TumbleBit: An Untrusted Bitcoin-Compatible
Anonymous Payment Hub
Ethan Heilman∗ , Leen AlShenibr∗ , Foteini Baldimtsi† , Alessandra Scafuro‡ and Sharon Goldberg∗
∗ Boston University {heilman, leenshe}@bu.edu, [email protected]
† George Mason University [email protected]
‡ North Carolina State University [email protected]
Abstract—This paper presents TumbleBit, a new uni-
directional unlinkable payment hub that is fully com-
patible with today’s Bitcoin protocol. TumbleBit allows
parties to make fast, anonymous, off-blockchain payments
through an untrusted intermediary called the Tumbler.
TumbleBit’s anonymity properties are similar to classic
Chaumian eCash: no one, not even the Tumbler, can link
a payment from its payer to its payee. Every payment
made via TumbleBit is backed by bitcoins, and comes with
a guarantee that Tumbler can neither violate anonymity,
nor steal bitcoins, nor “print money” by issuing payments
to itself. We prove the security of TumbleBit using the
real/ideal world paradigm and the random oracle model.
Security follows from the standard RSA assumption and
ECDSA unforgeability. We implement TumbleBit, mix
payments from 800 users and show that TumbleBit’s off-
blockchain payments can complete in seconds.
I. I NTRODUCTION
One reason for Bitcoin’s initial popularity was the
perception of anonymity. Today, however, the sheen of
anonymity has all but worn off, dulled by a stream of
academic papers [38], [51], and a blockchain surveil-
lance industry [32], [26], that have demonstrated weak-
nesses in Bitcoin’s anonymity properties. As a re-
sult, a new market of anonymity-enhancing services
has emerged [43], [23], [1]; for instance, 1 million
USD in bitcoins are funneled through JoinMarket each
month [43]. These services promise to mix bitcoins
from a set of payers (aka, input Bitcoin addresses A)
to a set of payees (aka, output bitcoin addresses B) in a
manner that makes it difficult to determine which payer
transferred bitcoins to which payee.
To deliver on this promise, anonymity must also
be provided in the face of the anonymity-enhancing
service itself—if the service knows exactly which payer
is paying which payee, then a compromise of the service
Foteini Baldimtsi and Alessandra Scafuro performed this work while
at Boston University.
This is the authors’ full version, last updated on July 31, 2017, of a
paper that was first posted online on June 3, 2016 and subsequently
appeared at NDSS ’17, 26 February - 1 March 2017, San Diego,
CA, USA
http://dx.doi.org/10.14722/ndss.2017.23086
leads to a total loss of anonymity. Compromise of
anonymity-enhancing technologies is not unknown. In
2016, for example, researchers found more than 100 Tor
nodes snooping on their users [45]. Moreover, users of
mix services must also contend with the potential risk
of “exit scams”, where an established business takes in
new payments but stops providing services. Exit scams
have been known to occur in the Bitcoin world. In 2015,
a Darknet Marketplace stole 11.7M dollars worth of
escrowed customer bitcoins [53], while btcmixers.com
mentions eight different scam mix services. Thus, it is
crucial that anonymity-enhancing services be designed
in a manner that prevents bitcoin theft.
TumbleBit: An unlinkable payment hub. We present
TumbleBit, a unidirectional unlinkable payment hub
that uses an untrusted intermediary, the Tumbler T ,
to enhance anonymity. Every payment made via Tum-
bleBit is backed by bitcoins. We use cryptographic
techniques to guarantee Tumbler T can neither violate
anonymity, nor steal bitcoins, nor “print money” by
issuing payments to itself. TumbleBit allows a payer
Alice A to send fast off-blockchain payments (of de-
nomination one bitcoin) to a set of payees (B1 , ..., BQ )
of her choice. Because payments are performed off
the blockchain, TumbleBit also serves to scale the
volume and velocity of bitcoin-backed payments. Today,
on-blockchain bitcoin transactions suffer a latency of
≈ 10 minutes. Meanwhile, TumbleBit payments are
sent off-blockchain, via the Tumbler T , and complete
in seconds. (Our implementation1 completed a payment
in 1.2 seconds, on average, when T was in New York
and A and B were in Boston.)
TumbleBit Overview. TumbleBit replaces on-
blockchain payments with off-blockchain puzzle solv-
ing, where Alice A pays Bob B by providing B with the
solution to a puzzle. The puzzle z is generated through
interaction between B and T , and solved through an
interaction between A and T . Each time a puzzle is
solved, 1 bitcoin is transferred from Alice A to the
Tumbler T and finally on to Bob B.
The protocol proceeds in three phases; see Figure 1.
In the on-blockchain Escrow Phase, each payer Alice
1 https://github.com/BUSEC/TumbleBit/
 Tumbler
{
Alice
Phase 1:
Escrow
3 BTC 3 BTC
{
Escrow Transaction
Payment
Phase 2:
Z RSA-Puzzle-Solver
Protocol
ϵ independent interest. This protocol allows Alice A to
{
Cash-out
Phase 3:
Cash-out Transaction
2 BTC 1 BTC 2 BTC
Fig. 1. Overview of the TumbleBit protocol.
A opens a payment channel with the Tumbler T by
escrowing Q bitcoins on the blockchain. Each payee
Bob B also opens a channel with T . This involves
(1) T escrowing Q bitcoins on the blockchain, and
(2) B and T engaging in a puzzle-promise protocol
that generates up to Q puzzles for B. During the off-
blockchain Payment Phase, each payer A makes up to Q
off-blockchain payments to any set of payees. To make
a payment, A interacts with T to learn the solution
to a puzzle B provided. Finally, the Cash-Out Phase
closes all payment channels. Each payee B uses his Q0
solved puzzles (aka, TumbleBit payments) to create an
on-blockchain transaction that claims Q0 bitcoins from
T ’s escrow. Each payer A also closes her escrow with
T , recovering bitcoins not used in a payment.
Anonymity properties. TumbleBit provides unlinkabil-
ity: Given the set of escrow transactions and the set of
cash-out transactions, we define a valid configuration
as a set of payments that explains the transfer of funds
from Escrow to Cash-Out. Unlinkability ensures that if
the Tumbler T does not collude with other TumbleBit
users, then T cannot distinguish the true configuration
(i.e., the set of payments actually sent during the Pay-
ment Phase) from any other valid configuration.
TumbleBit is therefore similar to classic Chaumian
eCash [17]. With Chaumian eCash, a payee A first
withdraws an eCash coin in exchange for money (e.g.,
USD) at an intermediary Bank, then uses the coin to
pay a payee B. Finally B redeems the eCash coin to the
Bank in exchange for money. Unlinkability ensures that
the Bank cannot link the withdrawal of an eCash coin to
the redemption of it. TumbleBit provides unlinkability,
with Tumbler T playing the role of the Chaumian Bank.
However, while Tumbler T need not be trusted, the
Chaumian Bank is trusted to not (1) “print money”
(i.e., issue eCash coins to itself) or (2) steal money (i.e.,
refuse to exchange coins for money).
TumbleBit: As a classic tumbler. TumbleBit can also
be used as a classic Bitcoin tumbler, mixing together the
transfer of one bitcoin from ℵ distinct payers (Alice A)
to ℵ distinct payees (Bob B). In this mode, TumbleBit is
run as in Figure 1 with the payment phase shrunk to 30
seconds, so the protocol runs in epochs that require two
blocks added to the blockchain. As a classic tumbler,
Bob
TumbleBit provides k-anonymity within an epoch—no
Puzzle-Promise
Protocol one, not even the Tumbler T , can link one of the k
(c, Z )
Z transfers that were successfully completed during the
epoch to a specific pair of payer and payee (A, B).
Escrow Transaction
Z =Blind(Z )
RSA-puzzle solving. At the core of TumbleBit is our
1 BTC from A to B new “RSA puzzle solver” protocol that may be of
Unblind( ϵ )= ϵ ϵ
σ = Dec ( c) pay one bitcoin to T in fair exchange2 for an RSA
ϵ
Cash-out Transaction exponentiation of a “puzzle” value z under T ’s secret
1 BTC key. Fair exchange prevents a cheating T from claiming
A’s bitcoin without solving the puzzle. Our protocol
is interesting because it is fast—solving 2048-bit RSA
puzzles faster than [37]’s fair-exchange protocol for
solving 16x16 Sudoku puzzles (Section VIII))—and
because it supports RSA. The use of RSA means that
blinding can be used to break the link between the
user providing the puzzle (i.e., Bob B) and the user
requesting its solution (e.g., payer Alice A).
Cryptographic protocols. TumbleBit is realized by
interleaving the RSA-puzzle-solver protocol with an-
other fair-exchange puzzle-promise protocol. We for-
mally prove that each protocol is a fair exchange.
Our proofs use the real/ideal paradigm in the random
oracle model (ROM) and security relies on the standard
RSA assumption and the unforgeability of ECDSA
signatures.
A. TumbleBit Features
Bitcoin compatibility. TumbleBit is fully compati-
ble with today’s Bitcoin protocol. We developed (off-
blockchain) cryptographic protocols that work with the
very limited set of (on-blockchain) instructions provided
by today’s Bitcoin scripts. Bitcoin scripts can only
be used to perform two cryptographic operations: (1)
validate the preimage of a hash, or (2) validate an
ECDSA signature on a Bitcoin transaction. The limited
functionality of Bitcoin scripts is likely here to stay;
indeed, the recent “DAO” theft [47] has highlighted
the security risks of complex scripting functionalities.
Moreover, the Bitcoin community is currently debat-
ing [20] whether to deploy a solution (“segregated
witnesses” [58]) that corrects Bitcoin’s transaction mal-
leability issue 1). TumbleBit, however, remains secure
even if this solution is not deployed as explained in
Appendix I.
No coordination. In contrast to earlier work [35], [52],
if Alice A wants to pay Bob B, she need not interact
with any other TumbleBit users. Instead, A and B need
only interact with the Tumbler and each other. This
lack of coordination between TumbleBit users makes
it possible to scale our system.
2 True fair exchange is impossible in the standard model [46]
and thus alternatives have been proposed, such as gradual release
mechanisms, optimistic models, or use of a trusted third party. We
follow prior works that use Bitcoin for fair exchange [4], [30], [31]
and treat the blockchain as a trusted public ledger. Other works use
the term Contingent Payment or Atomic Swaps [34], [6].
2
Scheme Prevents Theft Anonymous Resists DoS Resists Sybils Minimum Mixing Time Bitcoin Compatible No Coordination?
Coinjoin [35] X small set × ×
Coinshuffle [52], [41] X small set × ×
1
Coinparty [59] 2/3 users honest X some X (fees)
XIM [13] X X X X (fees)
Mixcoin [15] TTP accountable × (TTP) X X (fees)
Blindcoin [57] TTP accountable X X X (fees)
CoinSwap [36] X × (TTP)2 X X (fees)
BSC [25] X X X X (fees)
TumbleBit X X X X (fees)
TABLE I. A COMPARISON OF B ITCOIN T UMBLER SERVICES . TTP STANDS FOR T RUSTED T HIRD PARTY. W E COUNT MINIMUM MIXING
TIME BY THE MINIMUM NUMBER OF B ITCOIN BLOCKS . A NY MIXING SERVICE INHERENTLY REQUIRES AT LEAST ONE BLOCK .
1 C OINPARTY COULD ACHIEVE SOME D O S RESISTANCE BY FORCING PARTIES TO SOLVE PUZZLES BEFORE PARTICIPATING .
Performance. We have implemented our TumbleBit
system in C++ and python, using LibreSSL as our
cryptographic library. We have tumbled payments from
800 payers to 800 payees; the relevant transactions are
visible on the blockchain. (See Section VIII-C).Our
protocol requires 327 KB of data on the wire, and
0.6 seconds of computation on a single CPU. Thus,
performance in classic tumbler mode is limited only
by the time it takes for two blocks to be confirmed
on the blockchain and the time it takes for transactions
to be confirmed; currently, this takes ≈ 20 minutes.
Meanwhile, off-blockchain payments can complete in
seconds (Section VIII).
B. Related Work
TumbleBit is related to work proposing new anony-
mous cryptocurrencies (e.g., Zerocash [40], [10], Mon-
ero [2] or Mimblewimble [28]). While these are very
promising, they have yet to be as widely adopted as
Bitcoin. On the other hand, TumbleBit is an anonymity
service for Bitcoin’s existing user base.
Off-blockchain payments. When used as an unlinkable
payment hub, TumbleBit is related to micropayment
channel networks, notably Duplex Micropayment Chan-
nels [18] and the Lightning Network [48]. These sys-
tems also allow for Bitcoin-backed fast off-blockchain
payments. Payments are sent via paths of intermedi-
aries with pre-established on-blockchain pairwise es-
crow transactions. TumbleBit (conceptually) does the
same. However, while the intermediaries in micropay-
ment channel network can link payments from A to B,
TumbleBit’s intermediary T cannot.
Our earlier workshop paper [25] proposed a protocol
that adds anonymity to micropayment channel networks.
TumbleBit is implemented and Bitcoin compatible,
while [25] is not. Moreover, [25] requires both Alice
A and Bob B to interact with the Tumbler T as part of
every off-blockchain payment. Thus, the Tumbler could
correlate the timing of its interactions with A and B
in order to link their payments. Meanwhile, TumbleBit
eliminates this timing channel by only requiring inter-
action between A and T (and A and B) during an off-
blockchain payment (see Figure 1 and Section VII-B).
TumbleBit is also related to concurrent work propos-
ing Bolt [24], an off-blockchain unlinkable payment
channel. While TumbleBit is implemented and Bitcoin
3
1 block X ×
1 block X × (p2p network)
2 blocks X ×
hours X × (uses blockchain)
2 blocks X X
2 blocks X X
2 blocks X X
3 blocks × X
2 blocks X X
compatible, Bolt has not been implemented and employs
scripting functionalities that are not available in Bitcoin.
Instead, Bolt runs on top of Zerocash [40], [10].
Bolt operates in several modes, including a unidirec-
tional payment channel (where Alice can pay Bob), a
bidirectional payment channel (where Alice and Bob
can pay each other), and bidirectional payment hub
(where Alice and Bob can pay each other through
an Intermediary). The latter mode is most relevant to
TumbleBit, and offers different unlinkability properties.
First, Bolt hides the denomination of the payment from
the Intermediary; meanwhile, TumbleBit payments all
have the same denomination, which is revealed to the
Tumbler. Second, off-blockchain Bolt payments hide
the identity of the payer and payee; meanwhile, off-
blockchain TumbleBit payments reveals the identity of
the payee (but not the payer) to the Tumbler. Finally,
if a party aborts a payment via Bolt’s bidirectional
payment hub, then the identity of the payer and payee
is revealed. In this case, Bolt must fall back on the
anonymity properties of Zerocash, which ensures that
on-blockchain identities are anonymous. Meanwhile,
abort attacks on TumbleBit are less damaging (see
Section VII-C). This is important because TumbleBit
cannot fall back on Zerocash’s anonymity properties.
Bitcoin Tumblers. Prior work on classic Bitcoin
Tumblers is summarized in Table I-A.
Blindcoin [57], and its predecessor Mixcoin [15],
use a trusted third party (TTP) to mix Bitcoin addresses.
However, this third party can steal users’ bitcoins;
theft is detected but not prevented. In Mixcoin, the
TTP can also violate anonymity. CoinSwap [36] is a
fair-exchange mixer that allows two parties to anony-
mously send bitcoins through an intermediary. Fair
exchange prevents the CoinSwap intermediary from
stealing funds. Unlike TumbleBit, however, CoinSwap
does not provide anonymity against even an honest-but-
curious intermediary. Coinparty [59] is another decen-
tralized solution, but it is secure only if 2/3 of the users
are honest.
CoinShuffle [52] and CoinShuffle++[41] build on
CoinJoin [35] to provide a decentralized tumbler that
prevents bitcoin theft. Their anonymity properties are
analyzed in [39]. CoinShuffle(++) [52], [41] both per-
form a mix in a single transaction. Bitcoin’s maximum
transaction size (100KB) limits CoinShuffle(++) to 538
users per mix. These systems are also particularly vul-
nerable to DoS attacks, where a user joins the mix and
then aborts, disrupting the protocol for all other users.
Decentralization also requires mix users to interact via
a peer-to-peer network in order to identify each other
and mix payments. This coordination between users
causes communication to grow quadratically [13], [14],
limiting scalability; neither [52] nor [41] performs a
mix with more than 50 users. Decentralization also
makes it easy for an attacker to create many Sybils
and trick Alice A into mixing with them in order
to deanonymize her payments [14], [56]. TumbleBit
sidesteps these scalability limitations by not requiring
coordination between mix users.
XIM [13] builds on fair-exchange mixers like [8].
XIM prevents bitcoin theft, and uses fees to resist DoS
and Sybil attacks—users must pay to participate in a
mix, raising the bar for attackers that disrupt the proto-
col by joining the mix and then aborting. We use fees in
TumbleBit as well. Also, an abort by a single XIM user
does not disrupt the mix for others. TumbleBit also has
this property. One of XIM’s key innovations is a method
for finding parties to participate in a mix. However, this
adds several hours to the protocol, because users must
advertise themselves as mix partners on the blockchain.
TumbleBit is faster; a tumble requires only two blocks
on the blockchain.
When used as a classic tumbler, TumbleBit and [25]
shares the same fair-exchange properties and anonymity
properties. However, unlike TumbleBit, [25] is not com-
patible with Bitcoin and does not provide an implemen-
tation. Also, [25] requires three blocks to be confirmed
on the blockchain, while TumbleBit requires two.
Implementation. After this paper was first posted
online, Dorier and Ficsor began an independent open-
source TumbleBit implementation.3
II. B ITCOIN S CRIPTS AND S MART C ONTRACTS
In designing TumbleBit, our key challenge was
ensuring compatibility with today’s Bitcoin protocol.
We therefore start by reviewing Bitcoin transactions and
Bitcoin’s non-Turing-complete language Script.
Transactions. A Bitcoin user Alice A is identified by
her bitcoin address (which is a public ECDSA key),
and her bitcoins are “stored” in transactions. A single
transaction can have multiple outputs and multiple in-
puts. Bitcoins are transferred by sending the bitcoins
held in the output of one transaction to the input of a
different transaction. The blockchain exists to provide a
public record of all valid transfers. The bitcoins held
in a transaction output can only be transferred to a
single transaction input. A transaction input T3 double-
spends a transaction input T2 when both T2 and T3
point to (i.e., attempt to transfer bitcoins from) the
3 https://github.com/NTumbleBit/NTumbleBit
4
same transaction output T1 . The security of the Bitcoin
protocol implies that double-spending transactions will
not be confirmed on the blockchain. Transactions also
include a transaction fee that is paid to the Bitcoin miner
that confirms the transaction on the blockchain. Higher
fees are paid for larger transactions. Indeed, fees for
confirming transactions on the blockchain are typically
expressed as “Satoshi-per-byte” of the transaction.
Scripts. Each transaction uses Script to determine
the conditions under which the bitcoins held in that
transaction can be moved to another transaction. We
build “smart contracts” from the following transactions:
- Toffer : One party A offers to pay bitcoins to any party
that can sign a transaction that meets some condition C.
The Toffer transaction is signed by A.
- Tfulfill : This transaction points to Toffer , meets the
condition C stipulated in Toffer , and contains the public
key of the party B receiving the bitcoins.
Toffer is posted to the blockchain first. When Tfulfill
is confirmed by the blockchain, the bitcoins in Tfulfill
flow from the party signing transaction Toffer to the
party signing Tfulfill . Bitcoin scripts support two types
of conditions that involve cryptographic operations:
Hashing condition: The condition C stipulated in
Toffer is: “Tfulfill must contain the preimage of value
y computed under the hash function H.” Then, Tfulfill
collects the offered bitcoin by including a value x such
that H(x) = y. (We use the OP_RIPEMD160 opcode
so that H is the RIPEMD-160 hash function.)
Signing condition: The condition C stipulated in Toffer
is: “Tfulfill must be digitally signed by a signature that
verifies under public key PK .” Then, Tfulfill fulfills
this condition if it is validly signed under PK . The
signing condition is highly restrictive: (1) today’s Bit-
coin protocol requires the signature to be ECDSA over
the Secp256k1 elliptic curve [50]—no other elliptic
curves or types of signatures are supported, and (2)
the condition specifically requires Tfulfill itself to be
signed. Thus, one could not use the signing condi-
tion to build a contract whose condition requires an
arbitrary message m to be signed by PK .4 (Tum-
bleBit uses the OP_CHECKSIG opcode, which re-
quires verification of a single signature, and the “2-of-2
multisignature” template ‘OP_2 key1 key2 OP_2
OP_CHECKMULTISIG’ which requires verification of a
signature under key1 AND a signature under key2.)5
Script supports composing conditions under
“IF” and “ELSE”. Script also supports timelocking
(OP_CHECKLOCKTIMEVERIFY opcode [55]), where
Toffer also stipulates that Tfulfill is timelocked to time
window tw . (Note that tw is an absolute block height.)
This allows the party that posted Tfulfill to reclaim their
4 This is why [25] is not Bitcoin-compatible. [25] requires a blind
signature to be computed over an arbitrary message. Also, ECDSA-
Secp256k1 does not support blind signatures.
5 Unlike cryptographic multisignatures, a Bitcoin 2-of-2 multisig-
nature is a tuple of two distinct signatures and not a joint signature.
bitcoin if Tfulfill is unspent and the block height is
higher than tw . Section VIII-A details the scripts used
in our implementation. See also Appendix I.
2-of-2 escrow. TumbleBit relies heavily on the
commonly-used 2-of-2 escrow smart contract. Suppose
that Alice A wants to put Q bitcoin in escrow to
be redeemed under the condition C2of 2 : “the fulfilling
transaction includes two signatures: one under public
key PK 1 AND one under PK 2 .”
To do so, A first creates a multisig address
PK (1,2) for the keys PK 1 and PK 2 using the Bit-
coin createmultisig command. Then, A posts an
escrow transaction Tescr on the blockchain that sends
Q bitcoin to this new multisig address PK (1,2) . The
Tescr transaction is essentially a Toffer transaction that
requires the fulfilling transaction to meet condition
C2of 2 . We call the fulfilling transaction Tcash the cash-
out transaction. Given that A doesn’t control both PK 1
and PK 2 (i.e., doesn’t know the corresponding secret
keys), we also timelock the Tescr transaction for a time
window tw . Thus, if a valid Tcash is not confirmed by
the blockchain within time window tw , the escrowed
bitcoins can be reclaimed by A. Therefore, A’s bitcoins
are escrowed until either (1) the time window expires
and A reclaims her bitcoins or (2) a valid Tcash is
confirmed. TumbleBit uses 2-of-2 escrow to establish
pairwise payment channels, per Figure 1.
III. T UMBLE B IT: A N U NLINKABLE PAYMENT H UB
Our goal is to allow a payer, Alice A, to unlinkably
send 1 bitcoin to a payee, Bob B. Naturally, if Alice
A signed a regular Bitcoin transaction indicating that
Addr A pays 1 bitcoin to Addr B , then the blockchain
would record a link between Alice A and Bob B
and anonymity could be harmed using the techniques
of [38], [51], [12]. Instead, TumbleBit funnels payments
from multiple payer-payee pairs through the Tumbler T ,
using cryptographic techniques to ensure that, as long
as T does not collude with TumbleBit’s users, then no
one can link a payment from payer A to payee B.
A. Overview of Bob’s Interaction with the Tumbler
We overview TumbleBit’s phases under the assump-
tion that Bob B receives a single payment of value
1 bitcoin. TumbleBit’s Anonymity properties require
all payments made in the system to have the same
denomination; we use 1 bitcoin for simplicity. Ap-
pendix A shows how Bob can receive multiple payments
of denomination 1 bitcoin each.
TumbleBit has three phases (Fig 1). Off-blockchain
TumbleBit payments take place during the middle Pay-
ment Phase, which can last for hours or even days.
Meanwhile, the first Escrow Phase sets up payment
channels, and the last Cash-Out Phase closes them
down; these two phases require on-blockchain transac-
tions. All users of TumbleBit know exactly when each
5
phase begins and ends. One way to coordinate is to use
block height; for instance, if the payment phase lasts
for 1 day (i.e., ≈ 144 blocks) then the Escrow Phase is
