allowing users to generate child keys they’ve required manual index backups, had no ability to name the keys themselves to differentiate them, and have pushed the feature to only the most advanced Bitcoin users.

As one of our goals at Foundation is to bring Bitcoin self-custody down into the real-world and make it more approachable, we spent many hours working with our design team to make Key Manager accessible for even the least technical users. That work has culminated in an extension that takes one click to enable and then guides you through every aspect of key management, regardless of background or expertise.

Key Manager at a glance

Let’s get to the fun stuff — how does all of this actually play out when using Passport? All you have to do to unlock all of this new functionality in Passport is to enable the Key Manager extension from the settings menu. Just a few presses and you have a new card on your home screen that lets you create and manage BIP 85 child seeds and Nostr keys with a few clicks! View all your keys, distinguish them quickly by unique icons, and manage their names in seconds.

Once you have enabled Key Manager, creating a new key is incredibly straight forward. Simply navigate to the new Key Manager card on your home screen and select “New Key.” Choose how many words you want the seed to be and the new key is automatically saved via encrypted microSD backups. When you need to use the new child seed in another wallet, simply select “Export,” choose whichever format your favorite wallet supports, and import it. It’s that easy.

Using Key Manager in the real world

Still wondering how all of this can help you? Let’s walk through some real-world examples of ways that you can leverage child seeds to simplify and safeguard your Bitcoin journey. Once you’ve secured your Passport backup properly — either by encrypted microSD backups or manual seed backup — you can start creating child seeds for all kinds of uses without the additional headache of needing to back each of them up separately.

One of the most common and immediately useful ways to leverage child seeds is by using a child seed from Passport for your mobile wallet of choice. Simply turn on your Passport, navigate to the Key Manager page, create and name a new key, and then export as a QR or seed words and setup your mobile wallet. In just a few minutes you have a highly secure backup already in place for your new mobile wallet, but can spend easily and freely on the go. This makes pairing Passport with Envoy as a mobile wallet the best of both worlds.

Another common use-case for our more privacy-minded community is to use a child seed from Passport to create a hot wallet for mixing in Samourai Wallet or Sparrow Wallet. You can now easily keep those funds in your mixing wallet while you’re reclaiming your privacy without an additional seed to back up (or potentially lose). You can even leverage Sparrow Wallet to mix from that new child seed directly to Passport using our Postmix extension, bringing privacy to your cold storage without all of the normal headaches. Privacy meets peace of mind.

Lastly, child seeds present an incredible way for those who are more knowledgeable and further along in their Bitcoin journey to help back up funds of close family and friends while they’re learning the ropes. You can generate child seeds for your parents, your kids, or your friends who are new to Bitcoin to help get them started while reducing the risk of them losing precious sats. While this does give you access to their bitcoin, it’s a great temporary tool while they get comfortable using Bitcoin.

But wait, there’s more!

That’s not all that the Key Manager extension enables, though! We’ve also been building out full Nostr key support as a part of the extension, allowing you to leverage the power of child keys to create Nostr keys directly from your Bitcoin seed on Passport. One master backup with Passport and all your Nostr keys are safe and secure.

When you want to create that new Nostr key, it’s as easy as navigating to the new Key Manager card, selecting “New Key,” choosing the “Nostr” option, and then naming it as you see fit. Whenever you want to login to a Nostr client, simply export the new key to QR and scan it from your favorite client (Amethyst currently supports this) or export to microSD as a text file and copy paste if necessary. No more worrying about losing your Nostr key.

While it’s not live in this release, we’ve also been hard at work implementing delegated key signing a la NIP-26 into Passport. This new approach to key management means that you can leverage a child key to sign-in and use Nostr without ever exposing your master Nostr key to the world. This standard and implementation are still in their infancy, but we’re excited to help grow the ways that our users can leverage Passport to empower their freedom in areas outside of Bitcoin alone. We’re thankful for all those working on freedom tech more broadly and we can’t wait to get delegated key signing in your hands shortly.

Driving Nostr forward

Nostr key management is one of the areas where Nostr is very early in development today, so we’ve been working hard as a team to find ways that we can give back to the Nostr ecosystem and help to drive forward mature standards. One of the ways we have worked to improve the ecosystem is by helping expand the standard for Nostr key derivation in NIP-06 to include generating multiple keys properly. We helped to develop and test a derivation method that would allow you to generate practically infinite usable Nostr keys from a single Bitcoin seed and contributed that tested definition to the official repository on Github.

Another key way we have worked to help grow the Nostr key management ecosystem is through funding bounties to implement Nostr key QR login and delegated key use in Amethyst, one of our favorite Nostr clients today. Taking the time to create issues for features you love and drive open bounties incentivizes developers to implement these features and rewards them for their incredible contributions to free and open-source code, something that is absolutely vital to continuing to grow the FOSS movement!

If you’re on Nostr today, be sure to follow us below to keep up with the latest things we’re building, writing, and sharing:

What’s next

We’re also working on expanding the Taproot payments support added in this version into full Taproot support to both send and receive, implementing NIP 26 support as mentioned above, and much more. We hope you enjoy the new features in Passport’s latest firmware as much as we do, and we can’t wait to hear your feedback on what uses you find for child seeds, Nostr keys, and so much more!

If you’d like to learn more about the technical details and usage of Key Manager, you can jump right into our detailed support docs below:

Bitcoin doesn’t need banks

As governments attempt to stanch the bleeding of citizens waking up to the need for freedom and fleeing the dollar for harder money, they are rapidly shutting down the centralized, surveilled, and regulated on and off-ramps that the Bitcoin ecosystem has relied on for so many years. The resulting tightening of regulation and control should be a helpful push for each of us to explore the tools available for buying and selling Bitcoin as we need without trusting third parties, giving up Personally Identifiable Information (PII), or giving up custody of our Bitcoin.

The search for a powerful and yet easy-to-use peer-to-peer (P2P) platform for buying and selling Bitcoin has been a complicated road, but the last few years have seen rapid growth, added liquidity, and improvements in the tools we have at our disposal. In this post we’ll break down what a P2P exchange is, why we need them, and how you can approach using some of the best out there today.

