This document was created in 2018 and is outdated by now.
Wasabi Wallet is a privacy focused Bitcoin wallet that is based on the ZeroLink Fungibility Framework. While statistical privacy can be achieved today with it, the cost, convenience, intuitiveness and strength of this privacy can be greatly improved. Wasabi must also improve its accessibility and its general Bitcoin wallet features. Furthermore Wasabi should look into ways of extending the scope of its privacy protection to other, not closely Bitcoin related fields, such as end-to-end encrypted messaging. Finally, Wasabi also needs to concentrate on its stability, performance, UX and code quality. This document aims to outline a starting plan to progress towards these objectives.
I. Introduction
II. Stability, Performance, UX, Code Quality
III. Education
IV. Bitcoin Privacy Improvements
V. General Wallet Features
VI. Accessibility
VII. Extending the Scope of Privacy
VIII. Unique Wallet Features
IX. Conclusion
Wasabi's main focuses are Bitcoin and privacy, thus section IV. Bitcoin Privacy Improvements. However, a loss of privacy in fields that are traditionally considered to be outside the scope of a Bitcoin wallet, such as sharing addresses through unsecure chat clients or checking transactions in a block explorer through the clearnet also pose privacy threats, ergo Wasabi cannot consider them entirely out of its scope, thus section VII. Extending the Scope of Privacy.
In the paper Anonymity Loves Company: Usability and the Network Effect the authors note:
We show that in anonymizing networks, even if you were smart enough and had enough time to use every system perfectly, you would nevertheless be right to choose your system based in part on its usability for other users.
Therefore Wasabi should also pay attention to fields that help to increase the number of Wasabi users, bringing greater privacy for everyone, thus sections III. Education and VI. Accessibility.
Furthermore, Wasabi is software, therefore it must not neglect general software quality issues, thus section II. Stability, Performance, UX, Code Quality. The better software Wasabi is, the more users it will retain.
Wasabi is also a Bitcoin wallet, therefore it must improve general Bitcoin wallet related features as well, thus section V. General Wallet Features.
Finally, there are development opportunities, where the developers of Wasabi recognize that they could easily add some unique wallet features that no other wallets have, like in-wallet multi-wallet support or copypaste malware defense, thus section VIII. Unique Wallet Features.
Note that the developers of Wasabi are currently occupied by section II. Stability, Performance, UX, Code Quality. This enjoys the highest priority. New issues will constantly come up as new users try to use the software. At this point it is unclear if Wasabi will ever have the resources to tackle other sections in this document.
Wasabi is an open-source, desktop Bitcoin wallet, working on Windows, Linux and OSX, written in .NET Core (C#), which is cross platform and open source .NET. Wasabi uses NBitcoin as its Bitcoin library, to which Wasabi developers are frequent contributors: @lontivero, @nopara73. Wasabi uses Avalonia library as its UI framework where Wasabi developer @danwalmsley is a maintainer.
Wasabi does not support and does not plan to support other currencies in the future.
Let's look at what is going on under the hood for Wasabi, what design decisions and tradeoffs the developers made, so we can later understand where it can be improved.
After setting up Wasabi and generating a wallet, Wasabi welcomes the user with a load wallet screen. Unlike other wallets, Wasabi has a convenient way to use multiple wallets. Privacy centric users may be already used to achieve coin separation this way. However Wasabi provides a convenient in-wallet coin separation interface too, more information will be provided about that later on. Since coin separation can be easily achieved without multiple wallet files, initially the developers did not plan for such a wallet management system, our UX design choices naturally lead us down this road.
Wasabi has a status bar that shows meta information about the state of the wallet. To better understand the architecture of the wallet it is helpful to go through them.