when block height is divisible by 144, and the Cash-Out
Phase is when blockheight+1 is divisible by 144.
1: Escrow Phase. Every Alice A that wants to send
payments (and Bob B that wants to receive payments)
during the upcoming Payment Phase runs the escrow
phase with T . The escrow phase has two parts:
(a) Payee B asks the Tumbler T to set up a payment
channel. T escrows 1 bitcoin on the blockchain via
a 2-of-2 escrow transaction (Section II) denoted as
Tescr(T ,B) stipulating that 1 bitcoin can be claimed by
any transaction signed by both T and B. Tescr(T ,B) is
timelocked to time window tw 2 , after which T can
reclaim its bitcoin. Similarly, the payeer A escrows 1
bitcoin in a 2-of-2 escrow with T denoted as Tescr(A,T ) ,
timelocked for time window tw 1 such that tw 1 < tw 2 .
Upon conclusion of the puzzle-promise protocol both
the escrows are established by confirming Tescr(A,T ) ,
Tescr(T ,B) on Bitcoin’s blockchain.
(b) Bob B obtains a puzzle z through an off-
blockchain cryptographic protocol with T which we call
the puzzle-promise protocol. Conceptually, the output of
this protocol is a promise by T to pay 1 bitcoin to B
in exchange for the solution to a puzzle z. The puzzle
z is just an RSA encryption of a value 
z = fRSA (, e, N ) = e mod N (1)
where (e, N ) is the TumbleBit RSA public key of
the Tumbler T . “Solving the puzzle” is equivalent
to decrypting z and thus obtaining its “solution” .
Meanwhile, the “promise” c is a symmetric encryption
under key 
c = Enc (σ)
where σ is the Tumbler’s ECDSA-Secp256k1 signature
on the transaction Tcash(T ,B) which transfers the bitcoin
escrowed in Tescr(T ,B) from T to B. (We use ECDSA-
Secp256k1 for compatibility with the Bitcoin protocol.)
Thus, the solution to a puzzle z enables B to claim 1
bitcoin from T . To prevent misbehavior by the Tumbler
T , our puzzle-promise protocol requires T to provide a
proof that the puzzle solution  is indeed the key which
decrypts the promise ciphertext c. The details of this
protocol, and its security guarantees, are in Section VI.
2: Payment Phase. Once Alice A indicates she is ready
to pay Bob B, Bob B chooses a random blinding factor
r ∈ ZN∗
and blinds the puzzle to
z = re z mod N. (2)
Blinding ensures that even T cannot link the original
puzzle z to its blinded version z. Bob B then sends z to
A. Next, A solves the blinded puzzle z by interacting
with T . This puzzle-solver protocol is a fair exchange
that ensures that A transfers 1 bitcoin to T iff T gives
a valid solution to the puzzle z. Finally, Alice A sends
the solution to the blinded puzzle  back to Bob B. Bob
unblinds  to obtain the solution
 = /r mod N
and accepts Alice’s payment if the solution is valid, i.e.,
e = z mod N .
3: Cash-Out Phase. Bob B uses the puzzle solution 
to decrypt the ciphertext c. From the result B can create
a transaction Tcash(T ,B) that is signed by both T and B.
B posts Tcash(T ,B) to the blockchain to receive 1 bitcoin
from T .
Our protocol crucially relies on the algebraic prop-
erties of RSA, and RSA blinding. To make sure that
the Tumbler is using a valid RSA public key (e, N ),
TumbleBit also has an one-time setup phase:
0: Setup. Tumbler T announces its RSA public
key (e, N ) and Bitcoin address AddrT , together with
a non-interactive zero knowledge proof that RSA with
parameters (e, N ) is a permutation and a proof of
knowledge of the associated RSA secret key6 . Every
user of TumbleBit validates (e, N ) using π.
B. Overview of Alice’s Interaction with the Tumbler
We now focus on the puzzle-solving protocol be-
tween A and the Tumbler T to show how TumbleBit
allows A to make many off-blockchain payments via
only two on-blockchain transactions (aiding scalability).
During the Escrow Phase, Alice opens a payment
channel with the Tumbler T by escrowing Q bitcoins in
an on-blockchain transaction Tescr(A,T ) . Each escrowed
bitcoin can pay T for the solution to one puzzle. Next,
during the off-blockchain Payment Phase, A makes off-
blockchain payments to j ≤ Q payees. Finally, during
the Cash-Out Phase, Alice A pays the Tumbler T by
posting a transaction Tcash(A,T ) (j) that reflects the new
allocation of bitcoins; namely, that T holds j bitcoins,
while A holds Q − j bitcoins. The details of Alice A’s
interaction with T , which are based on a technique used
in micropayment channels [44, p. 86], are as follows:
1: Escrow Phase. Alice A posts a 2-of-2 escrow
transaction Tescr(A,T ) to the blockchain that escrows Q
of Alice’s bitcoins. If no valid transaction Tcash(A,T ) is
posted before time window tw 1 , then all Q escrowed
bitcoins can be reclaimed by A.
2: Payment Phase. Alice A uses her escrowed bitcoins
to make off-blockchain payments to the Tumbler T . For
each payment, A and T engage in an off-blockchain
puzzle-solver protocol (see Sections V-B,V-D).
Once the puzzle is solved, Alice signs and gives T
a new transaction Tcash(A,T ) (i). Tcash(A,T ) (i) points to
Tescr(A,T ) and reflects the new balance between A and
6 The zero-knowledge proof of knowledge can be realized via the
Poupard-Stern protocol [49] that proves knowledge of the factorization
of the RSA modulus N .
𝓐1 t3 𝓑1 2 BTC
?
t5
?
𝓐2 t2
?
(3) t3
? 𝓑2 3 BTC
t4
𝓐3 t1
?
?
t6
𝓐4 ? 𝓑3 3 BTC
t5
? A compatiable interaction graph
Payer puzzle-solver payments Payee cashouts
{
{
Tumbler's View
Fig. 2. Our unlinkability definition: The Tumblers view and a
compatible interaction multi-graph.
T (i.e., that T holds i bitcoins while A holds Q − i
bitcoins). T collects a new Tcash(A,T ) (i) from A for
each payment. If Alice refuses to sign Tcash(A,T ) (i),
then the Tumbler refuses to help Alice solve further
puzzles. Importantly, each Tcash(A,T ) (i) for i = 1...j
(for j < Q) is signed by Alice A but not by T , and is
not posted to the blockchain. At the end of the Payment
Phase, A has made j payments, and the Tumbler T has
transaction Tcash(A,T ) (j), signed by Alice A, reflecting
a balance of j bitcoins for T and Q − j bitcoins for T .
3: Cash-Out Phase. The Tumbler T claims its bit-
coins from Tescr(A,T ) by signing Tcash(A,T ) (j) and
posting it to the blockchain. This fulfills the condi-
tion in Tescr(A,T ) , which stipulated that the escrowed
coins be claimed by a transaction signed by both A
and T . (Notice that all the Tcash(A,T ) (i) point to the
same escrow transaction Tescr(A,T ) . The blockchain
will therefore only confirm one of these transactions;
otherwise, double spending would occur. Rationally,
the Tumbler T always prefers to confirm Tcash(A,T ) (j)
since it transfers the maximum number of bitcoins to
T .) Because Tcash(A,T ) (j) is the only transaction signed
by the Tumbler T , a cheating Alice cannot steal bitcoins
by posting a transaction that allocates fewer than j
bitcoins to the Tumbler T .
Remark: Scaling Bitcoin. A similar (but more elaborate)
technique can be applied between B and T so that only
two on-blockchain transactions suffice for Bob B to
receive an arbitrary number of off-blockchain payments.
Details are in Appendix A. Given that each party uses
two on-blockchain transactions to make multiple off-
blockchain playments, Tumblebit helps Bitcoin scale.
C. TumbleBit’s Security Properties
Unlinkability. We assume that the Tumbler T does not
collude with other users. The view of T consists of (1)
the set of escrow transactions established between (a)
escrow,a
each payer Aj and the Tumbler (Aj −→ i T ) of value
escrow,b
ai and (b) the Tumbler and each payee Bi (T −→ i Bi ),
(2) the set of puzzle-solver protocols completed with
each payer Aj at time t during the Payment Phase, and
(3) the set of cashout transactions made by each payer
Aj and each payee Bi during the Cash-Out Phase.
6
 An interaction multi-graph is a mapping of pay-
ments from payers to payees (Figure 2). For each
successful puzzle-solver protocol completed by payer
Aj at time t, this graph has an edge, labeled with time
t, from Aj to some payee Bi . An interaction graph is
compatible if it explains the view of the Tumbler T ,
i.e., the number of edges incident on Bi is equal to the
total number of bitcoins cashed out by Bi . Unlinkability
requires all compatible interaction graphs to be equally
likely. Anonymity therefore depends on the number of
compatible interaction graphs.
Notice that payees Bi have better anonymity than
payers Aj . (This follows because the Tumbler T knows
the time t at which payer Aj makes each payment.
Meanwhile, the Tumbler T only knows the aggregate
amount of bitcoins cashed-out by each payee Bi .)
A high-level proof of TumbleBit’s unlinkability is
in Section VII, and the limitations of unlinkability are
discussed in Section VII-C.
Balance. The system should not be exploited to print
new money or steal money, even when parties collude.
As in [24], we call this property balance, which estab-
lishes that no party should be able to cash-out more
bitcoins than what is dictated by the payments that
were successfully completed in the Payment Phase. We
discuss how TumbleBit satisfies balance in Section VII.
DoS and Sybil protection. TumbleBit uses transaction
fees to resist DoS and Sybil attacks. Every Bitcoin
transaction can include a transaction fee that is paid
to the Bitcoin miner who confirms the transaction on
the blockchain as an incentive to confirm transactions.
However, because the Tumbler T does not trust Alice
A and Bob B, T should not be expected to pay fees
on the transactions posted during the Escrow Phase. To
this end, when Alice A establishes a payment channel
with T , she pays for both the Q escrowed in transaction
Tescr(A,T ) and for its transaction fees. Meanwhile, when
the Tumbler T and Bob B establish a payment channel,
the Q escrowed bitcoins in Tescr(T ,B) are paid in the
Tumbler T , but the transaction fees are paid by Bob B
(Section III-A). Per [13], fees raise the cost of an DoS
attack where B starts and aborts many parallel sessions,
locking T ’s bitcoins in escrow transactions. This simi-
larly provides Sybil resistance, making it expensive for
an adversary to harm anonymity by tricking a user into
entering a run of TumbleBit where all other users are
Sybils under the adversary’s control.
IV. T UMBLE B IT: A LSO A C LASSIC T UMBLER .
We can also operate TumbleBit as classic Bitcoin
Tumbler. As a classic Tumbler, TumbleBit operates in
epoches, each of which (roughly) requires two blocks
to be confirmed on the blockchain (≈ 20 mins). During
each epoch, there are exactly ℵ distinct bitcoin addresses
making payments (payers) and ℵ bitcoin addresses
7
receiving payments (payees). Each payment is of de-
nomination 1 bitcoin, and the mapping from payers to
payees is a bijection. During one epoch, the protocol
itself is identical to that in Section III with the following
changes: (1) the duration of the Payment Phase shrinks
to seconds (rather than hours or days); (2) each payment
channel escrows exactly Q = 1 bitcoin; and (3) every
payee Bob B receives payments at an ephemeral bitcoin
address Addr B chosen freshly for the epoch.
A. Anonymity Properties
As a classic tumbler, TumbleBit has the same bal-
ance property, but stronger anonymity: k-anonymity
within an epoch [25], [13]. Specifically, while the
blockchain reveals which payers and payees participated
in an epoch, no one (not even the Tumbler T ) can
tell which payer paid which payee during that specific
epoch. Thus, if k payments successfully completed
during an epoch, the anonymity set is of size k. (This
stronger property follows directly from our unlinkability
definition (Section III-C): there are k compatible inter-
action graphs because the interaction graph is bijection.)
Recovery from anonymity failures. It’s not always the
case that k = ℵ. The exact anonymity level achieved
in an epoch can be established only after its Cash-Out
Phase. For instance, anonymity is reduced to k = ℵ − 1
if T aborts an payment made by payer Aj . We deal
with this by requiring B to uses an ephemeral Bitcoin
address Addr B in each epoch. Consider first a malicious
Tumbler T that behaves itself during the Escrow Phase
of some epoch, but then refuses to help some payer A
solve a puzzle during the Payment Phase. The payment
from A to its payee B will fail. As such, the payee
B will not be able to claim a bitcoin from T during
the Cash-Out Phase. It follows that the Tumbler can
trivially link A and B by identifying the payee that
failed to cash out. To recover from this, we follow [25]
and require B to discard his ephemeral address and
never use it again if T aborts the protocol. Note that
both B loses nothing in this case, since no funds have
been transferred from T to B. Also, A loses nothing,
since by the fair-exchange property of the puzzle-solver
protocol (Theorem 1) T only obtains a bitcoin from A
if it cooperated in solving the puzzle.
Let us now consider a non-aborting epoch with
a small anonymity set. If B is comfortable with the
size of his anonymity set, he can use standard Bitcoin
transactions to move the bitcoin from his ephemeral
address to his long-lived Bitcoin address. Otherwise,
if he thinks that the anonymity set is too small, B
can remix, i.e., choose a new fresh ephemeral address
Addr 0B and rerun the protocol where his old ephemeral
address Addr B pays his new ephemeral address Addr 0B .
Remixing can continue until B is happy with the size
of his anonymity set, and he transfers his funds to his
long-lived address.
Remark: Intersection attacks. While this notion of k-
anonymity is commonly used in Bitcoin tumblers (e.g.,
[13], [25]), it does suffer from the following weakness.
Any adversary that observes the transactions posted to
the blockchain within one epoch can learn which payers
and payees participated in that epoch. Then, this infor-
mation can be correlated to de-anonymize users across
epochs (e.g., using frequency analysis or techniques
used to break k-anonymity [21]). These ‘intersection at-
tacks’ follow because k-anonymity is composed across
epochs; see also [13], [39] for discussion.
DoS and Sybil Attacks. We use fees to resist DoS
and Sybil attacks. Alice again pays for both the Q
escrowed in transaction Tescr(A,T ) and for its transaction
fees. However, we run into a problem if we want Bob
B to pay the fee on the escrow transaction Tescr(T ,B) .
Because Bob B uses a freshly-chosen Bitcoin address
Addr B , that is not linked to any prior transaction on
the blockchain, Addr B cannot hold any bitcoins. Thus,
Bob B will have to pay the Tumbler T out of band.
The anonymous fee vouchers described in [25] provide
one way to address this, which also has the additional
feature that payers A cover all fees.
An anonymous fee voucher is a blind signature σ
that T provides to A in exchange for a small out-of-
band payment; A could pre-purchase these vouchers
in bulk, before she begins participating in TumbleBit.
Then, when A is ready to participate, she unblinds σ to
σ and provides it to B who passes it along to T . The
protocol begins once T is sure that it was paid for its
efforts.
V. A FAIR E XCHANGE FOR RSA P UZZLE S OLVING
We now explain how to realize a Bitcoin-compatible
fair-exchange where Alice A pays Tumbler T one
bitcoin iff the T provides a valid solution to an RSA
puzzle. The Tumbler T has an RSA secret key d and the
corresponding public key (e, N ). The RSA puzzle y is
provided by Alice, and its solution is an RSA secret-key
exponentiation
−1
 = fRSA (y, d , N ) = y d mod N (4)
The puzzle solution is essentially an RSA decryption or
RSA signing operation.
This protocol is at the heart of TumbleBit’s Payment
Phase. However, we also think that this protocol is
of independent interest, since there is also a growing
interest in techniques that can fairly exchange a bitcoin
for the solution to a computational “puzzle”. We there-
fore start by surveying the literature in Section V-A.
Section V-B presents our RSA-puzzle-solver protocol
as a stand-alone protocol that requires two blocks to
be confirmed on the blockchain. Our protocol is fast—
solving 2048-bit RSA puzzles faster than [37]’s protocol
for solving 16x16 Sudoku puzzles (Section VIII)). Also,
the use of RSA means that our protocol supports solving
8
blinded puzzles (see equation (2)), and thus can be used
to create an unlinkable payment scheme. Section V-D
shows how our protocol is integrated into TumbleBit’s
Payment Phase. Implementation results are in Table II
of Section VIII-B.
A. Approaches from the Literature
Contingent payments. Maxwell described a
protocol for “zero-knowledge contingent payments”
(ZKCP) [34]. The scheme in [34] swaps one bitcoin
from Alice A in exchange for having T compute any
agreed-upon function f on an input of A’s choosing.
The idea is as follows. After T computes the result
f (y) on Alice’s input y, it encrypts the result under
a randomly chosen key k to obtain a ciphertext c,
and hashes the encryption key to obtain h = H(k).
T then sends Alice A the ciphertext c and hash h
along with a zero-knowledge (ZK) proof that they
were formed correctly. (This proof must been done
in zero knowledge, because T should not reveal the
key k that decrypts f (y) to A before being paid with
A’s bitcoin.) After A verifies the proof, A posts a
transaction Tpuzzle offering one bitcoin under condition:
“Tsolve must contain the hash preimage of h”. T claims
the bitcoin by posting a transaction Tsolve containing
k. Now A can use k to decrypt c to obtain her desired
output f (y). This realizes a fair exchange because the
offered bitcoin reverts back to A if T fails to post a
valid Tsolve in a timely manner.
The limitations of using ZKCP in this setting arise
due to the inefficiency of the instantiations of ZK proofs.
Two main approaches exist:
ZKCP via ZK-Snarks. Recently, [37] showed how to
instantiate the ZK proofs used in this protocol with ZK-
Snarks [11]. The function f was a 16x16 Sudoku puzzle
and the resulting protocol was run and completed within
20 seconds. We could use this approach in our setting by
−1
(1) letting f be fRSA , an RSA decryption/signature, and
(2) using [37]’s ZK-snark but replacing the verification
of the Sudoku puzzle with an RSA verification fRSA .
One disadvantage of this approach is that RSA verifi-
cation within a ZK-Snark is likely to be slower than
Sudoku puzzle verification because state-of-the-art ZK-
Snarks operate in prime order fields of (roughly) 254
bits. Since a 2048-bit RSA verification deals with 2048-
bit numbers, each such number has to be split up and
expressed as an array of smaller ones, making arithmetic
operations far more complicated [19]. In any case, our
protocol for RSA exponentiation is faster than [37]’s
protocol for 16x16 Sudoku puzzles (Section VIII).
Also, ZK-Snarks are only secure under less standard
cryptographic assumptions. Meanwhile, our protocol’s
security follows from the standard RSA assumption (in
the random oracle model).
ZKCP via Garbled Circuits. As an alternative to ZK-
Snarks, one could use more generic ZK proofs based
on zero-knowledge garbled circuits (GC) as shown
in [27]. While GC-based ZK proofs work reasonably
well for evaluating hash functions, they are computa-
tionally heavier for modular exponentiations (like RSA
verification) because the latter do not have a short
Boolean-circuit representation [29].
ZKCP via Proof-of-Knowledge. A concurrent work [7]
proposes proposing ZKCP using Bitcoin Script’s Sign-
ing Condition (Section II) rather than its Hashing Con-
dition. [7] aims to be generic to all problems that have
zero-knowledge proof-of-knowledge protocols. Our ap-
proach is customized to RSA puzzles. [7] needs about
2 minutes to sell a 1024-bit RSA factorization with a
cheating probability of 2−48 . Our approach is faster,
solving 2048-bit RSA puzzles in seconds with cheating
probability of ≈ 2−80 .
Incentivizing correct computation. [30] proposed a
different approach that also uses GCs. Two parties use
GCs to compute an arbitrary function g(a, b) without
revealing their respective inputs a and b. [30]’s protocol
has the added feature that if one party aborts before
the output is revealed, the other party is automatically
compensated with bitcoins. To use this protocol in our
−1
setting, the function g should be fRSA , input a is the
RSA secret key d of T , and b becomes the input y
chosen by A. Then, if T aborts the protocol before
A learns the output, the bitcoin offered by A can be
reclaimed by A. Again, however, the efficiency of this
approach is limited by the computational overhead of
performing modular exponentiations inside a GC.
Our protocol sidesteps these issues by avoiding ZK
proofs and GCs altogether.
B. Our (Stand-Alone) RSA-Puzzle-Solver Protocol
The following stand-alone protocol description as-
sumes Alice A wants to transfer 1 bitcoin in exchange
for one puzzle solution. Section V-D shows how to
support the transfer of up to Q bitcoins for Q puzzle
solutions (where each solution is worth 1 bitcoin).
The core idea is similar to that of contingent pay-
ments [34]: Tumbler T solves Alice’s A’s puzzle y by
computing the solution y d mod N , then encrypts the
solution under a randomly chosen key k to obtain a
ciphertext c, hashes the key k under bitcoin’s hash as
h = H(k) and finally, provides (c, h) to Alice. Alice A
prepares Tpuzzle offering one bitcoin in exchange for the
preimage of h. Tumbler T earns the bitcoin by posting
a transaction Tsolve that contains k, the preimage of h,
and thus fulfills the condition in Tpuzzle and claims a
bitcoin for T . Alice A learns k from Tsolve , and uses k
to decrypt c and obtain the solution to her puzzle.
Our challenge is to find a mechanism that allows A
to validate that c is the encryption of the correct value,
without using ZK proofs. We do so by applying the
cut-and-choose technique and exploiting the blinding
properties of RSA. (We follow the blueprint of Lindell’s
recent work [33]. Roughly, a malicious party can only
9
cheat if all of the “opened” values are correct and all
of the “hidden” ones are incorrect. This allows us to
use fewer values in order to more efficiently achieve a
better security level.)
Thus, instead of asking T to provide just one (c, h)
pair, T will be asked to provide m + n pairs (Step 3).
Then, we use cut and choose: A asks T to “open” n
of these pairs, by revealing the randomly-chosen keys
ki ’s used to create each of the n pairs (Step 7). For
a malicious T to successfully cheat A, it would have
to correctly guess all the n “challenge” pairs and form
them properly (so it does not get caught), while at the
same time malforming all the m unopened pairs (so it
can claim a bitcoin from A without actually solving the
puzzle). Since T cannot predict which pairs A asks it
to open,
T can only cheat with very low probability
1/ m+nn .
However, we have a problem. Why should T agree
to open any of the (c, h) values that it produced? If A
received the opening of a correctly formed (c, h) pair,
she would be able to obtain a puzzle solution without
paying a bitcoin. As such, we introduce the notion of
“fake values”. Specifically, the n (c, h)-pairs that A asks
T to open will open to “fake values” rather than “real”
puzzles. Before T agrees to open them (Step 7), A must
prove that these n values are indeed fake (Step 6).
We must also ensure that T cannot distinguish “real
puzzles” from “fake values”. We do this with RSA
blinding. The real puzzle y is blinded m times with
different RSA-blinding factors (Step 1), while the n
fake values are RSA-blinded as well (Step 2). Finally,
A randomly permutes the real and fake values (Step 3).
Once Alice confirms the correctness of the opened
“fake” (c, h) values (Step 7), she signs a transaction
Tpuzzle offering one bitcoin for the keys k that open all
of the m “real” (c, h) values (Step 8). But what if Alice
cheated, so that each of the “real” (c, h) values opened
to the solution to a different puzzle? This would not be
fair to T , since A has only paid for the solution to a
single puzzle, but has tricked T into solving multiple
puzzles. We solve this problem in Step 9: once A posts
Tpuzzle , she proves to T that all m “real” values open to
the same puzzle y. This is done by revealing the RSA-
blinding factors blinding puzzle y. Once T verifies this,
T agrees to post Tsolve which reveals m of the k values
that open “real” (c, h) pairs (Step 10). A gets a valid
solution to puzzle y if at least one of the real (c, h)
pairs is validly formed (Step 11).
C. Fair Exchange
Fair exchange exchange entails the following: (1)
Fairness for T : After one execution of the protocol A
will learn the correct solution y d mod N to at most
one puzzle y of her choice. (2) Fairness for A: T will
earn 1 bitcoin iff A obtains a correct solution.
 Public input: (e, N ).
π proves validity of (e, N ) in a one-time-only setup phase.
Alice A Tumbler T
Input: Puzzle y Secret input: d