Why we need P2P exchanges

When Satoshi set out to create Bitcoin, he envisioned a world where Bitcoin freed us from the control and surveillance of third parties, banks, or custodians. A world where we have ultimate control of our money, we contribute to network security through mining, running a node, and paying network fees, and where we can carve out the middle-man we’ve had to endure in the modern financial system. Instead, much of the Bitcoin ecosystem today centers around custodial exchanges that charge fees, collect sensitive information about Bitcoiners and their on-chain activity, and constantly rug pull users intentionally or due to hacks and theft.

What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party.

Satoshi Nakamoto

Thankfully, even though these exchanges have dominated the Bitcoin space so far, developers and Bitcoiners have been working tirelessly to build tools that keep the middle-man out of our fiat <> Bitcoin trades and allows us to embrace the intended form of Bitcoin – one that is censorship-resistant, non-custodial, and P2P in nature. Bitcoiners trading with other Bitcoiners is the path towards making Bitcoin much more resilient to attacks by nation states and regulators, and is key for us to be able to continue using Bitcoin with or without the State’s approval. No banks required.

What is a P2P exchange?

Though most of us are familiar with the flow of using a centralized exchange, few Bitcoiners have ventured into the waters of P2P exchanges yet. As a result, the thought of breaking the centralized paradigm and trading directly with other people can be daunting, but thankfully the reality is far more approachable! In a P2P exchange, you’re no longer trading with a faceless corporation or trading desk, but instead you’re working directly with other Bitcoiner’s like you to buy and sell Bitcoin as you need.

While the exact approach to using these tools can differ, the core principle is the same. For this scenario, let’s assume you want to buy Bitcoin:

  1. The platform hosts an “order book,” letting you easily see what amounts are available at what prices.
  2. You select an offer you want to take, and a trade is created between you and the “maker” of the offer.
  3. The maker deposits Bitcoin into a multisig wallet you share to ensure that he can’t run off with your fiat.
  4. You coordinate fiat payment with the maker, usually something like Zelle, Cash App, Revolut, or cash face-to-face or by mail.
  5. Once fiat payment is completed, the maker confirms he received the fiat and releases the Bitcoin to be sent directly to your wallet.

And that’s it! In reality it’s a simple and uncomplicated process, but does differ from the flow we’ve all become accustomed to with centralized exchanges. You just traded fiat for Bitcoin directly with another human without involving any intermediaries, without sacrificing your personal privacy, and without giving up custody of funds to an exchange for a prolonged period of time. P2P exchanges are the future.

Our best options today

So what are you waiting for? Let’s dive into our favorite options out there today, learn a bit about them, and go over some resources that are helpful when getting started. The beauty of a free and open ecosystem driven by people like you is that there is a broad range of tools available, each with a unique set of benefits and tradeoffs.

A quick note: though it might be confusing, most of the P2P options that are widely used still rely on a centralized website in order to find buyers and sellers. However, even though there is a centralized website or platform in most of these tools, they don’t hold your Bitcoin, don’t collect personal information, and merely serve as a gateway to trading safely and securely with other Bitcoiners. Also, the list below is in no particular order, we love all these P2P exchanges equally.

AgoraDesk

AgoraDesk is a platform in the vein of LocalBitcoins (RIP), providing a simple and intuitive platform for buying and selling Bitcoin P2P. When you trade on AgoraDesk, you create a simple profile (no PII involved!), select an offer according to the payment method you prefer, and trade directly with other humans. AgoraDesk also recently launched an excellent open-source mobile app, making it far easier to buy and sell Bitcoin on the go.

How it works

AgoraDesk is a centralized platform with a company behind it that acts as an arbitrator for trades in case of any dispute. When a seller creates an offer, the seller has to lock Bitcoin (equal to the trade amount) in an “arbitration bond,” providing funds that will be used if the seller attempts to back out of the trade or run off with your fiat. If the seller follows through, the appropriate amount of Bitcoin gets sent to you after the seller confirms receipt of your fiat, and all is well. If the seller attempts to steal your fiat or fails to follow through on the trade, an arbitrator gets involved and their arbitration bond (equal to the amount owed to you) is sent to you as compensation.

As long as you read carefully along the way and be sure to follow all steps properly, there is no way that a malicious seller can scam you out of your funds.

More here: FAQ — AgoraDesk

Learn more

 

Hodl Hodl

Hodl Hodl is a very similar platform to AgoraDesk, focusing on buying and selling Bitcoin P2P. They never custody your Bitcoin, never hold your fiat, and seek to protect your privacy from the moment you start using their platform. Simply sign up with an email and password, pick (or make) an offer for the payment method you want to use, and get Bitcoin directly to your wallet. No KYC. No middle-man. No custodians.

How it works

Hodl Hodl is also a centralized platform with a company that acts as an arbitrator in the case of a dispute. When you accept an offer, the seller and you create a 2-of-3 multisig escrow along with Hodl Hodl. This multisig ensures that if the trade goes well you and the seller can collaborate to send the Bitcoin to your wallet properly, but if the seller is malicious or fails to follow through on the trade an arbitrator can step in and assist. If the seller fails to follow through, an arbitrator can review the trade and send the Bitcoin to the harmed party (whether buyer or seller), ensuring that good actors don’t lose any funds.

As long as you read carefully along the way and be sure to follow all steps properly, there is no way that a malicious seller can scam you out of your funds.

More here: Hodl Hodl – Why is trading on Hodl Hodl secure?

Learn more

Hodl Hodl’s website

Peach Bitcoin

Peach Bitcoin is one of the newest P2P exchanges to leap onto the scene over the last year, and has become a favorite of many in our community even while it remains in beta. Peach Bitcoin is a simple app that connects you with sellers directly, facilitating trades in a very similar fashion to AgoraDesk and Hodl Hodl but with a focus on mobile, intuitive user experience, speed, and a modern UI.

Peach also helps you backup your app in a self-sovereign way, save fiat payment methods for easier trades, and much more.

How it works

Peach Bitcoin is a centralized platform that acts as the arbitrator in trades. When a seller creates an offer, the seller sends Bitcoin to a 2-of-2 “decaying” (more on that later) multisig wallet that he shares with Peach, ensuring that he can’t send funds without Peach’s approval and Peach can’t steal funds themselves. If the trade goes properly, the seller and Peach will work together to send funds to your wallet directly. If the seller is malicious or fails to follow through, after 30 days the multisig will decay to a 1-of-2 and Peach will control the funds, sending them to the buyer appropriately. This approach allows trades to proceed much more quickly as the seller’s Bitcoin are already locked in the multisig escrow and confirmed on-chain before a buyer even accepts the trade.

