Quinsolo asks, do you think there is potential for companies and exchanges to blacklist all CoinJoined Bitcoin? I hope one day Bitcoin will include a full privacy solution on the base layer. But until then, CoinJoin seems to be the best way to achieve reasonable privacy when purchasing BTC through an exchange, or some other place where they have KYC. Most of my coins have been mixed and put back into cold storage using Wasabi Wallet. Wasabi Wallet is one of the wallets that has a built-in CoinJoin capability. Do you think there is a possibility of not being able to sell or spend those satoshis due to them being tainted?

The type of CoinJoin that Wasabi does is what is known as an equal-output CoinJoin, where all of the participants are mixing with the same output amounts, which is one of the most effective types of CoinJoin. It is impossible to unravel after several rounds, so it is not impossible. It is extremely difficult to unravel after several rounds of CoinJoin.

There is an interesting thing here, which is, what exactly is a CoinJoin transaction, and how does it look on the blockchain? A CoinJoin transaction is basically a transaction where multiple parties join together. It is not one person making the transaction, it is multiple people signing a whole bunch of inputs that belong to multiple people, and creating a whole bunch of outputs in the transaction that belong to multiple people. That is all it is. There is no one implementation of CoinJoin. In fact, there have been several implementations of CoinJoin, with multiple people joining together to spend bitcoin in a way that is more difficult to track.

If you have a transaction with two inputs and two outputs, is that a CoinJoin transaction? Not necessarily. It could be a transaction from my wallet that pays someone and then takes some change. If the payment and the change are the same amount, again, that doesn't tell you it is a CoinJoin transaction.
What if there are three inputs and three outputs? Maybe that looks a bit more like a CoinJoin transaction. What if it is ten inputs and ten outputs? That kind of looks again like a CoinJoin transaction, but it is also the kind of transaction I would do to run payroll in my company when I have to pay ten employees in bitcoin. I am not going to do that in ten different transactions. I am going to do it in one. That is not a CoinJoin, but it might look like a CoinJoin.

How would exchanges really know if it is or isn't a CoinJoin? I guess they could do some kind of heuristic. Then they are going to catch a lot of people who are not doing CoinJoin transactions, and they are going to have some real problems if they start tainting coins that way, especially if people start structuring their wallets to make more CoinJoin transactions or make more transactions look like CoinJoin.

Then, of course, what if you did CoinJoin in the past, and then they decide to change how they treat coins, and they tell you, oh no, those coins are tainted? What does tainted mean? Tainted means that at some point in the last K number of transactions, those coins were involved in a CoinJoin. What value are you going to give to that number K? How many hops or how many previous transactions are you going to look at? If you look back more than a dozen transactions, you are going to run into something that is tainted, which means that you can't go that far back. If you are an exchange, you can't blacklist after 12 normal transactions, because the 13th transaction in the past was a CoinJoin. If you have CoinJoined coins, all you have to do is do 13 consecutive transactions to yourself, regular transactions, where you just bounce them from address to address to address to address to address, and then they are no longer tainted.
In general, when it comes to tainted coins, this mostly catches those who are unaware of these situations involving exchanges, because no matter how many hops they look back, all you have to do is, if they look at K hops back, you jump K plus one. You create K plus one transactions to yourself, creating K plus one addresses, and the last one isn't tainted, because the last K are not tainted. K plus one is tainted, but they are not looking that far back. If they keep increasing K, eventually they reach a point where everything is tainted, and they can't use that heuristic, because then they have to shut down their exchange.

How much does it cost you to make a new transaction with a new address? Remind me, oh right, just a transaction fee. You can do that whenever you want. You can do it when the network is really low capacity. In fact, you're not in a hurry. You're sending from your own address to your own address. How much in a hurry are you? I can wait 200 blocks for a transaction like that to go through. I'm going to minimize the fee, so it's not that expensive to do. Of course, you have to pay the computational fee for creating a new address, which is zero.

This whole idea of companies and exchanges blacklisting CoinJoin BTC very quickly runs into some serious practical problems. That will only drive an arms race. If they do this, then wallets will keep adding hops. For example, there are wallets today that add hops. One of them is Samourai, which does something called Ricochet. You can say how many hops you want to add, and it bounces your coins from address to address to address, and then sends them to distance yourself from any tainting that has happened in the past. More wallets will do that, and more wallets will do more stealthy forms of CoinJoin to avoid any problems with exchanges. I think you're okay, Quinsolo. Your coins are probably fine.
I don't think you'll ever see a situation where you can't spend them or make them clean enough to spend them with a bit of effort.

One of them is the kind of fingerprint that your wallet leaves. Wallets can do various things that are very harmful to privacy. For example, many naive wallets always put the change transaction last. The change output last. If they put the change output last, then you always know which output is change, which means you know that the other one or other ones are payments. That reveals far too much information. There are techniques to avoid that. One of the techniques is to simply sort the outputs by the address. Basically, it's like alphabetically sorting the address. The first output is always the one that has the address that starts with the lowest prefix. The last output is always the one that has the highest prefix on the address. If you lexicographically sorted the address, it gives you no information about which one is payment and which one is change.

There are other things about how wallets set various parameters in the transaction. Some wallets, for example, set the time lock in the transaction to avoid fee sniping. If you do that in a very specific way, that leaves a signature. If you're using certain types of wallets, they can leave little fingerprints behind that are very characteristic of that wallet and how it implements certain things. Having standardization where wallets do things in the same way, produce transactions in the same way, reduces the ability to identify what type of wallet it is. You can't see the difference between an Electrum wallet or a Trezor wallet, or a Wasabi wallet, or a Samourai wallet, or whatever else you're talking about, a Bread wallet. That's another technique that's really important for privacy.
Another element of privacy is how you route transactions when your wallet prepares them, and then once you transmit them on the Bitcoin network, which is if you simply give them to one of the nodes you're directly connected to as a peer, and that node transmits it to all its peers, and you flood it out, which is the traditional way of flooding transactions out, if an attacker has enough nodes in the network, they can triangulate the origin of the transaction, and then they can deduce information about geography, for example, or even pinpoint the specific IP address, which was the first one to see the transaction, and use that to find out which node it came from, which could reveal a lot of information.

A technique to overcome that is called Dandelion. Now, imagine a dandelion that is being blown by the wind, and then at some random time it breaks open and all of the little seeds fly away. That's the image for Dandelion routing. In Dandelion routing, what you do is basically you route an onion to a transaction to some node out there without flooding and sending it to anybody else, and then when it reaches that intermediate node, it puffs out and floods from there. So if someone was triangulating, they'd find it came from there, but they don't know if it really did come from there, or if it was Dandelion routed. So again, that's another technique to avoid being tracked.

Another technique to avoid being tracked is, of course, using the onion router network, Tor, in order to both connect your node to other nodes, as well as do transactions with your node, or even connect your wallet to your node if your wallet is not running on your node. Using your own node instead of an SPV wallet or some other lightweight client, and certainly not using a third-party custodial service.

So again, privacy is something you use in layers, and you need to apply several layers of privacy in order to achieve a high degree of privacy, and it's never perfect. It's never perfect.
There is no silver bullet. It's an arms race, like any aspect of information security. You do more things to do privacy. The analytics and surveillance companies do more things to violate your privacy. And if you do things well enough, and enough people do things well enough, we start winning. We start winning our privacy because it becomes very difficult for the analytics company to really pin down the information they need to. A lot of the information is tainted.
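
As an added illustration of the K-hop lookback described earlier (not part of the original talk), the sketch below evaluates that rule on a small constructed transaction graph. The graph, the sample deposits and the names `coinjoin_distance`, `tainted` and `flagged` are all assumptions made for the example.

```python
from collections import deque

# Constructed transaction graph (not real chain data):
# txid -> (is_coinjoin, list of parent txids whose outputs it spends)
TXS = {
    "cj":   (True,  []),            # equal-output CoinJoin round
    "a1":   (False, ["cj"]),        # participant moves coins to an own address
    "a2":   (False, ["a1"]),
    "a3":   (False, ["a2"]),
    "c0":   (False, []),            # unrelated history with no CoinJoin in it
    "c1":   (False, ["c0"]),
    "shop": (False, ["a3", "c1"]),  # merchant merges a payment from a3 with c1
    "emp":  (False, ["shop"]),      # employee paid by the merchant
    "sup":  (False, ["emp"]),       # supplier paid by the employee
}

def coinjoin_distance(txid, txs=TXS):
    """Hops back from txid to its nearest CoinJoin ancestor, or None."""
    seen, queue = {txid}, deque([(txid, 0)])
    while queue:                      # breadth-first, so first hit is nearest
        cur, dist = queue.popleft()
        is_cj, parents = txs[cur]
        if is_cj:
            return dist
        for parent in parents:
            if parent not in seen:
                seen.add(parent)
                queue.append((parent, dist + 1))
    return None

def tainted(txid, k, txs=TXS):
    """The rule from the talk: a CoinJoin within the last k transactions."""
    dist = coinjoin_distance(txid, txs)
    return dist is not None and dist <= k

def flagged(deposits, k, txs=TXS):
    """Deposits an exchange using lookback k would reject."""
    return [t for t in deposits if tainted(t, k, txs)]

# Constructed deposits: the mixer's own coin, three downstream recipients
# who never mixed, and one coin with no CoinJoin anywhere in its history.
DEPOSITS = ["a3", "shop", "emp", "sup", "c1"]

if __name__ == "__main__":
    for k in range(1, 8):
        print(f"k={k}: flagged {flagged(DEPOSITS, k)}")
```

With a short lookback nothing is flagged; as k grows the rule catches the mixer's coin and then, one hop at a time, the merchant, employee and supplier who never used CoinJoin themselves.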