1. Prepare Real Puzzles R

For j ∈ [m], pick rj ∈ Z∗N
dj ← y · (rj )e mod N

2. Prepare Fake Values F

For i ∈ [n], pick ρi ∈ Z∗N
δi ← (ρi )e mod N

3. Mix Sets.
Randomly permute 4. Evaluation
{d1 . . . dm , δ1 . . . δn } For i = 1 . . . m + n
β1 ...βm+n
to {β1 . . . βm+n } −−−−−−→ Evaluate βi : si = βid mod N
Let R be the indices of the di Encrypt the result si :
Let F be the indices of the δi – Choose random ki ∈ {0, 1}λ1
– ci = H prg (ki ) ⊕ si
Commit to the keys: hi = H(ki )
c1 ,...,cm+n
←−−−−−−−
h1 ,...,hm+n
←−−−−−−−
F,ρi ∀i∈F
5. Identify Fake Set F −−−−−−→ 6. Check Fake Set F
For all i ∈ F :
Verify βi = (ρi )e mod N ,
If yes, reveal ki ∀i ∈ [F ].
7. Check Fake Set F Else abort.
k ∀i∈F
For all i ∈ F , i
←− −−−−
Verify that hi = H(ki )
Decrypt si = H prg (ki ) ⊕ ci
Verify si = ρi mod N
Abort if any check fails.

8. Post transaction Tpuzzle

Tpuzzle offers 1 bitcoin within timewindow tw 1
under condition “the fulfilling transaction is
signed by T and has preimages of hj ∀j ∈ R”.
9. Check βj unblind to y ∀j ∈ R
y, rj ∀j∈R
−−−−−−−→ For all j ∈ R
Verify βj = y · (rj )e mod N
If not, abort.

10. Post transaction Tsolve

Tsolve contains kj ∀j ∈ R
11. Obtain Puzzle Solution
For j ∈ R:
Learn kj from Tsolve
Decrypt cj to sj = H prg (kj ) ⊕ cj
If sj is s.t. (sj )e = βj mod N ,
Obtain solution sj /rj mod N
which is y d mod N .
Fig. 3. RSA puzzle solving protocol. H and H prg are modeled as random oracles. In our implementation, H is RIPEMD-160, and H prg is
ChaCha20 with a 128-bit key, so that λ1 = 128.

10
 We prove this using the real-ideal paradigm [22].
We call the ideal functionality Ffair-RSA and present it in
Appendix C. Ffair-RSA acts like a trusted party between
A and T . Ffair-RSA gets a puzzle-solving request (y, 1
bitcoin) from A, and forwards the request to T . If T
agrees to solve puzzle y for A, then T gets 1 bitcoin
and A gets the puzzle solution. Otherwise, if T refuses,
A gets 1 bitcoin back, and T gets nothing. Fairness for
T is captured because A can request a puzzle solution
only if she sends 1 bitcoin to Ffair-RSA . Fairness for B is
captured because T receives 1 bitcoin only if he agrees
to solve the puzzle. The following theorem is proved in
Appendix E:
Theorem 1: Let λ be the security parameter, m, n
be statistical security parameters, let N > 2λ . Let π be
a publicly verifiable zero-knowledge proof that fRSA
with parameters (N, e) is defines a permutation over ZN
and a proof of knowledge for the associated secret key
d. If the RSA assumption holds in ZN , and if functions
H prg , H are independent random oracles, there exists a
negligible function ν, such that protocol in Figure 3
securely realizes Ffair-RSA in the random oracle model
with the following security guarantees. The security for
T is 1 − ν(λ) while security for A is 1 − m+n1
− ν(λ).
( n )
D. Solving Many Puzzles and Moving Off-Blockchain
To integrate the protocol in Figure 3 into TumbleBit,
we have to deal with three issues. First, if TumbleBit
is to scale Bitcoin (Section III-B), then Alice A must
be able to use only two on-blockchain transactions
Tescr(A,T ) and Tcash(A,T ) to pay for the an arbitrary
number of Q puzzle solutions (each worth 1 bitcoin)
during the Payment Phase; the protocol in Figure 3
only allows for the solution to a single puzzle. Second,
per Section III-B, the puzzle-solving protocol should
occur entirely off-blockchain; the protocol in Figure 3
uses two on-blockchain transactions Tpuzzle and Tsolve .
Third, the Tsolve transactions are longer than typical
transactions (since they contain m hash preimages), and
thus require higher transaction fees.
To deal with these issues, we now present a fair-
exchange protocol that uses only two on-blockchain
transactions to solve an arbitrary number of RSA
puzzles.
Escrow Phase. Before puzzle solving begins, Alice
posts a 2-of-2 escrow transaction Tescr(A,T ) to the
blockchain that escrows Q bitcoins, (per Section III-B).
Tescr(A,T ) is timelocked to time window tw 1 , and
stipulates that the escrowed bitcoins can be transferred
to a transaction signed by both A and T .
Payment Phase. Alice A can buy solutions for up to
Q puzzles, paying 1 bitcoin for each. Tumbler T keeps
a counter of how many puzzles it has solved for A,
making sure that the counter does not exceed Q. When
A wants her ith puzzle solved, she runs the protocol in
11
Figure 3 with the following modifications after Step 8
(so that it runs entirely off-blockchain):
(1) Because the Payment Phase is off-blockchain,
transaction Tpuzzle from Figure 3 is not posted to the
blockchain. Instead, Alice A forms and signs transaction
Tpuzzle and sends it to the Tumbler T . Importantly,
Tumbler T does not sign or post this transaction yet.
(2) Transaction Tpuzzle points to the escrow trans-
action Tescr(A,T ) ; Tpuzzle changes its balance so that T
holds i bitcoin and Alice A holds Q − i bitcoins. Tpuzzle
is timelocked to time window tw 1 and stipulates the
same condition in Figure 3: “the fulfilling transaction is
signed by T and has preimages of hj ∀j ∈ R.”
(Suppose that T deviates from this protocol, and
instead immediately signs and post Tpuzzle . Then the
bitcoins in Tescr(A,T ) would be transferred to Tpuzzle .
However, these bitcoins would remain locked in Tpuzzle
until either (a) the timelock tw expired, at which point
Alice A could reclaim her bitcoins, or (b) T signs and
posts a transaction fulfilling the condition in Tpuzzle ,
which allows Alice to obtain the solution to her puzzle.)
(3) Instead of revealing the preimages kj ∀j ∈ R in
an on-blockchain transaction Tsolve as in Figure 3, the
Tumbler T just sends the preimages directly to Alice.
(4) Finally, Alice A checks that the preimages open
a valid puzzle solution. If so, Alice signs a regular cash-
out transaction Tcash(A,T ) (per Section III-B). Tcash(A,T )
points to the escrow transaction Tescr(A,T ) and reflects
the new balance between A and T .
At the end of the ith payment, the Tumbler T should
have two new signed transactions from Alice: Tpuzzle (i)
and Tcash(A,T ) (i), each reflecting the (same) balance of
bitcoins between T (holding i bitcoins) and A (holding
Q−i bitcoins). However, Alice A already has her puzzle
solution at this point (step (4) modification above). What
if she refuses to sign Tcash(A,T ) (i)?
In this case, the Tumbler immediately begins to
cash out, even without waiting for the Cash-Out Phase.
Specifically, Tumbler T holds transaction Tpuzzle (i),
signed by A, which reflects a correct balance of i
bitcoins to T and Q − i bitcoins to A. Thus, T signs
Tpuzzle (i) and posts it to the blockchain. Then, T claims
the bitcoins locked in Tpuzzle (i) by signing and posting
transaction Tsolve . As in Figure 3, Tsolve fulfills Tpuzzle
by containing the m preimages kj ∀j ∈ R. The bitcoin
in Tescr(A,T ) will be transferred to Tpuzzle and then to
Tsolve and thus to the Tumbler T . The only harm done is
that T posts two longer transactions Tpuzzle (i), Tsolve (i)
(instead of just Tcash(A,T ) ), which require higher fees
to be confirmed on the blockchain. (Indeed, this is why
we have introduced the Tcash(A,T ) (i) transaction.)
Cash-Out Phase. Alice has j puzzle solutions once
the the Payment Phase is over and the Cash-Out Phase
begins. If the Tumbler T has a transaction Tcash(A,T ) (j)
signed by Alice, the Tumbler T just signs and post this
transaction to the blockchain, claiming its j bitcoins.
We implement this protocol and evaluate its perfor-
mance in Table II and Section VIII-B.
VI. P UZZLE -P ROMISE P ROTOCOL
We present the puzzle-promise protocol run be-
tween B and T in the Escrow Phase. Recall from
Section III-A, that the goal of this protocol is to
provide Bob B with a puzzle-promise pair (c, z). The
“promise” c is an encryption (under key ) of the
Tumbler’s ECDSA-Secp256k1 signature σ on the trans-
action Tcash(T ,B) which transfers the bitcoin escrowed
in Tescr(T ,B) from T to B. Meanwhile the RSA-puzzle
z hides the encryption key  per equation (1).
If Tumbler T just sent a pair (c, z) to Bob, then
Bob has no guarantee that the promise c is actually
encrypting the correct signature, or that z is actually
hiding the correct encryption key. On the other hand, T
cannot just reveal the signature σ directly, because Bob
could use σ to claim the bitcoin escrowed in Tescr(T ,B)
without actually being paid (off-blockchain) by Alice A
during TumbleBit’s Payment Phase.
To solve this problem, we again use cut and choose:
we ask T to compute many puzzle-promise pairs
(ci , zi ), and have Bob B test that some of the pairs are
computed correctly. As in Section V-B, we use “fake”
transactions (that will be “opened” and used only to
check if the other party has cheated) and “real” trans-
actions (that remain “unopened” and result in correctly-
formed puzzle-promise pairs). Cut-and-choose guaran-
tees that B knows that at least one of the unopened pairs
is correctly formed. However, how does B know which
puzzle zi is correctly formed? Importantly, B can only
choose one puzzle zi that he will ask Alice A to solve
during TumbleBit’s Payment Phase (Section III-A). To
deal with this, we introduce an RSA quotient-chain
technique that ties together all puzzles zi so that solving
one puzzle zj1 gives the solution to all other puzzles.
In this section, we assume that B wishes to obtain
only a single payment of denomination 1 bitcoin; the
protocol as described in Figure 4 and Section VI-A
suffices to run TumbleBit as a classic tumbler. We
discuss its security properties in Section VI-B and
implementation in Section VIII-B. In Appendix A and
Figure 6, we show how to modify this protocol so
that it allows B to receive arbitrary number of Q
off-blockchain payments using only two on-blockchain
transactions.
A. Protocol Walk Through
B prepares µ distinct “real” transactions and η
“fake” transactions, hides them by hashing them with
H 0 (Step 2-3), permutes them (Step 4), and finally sends
them to T as β1 , ..., βm+n . In Step 5, T signs each βi
12
to create an ECDSA-Secp256k1 signature σi . Each σi is
then hidden inside an promise ci which can decrypted
with key i . Finally, T hides each i (the encryption
keys) in an RSA puzzle zi per equation (1). As each i is
uniformly chosen at random, puzzle zi computationally
hides its solution i , under the RSA assumption7 .
Next, B needs to check that the η “fake” (ci , zi )
pairs are correctly formed by T (Step 8). To do this,
B needs T to provide the solutions i to the puzzles
zi in fake pairs. T reveals these solutions only after
B has proved that the η pairs really are fake (Step 7).
Once this check is done, B knows that T can cheat with
probability less than 1/ µ+η .


η
Now we need our new trick. We want to ensure that
if at least one of the “real” (ci , zi ) pairs opens to a valid
ECDSA-Secp256k1 signature σi , then just one puzzle
solution i with i ∈ R, can be used to open this pair.
(We need this because B must decide which puzzle zi
to give to the payer A for decryption without knowing
which pair (ci , zi ) is validly formed.) We solve this by
having T provide B with µ − 1 quotients (Step 9).
j jµ
q2 = 2 , , . . . , qµ = mod N
j 1 jµ−1
where {j1 , . . . , jµ } = R are the indices for the “real”
values. This solves our problem since knowledge of
 = j1 allows B to recover of all other ji , since
ji = 1 · q2 ·, . . . , ·qi
On the flip side, what if B obtains more than one valid
ECDSA-Secp256k1 signatures by opening the (ci , zi )
pairs? Fortunately, however, we don’t need to worry
about this. The escrow transaction Tescr(T ,B) offers 1
bitcoin in exchange for a ECDSA-Secp256k1 signature
under an ephemeral key PK eph T used only once during
this protocol execution with this specific payee B. Thus,
even if B gets many signatures, only one can be used
to form the cash-out transaction Tcash(T ,B) that redeems
the bitcoin escrowed in Tescr(T ,B) .
B. Security Properties
We again capture the security requirements of the
puzzle-promise protocol using real-ideal paradigm [22].
The ideal functionality Fpromise-sign is presented in Ap-
pendix D. Fpromise-sign is designed to guarantee the
following properties: (1) Fairness for T : Bob B learns
nothing except signatures on fake transactions. (2) Fair-
ness for B: If T agrees to complete the protocol, then
Bob B obtains at least one puzzle-promise pair. To do
this, Fpromise-sign acts a trusted party between B and
T . Bob B sends the “real” and “fake” transactions to
Fpromise-sign . Fpromise-sign has access to an oracle that can
compute the Tumbler’s T signatures on any messages.
(This provides property (2).) Then, if Tumbler T agrees,
7 Since we model hash functions as random oracles we can prove
i is computationally hidden when the hash of i encrypts σi to ci .
 Public input: (e, N, PK eph
T , π).
Tumbler T chooses fresh ephemeral ECDSA-Secp256k1 key, i.e., bitcoin address (SK eph eph
T , PK T ).
π proves validity of (e, N ) in a one-time-only setup phase.
Bob B Tumbler T . Secret input: d

1. Set up Tescr(T ,B)

Sign but do not post transaction Tescr(T ,B)
timelocked for tw 2 offering one bitcoin
under the condition: “the fulfilling transaction
must be signed under key PK eph T and
2. Prepare µ Real Unsigned Tcash(T ,B) . under key PK B .”
Tescr(T ,B)
For i ∈ 1, . . . , µ: ←−−−−−−
Choose random pad ρi ← {0, 1}λ
Set Tcash(T ,B) i = CashOutTFormat(ρi )
hti = H 0 (Tfulfill i ).

3. Prepare Fake Set.

For i ∈ 1, . . . , η:
Choose random pad ri ← {0, 1}λ
f ti = H 0 (FakeFormat||ri ).