As long as you read carefully along the way and be sure to follow all steps properly, there is no way that a malicious seller can scam you out of your funds.

More here: Trading FAQ · Peach Bitcoin

Learn more

Peach Bitcoin’s Android app

Robosats

Robosats is an incredibly innovative P2P exchange built around the Lightning Network, enabling you to buy and sell Bitcoin directly on Lightning from other people across the globe. Robosats can only be used over Tor, ensuring that you have strong privacy from both Robosats themselves and the peers you trade with. 

Not only that, but each time you use Robosats you quickly generate an entirely new “Robot,” giving you a new pseudonym and account to transact under. You should always backup the token Robosats gives you to recover your active trades if you delete the app or close the website while an offer or trade is active. If you’re an active Lightning user, Robosats is an important tool in your toolkit and an awesome P2P exchange.

How it works

Robosats is a centralized platform where they act as an arbitrator in the case of a dispute like the other options, but as it’s a Lightning-centric platform the methods differ. When a seller opens a trade, the seller locks a “fidelity bond” of a small percentage of the total trade amount. When a buyer takes the trade, the buyer also locks a small fidelity bond of the same percentage, and if either buyer or seller fails to follow through in a timely manner their bond is forfeit to the honest party. Once the trade is in-progress, the Bitcoin seller locks funds in an escrow “hold invoice” to Robosats wallet and the buyer provides an invoice of the same amount to Robosats.

If the trade is successful, the fidelity bonds are returned to the buyer and seller appropriately, and the locked hold invoice pays out to Robosats, who then pay out the full amount to the buyer’s provided invoice. If the trade is unsuccessful and one party is malicious and tries to game the system, a dispute can be opened where an arbitrator steps in and determines the honest party, rewarding them the fidelity bond of the malicious party and sending the sellers Bitcoin to the buyer if fiat has already changed hands.

As long as you read carefully along the way and be sure to follow all steps properly, there is no way that a malicious seller can scam you out of your funds. Note that in order to make your first trade on Robosats you do need to already have Bitcoin in order to lock the fidelity bond upon making or taking a trade.

More here: 

Learn more

 

Bisq

Bisq is the only P2P exchange for Bitcoin that is truly decentralized in nature and does not rely on a single website or entity for its functionality. This makes Bisq an extremely resilient platform for buying and selling Bitcoin, even in the harshest adversarial environments around the world. Bisq operates as a standalone desktop app that natively integrates the Tor network for preserving your privacy when communicating with the Bitcoin network, the Bisq network, and your trading peers.

While Bisq doesn’t have the more familiar UX of other options we’ve given, it provides an option that is viable in almost any scenario and should be much more resistant to pressure over the long run.

How it works

Bisq stands apart from the other options on this list due to its true decentralization, and as a result has a slightly different model for security. When a seller creates an offer and when a buyer takes an offer, both buyer and seller lock security deposits (with the amount being set by the seller). When the trade begins, the Bitcoin being sold is sent to a shared 2-of-2 multisig wallet between the buyer and seller, ensuring that neither party can steal funds from the other. If the trade is successful, the buyer and seller both sign to send the funds to the buyer’s wallet directly. 

If either party is malicious, a dispute can be opened where arbitrators from the community are engaged to help decide the honest and malicious parties and properly award the security deposits. If no resolution can be reached between both parties, the funds can be sent to a Bisq community donation address by either party and the arbitrator can reimburse the honest party from the Bisq DAO.

As long as you read carefully along the way and be sure to follow all steps properly, there is no way that a malicious seller can scam you out of your funds or prevent you from being reimbursed by an arbitrator. Note that in order to make your first trade on Bisq you do need to already own Bitcoin, as you must lock a security deposit when making or taking offers.

More here: Frequently asked questions – Bisq Wiki

Learn more

Bisq’s desktop app

Azteco Vouchers

Azteco is an entirely different beast, and actually not a P2P exchange at all so we’ve added it as a bonus! Azteco is on this list still as it provides a powerful way to buy Bitcoin directly from corner shops and retailers in many countries without providing ID or even creating an account anywhere. Azteco does this by creating Bitcoin vouchers (just like those “top up” SIM cards) that you can buy for cash or with a credit card in person. Simply buy a voucher in person, go to azte.co, and redeem the voucher directly to your Bitcoin wallet. Azteco has many of the same benefits as normal P2P exchanges, and is a great option if you want to buy in person but don’t have any P2P sellers in your area on something like AgoraDesk or Hodl Hodl.

How it works

Azteco is obviously very different from the other options listed here, and is entirely custodial until you redeem the voucher given to you when you purchase. As such there is no risk of a malicious peer stealing your Bitcoin, but of course you are trusting Azteco to properly send the Bitcoin when you go to redeem the voucher!

The only key thing to watch out for is to be sure the Azteco vendor you choose is properly listed on their site before buying a voucher to prevent unknowingly buying counterfeit vouchers.

More here: Azte.co

Learn more

Azteco’s website

What to look forward to

We’ve only scratched the surface of what can be built for empowering use of Bitcoin without needing banks, and the recent explosion is strong evidence that the concept of P2P exchanges is taking off. We’ve been thrilled to see new apps like Peach Bitcoin and Robosats rapidly growing in volume and usage, and can’t wait to see what ingenious tools get built in the coming years. As more and more Bitcoiner’s start to use P2P exchanges to buy and sell Bitcoin, the future becomes brighter for how easy these tools are to use, how much liquidity is available, and how much funding goes to building them out.

We hope that this list gives you practical ways that you can start to use Bitcoin without involving the traditional banking system, enabling you to access Bitcoin without permission and without surveillance. Now let’s get out there and build a better world with Bitcoin at its core.