The "Tor" label shows the status of the Tor daemon. Tor is an anonymity network which Wasabi ships with by default and runs in the background. The user can also opt to use their own Tor instance. All Internet traffic goes through Tor and by deafault all this traffic stays inside the onion network. Exit nodes are only involved in fallback scenarios. For example if the Tor hidden service of the backend becomes unavaiable for the user, the wallet falls back communicating with the backend's clearnet endpoint, still over Tor. Wasabi also frequently utilizes multiple Tor streams where applicable. For example, registration of coinjoin inputs and outputs is done through different Tor streams to avoid linking.
Wasabi's backend is used to facilitate Chaumian CoinJoin coordination between the mixing participants and to serve Golomb-Rice filters to the clients, similarly to BIP158. More information will be provided about the difference soon. Before that, it is worth pointing out that the design choice of building a light wallet was made because such a wallet can attract orders of magnitude more users compared to a wallet on top of a full node, and more users means larger and faster coinjoins. Historically, all light wallets were vulnerable to some kind of network observer due to unprivate utxo fetching. A few years ago, the only type of wallet that wasn't vulnerable was a full node, like Bitcoin Core. The first iteration of Wasabi was HiddenWallet, which was a full-block SPV wallet that aimed to leverage usability without compromising privacy through the omission of initial blockchain downloading compared to a full node. In theory, it was a light wallet. In practice, it was hard to compete with Bitcoin Core's micro-optimizations and it was still painful to wait for wallet synchronization every time the wallet was opened. Read more about network level Bitcoin wallet privacy here.
Back to Wasabi. After loading the wallet, the user can generate a receive address. Some important design choices were made here. First, Wasabi had to be a Segregated Witness only wallet, so the registration of unconfirmed coinjoin outputs into a new coinjoin round is done to prevent malleability attacks. However, the developers of Wasabi decided to make the wallet native segwit (bech32) only, not supporting wrapped segwit. This way, the backend server can leverage this and only generate filters regarding bech32 addresses. This makes Wasabi's filter size a few megabytes today, instead of >4GB. At first glance, this may be seen as hazardous to privacy, however Wasabi user utxos can be identified as Wasabi utxos by the huge coinjoins that only Wasabi does anyway, so minimal to no additional privacy loss happens there. In the future, as more and more wallets adopt bech32, Wasabi developers will have to look at how to scale the performance and network usage of the wallet. Failing that, Wasabi's initial sync will slow down.
This page shows the wallets that can be used to send to and receive from Wasabi: https://en.bitcoin.it/wiki/Bech32_adoption#Software_Wallets
Wasabi also maintains a connection to the Bitcoin P2P network over Tor. After Wasabi receives the filters from the backend, it can download the required blocks (there are false positives, too) one block from one peer. Wasabi then stores the block in its entirety on disk so it won't fetch it again. Storing blocks on the disk may take up too much space when the wallet is used extensively. There is room for improvement there as well. Wasabi only connects to onion peers, which faciliates end to end encryption, and it connects to them on a different Tor streams. After every block download Wasabi disconnects the peer.
Furthermore, if you have a full node running in the background Wasabi won't download blocks from peers, but rather will use the full node to fetch the block from instead.
Wasabi receives incoming transactions from the nodes it is connected to. This is, while privacy preserving, a relatively insecure way of handling this, and should be improved in the future. Generally, unconfirmed transactions are considered to be insecure regardless.
Unlike in other Bitcoin wallets, generating a label for each Bitcoin address is not optional, but required. That is because Wasabi has an intra-wallet blockchain analysis tool built into it, which tries to cluster utxos (Wasabi calls them coins). Based on these clusters, the user can make an educated decision on which coins to merge.
Wasabi also has a History tab like any other Bitcoin wallet.
Unlike other Bitcoin wallets, the user cannot spend from Wasabi without selecting coins, since "Coin Control Is Must Learn If You Care About Your Privacy In Bitcoin", at least for today. The label field of the Send tab is also compulsory.
By clicking on the Max button, one can spend all selected coins. Spending whole coins is beneficial to privacy.