4. Mix Sets.
Randomly permute
{f t1 , ..., f tη , ht1 , ..., htµ }
to obtain {β1 , ...βµ+η }
Let R be the indices of the hti
Let F be the indices of the f ti
β1 ...βµ+η
−−−−−−→
Choose salt ∈ {0, 1} λ

Compute: hR = H(salt||R)
hF = H(salt||F ) 5. Evaluation.
hR ,hF
−−−−→ For i = 1, . . . , µ + η:
ECDSA sign βi to get σi = Sig(SK eph T , βi )
Randomly choose i ∈ ZN .
Create promise ci = H shk (i ) ⊕ σi
Create puzzle zi =fRSA (i , e, N )
(c1 ,z1 ),...(cµ+η ,zµ+η )
←−−−−−−−−−−−−−− i.e., zi = (i )e mod N
R,F
6. Identify Fake Set. −−→
r ∀i∈F
i
−− −−−→
salt
−−→ 7. Check Fake Set.
Check hR = H(salt||R) and hF = H(salt||F )
For all i ∈ F :
8. Check Fake Set. verify βi = H 0 (FakeFormat||ri )
 ∀i∈F
For all i ∈ F i
←− −−−− Abort if any check fails
- Validate that i < N
- Validate RSA puzzle zi = (i )e mod N
- Validate promise ci :
(a) Decrypt σi = H shk (i ) ⊕ ci
(b) Verify σi , i.e.,
ECDSA-Ver(PK eph 0
T , H (f ti ), σi ) = 1 9. Prepare Quotients.
Abort if any check fails For R = {j1 , ..., jµ }:
q2 ,...,qµ  jµ
←−−−−− set q2 = jj2 , ..., qµ = jµ−1
1
10. Quotient Test.
For R = {j1 , ..., jµ } check equalities:
zj2 = zj1 · (q2 )e mod N
...
zjµ = zjµ−1 · (qµ )e mod N
Abort if any check fails 11. Post transaction Tescr(T ,B) on blockchain

12. Begin Payment Phase.

Set z = zj1 . Send z̄ = z · (r)e to Payer A

Fig. 4. Puzzle-promise protocol when Q = 1. (d, (e, N )) are the RSA keys for the tumbler T . (Sig, ECDSA-Ver) is an ECDSA-Secp256k1
signature scheme. We model H, H 0 and H shk as random oracles. In our implementation, H is HMAC-SHA256 (keyed with salt) . H 0 is
13 used in Bitcoin’s “hash-and-sign” paradigm with ECDSA-Secp256k1.
‘Hash256’, i.e., SHA-256 cascaded with itself, which is the hash function
H shk is SHA-512. CashOutTFormat is shorthand for the unsigned portion of a transaction that fulfills Tescr(T ,B) . The protocol uses ρi to
ensure the output of CashOutTFormat contains sufficient entropy. FakeFormat is a distinguishable public string.
Fpromise-sign provides Bob B with signatures on each
“fake” transaction only. (This provides property (1).)
The following theorem is proved in Appendix F:
Theorem 2: Let λ be the security parameter, m, n
be statistical security parameters, let N > 2λ . Let π be
a publicly verifiable zero-knowledge proof that fRSA
with parameters (N, e) defines a permutation over ZN
and a proof of knowledge for the associated secret
key d. If RSA trapdoor function is hard in ZN , if
H, H 0 , H shk are independent random oracles, if ECDSA
is strong existentially unforgeable signature scheme,
then the puzzle-promise protocol in Figure 4 securely
realizes the Fpromise-sign functionality. The security for
T is 1 − ν(λ) while security for B is 1 − µ+η 1
− ν(λ).
( η )
VII. T UMBLE B IT S ECURITY
We discuss TumbleBit’s unlinkability and balance
properties. See Section III-C for DoS/Sybil resistance.
A. Balance
The balance was defined, at high-level, in Sec-
tion III-C. We analyze balance in several cases.
Tumbler T ∗ is corrupt. We want to show that all the
bitcoins paid to T by all Aj ’s can be later claimed
by the Bi ’s. (That is, a malicious T ∗ cannot refuse a
payment to Bob after being paid by Alice.) If Bi suc-
cessfully completes the puzzle-promise protocol with
T ∗ , fairness for this protocol guarantees that Bi gets
a correct “promise” c and puzzle z. Meanwhile, the
fairness of the puzzle-solver protocol guarantees that
each Aj gets a correct puzzle solution in exchange for
her bitcoin. Thus, for any puzzle z solved, some Bi
can open promise c and form the cash-out transaction
Tcash(T ,B) that allows Bi to claim one bitcoin. Moreover,
transaction Tescr(A,T ) has timelock tw 1 and transaction
Tescr(T ,B) has timelock tw 2 . Since tw 1 < tw 2 , it
follows that either (1) T ∗ solves A’s puzzle or (2)
A reclaims the bitcoins in Tescr(A,T ) (timelock tw 1 ),
before T can (3) steal a bitcoin by reclaiming the
bitcoins in Tescr(T ,B) (timelock tw 2 ).
Case A∗j and Bi∗ are corrupt. Consider colluding payers
Bi∗ and payees A∗j . We show that the sum of bitcoins
cashed out by all Bi∗ is no more than the number of
puzzles solved by T in the Payment Phase with all A∗j .
First, the fairness of the puzzle-promise protocol
guarantees that any Bi∗ learns only (c, z) pairs; thus,
by the unforgeability of ECDSA signatures and the
hardness of solving RSA puzzles, B ∗ cannot claim
any bitcoin at the end of the Escrow Phase. Next, the
fairness of the puzzle-solver protocol guarantees that
if T completes SPj successful puzzle-solver protocol
executions with A∗j , then A∗j gets the solution to exactly
SPj puzzles. Payees Bi∗ use the solved puzzles to
claim bitcoins from T . By the unforgeability of ECDSA
signatures (and assuming that the blockchain prevents
14
double-spending), all colluding Bi∗ cash-out no more
than min(t, j SPj ) bitcoin in total, where t is the
P
total number of bitcoins escrowed by T across all Bi∗ .
Case Bi∗ and T collude. Now suppose that Bi∗ and
T ∗ collude to harm Aj . Fairness for Aj still follows
directly from the fairness of the puzzle-solver protocol.
This follows because the only interaction between Aj
and Bi∗ is the exchange of a puzzle (and its solution).
No other secret information about Aj is revealed to Bi∗ .
Thus, Bi∗ cannot add any additional information to the
view of T , that T can use to harm fairness for Aj .
We do note, however, that an irrational Bob Bi∗ can
misbehave by handing Alice Aj an incorrect puzzle z ∗ .
In this case, the fairness of the puzzle-solver protocol
ensures that Alice Aj will pay the Tumbler T for a
correct solution ∗ to puzzle z ∗ . As such, Bob Bi will
be expected to provide Alice Aj with the appropriate
goods or services in exchange for the puzzle solution
∗ . However, the puzzle solution ∗ will be of no value
to Bob Bi , i.e., Bob cannot use ∗ to claim a bitcoin
during the Cash-Out Phase. It follows that the only party
harmed by this misbehavior is Bob Bi himself. As such,
we argue that such an attack is of no importance.
Case A∗j and T collude. Similarly, even if A∗j and T
collude, fairness for an honest Bi still follows from the
fairness of the puzzle-promise protocol. This is because
A∗j ’s interaction with Bi is restricted in receiving a
puzzle z, and handing back a solution. While A∗j can
always give Bi an invalid solution ∗ , Bi can easily
check that the solution is invalid (since (∗ )e 6= z
mod N ) and refuse to provide goods or services.
Case A∗j , Bi∗ and T collude. Suppose A∗j , Bi∗ and T
all collude to harm some other honest A and/or B. This
can be reduced to one of the two cases above because
an honest A will only interact with Bi∗ and T ∗ , while
an honest B will only interact with A∗j and T .
B. Unlinkability
Unlinkability is defined in Section III-C and must
hold against a T that does not collude with other users.
We show that all interaction multi-graphs G compatible
with T ’s view are equally likely.
First, note that all TumbleBit payments have the
same denomination (1 bitcoin). Thus, T ∗ cannot learn
anything by correlating the values in the transactions.
Next, recall from Section III-A, that all users of Tum-
bleBit coordinate on phases and epochs. Escrow trans-
actions are posted at the same time, during the Escrow
Phase only. All Tescr(T ,B) cash-out transactions are
posted during the Cash-Out Phase only. All payments
made from Ai and Bj occur during the Payment Phase
only, and payments involve no direct interaction be-
tween T and B. This rules out timing attacks where the
Tumbler purposely delays or speeds up its interaction
with some payer Aj , with the goal of distinguishing
some behavior at the intended payee Bi . Even if the
Tumbler T ∗ decides to cash-out with Aj before the
Payment Phase completes (as is done in Section V-D
when Aj misbehaves), all the Bi still cash out at the
same time, during the Cash-Out Phase.
Next, observe that transcripts of the puzzle-
promise and puzzle-solver protocols are information-
theoretically unlinkable. This follows because the puz-
zle z used by any Aj in the puzzle-solver protocol is
equally likely to be the blinding of any of the puzzles z
that appear in the puzzle-promise protocols played with
any Bi (see Section III-A, equation (2)).
Finally, we assume secure channels, so that T ∗
cannot eavesdrop on communication between Aj ’s and
Bi ’s, and that T ∗ cannot use network information to
correlate Aj ’s and Bi ’s (by e.g., observing that they
share the same IP address). Then, the above two obser-
vations imply that all interaction multi-graphs, that are
compatible with the view of T ∗ , are equally likely.
C. Limitations of Unlinkability
TumbleBit’s unlinkability (see Section III-C) is in-
spired by Chaumian eCash [17], and thus suffers from
similar limitations. (Section VII-D discusses the lim-
itations of Chaumian eCash [17] in more detail.) In
what follows, we assume that Alice has a single Bitcoin
address Addr A , and Bob has Bitcoin address Addr B .
Alice/Tumbler collusion. Our unlinkability defini-
tion assumes that the Tumbler does not collude with
other TumbleBit users. However, collusion between the
Tumbler and Alice can be used in a ceiling attack.
Suppose that some Bob has set up a TumbleBit payment
channel that allows him to accept up to Q TumbleBit
payments, and suppose that Bob has already accepted Q
payments at time t0 of the Payment Phase. Importantly,
the Tumbler, working alone, cannot learn that Bob is no
longer accepting payments after time t0 . (This follows
because the Tumbler and Bob do not interact during the
Payment Phase.) However, the Tumbler can learn this by
colluding with Alice: Alice offers to pay Bob at time t0 ,
and finds that Bob cannot accept her payment (because
Bob has “hit the ceiling” for his payment channel). Now
the Tumbler knows that Bob has obtained Q payments at
time t0 , and he can rule out any compatible interaction
graphs that link any payment made after time t0 to Bob.
The ceiling attack assumes that Bob allows any
Alice to pay him whenever she wants. However, we can
rule out ceiling attacks if every Bob always initiates
every interaction with Alice. Alternatively, Bob’s can
ensure that his payment channel allows him to accept
significantly more payments that was he expects to
receive during an epoch. Another idea is to stagger
TumbleBit epochs, so that multiple epochs take place
simultaneously. Then, if Bob’s escrow from one epoch
runs out, he can start making payments to his escrow
in the next epoch.
15
Thus, suppose we eliminate ceiling attacks. Then,
the puzzle z provided by Bob cannot be linked to
any payee Bitcoin address Addr B1 , ..., Addr Bι that has
escrowed Bitcoins with the Tumbler, even if Alice and
the Tumbler collude.8 This property is useful when
Alice is able to pay Bob without learning Bob’s true
identity, e.g., when Bob is a Tor hidden service.
Bob/Tumbler collusion. Bob and the Tumbler can
collude to learn the true identity of Alice. Importantly,
this collusion attack is useful only if Bob can be paid by
Alice without learning her true identity (e.g., if Alice is
a Tor user). The attack is simple. Bob reveals the blinded
puzzle value z to the Tumbler. Now, when Alice asks
that Tumbler to solve puzzle z, the Tumbler knows that
this Alice is attempting to pay Bob. Specifically, the
Tumbler learns that Bob was paid by the Bitcoin address
Addr A that paid for the solution to puzzle z.
There is also a simple way to mitigate this attack.
Alice chooses a fresh random blinding factor r0 ∈ ZN ∗
and asks the Tumbler to solve the double-blinded puzzle
z = (r0 )e · z mod N. (5)
Once the Tumbler solves the double-blinded puzzle z,
Alice can unblind it by dividing by r0 and recovering
the solution to single-blinded puzzle z. This way, the
Tumbler cannot link the double-blinded puzzle z from
Alice to the single-blinded puzzle z from Bob.
However, even with double blinding, there is still a
timing channel. Suppose Bob colludes with the Tum-
bler, and sends the blinded puzzle value z to both Alice
and the Tumbler at time t0 . The Tumbler can rule out
the possibility that any payment made by any Alice
prior to time t0 should be linked to this payment to
Bob. Returning to the terminology of our unlinkability
definition (Section III-C), this means that Bob and the
Tumbler can collude to use timing information to rule
out some compatible interaction graphs.
Potato attack. Our definition of unlinkability does
not consider external information. Suppose Bob sells
potatoes that costs exactly 7 bitcoins, and the Tumbler
knows that no other payee sells items that cost exactly 7
bitcoins. The Tumbler can use this external information
rule out compatible interaction graphs. For instance,
if Alice made 6 TumbleBit payments, the Tumbler
infers that Alice could not have bought Bob’s potatoes.
Similarly, if Alice made 7 TumbleBit payments in a
short time, the Tumbler might infer that Alice was
buying Bob’s potatoes.
8 To see why, recall that the only interaction between Alice and Bob
consists of Alice receiving the puzzle from Bob and then handing
back its solution. Since we assumed that Alice always gets a puzzle
from Bob, the only information that Alice gets from Bob is a blinded
puzzle z (which is information-theoretically unrelated to any puzzle
generated by Tumbler). But, z is the same puzzle that is used by Alice
in the interaction with Tumbler, and so the combined view of Tumbler
and Alice is the same as the view of Tumbler alone. Therefore, the
anonymity of Bob follows from the anonymity against a malicious
Tumbler only.
 Potato attacks could be mitigated by aggregating
payments (e.g., buying additional goods at the same
time as buying potatoes) or adding noise (i.e., by having
Alice set up an a TumbleBit payee address, and paying
that address each time she buys potatoes). This problem
seems similar to those tackled with differential-privacy.
Intersection attacks. Our definition of unlinkability
applies only to a single epoch. Thus, as mentioned in
Section IV-A and [13], [39], our definition does not rule
out the correlation of information across epochs.
Abort attacks. Our definition of unlinkability applies
to payments that complete during an epoch. It does not
account for information gained by strategically aborting
payments. As an example, suppose that the Tumbler
notices that during several TumbleBit epochs, (1) Alice
always makes a single payment, and (2) Bob hits the
ceiling for his payment channel. Now in the next epoch,
the Tumbler aborts Alice’s payment and notices that
Bob no longer hits his ceiling. The Tumbler might guess
that Alice was trying to pay Bob.
D. Limitations of Unlinkability for Chaumian eCash.
Attacks analogous to those in Section VII-C are also
possible for classic Chaumian eCash [17].
Chaumian eCash. With Chaumian eCash, a payee
Alice interacts with the Bank to withdraws Q eCash
coins. Each coin is an RSA blind signature σ (signed
by the Bank) on a blinded serial number sn (selected
by Alice). The blindness of the blind signature ensures
that the Bank does not learn the serial number sn
at the time the coin is withdrawn. To use the coin,
Alice unblinds the serial number to sn and signature
to σ and sends them to Bob. Upon receipt of the coin
(sn, σ), Bob must immediately interact with the Bank
to deposit and confirm the coin’s validity. To validate
the coin, the Bank simply checks that no coin deposited
earlier had the same serial number sn. Notice that the
view of the Chaumian Bank includes (1) the time and
value of each payment made to Bob, and (2) the time
and value of each withdrawal made by Alice. This
is slightly different than the view of our TumbleBit
Tumbler, which sees (1) the time and value of each
payment made by Alice (rather than by Bob), and (2)
value of the total number of payments received by Bob.
We now point out how the attacks in Section VII-C
can be launched on Chaumian eCash. Analogous to the
first attack in Section VII-C, Alice and the Bank can
collude to unmask Bob, as follows: Alice simply reveals
the serial number sn to the Bank, and the Bank links
sn to the deposit made by Bob. The Chaumian Bank
can also collude with Bob to perform a ceiling attack,
as follows: Suppose that Bob offers to sell Alice an
item worth 1 coin at time t0 , but Alice has no unspent
coins. If Alice either (1) refuses to buy the item, or (2)
withdraws an additional coin, then the Bank learns that
Alice has no unspent coins at time t0 and the ceiling
16
attack follows. To launch a potato attack, the Bank
observes that Alice withdrew only 6 coins after opening
her account with the Bank. However, a potato costs 7
coins, and so the Bank learns that Alice could not have
bought a potato. Finally, the Chaumian bank can launch
an abort attack identical to that of Section VII-C by
refusing to allow Alice to withdraw a coin.
VIII. I MPLEMENTATION
To show that TumbleBit is performant and com-
patible with Bitcoin, we implemented TumbleBit as a
classic tumbler. (That is, each payer and payee can
send/receive Q = 1 payment/epoch.) We then used
TumbleBit to mix bitcoins from 800 payers (Alice A)
to 800 payees (Bob B). We describe how our imple-
mentation instantiates our TumbleBit protocols. We then
measure the off-blockchain performance, i.e., compute
time, running time, and bandwidth consumed. Finally,
we describe two on-blockchain tests of TumbleBit.
A. Protocol Instantiation
We instantiated our protocols with 2048-bit RSA.
The hash functions and signatures are instantiated as
described in the captions to Figure 3 and Figure 4.9
Choosing m and n in the puzzle-solving protocol. Per
Theorem 1, the probability that T can cheat is param-
eterized by 1/ m+n where m is the number of “real”


m
values and n is the number of “fake” values in Figure 3.
From a security perspective, we want m and n to be
as large as possible, but in practice we are constrained
by the Bitcoin protocol. Our main constraint is that m
RIPEMD-160 hash outputs must be stored in Tpuzzle
of our puzzle-solver protocol. Bitcoin P2SH scripts
(as described below) are limited in size to 520 bytes,
which means m ≤ 21. Increasing m also increases the
transaction fees. Fortunately, n is not constrained by the
Bitcoin protocol; increasing n only means we perform
more off-blockchain RSA exponentiations. Therefore,
we chose m = 15 and n = 285 to bound T ’s
cheating probability to 2−80 . (2−80 equals RIPEMD-
160’s collision probability.)
Choosing µ and η in the puzzle-promise protocol.
Theorem
2 also allows T to cheat with probability
1/ µ+η
µ . However, this protocol has no Bitcoin-related
constraints on µ and η. Thus, we take µ = η = 42 to
achieve a security level of 2−80 while minimizing the
number of off-blockchain RSA computations performed
in Figure 4 (which is µ + η).
9 There were slight difference between our protocols as described
in this paper and the implementation used in some of the tests. In
Figure 3, A reveals blinds rj ∀j ∈ R to T , our implementation instead
reveals an encrypted version rje ∀j ∈ R. This change does not affect
performance, since A hold both rj and rje . Also, our implementation
omits the index hashes hR and hF from Figure 4; these are two 256-
bit hash outputs and thus should not significantly affect performance.
We have since removed these differences.
 TABLE III. AVERAGE OFF - BLOCKCHAIN RUNNING TIMES OF
T UMBLE B IT ’ S PHASES , IN SECONDS . (100 TRIALS )
Compute Running Time Running Time
Time (Boston-New York-Toronto) (Boston-Frankfurt-Tokyo)
Escrow 0.2052 0.3303 1.5503
Payment 0.3878 1.1352 4.3455
Cash-Out 0.0046 0.0069 0.0068
TABLE IV. T RANSACTION SIZES AND FEES IN OUR TESTS .
Transaction Size Satoshi/byte Fee (in BTC)
Tescr 190B 30 0.000057
Tcash 447B 30 0.000134
Trefund for Tescr 373B 30 0.000111
Tpuzzle 447B 15 0.000067
Tsolve 907B 15 0.000136
Trefund for Tpuzzle 651B 20 0.000130
Scripts. By default, Bitcoin clients and miners only
operate on transactions that fall into one of the five
standard Bitcoin transaction templates. We therefore
conform to the Pay-To-Script-Hash (P2SH) [3] tem-
plate. To format transaction Toffer (per Section II) as
a P2SH, we specify a redeem script (written in Script)
whose condition C must be met to fulfill the transaction.
This redeem script is hashed and stored in transaction
Toffer . To transfer funds out of Toffer , a transaction Tfulfill
is constructed. Tfulfill includes (1) the redeem script and
(2) a set of input values that the redeem script is run
against. To programmatically validate that Tfulfill can
fulfill Toffer , the redeem script Tfulfill is hashed, and
the resulting hash value is compared to the hash value
stored in Toffer . If these match, the redeem script is run
against the input values in Tfulfill . Tfulfill fulfills Toffer if
the redeem script outputs true. All our redeem scripts
include a time-locked refund condition, that allows the
party offering Toffer to reclaim the funds after a time
window expires. To do so, the party signs and posts
a refund transaction Trefund that points to Toffer and
reclaims the funds locked in Toffer . We reproduce our
scripts in Appendix I and Figure 9.
B. Off-Blockchain Performance Evaluation
We evaluate the performance for a run of our pro-
tocols between one payer Alice A, one payee Bob B
and the Tumbler T . We used several machines: an EC2
t2.medium instance in Tokyo (2 Cores at 2.50 GHz,
4 GB of RAM), a MacBook Pro in Boston (2.8 GHz
processor, 16 GB RAM), and Digital Ocean nodes in
New York, Toronto and Frankfurt (1 Core at 2.40 GHz
and 512 MB RAM).
Puzzle-solver protocol (Table II). The total network
bandwidth consumed by our protocol was 269 Kb,
which is roughly 1/8th the size of the “average web-
page” per [54] (2212 Kb). Next, we test the total (off-
blockchain) computation time for our puzzle-solver pro-
tocol (Section V-B) by running both parties (A and T )
on the Boston machine. We test the impact of network
latency by running A in Boston and T in Tokyo, and
then with T in New York. (The average Boston-to-
Tokyo Round Trip Times (RTT) was 187 ms and the
Boston-to-New York RTT was 9 ms.) From Table II, we
see the protocol completes in < 4 seconds, with running
17
time dominated by network latency. Indeed, even when
A and T are very far apart, our 2048-bit RSA puzzle
solving protocol is still faster than [37]’s 16x16 Sudoku
puzzle solving protocol, which takes 20 seconds.
TumbleBit as a classic tumbler (Table II). Next,
we consider classic Tumbler mode (Section IV). We
consider a scenario where A and B use the same
machine, because Alice A wants anonymize her bitcoin
by transferring it to a fresh ephemeral bitcoin address
that she controls. Thus, we run (1) A and B in Boston
and T in Tokyo, and (2) A and B in Boston and T
in New York. To prevent the Tumbler T for linking
A and B via their IP address, we also tested with
(a) B connecting to T over Tor, and (b) both A and
B connected through Tor. Per Table II, running time
is bound by network latency, but is < 11 seconds
even with when both parties connect to Tokyo over
Tor. Connecting to New York (in clear) results in ≈ 1
second running time. Compute time is only 0.6 seconds,
again measured by running A, B and T on the Boston
machine. Thus, TumbleBit’s performance, as a classic
Tumbler, is bound by the time it takes to confirm 2
blocks on the blockchain (≈ 20 minutes).
Performance of TumbleBit’s Phases. (Table III) Next,
we break out the performance of each of TumbleBit’s
phases when Q = 1. We start by measuring compute
time by running all A, B and T on the Boston machine.
Then, we locate each party on different machines. We
first set A in Toronto, B in Boston and T in New York
and get RTTs to be 22 ms from Boston to New York, 23
ms from New York to Toronto, and 55 ms from Toronto
to Boston. Then we set A in Frankfurt, B in Boston and
T in Tokyo and get RTTs to be 106 ms from Boston
to Frankfurt, 240 ms from Frankfurt to Tokyo, and 197
ms from Tokyo to Boston. An off-blockchain payment
in the Payment Phase completes in under 5 seconds and
most of the running time is due to network latency.
C. Blockchain Tests
Our on-blockchain tests use TumbleBit as a classic
tumbler, where payers pay themselves into a fresh
ephemeral Bitcoin address. All transactions are visible
on the blockchain. Transaction IDs (TXIDs) are hyper-
linked below. The denomination of each TumbleBit pay-
ment (i.e., the price of puzzle solution) was 0.0000769
BTC (roughly $0.04 USD on 8/15/2016). Table IV
details the size and fees10 used for each transaction.
Test where everyone behaves. In our first test, all
parties completed the protocol without aborting. We
tumbled 800 payments between ℵ = 800 payers and
ℵ = 800 payees, resulting in 3200 transactions posted
10 We use a lower transaction fee rate of 15 Satoshi/byte (see
Table IV) for Tpuzzle and Tsolve because we are in less of hurry to
have them confirmed. Specifically, if A refuses to sign Tcash(A,T ) ,
then T ends the Payment Phase with A early (even before the Cash-
Out Phase begins), and immediately posts Tpuzzle and then Tsolve to
the blockchain. See Section V-D.
 TABLE II. AVERAGE PERFORMANCE OF RSA- PUZZLE - SOLVER AND CLASSIC TUMBLER , IN SECONDS . (100 TRIALS ).
Compute Running Time RTT Running Time RTT
Bandwidth
Time (Boston-New York) (Boston-New York) (Boston-Tokyo) (Boston-Tokyo)
RSA-puzzle-solving protocol 0.398 0.846 0.007949 4.18 0.186 269 KB
Classic Tumbler (in clear) 0.614 1.190 0.008036 5.99 0.187 326 KB
Classic Tumbler (B over Tor) 0.614 3.10 0.0875 8.37 0.273 342 KB
Classic Tumbler (Both over Tor) 0.614 6.84 0.0875 10.8 0.273 384 KB