Making sense of stealth addresses

In our previous blog post we briefly touched on how important it is to protect the privacy of the recipient in a transaction. Today we’re going to take a closer look at a specific way to preserve privacy – “reusable payment codes”, otherwise known as “stealth addresses.” While the concept of the reusable payment code is not a new one – a form of them was officially proposed as a Bitcoin Improvement Proposal (“BIP”) in 2015 by Peter Todd – they’ve become a popular topic again after two recent proposals on new ways to implement them.

Today we’ll walk through why we need reusable payment codes, how the current approaches differ, and how you can start using them today.

Why do we need reusable payment codes?

If you’ve ever had to receive Bitcoin multiple times from the same person before, you’ll know that there is a seemingly simple choice to make – do you generate a new address for them each time (and communicate it somehow), or do you tell them to re-use the same address? If you choose to generate a new address each time, you have to actively communicate somehow, send them the address, and hope they copy and paste it correctly each time. If you instead choose for them to reuse a single address, you harm the privacy of both participants in order to simplify repeat payments.

For a real-world example, consider the case of wanting to accept donations as a political dissident. If you choose to post a single static Bitcoin address, you put every donor (and yourself) at risk of trivial surveillance in order to simplify the process for you and your donors. If you choose to generate a new address for each donor, you have to run extra infrastructure like BTCPay Server or SatSale, increasing the difficulty exponentially and requiring some technical know-how. We’ve even seen a recent example of this in donations raised by Russian opposition leader Alexey Navalny, easily visible to anyone with a blockchain explorer and actively surveilled by the Russian pro-Putin government.

The dilemma in both of these simple cases is exactly what reusable payment codes seek to solve, allowing you to provide a single static string of characters (a “code”) that can be reused as many times as necessary – even by multiple senders – without sacrificing privacy or requiring online communication with the recipient. To better understand how this type of tool presents a solution, we need to dig into each of the current proposals, including the only current live implementation of reusable payment codes, PayNyms (or BIP 47).

Where did the idea of reusable payment codes come from?

The original idea for reusable payment codes (originally called “stealth addresses”) is over a decade old at this point, originally being proposed in 2011 on the Bitcoin Talk forums and then unofficially given a BIP number (63) in 2015 after a proposal by Peter Todd in early 2014. This proposal never gained traction and was abandoned by the author when a change to Bitcoin’s OP_RETURN field broke his approach.

This original proposal shares many similarities to PayNyms, Silent Payments, and Private Payments, using a set of keys combined into one long payment code to allow senders to generate unique addresses for the recipient and leveraging the OP_RETURN. This approach is simple and relatively easy to implement, but relied on a large OP_RETURN field (something that was reduced shortly after it was proposed) and made every payment utilizing stealth addresses stand out on-chain. Even with its drawbacks, this was a major step forward and would form the foundation for future proposals.

Reusable payment codes become a reality

The next proposal to build on the work of Peter Todd was presented in BIP 47 and ultimately became what we know today as “PayNyms.” BIP 47 iterated on the stealth address proposal by utilizing a single notification transaction to signal to the recipient to watch for payments to a specific public key (and thus set of addresses) instead of including payment code signaling in every payment. While there are multiple versions of BIP 47, as the only one in use is version 1 we will focus on that in this post. For simplicity’s sake, for the rest of this post let’s have “Alice” represent the sender in a transaction, and “Bob” represent the recipient who is using a reusable payment code.

How it works

When Alice goes to send funds to Bob, her wallet uses the reusable payment code she got from Bob to generate a unique shared secret by combining (1) a private key from an output she owns, (2) the public key in Bob’s reusable payment code, and (3) a 64-byte blinding factor so that only Bob can interpret the shared secret. Alice’s wallet then converts this payment code to binary and inserts it into this notification transaction’s OP_RETURN field in order to let Bob know where to expect future payments from her. 

Both Alice and Bob have to be extremely careful not to link this notification transaction (or the inputs or outputs) with other transactions, as that could provide an on-chain link between their wallets and undo privacy gained from using BIP 47 reusable payment codes. Thankfully, current implementations in Samourai and Sparrow Wallet hide this “toxic” output associated with the notification transaction by default to protect both sender and recipient.

When Bob wants to check for received funds, he monitors his notification address, and when a transaction is received to it he (1) validates that it includes a BIP 47 payment code, (2) decrypts it with his private key, and then (3) stores the information on the set of addresses Alice can send to and watches them like any normal Bitcoin wallet. Even though this notification code is publicly visible on the blockchain, it is encrypted in such a way that only Bob can deduce the addresses it is used to generate, and thus all of Alice’s future payments are known only to Bob. Alice can now send as many payments as she would like to a unique address every time, and Bob can easily watch for new payments with both “light” wallets and “full” wallets.

A example BIP 47 notification transaction, note the OP_RETURN output

Advantages and trade-offs

BIP 47 holds the unique status of being the only form of reusable payment code to actually be implemented and widely used thanks to the efforts of the Samourai Wallet team, who have implemented BIP 47 as “PayNyms.” PayNyms are leveraged in Samourai Wallet, Sparrow Wallet, and Stack Wallet, allowing any user to easily share a reusable payment code or register their PayNym with Samourai Wallet’s servers to get a short version of their reusable payment code like “+shrillsurf491.” This short form of their reusable payment code can then be looked up by any PayNym user on Samourai’s servers and resolved to the full payment code, allowing them to then send payments in a privacy-preserving way.

While BIP 47 does have the major drawback of requiring a notification transaction for funds to be easily recovered, this is outweighed by the ability for light wallets to utilize reusable payment codes and the simplicity of implementation, making it very easy for wallet developers to add support for BIP 47 reusable payment codes to their wallets.

While BIP 47 does have the major drawback of requiring a notification transaction for funds to be easily recovered, this is outweighed by the ability for light wallets to utilize reusable payment codes and the simplicity of implementation, making it very easy for wallet developers to add support for BIP 47 reusable payment codes to their wallets. This has led to rapid growth and adoption of BIP 47 and PayNyms in a way that no other proposal has seen so far.

Doing away with the notification transaction via Silent Payments

Some Bitcoin developers consider the trade-offs inherent in BIP 47 too harmful, and have sought ways to implement reusable payment codes without needing an on-chain notification transaction, but no other proposals gained interest until 2022. However, in March of 2022 Ruben Somsen proposed “Silent Payments,” a new approach to reusable payment codes that removes the need for a notification transaction entirely by leveraging the outputs in a transaction to signal to the recipient when funds are intended for them. Silent Payments makes use of advances in Bitcoin scanning to remove the need for a notification transaction, thereby improving scaling and privacy associated with reusable payment codes (with a key trade-off we’ll address later).