The Bitcoin fee rates are fetched from the backend server, the source of these fees are Bitcoin Core's estimatesmartfee's CONSERVATIVE output. Every fee query happens over Tor with a new Tor identity. When clicking send, the wallet will broadcast the transaction to a random peer, then disconnects the peer. This is currently the optimal way to broadcast transactions from a privacy point of view, but a more ideal way would be to implement the Dandelion protocol for transaction broadcasting when the Bitcoin network adopts it.
Coins in Wasabi have Privacy and History properties. The anonymity set is just a momentary estimation, however, by examining the mixes and other people's transactions we will be able to show accurate values. The History is the calculated clusters from the labels based on typical Blockchain analysis heuristics. For example, if the user joins together a "foo" labeled coin with a "bar" labeled coin at sending, then the change coin history will show "change of (foo), change of (bar)". From this, users are able to make educated decisions as to which coins not to join together at any cost. Human input is invaluable.
Wasabi has a CoinJoin tab as well, its use is straightforward. The user queues their coins for coinjoin and waits for others to join the mix.
If the user does not wish to proceed, they can dequeue their coins.
After a mix has successfully executed, the resulting CoinJoin transaction will look like the following (real example): https://www.smartbit.com.au/tx/a0855875fd3d19522568ad673e4b52e11691d837021d74eef0d177f9e0950bf2
Wasabi also has a Tor website where one can see real time statistics about the mixes: http://wasabiukrxmkdgve5kynjztuovbg43uxcbcxn6y2okcrsg7gb6jdmbad.onion/
To this day, Wasabi's coinjoins have created >22941 BTC outputs with equal value.
As was discussed above, the main priority of Wasabi developers is currently the stability, performance, code quality and user experience of Wasabi. Great care must be taken here because the more users a network reliant privacy software has, the better privacy it offers. The more users there are, the better the software is. In Wasabi, this is most apparent during CoinJoins. The more users participating in a round, the higher the anonymity set the CoinJoin achieves and the more frequent the rounds will be. In our calculations, if Wasabi would acquire the volume of the most popular Bitcoin mixers, Wasabi could provide a 100 anonymity set round with the denomination of 0.1 BTC every 3 to 5 minutes.
This section consists of many small issues, waiting to be solved one-by-one. Since solving these issues is often more effective than discussing them, they won't be discussed in this document.
While education, content creation and marketing have little place in a technical document, they are still important parts of the big picture. Through education, Wasabi can obtain new users. The more Wasabi users there are, the better their privacy. Advancing this issue can take various, often opportunistic forms. A few ideas:
At the Blockchain level Wasabi currently helps its users achieve the desired level of privacy in three main ways: mixing, coin control and intra-wallet clustering.
Coin mixing happens through Chaumian CoinJoin, as described in the ZeroLink protocol. In a nutshell, Wasabi users register their transaction inputs and desired outputs with a coordinator, and the cooperation of these users results in a large coinjoin transaction. The coordinator cannot steal from, nor deanonymize the users. However, with ZeroLink, in order to statistically avoid post-mix deanonymization, coins must not be joined together. This, however, is unfeasible in practice.
Thus, various strategies are needed to mitigate this deanonymization risk.
One such strategy is Wasabi's current compulsory coin control feature. It helps the users to not join coins together and spend whole coins, but it does not force them, so it is not perfect.
Another is Wasabi's intra-wallet clustering system, where the users must use required labels. This helps the user to make an educated decision if they must join inputs together at send.
Another thing that the author of ZeroLink did not anticipate was the frequent remixing of already-mixed coins. In every round, more than half of the inputs are remixes, which not only results in perfect mixes for those inputs, but also results in anonymity set growth somewhere between the scales of addition and multiplication, instead of simple addition as the ZeroLink paper anticipated. Whether the anonymity set gain is closer to addition or multiplication depends on how other users behave. Right now, Wasabi simply counts the worst case scenario: so it shows the user addition. As of today, mixes are so interconnected that not even extensive input joining can deanonymize the users. However, this is happening in a low Bitcoin fee environment, so this is not to be taken for granted in the future. Additional measures are necessary.