to the blockchain and a k-anonymity of k = 800.The
puzzle-promise escrow transactions Tescr(T ,B) are all
funded from this TXID and the puzzler-solver escrow
transactions Tescr(A,T ) are all funded from this TXID.
This test completed in 23 blocks in total, with Escrow
Phase completing in 16 blocks, Payment Phase taking
1 block, and Cash-Out Phase completing in 6 blocks.
We note, however, that our protocol could also have
completed much faster, e.g., with 1 block for the Escrow
Phase, and 1 block for the Cash Out Phase. A Bitcoin
block can typically hold ≈ 5260 of our 2-of-2 escrow
transactions Tescr and ≈ 2440 of our cash-out transac-
tion Tcash . We could increase transaction fees to make
sure that our Escrow Phase and Cash-Out phase (each
confirming 2×800 transactions) occur within one block.
In our tests, we used fairly conservative transaction
fees (Table IV). While the exact fees needed vary from
minute to minute, doubling our fees to 60 Satoshi per
Byte should be sufficient under standard transaction
volume.11 As a classic Tumbler, we therefore expect
TumbleBit to have a higher denomination than the
0.0000769 BTC we used for our test. For instance,
transaction fees of 60 Satoshi per Byte (0.0007644
BTC/user) are ≈ 1/1000 of a denomination of 0.5 BTC.
Test with uncooperative behavior. Our second run of
only 10 users (5 payers and 5 payees) demonstrates
how fair exchange is enforced in the face of uncooper-
ative or malicious parties. Transactions Tescr(A,T ) and
Tpuzzle were timelocked for 10 blocks and Tescr(T ,B)
was timelocked for 15 blocks. All escrow transactions
Tescr(A,T ) are funded by TXID and all escrow trans-
actions Tescr(T ,B) are funded by TXID. Two payer-
payee pairs completed the protocol successfully. For the
remaining three pairs, some party aborted the protocol:
Case 1: The Tumbler T (or, equivalently, Alice A1 )
refused to cooperate after the Escrow Phase. Alice A1
reclaims her bitcoins from escrow transaction Tescr(A,T )
10 This test, all escrow transactions T
escr(A,T ) and Tcash(T ,B) had
the same timelock tw 2 and Tpuzzle had a timelock of tw1 , where
tw 1 < tw 2 . Also, we also modify the protocol description in in Step
(2) of Section V-D to have both A and T sign Tpuzzle during the
Payment Phase without posting it to the blockchain. (We can do this
because Alice is only making a single payment in this epoch (i.e.,
Q = 1).) Then, if a malicious Tumbler tried to from steal bitcoins
(per the ‘Tumbler is corrupt’ case of Section VII-A), A could protect
herself by posting Tpuzzle to the blockchain, and reclaim the bitcoins
locked in Tpuzzle after its timelock tw 1 expires, but prior to tw 2.
11 For instance, in a 24 hour window starting on Aug 12 2016, all
188K transactions with a fee ≥ 41 Satoshi/Byte were confirmed in
the next block. A precise model of current Bitcoin miner behavior,
under different fees rates and transaction volumes, remains an open
research question. [42] analyzes transaction priority and fee rates but
uses older data which no longer reflects current trends.
Block Height
425500 { Escrow Phase
425502 Tescr(𝓐, 𝓣) & Tescr(𝓣, 𝓑)
425505 { Case 2 & 3: Tpuzzle
Case 3: Tsolve
425507
425509 { Case 1: Tescr(𝓐, 𝓣) Refund
Case 2: Tpuzzle Refund
425511
425514 { Case 1 & 2: Tescr(𝓣, 𝓑) Refund
425527
Fig. 5. Timeline of test with uncooperative behavior, showing block
height when each transaction was confirmed.
via a refund transaction after the timelock expires.
Tescr(A,T ) was timelocked for 10 blocks, and the refund
transaction was confirmed 8 blocks after Tescr(A,T ) was
confirmed. The Tumbler T reclaims its bitcoins from
his payment channel with Bob B1 escrow transaction
Tescr(T ,B) via a refund transaction after the timelock
expires. Tescr(T ,B) was timelocked for 15 blocks, and
the refund transaction was confirmed 25 blocks after
Tescr(T ,B) was confirmed.
Case 2: The Tumbler aborts the puzzle-solver protocol
by posting the transaction Tpuzzle but refusing to provide
the transaction Tsolve . (Per Section V-D, to meet the
condition in Tpuzzle and claim its bitcoins, the Tumbler
T has to post Tsolve that reveal a set of preimages.
Because the Tumbler refuses to post Tsolve , thus refusing
to solve Alice’s puzzle, Alice’s bitcoins are locked in
Tpuzzle until its timelock expires.) No payment com-
pletes from A2 to B2 . Instead, A2 reclaims her bitcoin
from Tpuzzle via a refund transaction after the timelock
in Tpuzzle expires. The refund transaction was confirmed
4 blocks after Tpuzzle was confirmed. Tumbler reclaims
its bitcoins from its payment channel with Bob B2 via
a refund transaction after the timelock on the escrow
transaction Tescr(T ,B) expires. The refund transaction
was confirmed 25 blocks after Tescr(T ,B) was confirmed.
Case 3: The Tumbler provides Alice A3 the solution
to her puzzle in the puzzle-solver protocol, and the
Tumbler has an Tpuzzle signed by A (Section V-D).
However, Alice refuses to sign the cash-out transaction
Tcash(A,T ) to pay out from her escrow with the Tumbler.
Then, the Tumbler signs and posts the transaction Tpuzzle
and its fulfilling transaction Tsolve and claims its bitcoin.
Payment from A3 to B3 completes but the Tumbler has
to pay more in transaction fees. This is because the
Tumbler has to post both transactions Tpuzzle and Tsolve ,
rather than just Tcash(A,T ) ; see Table IV.

18
Remark: Anonymity when parties are uncooperative.
Notice that in Case 1 and Case 2, the protocol aborted
without completing payment from Alice to Bob. k-
anonymity for this TumbleBit run was therefore k = 3.
By aborting, the Tumbler T learns that payers A1 , A2
were trying to pay payees B1 , B2 . However, anonymity
of A1 , A2 , B1 , B2 remains unharmed, since B1 and
B2 were using ephemeral Bitcoin addresses they now
discard to safeguard their anonymity (see Section IV-A).
ACKNOWLEDGEMENTS
We thank Ethan Donowitz for assistance with the
preliminary stages of this project, and Nicolas Dorier,
Adam Ficsor, Gregory Galperin, Omer Paneth, Dimitris
Papadopoulos, Leonid Reyzin, Omar Sagga, Ann Ming
Samborski, Sophia Yakoubov, the anonymous reviewers
and many members of the Bitcoin community for useful
discussions and suggestions. This work was supported
by NSF grants 1012910, 1414119, and 1350733.
R EFERENCES
[1] Bitcoin Fog. Wikipedia, 2016.
[2] Monero, https://getmonero.org/home. 2016.
[3] Gavin Andresen. BIP-0016: Pay to Script Hash. Bitcoin
Improvement Proposals, 2014.
[4] Marcin Andrychowicz, Stefan Dziembowski, Daniel Mali-
nowski, and Lukasz Mazurek. Secure multiparty computations
on bitcoin. In IEEE S&P, pages 443–458, 2014.
[5] Marcin Andrychowicz, Stefan Dziembowski, Daniel Mali-
nowski, and Łukasz Mazurek. On the malleability of bitcoin
transactions. In International Conference on Financial Cryp-
tography and Data Security, pages 1–18. Springer, 2015.
[6] A Back, G Maxwell, M Corallo, M Friedenbach, and L Dashjr.
Enabling blockchain innovations with pegged sidechains.
Blockstream, https:// blockstream.com/ sidechains.pdf , 2014.
[7] Wacław Banasik, Stefan Dziembowski, and Daniel Malinowski.
Efficient Zero-Knowledge Contingent Payments in Cryptocur-
rencies Without Scripts. Cryptology ePrint Archive, Report
2016/451, 2016.
[8] Simon Barber, Xavier Boyen, Elaine Shi, and Ersin Uzun.
Bitter to Better - How to Make Bitcoin a Better Currency. In
Financial Cryptography and Data Security. Springer, 2012.
[9] Mihir Bellare and Phillip Rogaway. Random oracles are
practical: A paradigm for designing efficient protocols. In
ACM-CCS, pages 62–73, 1993.
[10] Eli Ben Sasson, Alessandro Chiesa, Christina Garman,
Matthew Green, Ian Miers, Eran Tromer, and Madars Virza.
Zerocash: Decentralized anonymous payments from Bitcoin.
In IEEE Security and Privacy (SP), pages 459–474, 2014.
[11] Eli Ben-Sasson, Alessandro Chiesa, Daniel Genkin, Eran
Tromer, and Madars Virza. Snarks for C: verifying program
executions succinctly and in zero knowledge. In CRYPTO,
pages 90–108, 2013.
[12] Alex Biryukov, Dmitry Khovratovich, and Ivan Pustogarov.
Deanonymisation of Clients in Bitcoin P2P Network. In ACM-
CCS, pages 15–29, 2014.
[13] George Bissias, A Pinar Ozisik, Brian N Levine, and Marc
Liberatore. Sybil-resistant mixing for bitcoin. In Workshop on
Privacy in the Electronic Society, pages 149–158, 2014.
[14] Joseph Bonneau, Andrew Miller, Jeremy Clark, Arvind
Narayanan, Joshua A Kroll, and Edward W Felten. SoK:
Research Perspectives and Challenges for Bitcoin and Cryp-
tocurrencies. In IEEE - SP, 2015.
19
[15] Joseph Bonneau, Arvind Narayanan, Andrew Miller, Jeremy
Clark, JoshuaA. Kroll, and EdwardW. Felten. Mixcoin:
Anonymity for bitcoin with accountable mixes. In Financial
Cryptography and Data Security, 2014.
[16] Ran Canetti. Universally composable signature, certification,
and authentication. In Proceedings. 17th IEEE Computer
Security Foundations Workshop, 2004., pages 219–233. IEEE,
2004.
[17] David Chaum. Blind signature system. In CRYPTO, 1983.
[18] Christian Decker and Roger Wattenhofer. A fast and scalable
payment network with bitcoin duplex micropayment channels.
In Stabilization, Safety, and Security of Distributed Systems,
pages 3–18. Springer, 2015.
[19] Antoine Delignat-Lavaud, Cedric Fournet, Markulf Kohlweiss,
and Bryan Parno. Cinderella: Turning Shabby X. 509 Cer-
tificates into Elegant Anonymous Credentials with the Magic
of Verifiable Computation. IEEE Symposium on Security and
Privacy 2016, 2016.
[20] Corin Faife. Will 2017 bring an end to bitcoin’s
great scaling debate? http://www.coindesk.com/
2016-bitcoin-protocol-block-size-debate/, January 5 2017.
[21] Srivatsava Ranjit Ganta, Shiva Prasad Kasiviswanathan, and
Adam Smith. Composition attacks and auxiliary information
in data privacy. In ACM SIGKDD, pages 265–273, 2008.
[22] O. Goldreich, S. Micali, and A. Wigderson. How to play any
mental game. In STOC. ACM, 1987.
[23] Grams. Helixlight: Helix made simple. https:
//grams7enufi7jmdl.onion.to/helix/light.
[24] Matthew Green and Ian Miers. Bolt: Anonymous Payment
Channels for Decentralized Currencies. Cryptology ePrint
Archive 2016/701, 2016.
[25] Ethan Heilman, Foteini Baldimtsi, and Sharon Goldberg.
Blindly Signed Contracts: Anonymous On-Blockchain and Off-
Blockchain Bitcoin Transactions. In Workshop on Bitcoin and
Blockchain Research at Financial Crypto, February 2016.
[26] Chainalysis Inc. Chainalysis: Blockchain analysis, 2016. https:
//www.chainalysis.com/.
[27] Marek Jawurek, Florian Kerschbaum, and Claudio Orlandi.
Zero-knowledge using garbled circuits: how to prove non-
algebraic statements efficiently. In ACM-CCS, 2013.
[28] Tom Elvis Jedusor. Mimblewimble. 2016.
[29] Benjamin Kreuter, Abhi Shelat, Benjamin Mood, and Kevin RB
Butler. Pcf: A portable circuit format for scalable two-party
secure computation. In USENIX Security, 2013.
[30] Ranjit Kumaresan and Iddo Bentov. How to use bitcoin to
incentivize correct computations. In ACM-CCS, 2014.
[31] Ranjit Kumaresan, Tal Moran, and Iddo Bentov. How to use
bitcoin to play decentralized poker. In ACM-CCS, 2015.
[32] Elliptic Enterprises Limited. Elliptic: The global standard for
blockchain intelligence, 2016. https://www.elliptic.co/.
[33] Yehuda Lindell. Fast cut-and-choose-based protocols for mali-
cious and covert adversaries. Journal of Cryptology, 29(2):456–
490, 2016.
[34] Gregory Maxwell. Zero Knowledge Contingent Payment.
Bitcoin Wiki, 2011.
[35] Gregory Maxwell. CoinJoin: Bitcoin privacy for the real world.
Bitcoin-talk, 2013.
[36] Gregory Maxwell. CoinSwap: transaction graph disjoint trust-
less trading. Bitcoin-talk, 2013.
[37] Gregory Maxwell. The first successful Zero-Knowledge Con-
tingent Payment. Bitcoin Core, February 2016.
[38] S Meiklejohn, M Pomarole, G Jordan, K Levchenko,
GM Voelker, S Savage, and D McCoy. A fistful of bitcoins:
Characterizing payments among men with no names. In ACM-
SIGCOMM Internet Measurement Conference, IMC, 2013.
[39] Sarah Meiklejohn and Claudio Orlandi. Privacy-Enhancing
Overlays in Bitcoin. In Lecture Notes in Computer Science,
volume 8976. Springer Berlin Heidelberg, 2015.
[40] Ian Miers, Christina Garman, Matthew Green, and Aviel D
Rubin. Zerocoin: Anonymous distributed e-cash from bitcoin.
In IEEE Security and Privacy (SP), pages 397–411, 2013.
[41] Pedro Moreno-Sanchez, Tim Ruffing, and Aniket Kate. P2P
Mixing and Unlinkable P2P Transactions. Draft, June 2016.
[42] Malte Möser and Rainer Böhme. Trends, tips, tolls: A longi-
tudinal study of Bitcoin transaction fees. In FC, 2015.
[43] Malte Möser and Rainer Böhme. Join Me on a Market for
Anonymity. Workshop on Privacy in the Electronic Society,
2016.
[44] Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew
Miller, and Steven Goldfeder. Bitcoin and cryptocurrency
technologies. Princeton University Pres, 2016.
[45] Guevara Noubir and Amirali Sanatinia. Honey onions: Expos-
ing snooping tor hsdir relays. In DEF CON 24, 2016.
[46] Henning Pagnia and Felix C. Grtner. On the impossibility of
fair exchange without a trusted third party, 1999.
[47] Morgen Peck. DAO May Be Dead After $60 Million Theft.
IEEE Spectrum, Tech Talk Blog, 17 June 2016.
[48] Joseph Poon and Thaddeus Dryja. The bitcoin lightning
network: Scalable off-chain instant payments. Technical report,
Technical Report (draft). https://lightning. network, 2015.
[49] Guillaume Poupard and Jacques Stern. Short proofs of
knowledge for factoring. In Public Key Cryptography
(PKC), Third International Workshop on Practice and The-
ory in Public Key Cryptography, PKC 2000, Melbourne,
Victoria, Australia, January 18-20, 2000, Proceedings, pages
147–166, 2000. https://link.springer.com/chapter/10.1007%
2F978-3-540-46588-1 11?LI=true.
[50] Certicom Research. Sec 2: Recommended elliptic curve domain
parameters, 2010.
[51] Dorit Ron and Adi Shamir. Quantitative analysis of the full
bitcoin transaction graph. In Financial Cryptography and Data
Security, pages 6–24. Springer, 2013.
[52] Tim Ruffing, Pedro Moreno-Sanchez, and Aniket Kate. Coin-
shuffle: Practical decentralized coin mixing for bitcoin. In
ESORICS, pages 345–364. Springer, 2014.
[53] Jeff Stone. Evolution Downfall: Insider ’Exit Scam’ Blamed
For Massive Drug Bazaar’s Sudden Disappearance. interna-
tional business times, 2015.
[54] the Internet Archive. Http Archive: Trends, 2015. http:
//httparchive.org/trends.php.
[55] Peter Todd. BIP-0065: OP CHECKLOCKTIMEVERIFY. Bit-
coin Improvement Proposal, 2014.
[56] F. Tschorsch and B. Scheuermann. Bitcoin and Beyond: A
Technical Survey on Decentralized Digital Currencies. IEEE
Communications Surveys Tutorials, PP(99), 2016.
[57] Luke Valenta and Brendan Rowan. Blindcoin: Blinded, ac-
countable mixes for bitcoin. In FC, 2015.
[58] Pieter Wuille. Segregated witness and its impact on scalabil-
ity https://www.youtube.com/watch?v=NOYNZB5BCHM, De-
cember 14 2015.
[59] Jan Henrik Ziegeldorf, Fred Grossmann, Martin Henze, Nicolas
Inden, and Klaus Wehrle. Coinparty: Secure multi-party mixing
of bitcoins. In CODASPY, 2015.
A PPENDIX
A. Puzzle-Promise Protocol: Extending to Q payments.
We now extend the puzzle-promise protocol between
Bob B and Tumbler T from its “base case” of allowing
20
a single payment of denomination 1 bitcoin (Figure 4)
to allowing Q payments of denomination 1 bitcoin. The
extended protocol is in Figure 6. The extended protocol
combines some new cryptographic techniques with the
ideas we used in Section III-B (to extend the A-to-T
puzzle-solver protocol to handle Q payments.
The extended puzzle-promise protocol produces Q
puzzles z1 , ..., zQ for Bob B, where the solution to the
j th puzzle allows Bob to “open” a promise cj . The
promise cj contains the Tumbler’s ECDSA signature
on cash-out transaction Tcash(T ,B) (j) that allocates j
bitcoins to Bob and Q − j bitcoins for the Tumbler.
Each transaction Tcash(T ,B) (j) for j = 1, ..., Q points to
the same 2-of-2 escrow transaction Tescr(T ,B) where the
Tumbler escrowed Q bitcoins during the Escrow Phase.
During the Payment Phase, Bob B asks the j th payer to
solve puzzle zj ; this puzzle solution “opens” promise
cj and provides Bob with the Tumbler’s signature on
transaction Tcash(T ,B) (j). As in Section III-B, Bob does
not sign this transaction Tcash(T ,B) (j) and also does not
post it to the blockchain during the Payment Phase.
Instead, Bob waits until the Escrow Phase starts, and
then signs and posts the single cash-out transaction
allowing him to claim the maximum number of bitcoins,
i.e., the Tcash(T ,B) (j) for the last payment Bob received
during the Payment Phase.
How do we ensure that Bob B can open the promise
cj (and thus obtain Tcash(T ,B) (j)) only after he has
opened all prior promises cj−1 , ..., c1 ? (This is crucial,
because otherwise a cheating Bob claim Q bitcoins from
his very first payment, by asking his first payee for the
solution to puzzle zQ . )
We solve this problem by requiring that the solutions
to all of the puzzle z1 , ..., zj be used to open the j th
promise cj . To do this, we repeat the steps of the puzzle-
promise protocol Q times in parallel. We refer to the
Q parallel executions as Q levels. In the j-th level,
B prepares η + µ transactions Tcash(T ,B) (j), each of
which transfers j bitcoins to B. Let zj,` denote a puzzle
and its solution j,` at level j, and let ` ∈ [η + µ]
denote the index for the cut-and-choose as in the base
puzzle-promise protocol in Section VI-A. The promise
is encrypted under the j puzzle solutions 1,` ...j,` as:
cj,` = H(j|j,` ||j−1,` || . . . , 1,` ) ⊕ σj,`
where σj,` is the Tumbler’s signature on the cash-out
transaction Tcash(T ,B) (j) that allocates j bitcoins to
Bob.
Now that we have Q levels, we need to extend the
cut-and-choose to check the behavior of Tumbler across
all Q levels. Recall that for the base case of 1 bitcoin,
B prepares η + µ transactions (η of which are fake) of
1 bitcoin each, each of which will be evaluated by T
to obtain a η + µ puzzle-promise pairs. (See Step 5 in
Figure 4.) We can visualize this as a 1 × (η + µ) vector,
among which B will check the column positions ` ∈ F
that correspond to fake values (Step 8 in Figure 4). Now,
 Public input:(e, N, PK ephT , π).
Tumbler T chooses fresh ephemeral ECDSA-Secp256k1 key, i.e., bitcoin address (SK eph T , PK eph
T ).
π proves validity of (e, N ) in a one-time-only setup phase.
Payee Bob B(Q) Voucher Promise Protocol Tumbler T (Q, d, (e, N ))