How it works

When Alice goes to send funds to Bob, she takes three keys and creates a unique one-time address that only Bob controls the keys to. These three keys are the (1) public key of the output(s) Alice wants to send to Bob, (2) Bob’s public key in his reusable payment code, and (3) a shared secret (generated using the same cryptography as stealth addresses and BIP 47, “ECDH“) that only Alice and Bob know. These three keys combine into a unique one-time address that Bob can then validate and spend from, allowing Alice to generate practically infinite addresses without any communication with Bob. This payment appears exactly like any other payment using the same script type (i.e. Taproot), thereby preventing an outside observer from even knowing Silent Payments were used at all, much less link payments to a Silent Payment address together.

When Bob wants to check for received funds, he takes (1) the private key from his payment code and (2) the aggregated key across the inputs of every transaction on-chain and checks to see if the combination matches an output in a transaction. If it matches, that output is owned by his private key and he can spend it at will, and if it doesn’t match he simply ignores that transaction and continues scanning. This process of checking every input in transactions is relatively costly and requires a full node, but does preserve privacy and remove the need for problematic notification transactions entirely. 

An example testnet SIlent Payment transaction, note that it looks like any other standard Taproot transaction

Advantages and trade-offs

[This] brings us to the significant trade-off of Silent Payments: because this scanning is relatively costly and can only be performed with a full Bitcoin node, Silent Payments necessarily do not work on light wallets, limiting their usage in practice.

Because with Silent Payments Bob must scan all transactions on the blockchain from the point that he generated the payment code, it brings us to the significant tradeoff of Silent Payments: because this scanning is relatively costly and can only be performed with a full Bitcoin node, Silent Payments necessarily do not work on light wallets, limiting their usage in practice.

While Silent Payments present a unique and useful set of trade-offs in comparison to BIP 47, they have not yet been implemented in any wallet and thus cannot be used by the average person. Silent Payments are particularly useful when you only want to send a single payment or donation to a given reusable payment code, as they do not require a separate notification transaction and so are cheaper and more efficient than the alternatives available today. It will be interesting to see if Silent Payments catch on, but for now you can follow the conversation on the topic on Github for future developments.

BIP 47 with a twist: Private Payments

Last but not least, the newest kid on the block is BIP 351, or “Private Payments.” Private Payments strikes a middle ground in trade-offs between BIP 47 and Silent Payments, minimizing the potential impact and issues of a notification transaction (while still requiring one) and reducing the scanning requirements to only scanning OP_RETURNs (while still requiring a full node). Private Payments was proposed in July of 2022 by Alfred Hodler and Clark Moody, and is the latest approach to reusable payment codes.

How it works

When Alice goes to send funds to Bob, she takes (1) Bob’s public key encoded in his payment code and combines it with (2) a shared secret she generates to create a unique one-time address to use for a notification transaction. She then generates a unique notification code to include in the OP_RETURN of the notification transaction, creating a transaction that does not re-use a notification address (unlike BIP 47), but does stand out on-chain (unlike Silent Payments). Once she has sent this notification transaction, she can then generate a new, unique address for each subsequent payment to Bob without any links on-chain, and no direct link between any of her UTXOs and Bob’s notification address.

When Bob wants to check for received funds, he checks the OP_RETURN on every transaction since he generated his payment code for those with OP_RETURNs including a notification code that matches his private key. When he finds one that matches, he can then add all derived addresses to a watch list and monitor them for transactions just like a normal Bitcoin wallet. As this only requires checking the OP_RETURN field in each transaction instead of performing validation of every input and output, it’s necessarily much lighter on requirements than that of Silent Payments. While this still precludes the simple usage of light wallets (similar to Silent Payments), it would be easier to off-load the validation of OP_RETURNs to an external (trusted) service.

Advantages and trade-offs

As Private Payments requires both a notification transaction and a full node for proper scanning, it strikes something of a balance between the two other proposals without fully gaining the benefits of BIP 47’s notification transactions and the ability to use light wallets, or the scaling and privacy improvements from the omission of a notification transaction in Silent Payments. It could still pose an interesting approach for light wallets that are willing to trust an external OP_RETURN validation service, however, and gives us a great example of the continuing innovation and exploration around how we can best approach reusable payment codes.

Using reusable payment codes today

If you’ve read through this and are wondering how you can actually use this fascinating technology today, I’ve got great news for you – BIP 47, or PayNyms, are extremely easy to use today with both Samourai Wallet and Sparrow Wallet. Both have well-implemented native support for reusable payment codes, making it extremely easy to create one (all hot wallets have one by default) and to send to a reusable payment code. For the relevant documentation on using PayNyms in both wallets, you can jump in below:

If you’re not currently using one of these wallets, using reusable payment codes is unfortunately often not supported as it does require a bit of work for wallet developers to implement. There is, however, ongoing work by an independent developer to implement BIP 47 PayNyms in Blue Wallet, and we at Foundation are eager to implement PayNyms into Envoy in the future. Outside of using Samourai Wallet. Sparrow Wallet, or Stack Wallet, you can help along the growth of reusable payment codes by talking about the need on social media, following the relevant conversations and BIPs, and donating to developers and projects working on innovation and implementations along the way.

What We Protect

In Part 1 of our series on making every spend a CoinJoin, “Why We Mix”, we walked through the philosophical and practical first steps behind the fight for privacy in Bitcoin. In Part 2 we’re digging into what information we share when we make a standard Bitcoin transaction, and what we want to (and can!) choose to protect to gain financial privacy. 

Each transaction we send in Bitcoin contains information on all inputs used, all outputs sent, and the time when the transaction is published to the mempool and included in a block. This ultimately breaks down into 4 key pieces of information; the sender, the recipient, the amount sent, and the source node.

Why does Bitcoin reveal so much information in each transaction?

