TumbleBit

TumbleBit operates through a central, untrusted Tumbler server that acts as a payment hub. The protocol ensures the Tumbler cannot steal funds or link transactions.

• Payer and Payee interact only with the Tumbler, never directly.
• Funds are locked in 2-of-2 multisig addresses, requiring cooperation from both the user and the Tumbler to spend.
• This creates an off-chain payment channel through the hub, with final settlement on the Bitcoin blockchain.

The core cryptographic innovation that prevents transaction linking. It uses a two-phase RSA Puzzle-Solver protocol.

• Puzzle Phase: The payer gives the Tumbler encrypted "puzzles" (RSA-encrypted payment secrets).
• Promise Phase: The Tumbler gives the payee signed promises to pay if a solution is provided.
• The payee solves a puzzle to claim funds from the Tumbler, but the Tumbler cannot determine which payer created which puzzle, breaking the link.

All mixing and payment routing occurs off the Bitcoin blockchain, enabling scalability and reducing fees.

• Only the initial funding and final cash-out transactions are broadcast on-chain.
• Hundreds of intermediate payments can be made through the Tumbler without creating blockchain bloat.
• This makes it suitable for micropayments and frequent transactions where on-chain fees would be prohibitive.

While a central Tumbler exists, the protocol is designed to be trust-minimized.

• The Tumbler cannot steal user funds due to the use of adaptor signatures and timelocks.
• If the Tumbler goes offline or acts maliciously, users can always reclaim their funds on-chain after a timeout.
• This makes it more resilient than traditional, custodial mixing services.

TumbleBit offers a different privacy model compared to the popular CoinJoin technique.

• CoinJoin: On-chain, cooperative transaction batching. Linkability is reduced but not eliminated, as all inputs/outputs are visible.
• TumbleBit: Off-chain, hub-based. Provides stronger unlinkability as the connection between payer and payee is cryptographically severed.
• TumbleBit typically requires a service fee to the Tumbler, whereas CoinJoin can be fee-less among peers.

The protocol is built on a cryptographic fair exchange and puzzle-solving mechanism. It uses RSA blind signatures and hash puzzles to ensure the Tumbler cannot link a payer's input to a payee's output. The process involves:

• RSA Puzzle Promise: The Tumbler creates a cryptographic puzzle for each payment.
• Blind Signatures: The payer blinds a payment request, gets it signed by the Tumbler, and then unblinds it to create a valid Bitcoin transaction the Tumbler cannot trace.
• Fair Exchange: Funds are atomically swapped, preventing theft by either party.

The Tumbler is an untrusted, incentivized intermediary that facilitates the mixing. It does not hold user funds in custody. Its role and economic model include:

• Service Fees: Earns fees for providing liquidity and facilitating the anonymous payment channels.
• No Custody Risk: Funds are locked in 2-of-2 multisig or HTLCs (Hashed Timelock Contracts), not in the Tumbler's wallet.
• Incentive Compatibility: The protocol's design makes honest behavior (completing the puzzle) the most profitable strategy for the Tumbler, penalizing malfeasance.

TumbleBit operates over payment channels (specifically, the Lightning Network architecture) to enable fast, off-chain mixing. This implementation provides unlinkability through:

• Off-Chain Execution: The mixing protocol occurs off-chain, with only funding and settlement transactions posted to the Bitcoin blockchain.
• Anonymous Payment Channels: Parties establish temporary, anonymous channels with the Tumbler. The on-chain opening and closing transactions for these channels are not linkable to the specific mixed payments that flow through them.

An extension of the base protocol, NTumbleBit enables true anonymous e-cash tokens on Bitcoin. It allows users to withdraw fungible tokens (TumbleBit coins) from the Tumbler that can be spent later without interaction. Key features:

• Tokenization: Withdraw coins represented by the Tumbler's RSA signatures.
• Unlinkable Redemption: Anyone can redeem these signed coins for Bitcoin later, with no link to the original withdrawal.
• Offline Payments: Coins can be transferred peer-to-peer offline before final blockchain settlement.

Bolt is the direct application of TumbleBit's principles to the Lightning Network. It adds privacy to Lightning payments by making route construction and payment hashes unlinkable. It achieves this through:

• Blinded Paths: The payer can construct a payment route where intermediate nodes, including the final payee, are hidden.
• Onion Routing Enhancements: Uses blinded group signatures to obscure the payment's ultimate destination within the onion packet.
• Sender Anonymity: Protects the payer's identity from nodes in the payment path.

A two-party, off-chain ledger that allows multiple transactions to be settled on the blockchain only once. TumbleBit uses a network of these channels to route payments, enabling fast and private transfers without broadcasting each transaction to the public ledger.

• Key Role: Forms the backbone of TumbleBit's Tumbler mode, where the tumbler acts as an intermediary hub in a payment channel network.
• Example: Bitcoin's Lightning Network is a well-known payment channel network that employs similar off-chain principles.

The core cryptographic commitment scheme that enables the Tumbler to act as a fair, trustless intermediary. It uses RSA encryption to create cryptographic puzzles that lock funds.

• Mechanism: The payer encrypts a secret with the Tumbler's public key, creating a "puzzle." The Tumbler can only claim the locked funds by solving it, which requires the payer's cooperation, ensuring neither party can cheat.
• Purpose: This prevents the Tumbler from stealing funds and prevents payers from falsely accusing the Tumbler, enabling strong fairness without a trusted third party.

A protocol where two parties can exchange items (e.g., digital cash for a secret) without requiring trust, ensuring that either both parties get what they expect, or neither does. TumbleBit is a canonical implementation of a fair exchange protocol for cryptocurrencies.

• Application: In TumbleBit, the payer's coins are exchanged for the Tumbler's signature on a new transaction, guaranteeing the payer receives a valid, unlinkable output.
• Property: Achieves atomicity, meaning the exchange is a single, indivisible operation that cannot be left in a partial state.

A bitcoin transaction privacy technique where multiple users combine their payments into a single transaction, making it harder to determine which inputs correspond to which outputs. TumbleBit's Classic mode is an off-chain, improved variant of CoinJoin.

• Comparison: Unlike basic on-chain CoinJoin, TumbleBit's implementation occurs off-chain via the Tumbler, providing stronger anonymity by breaking the common-input-ownership heuristic and preventing coordination attacks.
• Limitation Addressed: Solves CoinJoin's requirement for synchronous, coordinated rounds of participants.

A service that breaks the link between the source and destination of cryptocurrency funds by pooling and redistributing them. In TumbleBit, the Tumbler is a specific, non-custodial server that facilitates mixing using cryptographic protocols.

• Key Difference: Traditional mixers are often custodial and require trust. The TumbleBit server is non-custodial and cannot steal funds due to the RSA Puzzle Promise Scheme.
• Function: It acts as a hub in a payment channel network, receiving and forwarding payments without learning the linkage between them.

A core privacy property where an external observer cannot determine if two different transactions are related. TumbleBit is designed to provide strong payment unlinkability.

• Achievement: For an outside observer (and the Tumbler in Tumbler mode), the coins a user deposits into the protocol are cryptographically unlinkable to the coins they withdraw.
• Mechanism: Achieved through the use of blinded signatures and the structure of the off-chain payment channels, which sever the on-chain transaction graph.