1. Set up Tescr(T ,B)

Sign but do not post transaction Tescr(T ,B) timelocked for tw2
offering Q bitcoins under the condition: “the fulfilling transaction
must be signed under key PK ephT and under PK B .”
Tescr(T ,B)
2. Prepare Real Unsigned Tcash(T ,B) . ←−−−−−−−
For j ∈ [Q] and i ∈ 1, . . . , µ:
Choose random pad ρj,i ← {0, 1}λ
Set Tcash(T ,B) j,i = CashOutFormat(j, ρj,i )
htj,i = H 0 (Tcash(T ,B) j,i ).

3. Prepare Fake Set.

For j ∈ [Q] and i ∈ 1, . . . , η:
Choose random pad rj,i ← {0, 1}λ
f tj,i = H 0 (FakeFormat||rj,i ).

4. Mix Sets.
Let R be µ random indices in [µ + η].
Let F be remaining indices F = [µ + η]\R.
Let ireal = 1 and ifake = 1.
For j ∈ [Q] and i = 1, . . . , µ + η:
If i ∈ R: Let βj,i = htj,ireal and ireal = ireal + 1.
If i ∈ F : Let βj,i = f tj,ifake and ifake = ifake + 1.
β1,1 ...β1,µ+η
−−−−−−−−−−→
.
.
.
βQ,1 ...βQ,µ+η
−−−−−−−−−−−→
λ
Choose salt ∈ {0, 1}
Compute: hR = H(salt||R), hF = H(salt||F ) 5. Evaluation.
h ,h
−−R F
−−−→ For j ∈ [Q]:
For i ∈ [µ + η]:
ECDSA sign βj,i to get σj,i = Sig(SK eph T , βj,i )
Randomly choose j,i ∈ ZN .
Compute puzzle zj,i =fRSA (j+1,i , e, N )
Compute cj,i = H shk (j|i|j,i ||j−1,i || . . . , 1,i ) ⊕ σj,i .
{(zj,i ,cj,i )} ∀i∈[µ+η] ∀j∈[Q]
←−−−−−−−−−−−−−−−−−−−−−
R,F,salt
6. Reveal Real and Fake Set. −−−−−→
{rj,i ,ρj,l }i∈R,l∈F,j∈[Q]
−−−−−−−−−−−−−−−−−−→ 7. Check Real and Fake Set.
Check hR = H(salt||R) and hF = H(salt||F )
For all j ∈ [Q]:
For all ` ∈ F : Verify βj,` = H 0 (FakeFormat||rj,` ).
For all i ∈ R, Verify βj,i = H 0 (CashOutFormat(j, ρj,i )).
j,` ,∀`∈F,j∈[Q]
8. Check Fake Set. ←−−−−−−−−−−− Abort if any check fails
If all j,` < N , For j ∈ [Q]; for ` ∈ F :
Validate puzzle zj,` = (j,` )e mod N
Validate promise cj,` :
(a) Decrypt σj,` = cj,` ⊕ H shk (j|i|j,` ||j−1,` || . . . , 1,` )
(b) Verify ECDSA-Ver(PK eph T , H 0 (f tj,` ), σj,` ) = 1
Abort if any check fails. 9. Prepare quotients.
For j ∈ [Q] and for R = {`1 , ..., `µ }:
q1,2 ,...,q1,µ j,` j,`
µ
←−−−−−−−−
− Set qj,2 = j,`
2 , ..., qj,µ = j,`
1 µ−1
.
.
.
qQ,2 ,...,qQ,µ
←
−−−−−−−−−
−
10. Quotient Test.
Let R = {`1 , ..., `µ } .
For each j ∈ [Q] check equalities:
zj,`2 = zj,`1 · (qj,2 )e mod N
...
zj,`µ = zj,`µ−1 · (qj,µ )e mod N
Abort if any check fails. 11. Post transaction Tescr(T ,B) on blockchain
12. Begin Payment Phase.
For j ∈ [Q]: The j th puzzle is zj = zj,`1 .
Choose random rj ∈ ZN and send z̄j = zj · (rj )e to Payer A

Fig. 6. Puzzle promise protocol that allows Bob B to obtain up to Q payments. (d, (e, N )) are the RSA keys for the tumbler T . (Sig,
ECDSA-Ver) is an ECDSA-Secp256k1 signature scheme. We model H, H 0 and H shk as random oracles. In our implementation, H is HMAC-
SHA256 (keyed with salt), H 0 is ‘Hash256’, i.e., SHA-256 cascaded with itself, which is the hash function used in Bitcoin’s “hash-and-sign”
paradigm with ECDSA-Secp256k1. CashOutFormat is shorthand for the unsigned portion of a transaction that fulfills Tescr(T ,B) and transfers
21 the output of CashOutFormat contains sufficent entropy. FakeFormat
j bitcoins to B and Q − j bitcoins to T . The protocol uses ρi to ensure
is a distinguishable string known to all parties.
for the case of Q bitcoins, instead of having a 1×(η+µ)
vector, we have a matrix of Q×(η+µ) elements (Step 5
in Figure 4). B still checks the same column positions
i ∈ F , but instead of checking a single puzzle-promise
pair (c` , z` ), B will check a column of Q puzzle-promise
pairs [(c1,` , z1,` ), . . . , (cQ,` , zQ,` )] (Step 8 in Figure 6).
Finally, recall that in the base case, B additionally
checks that the full level of puzzles zl1 , . . . , zlµ is
consistent with the quotients q1 , . . . , qµ (Step 10 in
Figure 4). Similarly, in the case of Q bitcoins, B will
obtain one set of quotient chain for each of the Q levels.
Bob checks each level individually (Step 10 in Figure 6)
to ensure that by solving puzzle zj for level j, Bob can
also solve all puzzles zj,l1 , . . . , zj,lµ for level j.
Security. The prove security for this protocol, we extend
the definition of the ideal functionality Fpromise-sign in
Section D to the case of Q payments. At high level, this
extended definition has the following additional goal:
to make sure that Bob B cannot cheat by claiming
more than j bitcoins using his j th puzzle solution.
That is, a real puzzle-promise pair (cj,` , zj,` ) for level j
must contain a signature on a cash-out transaction that
transfers exactly j bitcoins to Bob, and no more. Our
extended ideal functionality Fpromise-sign enforces this as
follows: When Bob B submits a request to receive the
promise of a signature on a real message, then the ideal
functionality Fpromise-sign checks that the real messages
confirms to a correct format—namely, that for the j th
level it confirms to the format CashOutFormat which
transfers exactly j bitcoins to Bob—before sending it
off to T . Thus, the security of our protocol follows from
the theorem below, which is proved in Appendix G:
Theorem 3: Let λ be the security parameter. If
RSA trapdoor function is hard in Z∗N , if H, H 0 , H shk
are independent random oracles, if ECDSA is strong
existentially unforgeable signature scheme, then the
puzzle-promise protocol in Figure 6 securely realizes
the extended Fpromise-sign functionality for the case of Q
payments. The security for T is 1 − ν(λ) while security
for B is 1 − µ+η1
− ν(λ).
( η )
B. Ideal Functionalities
We analyze each of the fair-exchange protocols used
in TumbleBit in isolation. For each protocol, we identify
the security (fairness) properties that we require for the
players involved in that phase.
In the Escrow Phase, we consider only interactions
between players B and T in the puzzle-promise protocol
(Section VI-A). We identify the functionality and the
security requirements that we expect by this interaction
and we formally capture them through and ideal func-
tionality Fpromise-sign that we describe in the details in
Section D.
In the Payment Phase, we consider only interactions
between players A and T in the puzzle-solver protocol
22
(Section V-B). We capture the functionality and security
requirements of this interaction in the ideal functionality
Ffair-RSA described in Section C.
We follow the standard ideal/real world paradigm.
To prove that a protocol π securely realizes an ideal
functionality F, one must show that the view obtained
by a real world adversary Adv, corrupting either one of
the parties, and running protocol π, can be simulated
by a PPT simulator S that only has access to the
interface of F. Let us denote by viewπ,Advreal the view
that the adversary Adv, corrupting party Pi and playing
protocol π, with party Pj , playing with input xj . Let us
denote by viewF ,Adv
ideal the view generated by simulator
S, interacting with F and having black-box access to
Adv. Security is defined as follows.
Definition 1 (Secure realization of F.): A two-
party protocol π securely realizes F if, for every PPT
static and malicious adversary Adv corrupting either
party P1 or party P2 , there exists a PPT Simulator
S such that the view viewπ,Adv and viewF ,Adv
real ideal are
computationally indistinguishable.
The Random Oracle Model [9]. Our security proofs are
in the Random Oracle (RO) model [9]; hash functions
are modeled as perfectly random functions, and in the
security proof the simulator can program their answers.
C. Ideal functionality Ffair-RSA
The puzzle-solver protocol allows Alice A to obtain
the solution to a single RSA-puzzle y (chosen by A),
from the Tumbler T (who posses the RSA secret key
d ), in exchange for a bitcoin. Fair exchange for this
protocol entails the following: (1) Fairness for T : After
one execution of the protocol A will learn the correct
solution y d mod N to at most one puzzle y of her
choice. (2) Fairness for A: T will earn 1 bitcoin iff A
obtains a correct solution.
We model the above two requirements with an ideal
functionality, that we call Ffair-RSA , shown in Figure 7.
Ffair-RSA is a trusted party between A and T . Ffair-RSA
receives a puzzle-solving request of the form (y, 1
bitcoin) from A, and forwards the request to T . If T
agrees to solve the puzzle y for A, then T receives 1
bitcoin while A receives the puzzle solution. Otherwise,
if T refuses, A will get 1 bitcoin back, and T gets
nothing. Fairness for T is captured because A can
request a puzzle solution only if she sends 1 bitcoin to
Ffair-RSA . Fairness for B is captured because T receives
1 bitcoin only if he agrees to reveal the puzzle solution.
Remark 1. Note that A can always learn solution to
RSA puzzles that she generates herself without inter-
acting with Ffair-RSA . That is, A can always choose
a random x ∈ Z∗N and generate the puzzle y = xe
mod N ; in this case, she trivially knows the puzzle
solution is x. This is not a problem because TumbleBit
requires Alice A to solve puzzles that were provided
 −1
Ffair-RSA is parameterized by a function (fRSA , fRSA ),
algorithm ValidatePermutation to validate that the
parameters are a permutation wrt to fRSA , a trapdoor
verification algorithm VerifyTrapdoor, and expiration
time tw ∈ N.
Parties. A, T , and adversary S.
Setup. On receiving (Setup, (e, N, d ) from T
If ValidatePermutation(e, N ) = 0
VerifyTrapdoor(e, N, d ) = 0 then do nothing.
Else, send (Setup, e, N ) to A and S.
Evaluation.
Functionality Fpromise-sign
The functionality is parameterized by a format specification
FakeFormat, and parameters µ and η.
Parties. B, T , and adversary S.
Setup. Inform Fpromise-sign if T is corrupt or honest.
Key Generation. Upon receiving message (KeyGen, B)
or from party B, send it to S and receive response
(PK eph
T , Sig). Sig is a signing algorithm.
Send (Setup, PK ephT ) to B and record the pair
(PK eph , Sig).
T

Signature Request. Upon receiving this message from B:

On input (request, sid, y, 1BT C) from A:
0
If y is in the range of fRSA , send (sign-request, PK eph
T , {FkTxni }i∈[η] , {mi }i∈[µ] )
(request, sid, A, y) to T . 0
Start counter tw sid = 0. If PK eph
T 6= PK eph
T , then do nothing.
If ∀i, FkTxni complies with FakeFormat then send to T
On input (evaluate, sid, A, x) from T : (sign-request, B, PK eph
T , {FkTxni }i∈[η] )
If y = fRSA (x, e, N ) then send (sid, x) to A.
Send (payment, sid, 1BTC) to T . Else, do nothing.
Promise. Upon receiving (promise, B, ANS, Set) from T .
If tw sid = tw , send (refund,sid, 1BTC) to A. If ANS = NO, then set all signatures to ⊥.
Else, if Set 6= ∅, compute signatures as follows:
Fig. 7. Ideal Functionality Ffair-RSA . − If T is honest:
Set FkSigni = Sig(FkTxni , PK eph
T ) for i ∈ [η].
− Else T is corrupt:
to her by Bob B, and generated through Bob B’s Send (Sign, FkTxni , B) to adversary S, and obtain
interaction with T during the puzzle-promise protocol. respective signatures.
− Abort if there is a recorded entry
Remark 2. Note that the functionality Ffair-RSA does not (FkTxni , FkSigni , PK eph
T , 0).
provide any privacy for A. Indeed, T learns A’s puzzle − Record entries (FkTxni , FkSigni , PK eph
T , 1) and
y even if T refuses to solve the puzzle. To use Ffair-RSA (mj , PK eph
T , promise).
in our unlinkable TumbleBit scheme, users will have to Send (Sign-promise, ANS) to B.
first blind their inputs to Ffair-RSA .
Signature Verification. Upon receiving
0
(Verify, sid, m, σ, PK eph ) from any party P :
D. Ideal functionality Fpromise-sign T
0
− If PK eph
T 6= PK eph
T , do nothing.
The security requirements for the puzzle-promise − Else, if T is honest:
protocol (Figure 4), which is run in the Escrow Phase ♦ If there is a recorded entry (m, σ, PK eph
T , 1),
of TumbleBit, are captured by an ideal functionality then set ver = 1 (completeness condition).
Fpromise-sign that we describe in Figure 8. ♦ If there is no recorded entry (m, σ, PK eph
T , 1),
then set ver = 0 and set the entry
Fpromise-sign acts a trusted party between B and T , 0) (unforgeability condition).
(m, σ, PK eph
T . Bob B sends the “real” and “fake” transactions to − Else, if T is corrupt:
Fpromise-sign . Fpromise-sign has access to an oracle that can then let ver be set by S. (Corrupt signer case).
compute the Tumbler’s T signatures on any messages. Send (Verified, sid, m, σ, ver) to party P .
Fpromise-sign is designed to guarantee the following two
properties: Fig. 8. Ideal Functionality Fpromise-sign .

(1) Fairness for B: If T agrees to complete the

protocol, then Bob B obtains at least one promise that
contains a valid signature on a real transaction. This
property follows because Fpromise-sign has access to an
oracle that computes the T ’s signature. Specifically,
upon receipt of a real message mj from B, functionality
Fpromise-sign keeps a record (mj , PK eph
T , promise) that
promises to return a valid signature on mj to B.
Importantly, however, Fpromise-sign does not reveal the
actual signature on mj , but only a promise that this
signature will be revealed in the future.
(2) Fairness for T : Bob B learns nothing except
signatures on fake transactions. This property follows
for three reasons. First, Fpromise-sign will only ask its
signing oracle to sign fake transaction, i.e., to sign