When you sit down and think about the amount of information contained in a Bitcoin transaction, you may begin to wonder why in the world all of this has to be shared with the world each time you send a Bitcoin transaction. One of the tradeoffs that comes with making Bitcoin a decentralized and distributed ledger is that each transaction must contain enough information for (1) miners and nodes to validate that transactions don’t double spend funds, (2) users to be able to find their own funds without hassle, and (3) for the supply of Bitcoin to be easily validated by network participants.

While novel approaches to leveraging more powerful (but more complex!) forms of cryptography to hide sender, recipient(s), and amounts have been developed and proposed over the years, none of these approaches existed in the early days of Bitcoin, and each comes with its own set of tradeoffs and risks. Instead of implementing protocol changes like ring signatures, confidential amounts, or stealth addresses at the base layer, the Bitcoin community and developers have opted to keep Bitcoin’s base layer transparent by design and rely on higher layers and application-level privacy tools to allow users to opt-in to better privacy in Bitcoin.

Because of this choice, the ability for each of us to gain privacy becomes a matter of personal responsibility and knowledge instead of a protocol-enforced default. For better or worse, we each get to choose our own preferences and path towards financial privacy when it comes to Bitcoin.

An example transaction

As we walk through these four key pieces of information about each Bitcoin transaction, having an example transaction to refer back to will be invaluable. This transaction has been chosen at random from the Bitcoin ledger, but illustrates quite a few key aspects of a lack of privacy being inherent in Bitcoin.

Transaction ID: 01b668043b819fd812dd861c2d28deba04136751af087386dc5b991beb73493a

What can we learn from a simple look into the transaction? Let’s break it down into key findings from using simple, widely available blockchain exploration tools like mempool.space and oxt.me:

  • The sender consolidated multiple outputs to make the transaction, revealing all the inputs as almost certainly belonging to them
  • Going back one hop with the largest input shows us that some of the funds were withdrawn from Bitstamp (but not all)
  • The sent amount is almost certainly 0.011 BTC, as it is sent to a different type of address (“P2SH”, or wrapped/nested SegWit)
    • We can also confirm this analysis due to the rounded payment amount (0.011 BTC) which almost never happens with fees or change outputs
  • The recipient is still using a legacy Bitcoin wallet and has not upgraded to use Segwit
  • The change amount is almost certainly 0.00004088 BTC, as it is sent to the same type of address as the inputs (“P2WPKH”, or Segwit Bech32)

We’ll look more at these findings in each section below.

Protecting the sender

When we look at the different pieces of information revealed in a Bitcoin transaction, the information on funds being spent (and thus on the sender themselves) rightfully deserves the most focus when approaching transactional privacy. When you view any basic Bitcoin transaction in an explorer, you quickly realize that you can learn an immense amount of information about the sender by simply following the inputs backwards.

How do we see this play out in our example transaction? Let’s take a closer look:

  • The sender consolidated multiple outputs to make the transaction, revealing all the inputs as almost certainly belonging to them
  • Going back one hop with the largest input shows us that some of the funds were withdrawn from Bitstamp (but not all), tying multiple addresses together with funds connected to the sender’s identity known by Bitstamp
Inputs to a previous transaction sent from Bitstamp wallets

This simple analysis is primarily possible because in Bitcoin, almost all transactions are performed by a single entity; and if a single entity is performing a transaction, then all inputs to that transaction are necessarily owned by them. This heuristic is called the “common-input-ownership heuristic” and is one of the foundational building blocks for the majority of chain surveillance in Bitcoin today. When those wishing to surveil Bitcoin’s usage can safely assume that all inputs in a transaction are owned by the sender, they can build detailed and nearly complete pictures of a user’s spending habits past, present, and future.

This heuristic is also the core of what CoinJoin-style transactions attempt to confuse and break by coordinating a single transaction between many different participants. If enough Bitcoin users started to make CoinJoin transactions regularly, we could even go so far as to break this heuristic and make it inaccurate for chain surveillance companies, severely limiting their visibility into our financial activity on Bitcoin.

While hiding the input addresses and amounts is strictly not possible in Bitcoin today, we do have a few options for obfuscating and confusing chain surveillance, making their lives as difficult as possible.

What can we do today?

While we’ll keep things short and sweet in this section, here are a few ways you can better protect your financial privacy when sending Bitcoin transactions:

  1. Always use a new receive address
    1. If your current Bitcoin wallet doesn’t do this automatically, it’s far past time to switch!
  2. Don’t consolidate funds in your wallet (a commonly recommended way to save on fees down the line) by sending all of your Bitcoin back to yourself in a single transaction
  3. Use as few inputs as possible (only one, if possible!) when sending a transaction
    1. Thankfully most good Bitcoin wallets will do this for you by default!
  4. Prefer using PayJoin when enabled by a merchant (anyone using BTCPay Server can easily enable this if they’re using a hot wallet!)
    1. Read our guide on doing just that when buying a Passport: Buying Passport Privately Using CoinJoin
  5. Use wallets like Samourai Wallet and Sparrow Wallet to CoinJoin your funds, ensuring that even when you spend funds the prior history of each input isn’t able to be traced
  6. Use wallets like Samourai Wallet and Sparrow Wallet which automatically create dummy CoinJoin transactions whenever possible to obscure the sender (often called a “STONEWALL” transaction)
  7. Use wallets like Samourai Wallet and Sparrow Wallet to create collaborative transactions that obfuscate the true sender and input (often called a “STONEWALLx2” transaction)

Protecting the amount sent

Protecting the sender is the core focus for many of the privacy tools built on Bitcoin, but protecting the amount sent in each transaction is also an important piece of a holistic approach to privacy on-chain. If we’re not careful about how amounts are handled, we can make it easier to undo our privacy and link transactions and addresses to each other. The most common ways to use amounts to reveal information in a transaction are to look for rounded payment amounts (i.e., 0.001 BTC exactly) or to look for exactly matching amounts (minus normal fees) going into and out of exchanges, instant exchangers, or decentralized exchanges.