The ideas described in this section are just ideas. Many of them are not compatible with each other, not proven or require further research.
It is also worth pointing out that if Confidential Transactions somehow make their way into Bitcoin, there would be no need for most of the improvements described in this section.
One of the most exciting advancements could be achieved by improving the mixing itself. The intuition behind Unequal Input Mixing, (#4, nopara73/ZeroLink#74) that could replace today's fixed denomination mixing, is clear, and its benefits are huge. However this requires further research.
The currently identified advantages of unequal input mixing compared to fixed denomination mixing are discussed briefly below, using the following notation:
UIM - Unequal Input Mixing
FDM - Fixed Denomination Mixing
- UIM's main goal is to optimize the cost/anonymity set.
- In FDM, those who don't have enough money to mix will not be able to mix. In UIM, this is no longer an issue.
- In FDM, peers often join together their utxos in order to reach the desired denomination. This exposes common ownership. There is no such an issue in UIM. Because of this, joining utxos together after the mix is no longer such a big deal.
- In UIM, mixing can be done over and over again until the desired anonymity set is reached. In FDM, mixing cannot be repeated, because the mixed output of the mix will never reach the sufficient input level of the next mix (due to network fees.) In FDM, if the user would decide to participate with an already mixed coin, they would have to add another input in order to meet the mix requirements, which exposes common ownership.
- People with lot of money would get matched together and would not have to wait weeks/months to mix everything out.
Mix to Others (https://github.com/zkSNACKs/Meta/issues/6, nopara73/ZeroLink#75) also has great potential, since it could completely replace Simple Send. It is, however, dubious whether there will ever be enough liquidity for this.
Improving simple send using current Bitcoin anonymity techniques is also an interesting topic. These do not even have to disrupt the current user workflow, they can mostly "just happen" in the background. Some additional thoughts and details on this section can be found here.
- JoinMarket: https://github.com/zkSNACKs/Meta/issues/5
- Friend CoinJoin Network: #17
- Merge Avoidance with BIP47 Payment Codes: #10
- Clusterfuck Wallet Strategies: #11, #18, nopara73/ZeroLink#42, #18
- Pay to EndPoint: #18, #18, #23
- GroupSend: https://github.com/zkSNACKs/WalletWasabi/issues/760
Improving the user friendliness, the accuracy of coin awareness and what happens on the blockchain can be also beneficial.
- New Type of Bitcoin UI: #8
- Input Joining Avoidance Strategy by Killing Kittens: nopara73/ZeroLink#65
- Improve History of a Coin: WalletWasabi/WalletWasabi#612
- Accurate Anonymity Set Calculation: https://github.com/zkSNACKs/WalletWasabi/issues/728
- Interactive Privacy Suggestions when Spending - WalletWasabi/WalletWasabi#729
At this point, it is too early to start leveraging LN in a privacy oriented wallet. However, if Bitcoin is successful in the future, there will be a need to think about these questions, since blockchains don't scale.
- CoinJoinXT
- Open Lightning Channels with ZeroLink in Wasabi - https://github.com/zkSNACKs/Meta/issues/3, nopara73/ZeroLink#58
Wasabi today has all the features a Bitcoin wallet needs that are not related to privacy. There may be other useful features to add, however.
- Pay to Many: WalletWasabi/WalletWasabi#733
- Advanced RBF (ethical concerns here): #15
- Lightning Network integration eventually will be unavoidable for any Bitcoin wallet if they want to stay in business, since blockchains don't scale: https://github.com/zkSNACKs/Meta/issues/2
- Sweep Private Key: WalletWasabi/WalletWasabi#486
- Paper Wallet Generation: WalletWasabi/WalletWasabi#727
- Read QR Code (currently it only shows it): WalletWasabi/WalletWasabi#731
- Bitcoin URL Support: WalletWasabi/WalletWasabi#732
The more users use the wallet the more privacy it can provide.