23
messages that conform to the fake transaction format
‘FakeFormat’. Second, when Fpromise-sign is asked to
verify signatures, only signatures computed on fake
transactions will be valid and all others will be invalid.
This follows because the only signatures Fpromise-sign
considers to be valid are those that had previously been
computed by its signing oracle. Third, Fpromise-sign does
not reveal the actual signature on a real message mj ,
but only a promise that the signature will be revealed
in the future.
Discussion. In the ideal world, S will be the signing
oracle for Fpromise-sign . This is follows the definition
of the ideal functionality for signatures, per [16]. We
stress that this does not mean that S has an additional
power. The reason being that in the ideal world, the
only signatures that are verified by Fpromise-sign are
the ones on fake messages. Thus, towards ensuring
indistinguishability between the real world and ideal
world, we just need to make sure that (when T is
honest), no party can (in both the ideal and real world)
produce a signature on a real message without breaking
unforgeability of the signature scheme.
Fpromise-sign and the case of Q payments. For the
case of Q payments, we provide an extended version
of the Fpromise-sign functionality that deals with Q sets
of signatures. The main modification that we need to
make—beside having Fpromise-sign provide Q sets of
fake signatures rather than one set—is to additionally
check the format of real messages. We therefore ex-
tend Fpromise-sign with parameters Q and RealFormat(·),
and a validation test that checks that any real mes-
sage mj,i sent for the j-th set, complies with format
RealFormat(j). This is important because in our appli-
cation we need to control the type of messages that
B gets signed. In our application, RealFormat(j) =
CashOutFormat.
Concretely, we extend Figure 8 as follows. First,
Fpromise-sign is parameterized by two format specifica-
tions: FakeFormat and RealFormat, and 3 parameters
Q, µ and η. Second, in the Signature Request step B
one of the following tuples for every j ∈ [Q]:
0 will later ensure that they decrypt to the correct values
(sign-request, PK eph , {FkTxnj,i }i∈[η] , {mj,i }i∈[µ] )
T by programming the random oracle (RO). The key
In other words, B sends a Q×µ-matrix of fake messages
FkTxnj,i and a Q×µ-matrix of real messages mj,i . The
ideal functionality will additionally check that:
mj,i = RealFormat(j)
Then, when T chooses the Set ⊂ [µ] in the Promise
step, then index i ∈ Set means that B is promised that
mj,` will be signed for every j ∈ [Q]. In other words, if
column index i is in Set, it follows that signatures are
promised for the entire column of real messages mj,i
∀j ∈ [Q].
E. Proof of Theorem 1
The proof is divided into two cases.
24
1) Case: A is corrupted: We start with intuition,
and then present the formal proof.
Intuition. We want to prove that, by participating in
(and arbitrarily deviating from) the protocol in Figure 3,
any corrupted A does not learn anything more than the
solution x to the puzzle y, i.e., A learns only the RSA
pre-image x = f −1 (y, d ) = y d . The transcript obtained
by A in the protocol executions contains: (1) pre-images
for all the fake values βi with i ∈ F , that is f −1 (βi , d );
(2) encryptions ci of the pre-images of all “real” βi and
hash hi of the keys used to encrypt these ci . Informally,
such transcript does not leak any information to A for
the following reasons:
1) A learns nothing from the answers to the fake
set: For all βi in the fake set F , A must
provide the pre-images f −1 (βi , ·) to T before
T decrypts ci . Therefore, A does not learn
anything new from T ’s decryptions.
2) For the real βi , A is computationally-bound to
a single puzzle y because in A must provide
values r1 , . . . , rn that demonstrate that, for all
i,
βi = y · (ri )e mod N
Intuitively, due to the hardness of inverting
RSA trapdoor function, such values can be
provided only if βi s were honestly computed.
3) A does not learn the puzzle solution y d unless
T reveals ki used to encrypted the puzzle
solution inside ci . Encryptions ci are statisti-
cally hiding (and in fact, equivocable12 ) in the
Random Oracle model.
Overview of proof. Formally, we shall prove this by
showing that there exists a PPT simulator S that is able
to simulate the transcript between A and T , having in
input only the puzzle solution f −1 (y, d ) = y d . If this
is possible, it means that the transcript reveals nothing
more than the puzzle solution y d to A.
We heavily use the programmability of the RO. In
a nutshell, the S computes all ciphertexts using random
values (instead of by encrypting the actual values) and
observation is that, at any point in the protocol, T
“decrypts” his encryptions only after A has sent some
crucial information. Indeed, T sees the pre-images (i.e.,
ρi ) of the fake set before he sends the keys to decrypt
his ciphertext. This allows the simulator to learn how to
program the RO to decrypt the ciphertext with the values
ρi that A reveals. Similarly, S learns the original puzzle
y in the second phase of the protocol, and S will query
the ideal functionality Ffair-RSA with (y, 1btc) to obtain
the puzzle solution x = y d . Finally, S will program the
RO so that he can equivocate the remaining ciphertexts
so that they decrypt to the correct puzzle solution x.
12 Equivocable means that the encryptions can be later decrypted
by S as any value, by programming the output of the random oracle.
Proof. The formal proof consists of two steps. First,
we describe the simulator S, then we prove that the
transcript generated by S is indistinguishable from the
transcript generated in the real world execution. Let Adv
denote the adversary corrupting player A.
Simulator S.
S internally runs adversary Adv. Let session identifier
be sid. Let QH be the set of queries made to the H
random oracle, and QH prg be the queries made to the
H prg random oracle.
1) Setup. Extract (e, N, d ) from proof π pub-
lished by Adv. Send (Setup, (e, N, d )) to
Ffair-RSA .
2) Upon receiving β1 , . . . , βm+n from Adv; ran-
domly pick ci in {0, 1}λ and hi ∈ {0, 1}λ2 for
i ∈ [m + n] and send it to Adv.
3) Upon receiving F and ρi for i ∈ F , check if
βi = (ρi )e mod N, ∀i. If check fails, output
whatever Adv outputs and halt. Else, run pro-
cedure Equivocate(ci , ρi , hi ) to obtains keys
ki0 . Send ki0 for i ∈ F to Adv.
4) Upon receiving y, ri for i ∈ R from Adv. If
βi = y · (ri )e mod N for all i ∈ R and
transaction Tpuzzle is correctly formed, do as
follows:
− Send (request,sid, y, 1btc) to Ffair-RSA
and obtain x = y d mod N .
− Run Equivocate(ci , x · ri ,hi ) and obtain ki0
with i ∈ R.
− Send transaction Tsolve with values ki0 .
Else, checks have failed so output whatever
Adv outputs and halt.
Procedure RO: Random Oracle Simulation for H, H prg
proceeds as follows. Upon receiving query q for H
(resp., H prg ):
1) if query q ∈ QH (resp., QH prg ), retrieve entry
(q, a) from the set and output a.
2) Else pick a random a ∈ {0, 1}λ2 (resp. λ1 ),
add (q, a) to QH (resp., QH prg ) and output a.
Procedure Equivocate(ci , mi , hi ) is as follows:
1) Pick a random ki0 ∈ {0, 1}λ1 . If ki0 ∈ QH or
QH prg , output Collision and abort.
2) Compute ai = ci ⊕ mi , then add (ki0 , ai ) to
QH prg .
3) Add (ki0 , hi ) to QH .
4) Output ki0 .
Indistinguishability proof.
We prove by hybrid arguments that view
viewAdv,T (T , d ) obtained by Adv interacting with
T playing with secret input d is indistinguishable from
the view S interacting with Ffair-RSA .
Lemma 1: Assume π is a zero-knowledge proof of
knowledge in the random oracle model. Assume RSA
assumption holds in Z∗N , and H prg : {0, 1}λ1 → {0, 1}λ
25
and H : {0, 1}λ1 → {0, 1}λ2 are independent random
oracles. Then, the view generated by S is computation-
ally indistinguishable from the view viewAdv,T (T , d )
obtained by Adv in the real world.
Proof: We use a hybrid argument.
H0 : This is the real game. The transcript is generated
precisely using the procedure of T with secret input
d . The view generated in this hybrid experiment is
viewAdv (T , d ).
H1 : In this hybrid we change the way encryptions ci
are decrypted and pre-image of hash values hi are
computed. Instead of sending keys ki , as computed in
the protocol, send ki0 computed by running procedure
Equivocate(ci , (βi )d , hi ). Note that, in this hybrid we
are still using d (which S does not know), but we are
programming the answers to the RO. The difference
between H0 and H1 is in the way keys ki0 are computed.
Due to the security properties assumed in the
RO, the values ci , hi statistically hide the message
encrypted and the hash-preimage; and probability of
event Collision is negligible. Therefore, the view
generated in hybrid H0 is statistically indistinguishable
from the view generated in H1 .
H2 : This hybrid experiment is exactly as H1 with the
only difference that procedure Equivocate is run with
input Equivocate(ci , ρi , hi ) where ρi is taken directly
from the transcript, and Equivocate(ci , y d ·ri , hi ). where
y d is taken from Ffair-RSA only after Adv hast send
Tpuzzle . The view generated in this hybrid experiment is
identical to view generated hybrid H1 , and correspond
to the simulation strategy S.Note that in this hybrid
argument the entire view is generated only with a single
evaluation y d .
2) Case: Tumbler T is corrupted: We want to show
that any adversary Adv corrupting T will earn 1 bitcoin
if and only if she provides a correct solution to A’s
puzzle. This follows from the following arguments.
Assume that the parameters (N, e) chosen by the
malicious Tumbler T are indeed a permutation for fRSA
over all of ZN . (This is guaranteed by the Setup proof
π.) That means that the puzzle y handed to A is has a
unique inverse. Under these assumptions, define BAD
the following event: (1) T passes the Fake Set Check
(Step 7 in Figure 3), therefore providing n correct
decryptions to ci for i ∈ F , AND (2) all encryptions ci
in the real set i ∈ R are incorrect, i.e., do not decrypt
to a valid puzzle solution.
Since (N, e) is a valid permutation, values
β1 , . . . , βm+n are all invertible and uniformly dis-
tributed in ZN , and consequently do not reveal any
information about sets F, R.
Moreover, since H, H prg are modeled as random
oracles, encryptions of keys are binding, and Adv can-
not changes the values after sets F, R are revealed.
Therefore the probability of event BAD amounts to the
probability of guessing set F , which is
1 1
Pr[BAD] = m+n

+
n
2λ1
Simulator S.
Suppose Adv corrupts Tumbler T . S internally runs
Adv.
After the setup phase, S obtains pair ((e, N ), d )
by extracting the proof π (recall π is a non-interactive
zero-knowledge proof-of-knowledge in the random ora-
cle model). If ValidatePermutation(RSA, N ) = 1 S,
playing in the ideal world, receives (request, sid,
y, 1 bitcoin) from Ffair-RSA . Using input y, S sim-
ulates the transcript that Adv expects to see in the
real world, by honestly following A’s procedure on
input y. Upon receiving {ki } for all i ∈ F from Adv,
S checks if all {ci }i∈F are correct. If so, S sends
message (evaluate,sid, A) to Ffair-RSA which then
passes the puzzle solution x to the ideal world player
A. Meanwhile, S sends Tpuzzle to Adv. Upon receiving
Tsolve from Adv: if all keys {ki } for all i ∈ R decrypt
ciphertexts ci that do not contain valid puzzle solutions,
then S outputs BAD and aborts. Else, S outputs
whatever Adv outputs and halts.
Indistinguishability Proof.
Under the assumption that fRSA is a permutation over
ZN for public key (N, e), and that d is the trapdoor,
the transcript generated by the simulator is distributed
identically to the one generated in the real world, unless
the event BAD happens. To see why, note that, when S
outputs ”BAD” it means that in the ideal world S sent
message (evaluate,sid, A) to Ffair-RSA , so that ideal
player A receives her output. However, in the real world,
A will not get any valid output. So the two worlds
will be distinguishable. The two worlds are therefore
distinguishable with probability Pr[BAD].
F. Proof of Theorem 2
In this section we provide the formal proof of
Theorem 2. We prove that the puzzle-promise protocol
in Figure 4 securely realizes functionality Fpromise-sign
(Figure 8) in the random oracle model.
The proof consists of analyzing two cases: (1) Case
B is corrupted, where we argue that any malicious
B ∗ does not learn anything besides signatures of fake
transactions; (2) Case T is corrupted, where we argue
that, if the protocol successfully terminates, then B
will be able to retrieve a signature (on a real cash-
out transaction Tcash(T ,B) ) from a puzzle-promise pair
(ci , zi ) for some i ∈ R.
1) Case B is corrupted: The proof consists of
showing that for any corrupted B ∗ there exists a PPT
simulator S that corrupts B in the ideal world, and can
generate the entire view of B ∗ while having access only
26
to the information provided by the ideal functionality
Fpromise-sign . Recall that, in the ideal world, Bob B only
receives signatures for the fake messages. With only
this information in hand, S will have to simulate the
view that the real world adversary B ∗ has during its
interaction with T . The idea is that, if we can prove
that the transcript generated by S is indistinguishable
from the one generated by T , then it follows that any
B ∗ learns no more that what B learns from Fpromise-sign .
We stress that the following analysis only consider
the puzzle-promise protocol run during the Escrow
Phase. The analysis works in the stand-alone setting,
where no other protocol, except the puzzle-promise
protocol is executed.
We start with the intuition behind the proof.
Proof Intuition. We have to prove that the transcript
of the protocol between B ∗ and T , reveals nothing
more than signatures on fake messages, i.e., σ` =
Sig(SK eph
T , β` ) for ` ∈ F ; and a “promise” of at least
one valid signatures on a real messages βi for i ∈ R. In
the real world, the promise is the set of puzzle-promise
pairs (ci , zi ) for i ∈ R, where ci is an encryption of a
valid signatures on βi , and zi is an RSA puzzle whose
solution can be used to decrypt ci . The point of the
proof is to show that B learns nothing else beyond the
guarantee that for i ∈ R there is at least one pair (ci , zi )
that has an encryption of a valid ECDSA signatures on
a real message βi .
We prove this by showing that if (1) the encryption
scheme is perfectly secure in the RO model, and (2)
that RSA trapdoor function is hard to invert, then the
transcript obtained by B from the interaction with T
reveals nothing but the signatures on fake messages.
We will show that the entire transcript can be simulated
by a simulator S that only gets the signatures on fake
messages as input.
To build intuition, we list the information that B ∗
obtains from the transcript, and we explain why it gives
no information on the signatures of valid messages. B ∗
obtains the following values:
1. Encryptions (c1 , . . . , cµ+η ) computed as a one-time
pad of the output of the Random Oracle H shk queried
with secret values 1 , . . . , µ+η .
As we work in the (programmable) random ora-
cle, we assume that each encryption perfectly hides
the message. Also, the simulator can equivocate each
decryption, by programming the random oracle. This
means that, encryptions ci alone do not reveal any in-
formation to B ∗ ; indeed the simulator S could generate
such ci by just sending a random value. Here we are
using the unpredictability property of the RO, as well
its programmability.
2. RSA puzzles (z1 , . . . , zµ+η ) where zi =
Ffair-RSA (i , e, N ). Recall that each i is randomly
chosen group element, and that RSA parameters are
computed using the correct procedure. Therefore, under If there is no pair with (·, hR ) or (·, hF ), then
the assumption that RSA trapdoor function is hard in set R = F = ⊥.
the group determined by the chosen parameters, a PPT 2) Send pairs (ci , zi ) to B ∗ prepared as:
B ∗ cannot learn any i from zi . (1) For all i, ci ← {0, 1}s ;
$

(2) For i ∈ F , zi = (i )e where i ← Z∗N ;

 $
3. Quotients (q2 , ..., qµ ), where qj = j ji for ji ∈ R.
i−1 (3) For R = {j1 , . . . , jµ }, zji = (qi )e · zji−1
This is a sequence of connected divisions of the secret
where zj1 , q2 , . . . qµ ← Z∗N .
$
keys j1 , . . . , jµ . Intuitively, to see that these quotients
do not give any more information than what can be (B) Upon receiving (F 0 , R0 , ri ) from B ∗ , do the follow-
learnt from values zj1 , . . . , zjµ , we show that one can ing:
compute zji and qji that pass the “quotient test”, without
knowing any ji . 1) If F 0 6= F or R 6= R0 , then abort.
2) If any (FakeFormat||ri , βi ) ∈ / QH 0 for i ∈ F
To see why, note that the quotient test checks that then abort. For j ∈ R, set mj = γ if there
for each each i = 2, ..., µ, exists (γ, βi ) ∈ QH 0 . Else set mj = ⊥.
zji = zji−1 · (qji )e 3) Send to Fpromise-sign the message
(sign-request, PK eph T , {FakeFormat||r i }i∈F ,
where R = {j1 , ..., jµ }. This means that one can fix {mj }j∈R )
arbitrary zji , qji ∈ Z∗N and compute zji−1 as zji /(qji )e . Obtain response (promise, |B ∗ , ANS,
In this way one can generate zji , qji that pass the test {FkSigni }i∈[η] ).
without knowing the RSA inverse of any of the zji . If ANS = NO, then halt and output whatever
This observation will be crucial in the proof, because B ∗ outputs.
it allows us to show that if there is an adversary B ∗ that 4) Compute hj` = cj` ⊕ FkSign` .
is able to learn some ji for ji ∈ R, then we can build Store in QH shk the pair (j` ,hj` ).
a reduction ARSA that can solve an RSA puzzle z ∗ . 5) Send i for i ∈ F and quotients qj1 , . . . , qjµ .

Looking ahead, in order to carry out the reduction,
we need to make sure that adversary ARSA can identify
the set R in advance, so that he can place his challenge
value as z ∗ = zji for some ji in the real set. To achieve
this, we exploit the observability of the RO. Namely, the
reduction ARSA can obtain the set F and R by observing
the RO queries made by B ∗ to obtain the values hR and
hF .
Formal Proof. The formal proof consists of two
steps. First we show a PPT simulator S generates
a simulated transcript for B ∗ , by using only the in-
formation that B would get in the ideal world (that
is, only signatures of fake values obtained through
interaction with Fpromise-sign ). S exploits the extractabil-
ity/programmability properties of the RO. Second, we
prove that the view generated by the simulator S in the
ideal world is computationally indistinguishable from
the transcript in the real world.
Simulator S.
S, interacting with Fpromise-sign , internally runs adver-
sary B ∗ and simulates the messages that B ∗ expects
from T as follows.
First, inform Fpromise-sign that T is honest. Then,
compute (PK eph eph
T , SK T ) = GenKey(1 ), and send
λ
eph
PK T to B and to Fpromise-sign .
∗ a sequence of hybrid experiments we change the way
(A) Upon receiving hR , hF , and {β1 . . . βµ+η } from B ∗ ,
do the following:
1) Extract sets F and R from RO. To do this, look
at the set of queries QH made by B ∗ and ex-
tract the pairs (salt||R, hR ) and (salt||F, hF ).
(C) Finally, output whatever B ∗ outputs and halt.
Procedure RO1: Random Oracle simulation for H
proceeds as follows. Upon receiving query γ for H:
1) If query γ ∈ QH , retrieve (γ, a) from QH .
2) Else pick random a ∈ {0, 1}λ2 . Add tuple
(γ, a) to QH .
3) Output a.
Procedure RO2: Random Oracle simulation for H shk
proceeds as follows. Upon receiving query γ for H shk :
1) If query γ ∈ QH shk , retrieve (γ, a) from QH shk .
2) If (γ)e = (zi ) for some i ∈ R and no pair
(γ, a) has been recorded yet in QH shk , then
output RSA failure.
3) Else, pick a random a ∈ {0, 1}λ2 . Add tuple
(γ, a) to QH shk .
4) Output a.
Indistinguishability Proof.
We now show that the transcript generated by S is
indistinguishable from the transcript generated by T in
the real world. This is done via a sequence of hybrid
experiments. We start with the real world transcript,
hybrid H0 , where the transcript of the protocol is
computed following algorithm T (Figure 4). Then, in
we compute the values βi , ci , zi , qi until we reach the
final hybrid experiment where all values are computed
following the algorithm S defined above.
H0 . This is the real world. The transcript is computed
according to Protocol in Figure 4. Namely, the simulator
follows exactly the same steps as the Tumbler T .