How do we see this play out in our example transaction? Let’s take a closer look:

  • The sent amount is almost certainly 0.011 BTC, as it is sent to a different type of address (“P2SH”, or legacy SegWit)
    • We can also confirm this analysis due to the rounded payment amount (0.011 BTC) which almost never happens with fees or change outputs
  • The change amount is almost certainly 0.00004088 BTC, as it is sent to the same type of address as the inputs (“P2WPKH”, or Segwit Bech32)

Amount-based heuristics are a common tool used by chain surveillance companies to confirm other heuristics (like the “common-input-ownership heuristic” we’ve already discussed) or to make educated guesses in the absence of clearer signs on-chain. The ability to use amounts to tie transactions and inputs together is one of the main reasons that most of the most battle-tested CoinJoin protocols use common denominations for inputs (i.e., 0.05 BTC) instead of allowing arbitrary amounts. Using these common denominations prevents trivial linkage of inputs and outputs down the line.

What can we do today?

  1. Avoid using rounded amounts (i.e,. 0.01 BTC) when sending funds unless necessary
  2. Avoid using specific fee amounts (outside of 1sat/vbyte, of course) and allow your wallet to calculate fees appropriately
  3. Prefer using PayJoin when enabled by a merchant (anyone using BTCPay Server can easily enable this if they’re using a hot wallet!)
  4. Use wallets like Samourai Wallet and Sparrow Wallet and create a “STOWAWAY” transaction with other Samourai and Sparrow users to hide the amount being sent and true input

Protecting the recipient

Now that we’ve taken a look at protecting both the sender and amount in a transaction, how do we go about protecting the recipient’s privacy? Thankfully, many of the same principles apply here as well, especially avoiding address re-use. As every transaction in Bitcoin necessarily has a recipient with address and amount being visible on-chain, it can be quite difficult to actually preserve the privacy of the recipient, both from the sender and from outside observers.

How do we see this play out in our example transaction? Let’s take a closer look:

  • The sent amount is almost certainly 0.011 BTC, as it is sent to a different type of address (“P2SH”, or legacy SegWit)
    • We can also confirm this analysis due to the rounded payment amount (0.011 BTC) which almost never happens with fees or change outputs
  • The recipient is still using a legacy Bitcoin wallet and has not upgraded to use Segwit
  • The recipient sweeps this output along with many others in a later transaction, linking their other receive history together

Chain surveillance companies leverage many of the same techniques to identify recipients as they do with senders, including wallet fingerprinting by fees, script types, output consolidation, and address re-use. When these types of heuristics are used, it can lead to “wallet clustering”, where those performing surveillance can tie together transactions under a single entity, even if there is no direct identification attached. As always with privacy, it’s important to blend in with the crowd and avoid any mistakes that can make it easier to separate and cluster transactions under a single entity.

What can we do today?

  1. Avoid re-using addresses when receiving funds
  2. If you’re the sender and a recipient is re-using an address or has a static Bitcoin address posted for donations or payments, pressure them to either use a PayNym or a solution like SatSale or BTCPay Server to provide a new address with every payment
  3. Prefer using PayJoin when enabled by a merchant (anyone using BTCPay Server can enable this, if it’s not enabled ask your merchant to enable it!)
  4. Use wallets like Samourai Wallet and Sparrow Wallet to create collaborative transactions that obfuscate the true sender, receiver and input (often called a “STONEWALLx2” transaction)
  5. Use wallets like Samourai Wallet and Sparrow Wallet and create a “STOWAWAY” transaction with other Samourai and Sparrow users to hide the amount being sent and true received output
Graphic explaining a STOWAWAY transaction

Protecting the source node

Last but not least comes an aspect of Bitcoin privacy that is often forgotten – protecting the IP address of the Bitcoin node that broadcasts the transaction in question. While the IP address and information about the originating node isn’t stored on the blockchain directly, it can be relatively easily seen by anyone operating a few nodes on the network and desiring to gather that type of information.

Because Bitcoin Core uses a very simplistic transaction broadcast protocol, an adversary seeking to surveil the network can run many nodes in many different geographic locations to try and be at least one connection of most nodes in the network. Once they have these broadly distributed nodes (a “Sybil attack”, something that is very cheap and easy to do in a permissionless and decentralized network like Bitcoin), they can then watch for where in the network they see transactions first broadcast. If they notice that a transaction they’re interested in was first broadcast from one node and propagated from there, they can make a very well educated guess that it was the source node for the transaction.

While this doesn’t guarantee that their guess is correct, it does help them narrow down the potential source node of a transaction and more actively Sybil attack that specific node to look for further transactions of interest. This can be combined with on-chain heuristics to try and find the source node being used by a specific entity and gain vast insight into their spending habits, their geographic location, and even their home address (if they reveal their true IP address to the Bitcoin network).

It’s important to remember that a peer-to-peer network like that used in Bitcoin is designed to be censorship-resistant and permissionless, not private. This approach works extremely well at ensuring that in most censorship scenarios a transaction can still be broadcast to the whole network, but also ensures that a motivated adversary can quite easily follow the flow of transaction propagation and block propagation across the network.

If you’d like to learn more about the issues inherent in this approach, there is an excellent article on the topic titled “Bitcoin’s P2P Network” at nakamoto.com.

What can we do today?

  1. If you run your own Bitcoin node, set it to only use the Tor network for communication
    1. This option is controlled by `onlynet=onion` in the config file, read more on the topic here
  2. Broadcast transactions manually via the Tor Browser and a service like mempool.space
    1. Only do this over Tor, never via clearnet!
    2. The current Onion address of the mempool.space broadcast tool is here
  3. Run your own Samourai Wallet “Dojo” node stack, which is Tor-only by default

Conclusion

After reading this I hope you come away with the conclusion that while Bitcoin’s on-chain privacy is imperfect by default, there are solutions available to each of these problems today. It may seem daunting to have to consider each of these aspects of information when sending or receiving a Bitcoin transaction, but as the issues around privacy within Bitcoin are clarified and made known, the wallets and apps we use to interact with Bitcoin can grow to better handle all of these potential issues for a user automatically.

Over the long-term it’s extremely important that wallet developers and node developers work hard to build in sane and private defaults to their apps, as most users have neither the knowledge nor expertise to properly handle every core piece of Bitcoin privacy. The more we as developers can improve users’ privacy without them even thinking actively about it, the better off our users will be and the better off the Bitcoin network and ecosystem will be.

In part 3 of this series we’ll take a closer look at protecting the sender via CoinJoin, including a sneak peak at what we’re working on to help make Bitcoin privacy more approachable for every Bitcoin user.