Since most of the world does not speak English, localization (#22) of Wasabi is something to consider.
Wasabi wallet uses bech32 addresses only. These addresses are not fully supported by the whole Bitcoin ecosystem. It would be beneficial to make pull requests to open source softwares to support sending money to bech32 addresses: WalletWasabi/WalletWasabi#951
Wasabi, in theory could use P2SH over P2WPKH, wrapped segwit addresses, (#7) since the ability to spend to bech32 addresses is not quite there yet. On the other hand, this could be considered a backward-looking short-sighted improvement.
A way of facilitating funds to make their way into the wallet would be to introduce transitionary P2WPKH over P2SH addresses those would not be checked against Golomb-Rice filters, but rather a single backend query would establish its balance only once, then immediately sweeping the money to a bech32 wallet-managed address: #34
In theory, Wasabi could support smart phones (Android, iOS). In practice, these platforms and their tools are not mature enough just yet. The concept of network analysis resistant smartphone wallets is not yet proven. If we would try to port Wasabi's code today, the wallet would use too much storage space, battery and network. However, technology is improving quickly, thus, timing has special importance in this matter. https://github.com/zkSNACKs/Meta/issues/9
The question of a web-wallet is also something to think about. However, it may not be possible to build a network analysis resistant web wallet, nor to build a secure web wallet in general. Nevertheless this question deserves more thought. #20
Wasabi has hardware wallet integration however in this mode coinjoining is not possible: WalletWasabi/WalletWasabi#1341
Some of the users use full nodes, mainly Bitcoin Core as their personal wallet, because this is the ultimate way of minimizing trust. Wasabi could ship with a bitcoind, much the same way as it does with Tor.
Another way to improve the software is to let developers play with it through a daemon (RPC?) process. This however may lead to enterprise adoption, which is good for liquidity, but there is a risk of centralization and thus Sybil attacks. May become more likely. For example an exchange could decide to add coinjoins and if they acquire 50% of liquidity in Wasabi, this way many of the wallet assumptions about anonymity sets would become less accurate. #12 Wasabi already has a public web API. However developers should not build wallets on top of it, since breakin changes must be expected. Misc things like Twitter bots are fine: http://wasabiukrxmkdgve5kynjztuovbg43uxcbcxn6y2okcrsg7gb6jdmbad.onion/swagger/index.html (https://wasabiwallet.io/swagger/index.html)
Wasabi could roll out a NuGet package, enabling developers to build applications with Wasabi. It would be also beneficial and not difficult to integrate Wasabi into existing .NET softwares directly, like BTCPay. https://github.com/btcpayserver/btcpayserver
Other non closely Bitcoin related features may be beneficial for the privacy of Wasabi users.
- In-Wallet Block Explorer Query over Tor: #19
- Integrated VPN Service For Oppressed Countries: #16
- Basic PGP Client: #13
- Simple P2P, Encrypted Messaging: #14
- Add Folder Encryption #36
- Protect Data Folders #39
Unique wallet features are a set of unorganized ideas that are not closely related to privacy. These are by no means necessary for Wasabi, but what fun is there in programming if the developers are not allowed to play with their creativity once in a while?
- Clipboard Hijacker Malware Defense: WalletWasabi/WalletWasabi#496, WalletWasabi/WalletWasabi#697
In this document, we gave a comprehensive overview of Wasabi Wallet. Unlike the creators of many other products, we deliberately decided to honestly and extensively describe and discuss Wasabi's shortcomings, tradeoffs and design decisions. We outlined our ideas and our future technical plans and helped the reader get familiar with our thinking process. This document can be analyzed and used by anyone who would like to achieve the strongest privacy in Bitcoin today without falling prey to misinformation that is rampant in the space. Of course, it is unavoidable that the reader will still be susceptible to the authors unconscious biases, and we apologize for that in advance.