Stay tuned, and thanks for diving into the deep end of Bitcoin privacy with us today!

Multisig – Is it For Me?

bitcoin Key storage

The Bitcoin network dictates that, to create a valid spend transaction, you must provide proof of ownership of the bitcoin being used in the transaction. This is done via the use of a private key to create a digital signature (or proof) that the person creating the transaction is spending the coins belonging to them. Anyone in the network can look at the provided signature and corresponding address being spent from to verify the authenticity of the transaction, without needing to know the private key of person creating the spend. Anyone with access to your private key can spend from your wallet. Now that we understand the importance of private keys, we should probably understand how to secure them properly!

A typical Bitcoin wallet, such as those found on a mobile phone or desktop applications, protects your sats with a single master secret or ‘key’. To sign off on any spend from such a wallet requires a signature from this single key. These types of wallets are colloquially referred to as ‘single-sig’, short for ‘single signature’, referring to the authentication level required to create a valid spend. Used in a setting such as a mobile phone, single-sig wallet setups provide great convenience for those on the go spends that are typically on the lower end of the value scale.

Single-sig wallets can of course be used in more secure setups, such as with an air-gapped hardware wallet like Passport. Used in this context, the key, which is required to authorize transactions, never leaves the offline device. When paired with wallet software like BlueWallet, the software manages incoming transactions and constructs outgoing spends for the offline device to read and sign using its stored key. This extra step, where the authority to spend has been removed from the ‘online’ wallet software, provides an extra security layer against potentially compromised internet connected devices.

With this simplicity comes a theoretical single point of failure. If your wallet and/or seed backup gets compromised, so does your bitcoin! Sure, you could deploy a Passphrase, but what if we wanted to take things a step further and protect ourselves against even more attack vectors?

What is multisig?

Much like single-sig, multisig (short for ‘multi signature’), derives its name from the level of authentication or ‘proof’ required to create a spend transaction. Generally speaking, a multisig wallet requires sign-off from more than one key for any spend. With multisig, you have the freedom to fine tune your wallet configuration to suit your personal circumstances. Two of the most common approaches taken today look like this:

A 2-of-3 setup where 3 keys are used to create the wallet and protect the bitcoin, but only 2 of those keys are required to authorize a spend

A 3-of-5 setup where 5 keys are used to create the wallet and protect the bitcoin, but only 3 of those keys are required to authorize a spend

The number of different Multisig configurations is almost limitless and can be tailored for almost any scenario. A company holding bitcoin on their balance sheet might opt to create an 7-of-12 setup where all board members hold a key and a majority (7) of them are required to authorize spends, whereas individuals would likely not require this level of complexity and would opt for a simpler setup with fewer keys to manage.

multisig benefits

So why might a sovereign individual want to consider a multisig setup? What extra benefits will be gained to offset the increased complexity?

  1. Removal of a single points of failure – In a single-sig setup, if the device holding your private keys, or the corresponding mnemonic seed backup is compromised, so is your bitcoin. With multisig, an attacker would need access to the multisig wallet (or backup file) AND the minimum number of keys required to make a spend.
  2. Redundancy – With a multisig wallet, you can afford to lose at least one key and its corresponding offline backup and still be able to spend your bitcoin. In a 2-of-3 setup, for example, loss of a single key would not result in a catastrophic loss of funds. Likewise, in a 3-of-5 setup, loss of two keys would not result in a loss of funds.
  3. Protection against a compromised manufacturer – In the unlikely event that the hardware wallet used in a single-sig setup turns out to contain a malicious back door, the wallet manufacturer could wait until funds are deposited and then drain the wallet at any point in the future. In this scenario, the manufacturer may not even be at fault; the device could be intercepted in-transit and swapped with a compromised device before arriving at its final destination. When a multisig wallet is configured with devices from multiple vendors, this attack is mitigated.

multisig considerations

While multisig offers exponentially improved protection from single points of failure and improved redundancy from key loss when compared to single-sig, it does also pose some new problems that must be considered before diving in head-first.

  1. More seeds to backup – Every device or key has its own mnemonic seed backup. Storing any of these at the same location negates the some of the benefits we outlined above. Do you have enough secure locations to store all of these seeds?
  2. More devices to secure – As outlined above, storing these devices in the same location is an attack vector. More devices = more secure locations required.
  3. Wallet configuration backup – In a doomsday scenario where a single key (and its backup) in a 2-of-3 setup is lost and the computer holding the wallet software is also not accessible, the remaining two keys, on their own, are not sufficient to recreate the wallet. To mitigate this, it is advisable to keep a copy of the wallet backup file with every key backup. Fortunately, modern multisig coordinator software like Sparrow or Specter Desktop offer this in a single file that can be printed or stored on a USB or microSD card. This file alone does not have the ability to spend; think of it as the ‘framework’ from which you can recreate the wallet.
  4. Inheritance – You might be an avid Bitcoiner, keen on leveling up your Bitcoin security but is your next of kin? You might have the most secure setup the world has ever witnessed, but if only you know how to access it, your bitcoin disappears when you do! The obvious thought is to leave some detailed instructions in case of emergency, but what if those instructions were to fall into the wrong hands?
  5. Spending inconvenience – If you need two keys to spend from your wallet, with one in your home and another a 90 minute drive away at a relative’s house, it could become a real chore if this is a wallet you’re planning to use on a regular basis.

multisig with passport

So, you’ve weighed up the pros and cons and decided to protect your bitcoin using a multisig wallet. Here’s one of the many ways you can do that easily using Passport and one of our favorite desktop wallets, Sparrow . Be sure to check out our other multisig tutorials covering BlueWallet and Specter Desktop.

https://youtu.be/Gx0mke_4BJU

Once set up, signing multisig transactions with Passport is very similar to single-sig and can be done via QR or microSD. Passport also allows you to view all of the multisig wallets it is a part of by heading to Settings > Multisig. Within the multisig menu you can also import new configurations via QR code or microSD as well as set the device’s ‘Multisig Policy‘. This setting dictates the way in which the device behaves when importing new configurations.

Multisig is an extremely powerful tool in the right hands, capable of protecting your wallet from almost all perceivable attack vectors – but it’s not without potential pitfalls! We suggest weighing the options discussed here and making up your own mind based on your own personal circumstances.