27
H0.5 (Learn R, F using observability of RO). In this hy-
brid experiment the simulator uses the observability of
the RO H during the protocol execution. Namely, upon
receiving message (hF , hR , βi ) from B ∗ , we extract the
queries (salt||F, hF ) and (salt||R, hR ) made to QH to
identify the real and fake sets R, F . If no such query is
found, but later B ∗ sends a well formed message, the
simulator aborts.
The difference between the distribution of the tran-
script obtained in H0 and that in H0.5 is that the
simulator aborts in H0.5 if the RO H was not queried
when forming hR , hR ). The probability of aborting
corresponds to the probability of correctly guessing the
output of H. As H is modeled as a RO, this probability
amounts to 1/2λ2 . Therefore experiments H0 and H0.5
are statistically close.
H1 (Equivocate encryptions using programmability of
RO). In this hybrid we change the way encryptions ci
are computed. Instead of computing
ci = H shk (i ) ⊕ σi
In H1 , the simulator sets ci ← {0, 1} and stores the
$ s
pair (i , ci ⊕ σi ) in QH shk . Hybrids H0.5 and H1 are
statistically close due to the unpredictability of the RO
H shk (when answers to RO H shk are processed as in
procedure RO2 of S above).
H2 (Change computation of values for real set R using
RSA security). In this hybrid the simulator computes
zji , qi for i ∈ R, following the algorithm S described
above. The differences are the following. For ji ∈ R,
in H1 we have that
zji = (ji )e
while in H2 we have that
e has observed an RSA pre-image some some zi . If zi =
zji = (qi ) · zji−1
where zj1 , q2 , . . . qµ ← Z∗N . Note that in H2 , ji is
$
neither computed nor stored in QH shk . Thus, H2 is
different from H1 because in H2 procedure RO2 can
trigger a RSA failure event and abort. (Because
the RSA failure event happens when B ∗ queries
oracle QH shk with the pre-image of a real puzzle zji ,
it follows that the probability of an abort in H2 is
related to the probability of B ∗ of (RSA)-inverting zji
for some ji ∈ R.) Therefore, to argue that H1 and H2
are computationally indistinguishable, we need to show
that the distinguishing event – event RSA failure –
happens only with probability that is negligible in λ.
Lemma 2: Assuming that RSA is hard in Z∗N , with
N > 2λ then
P r[RSA failure] ≤ ν(λ)
Proof: We can construct a reduction AdvRSA to the
hardness of RSA trapdoor function using an adversary
28
B ∗ that causes hybrid H2 to abort due to an RSA
failure event.
AdvRSA plays the RSA game, receiving values
(e, N ), z ∗ from a challenger. The goal of AdvRSA is to
output a the pre-image x = (z ∗ )d with non-negligible
probability.
Meanwhile, the reduction’s high-level goal is to
place the challenge value z ∗ among the values
zj1 , . . . , zjµ with ji ∈ R. Because B ∗ causes hybrid H2
to abort due to RSA failure event, there exists some
i such that B ∗ queries H shk with ji = (zji )d , with
non-negligible probability. Thus, if AdvRSA places z ∗ in
position ji , then AdvRSA wins the game with the same
probability (discounted by a 1/µ polynomial factor of
guessing ji correctly). The crux of the reduction is to
show how AdvRSA generates the entire transcript for
B ∗ —and in particular the quotients q2 , . . . , qµ —without
knowing the the pre-image of zji . To do this, we have
AdvRSA generate all zj` for j` ∈ R, without knowing
their pre-image.
Reduction AdvRSA .
AdvRSA receives (e, N, z ∗ ) from the RSA chal-
lenger. AdvRSA chooses ECDSA ephemeral key
(SK eph eph
T , PK T ). AdvRSA activates B
∗
on input
eph
((e, N ), PK T ) and follow procedure run in H2 by
computing (zji , qi ) as follows. AdvRSA first randomly
picks an index ji ∈ R and sets zji = z ∗ . Then she
chooses values qj1 , . . . , qjµ and remaining zj1 , . . . , zjµ
as follows.
1) For values preceding zji (i.e., for 0 < ` < i),
pick q`+1 ∈ Z∗N ; compute z` = (qz`+1
`+1
)e .
2) For values following zji (i.e., for i < ` ≤ µ),
pick q` ∈ Z∗N ; compute z` = (q` )e · z`−1
If event RSA failure occurs, then procedure RO2
z ∗ then AdvRSA outputs it and win the game. Else, she
halts.
Summing up, in hybrid H2 , tuples (i , ci ⊕ σi ) for
all i ∈ R are not recorded in QH shk . In other words,
neither i , nor the signature σi for real messages mi
with i ∈ R are computed in this hybrid.
H3 (Obtaining signatures from Fpromise-sign .) In this
hybrid experiment the signatures σi for i ∈ F
are computed using Fpromise-sign . That is, S sends
Fpromise-sign the message
(sign-request, B, PK eph T , {FakeFormat||ri }i∈F ,
{mj }j∈R )
If ANS =yes, S uses answers σi = FkSigni to set
(i , ci ⊕ σi ) in QH shk . From B ∗ ’s the point of view,
hybrid H2 and H3 are identical. Experiment H3
thus corresponds to the exact simulation strategy S
described above. This conclude the proof.
In the above proof we have shown that any PPT
B ∗ does not learn anything from the transcript obtained
in Protocol in Figure 4. We now show that if B ∗ does
indeed output a valid signature σ ∗ for a valid message
Tcash(T ,B) , then B ∗ (who is not getting any information
from the transcript), must have produced a signature
forgery. Define event Eforge as the event where, a PPT
B ∗ runs the protocol in Figure 4 and outputs a pair
(Tcash(T ,B) , σ) where Tcash(T ,B) is a real message rather
than a fake message (i.e., Tcash(T ,B) is a valid cash-
out transaction for Tcash(T ,B) that does not conform to
FakeFormat). We now prove the following.
Lemma 3: If ECDSA is an existentially unforgeable
signature scheme, P r[Eforge ] is negligible.
Proof: We can construct an adversary Advecdsa that
forges a signature on a new message Tescr(T ,B) i using
adversary B ∗ .
Advecdsa plays the signature game and has oracle
access to the signing algorithm O, and has verification
key PK ephT . The goal of Advecdsa is to use B
∗
to
produce a signatures σ on a message that was never
∗
queried to O. Advecdsa simulates the interaction between
B and T using algorithm S. Recall that S obtains
the signatures by interacting with the ideal function-
ality Fpromise-sign and, in particular, S only queries
Fpromise-sign for signatures on fake messages, i.e., , with
messages in f ki ∈ FakeFormat. Thus, the reduction
Advecdsa will simply run S’s algorithm, and when S
queries Fpromise-sign , Advecdsa will use its access to O
to generate the correct signatures. It follows from the
previous hybrid arguments that B ∗ cannot distinguish
whether she is talking to T or S. Therefore, the proba-
bility of B ∗ generating a forgery when interacting with
T is close (up to a negligible factor) to the probability
of B ∗ generating a forgery when interacting with S and
therefore Advecdsa .
If B ∗ outputs the pair (σ, m), and m ∈
/ FakeFormat,
then Advecdsa has obtained her forgery (σ, m). Thus,
P r[Eforge ] = P r[Eforge−ECDSA ] − ν(λ). Which is neg-
ligible assuming EDCSA signature scheme is secure.
2) T is corrupted: We now show that the view of
any corrupted T ∗ , playing with an honest B, can be
simulated by a simulator ST that only has access to the
ideal functionality Fpromise-sign .
Proof Intuition. In the ideal world, T needs to decide
whether to grant signatures to B (that is, set ANS to
yes or no, and the indexes in Set) in a committing
manner: if ANS =yes then T has no power to prevent
B from getting the promised signatures later. This is
because ideal functionality Fpromise-sign has access to
the algorithm Sig, and when ANS =yes the ideal func-
tionality proceeds with the computation of the required
signatures for the fake messages, and has the ability to
sign the real messages in the future.
Now, the goal of the simulator ST , is twofold: (1) To
decide whether T should set ANS to yes or no, and to
29
choose Set in the ideal world. (2) To correctly compute
the signatures requested by Fpromise-sign via Sig. To this
end, ST will do as follows. ST interacts with real world
T ∗ , and if T ∗ provides an accepting transcript, then ST
will play ANS =yes. Then, by using the observability
of the RO H shk , ST will extract the signatures σi for
i ∈ F ∪ Set and uses these signatures to produce the
output of the signing algorithm Sig.
At high-level, a bad case for the simulator ST is
when (1) the transcript is accepting13 and ST sent
promise ’ANS =yes, Set’ to Fpromise-sign , but either
(1) the real T ∗ did not make RO queries that allow ST
to recover σi from ci for all i ∈ F ∪Set, or (2) the pairs
cj , zj for the real set R, will not eventually allows B
to obtain at least one signatures. That is, the bad case
happens when the promise is fulfilled in the ideal world,
but not in the real world.
Thus, the crux of the proof is to show that the
probability of the bad event is negligible if T ∗ provides
an accepting transcript. That is, when the transcript is
accepting and ST plays ANS =yes in the ideal world,
also real world B is guaranteed that will receive the
promised signature. At a high level, this holds due to
the following reasons.
1. Fake-Set Test. Due to the perfect hiding of the RO,
sets F and R are information theoretically hidden for
T ∗ . Thus the probability that T ∗ successfully passes
the cut-and-choose phase, (i.e., the Fake Set Check in
Figure 4) and that there is no i ∈ R such that (ci , zi )
is correctly formed, corresponds to the probability of
correctly guessing the set F . This happens with proba-
bility: η+µ
1
( η )
2. Quotient Test. The quotients q2 , . . . , qµ guarantees
that knowledge of j1 = (zj1 )d for j1 ∈ R, allows B to
learn all remaining keys j2 , . . . , jµ . To see why, notice
that if T ∗ passes the Quotient Test, it means that for
each i, zji = qi · zji−1 . Thus unlocking zj1 recovers j1
that in turns unlocks zj2 which recovers j2 and so on.
Since (N, e) define a permutation over ZN , then zj1 is
invertible and has a unique pre-image j1 . Therefore,
even if only one ciphertext cji contains a valid signature,
B will be able to decrypt cji and recover that signature.
Formal proof. We now proceed with the formal argu-
ment. We present the simulator ST , the algorithm Sig
(which is part of Fpromise-sign , see Figure 8), and finally
argue that the transcript generated by the simulator in
the ideal world is indistinguishable from that in the real
world.
Simulator S.
S runs T ∗ internally.
Upon receiving (KeyGen, B), send request to T ∗ and
obtain PK eph eph
T . Send (PK T , Sig) to Fpromise-sign where
Sig is defined as below.
13 A transcript is accepting if the honest player B completes the
protocol without aborting.
 Upon receiving (sign-request, B, PK eph
T , {FkTxni }i∈[η] ):
Randomly pick R, F with R ∩ T = ∅, compute the RO
outputs hF , hR and β1 , . . . , βη+µ , and send them to
T ∗.
Upon receiving a pair (ci , zi ) from T ∗ :
1) Extract i by observing queries to H shk .
2) Let σi be the signature decrypted from ci using
i .
3) If ci , zi , i , βi , σi for i ∈ F pass all validity
checks, record tuple (FkTxni , βi , σi ) in Lf ake .
4) If ci , zi , i , βi , σi for i ∈ R pass all validity
checks, add i to set Set, and add (βi , σi ) to
Lreal . If no such i exists, set real = no. (Note
that, for the real set, it is sufficient that one a
single l , with l ∈ R is correct. This is because
the quotient chain guarantees that knowledge
of the pre-image of zj1 (i.e., j1 ) allows B to
obtain all the pre-images zj1 (i.e., ji ) for ji ∈
R.)
For all i ∈ F , pick randomness ri , and send it T ∗ .
Add pair (FkTxni ||ri , βi ) to QH 0 .
Upon receiving the ‘openings’ 0i to fake mes-
sages i ∈ F , use 0i to obtain σi0 from ci . If
any (i, ci , zi , 0i , βi , σi0 ) fails any validity check, send
(promise, B, N O, ⊥) to Fpromise-sign . Else, if all checks
pass, send (promise, B, yes, Set).
Now we have two cases:
Case 1: Suppose there exists i ∈ F such that tuple
(i, i , βi , σi ) passes all validity checks but (·, βi , σi )
0 0 0
is not recorded in Lf ake . Then, abort and output
binding-fail!.
Case 2: Otherwise, for all i ∈ F , we have that
(i, 0i , βi , σi0 ) pass all validity tests and (·, βi , σi0 ) is
recorded in Lf ake .
1) If real = no, abort and output
cut-and-choose-fail!.
2) Else, set variables Lf ake and Lreal for algo-
rithm Sig.
If Case 1 and Case 2 do not happen, then it holds
that the transcript generated in the protocol –which
is distributed identically to a real transcript–, contains
enough information for an honest B to decrypt at least
one valid signature, by simply solving puzzle zj1 . The
latter is true, due the fact that zj1 ∈ ZN and have
a unique preimage, since parameters (N, e) define a
permutation.
Algorithm Sig(mi , PK ephT ).
Internal variable Lf ake and Lreal .
If there is tuple (mi , βi , σi ) in Lf ake , output signature
(βi , σi ).
Else if there is tuple (βi , σi ) in Lreal , then add tuple
(mi , β) to QH 0 , and output signature (βi , σi ).
Else, abort.
30
Indistinguishability
Proof.
The protocol messages generated by ST interacting
with T ∗ are distributed identically to the transcript
produced by a real B. The only difference between the
distribution of the output of the real and ideal world
is that the simulator aborts more often. Thus, prov-
ing indistinguishability between the two distributions,
amounts to proving that events binding-fail! and
cut-and-choose-fail! happen with negligible
probability.
Let us look at each event, and argue why they occur
with negligible probability.
Event cut-and-choose-fail! This event hap-
pens when the transcript is accepting and all the fake
values are computed correctly, but all the real values are
incorrect (i.e., ST set real = no). Since (N, e) defines
a permutation for fRSA , we have that all zji ∈ ZN have
a unique inverse ji .
Namely cut − and − choose − fail! happens
when:
1) For all i ∈ F , T ∗ provides consistent re-
sponses i , which were queried to H shk .
2) For all j ∈ R, there exists no j ∈ QH shk that
can be used to decrypt cj to a valid signature
σj on βj .
By the hiding of H, H 0 , probability of
cut − and − choose − fail! corresponds to the
probability that T ∗ guesses the set F which is:
1 1
µ+η + λ1


n
2
.
Event binding-fail! This event happens when (1)
T ∗ did not query the random oracle H shk with string 0i ,
but (2) later he sends 0i that passes all validity checks
and is such that
ci = H shk (0i ) ⊕ σi
where σi is a valid signature on βi . This event happens
if somehow T ∗ was able to predict the output of H shk
without actually querying H shk , or if T ∗ finds two i , 0i
such that zi = i and zi = 0i . Due to the fact that RSA
is a permutation and that B checks that i < N , the
latter event happens with probability 0. Due to the one-
wayness of the random oracle, the first event happens
when T ∗ guesses the output of H, which happens with
negligible probability 1/2λ2
G. Proof of Theorem 3: the case of Q payments
We now prove the Theorem 3 for puzzle-promise
protocol that allows Bob B to obtain Q payments. The
proof follows similar arguments used to prove Theo-
rem 2 for the “base case” where Q = 1 in Appendix F.
 1) Case B is corrupt: We outline the key differences
w.t.r to the simulator and the indistinguishability proof
provided in Appendix F.
Simulator.
The simulator for protocol in Figure 6, that we denote
by S Q , follows the same steps as the simulator S shown
for the base case, with the following modifications:
Step (A): S receives hR , hF and βj,i for j ∈ Q, i ∈
[η + µ].
Step (B.2): S additionally receives ρj,i for j ∈
[Q], i ∈ R, checks whether
(CashOutFormat(j, ρj,i ) ∈ QH 0
and, if so, sets the real messages mj,i = H. Case T is corrupt
CashOutFormat(j, ρj,i ), and the fake messages
FkTxnj,i = FakeFormat||rj,i . Else, it aborts. The
difference here is that for the case of Q payments
we also check the semantics of the real messages.
That is, a real message for level j must be a cash-out
transaction that transfers exactly j bitcoins to Bob.
Step (B.3): For each j ∈ Q, S sends
0
(sign-request, PK eph , {FkTxnj,` }`∈F , {mj,i }i∈R )
T
Step (B.4): For j ∈ Q, ` ∈ F , S stores in QH shk the
pair
([j, `, j,` ||j−1,` || . . . , 1,` ], hj,` )
Procedure RO2: The difference here is that in the
case of Q payments, when decrypting a ciphertext at
level j, B ∗ needs to query the RO H shk with all the
j 0 with j 0 < j. Thus, Procedure RO2 is modified as
follows. A query γ is parsed as (j|`|γj |γj−1 | . . . , γ1 ),
and the procedure aborts and outputs RSA failure
if there exits a j ∗ ∈ [j] such that (γj ∗ )e = zj ∗ ,` with
` ∈ R, and no pair ([j ∗ , `, . . . ||γj ∗ || . . .], a) has been
recorded yet in QH shk .
Indistinguishability Proof.
The indistinguishability proof for the output of S Q
follows the same hybrid experiments shown for arguing
indistinguishability of the output of S in AppendixF.
In particular, experiments H0.5 and H3 can be directly
extended for the case of Q payments. Denote the
extended experiments by H0.5 Q
and H3Q .
In experiment H2 , S changes the way the real
RSA puzzles are computed by not recording the RSA-
solutions i` for i` ∈ R in QH shk . This change po-
tentially triggers event RSA failure in the RO2
procedure. The distribution of hybrid H2 is only compu-
tationally indistinguishable from hybrid H1 in the proof
of the base case in of Appendix F. So, when we deal
with of Q payments we use a sequence of sub-hybrids
H2Q , H2Q−1 , . . . , H21 . In sub-hybrid H2j we change the
j-th row of real RSA puzzles. Hence, first we define
31
hybrid H2j as the experiment where: (1) the j-th row of
puzzles zj,i1 , . . . , zj,iµ is computed as:
zj,il = (ql )e · zj,il−1 , ∀l ∈ [µ]
(2) queries (j||`|j,` , j−1,` , . . . , 1,` ) for ` ∈ R are not
recorded in QH shk .
Then, indistinguishability of experiment H2j and
H2j−1 can be argued by following the same argument
as Lemma 2: the RSA reduction AdvRSA will place
its challenge z ∗ among the puzzles of the j-th row
zj,i1 , . . . , zj,iµ (il ∈ R), while computing all the re-
maining rows as in H2j .
Here it will be most convenient to present the full
simulator STQ for the case of Q payment. We then pro-
vide an indistinguishability proof by presenting its key
differences w.r.t. the base case shown in Appendix F.
Simulator.
Conceptually, there is no difference between STQ and
ST (the simulator for the base case in Appendix F). The
both send ANS =yes to Fpromise-sign if the transcript is
accepting, and they both try to extract keys j,i from
the RO H shk , for all i ∈ F and for some i ∈ R. For
both simulators, the bad event corresponds to case when
the transcript is accepting but the simulator does not
observes a RO query that contains an i that allows σi
to be recovered from ci for all i ∈ F ∪ Set.
The only difference between ST and STQ is what
constitutes a good key, that is, a key that allows the
simulator to decrypt a signature. In the base case of 1
payment, a good key is a string i such that H shk (i ) ⊕
ci = σi and σi is a valid signature and zi = (i )e . In
the case of Q payment, we need Q good keys, and the
j-th good key is a chain (j,i , j−1,i , . . . , 1,i ) of good
keys.
Simulator STQ .
STQ runs T ∗ internally.
Upon receiving (KeyGen, B) send request to T ∗ and
obtain PK eph eph
T . Send (PK T , Sig) to Fpromise-sign where
Sig is defined below.
Upon receiving
0
(sign-request, PK eph
T , {FkTxnj,i }i∈[η] , {mj,i }i∈[µ] )
for all j ∈ [Q]. Randomly pick R, F with R ∩ F = ∅,
compute the RO outputs hF , hR and βj,i for j ∈ Q and
i ∈ [η + µ], and send them to T ∗ .
Upon receiving pairs (cj,i , zj,i ) from T ∗ . Then, do
the following for j = 1, . . . , Q:
1) Extract key j,i by observing queries to H shk
that have format (j|i|j,i |j−1,i | . . . |?), where
 j−1,i , . . . 1,i are the keys extracted previ-
ously.
2) Let σj,i be the signature decrypted from cj,i
using j,i , . . . , 1,i .
3) If cj,i , zj,i , j,i , βj,i , σj,i for i ∈ F pass all va-
lidity checks, record tuple (FkTxnj,i , βj,i , σj,i )
in Lf ake .
4) If cj,i , zj,i , j,i , βj,i , σj,i for i ∈ R pass all
validity checks add pair (j, i) to a temporary
set TempSet. Else add (j, ⊥) in TempSet.
If there exist no i such that for all j, tuple (j, i) ∈
TempSet then set real = no. Else, store in Set the in-
dexes i such that (j, i) ∈ TempSet for all j ∈ Q. Then,
only for i ∈ Set, record tuple (mj,i , βj,i , σj,i ) ∈ Lreal
for all j ∈ [Q].
For all j ∈ [Q] and i ∈ F , pick randomness rj,i ,
and send it T ∗ . Add pair (FkTxnj,i ||rj,i , βj,i ) to QH 0 .
For all j ∈ [Q] and i ∈ R, pick randomness ρj,i ,
and send it T ∗ . Add pair (mj,i ||ρj,i , βj,i ) to QH 0 .
For all j ∈ [Q], upon receiving the ‘openings’
0j,i to fake messages i ∈ F , use 01,i , . . . , 0j,i to
obtain σj,i
0
from cj,i . If any (j, i, cj,i , zj,i , 0j,i , βj,i , σj,i
0
)
fails any validity check, send (promise, B, N O, ⊥)
to Fpromise-sign . Else, if all checks pass, send
(promise, B, Y ES, Set).
Now we have two cases:
Case 1: Suppose there exists i ∈ F and j ∈ [Q] such
that tuple (i, 0j,i , βj,i , σj,i
0
) passes all validity checks but
(·, βj,i , σj,i ) is not recorded in Lf ake . Then, abort and
0
output binding-fail!.
Case 2: Otherwise, for all i ∈ F and j ∈ [Q], we
have that (j, i, 0j,i , βj,i , σj,i
0
) pass all validity tests and
(·, βj,i , σj,i ) is recorded in Lf ake .
0
1) If real = no, abort and output
cut-and-choose-fail!.
2) Else, set variables Lf ake and Lreal for algo-
rithm Sig.
Algorithm Sig(mi , PK eph
T ).
Variables: Lf ake and Lreal .
Search for record (mj,i , βj,i , σj,i ) in Lf ake and Lreal
and output (βj,i , σj,i ). Else, abort.
Note that mi,j cannot be found in both lists. This
is because Lf ake is populated only with signatures
of messages in FakeFormat, and Lreal only collects
signatures of messages in RealFormat, and a message
mj,i cannot be both fake and real.
Indistinguishability Proof.
As for the base case, the indistinguishability proof
amounts to show that the probability that STQ aborts
in the simulation is negligible. As in the base case
(Appendix F), STQ will abort if the test phase passes
successfully, but later he finds that T ∗ did not
32
compute any i ∈ R correctly, therefore not de-
livering any promise. We focus only on the event
cut-and-choose-fail!(event binding-fail!
depends only on the failure of the random oracle, and
is independent of the number of payments). We argue
that probability of such event is negligible, due to the
same arguments as the base case. Too see why, consider
the following observations.
In the base case, a coordinate i ∈ F passes the va-
lidity check if the tuple zi , ci , σi is correctly computed.
In the Q-payments case, a coordinate i ∈ F passes the
check if the column zj,i , cj,i , σj,i is correctly computed
for all j ∈ [Q]. That is, starting from j = 1, it holds that
c1,i is correctly computed using keys 1,i , and for j = 2,
c2,i is correctly computed using both keys (2,i |1,i ) and
so on and so forth. Thus, for column i we have that B
is guaranteed that he can decrypt all signatures for all
j = [Q].
Now, recall that this check is performed for all
i ∈ F . This means that for η coordinates T ∗ correctly
computed for all levels j ∈ [Q]. Hence, the probability
that all columns i ∈ F are computed correctly in all Q
levels, but there is no column i ∈ R that is completely
correct in all Q levels, amounts to the probability of
guessing F . Thus, it follows that there exists at one
column i ∈ R, where values (zj,i cj,i , σj,i ) are computed
correctly for all levels j, except with probability µ+η 1
.
( n )
However, we need a second argument that shows
that, even one good index i ∈ R suffices for B to
recover his required signatures. To argue this, we use the
quotient chains provided for each j ∈ Q. The quotient
chain qj,1 , . . . , qj,µ guarantees that for level j, solving
puzzle zj,i1 for i1 ∈ R is sufficient to then unlock all
puzzles in level j. This guarantees that for every level
j, B will be able to unlock keys j,i for all i ∈ R. Thus,
if there is at least on i ∈ R where the entire column
is correctly formed, then B is guaranteed to decrypt at
least one entire column (and STQ is guaranteed to not
abort) except with probability µ+η 1
.
( n )
I. Details of our Bitcoin Scripts
Figure 9 overviews the relationships between the
transactions used in the TumbleBit protocol. We walk
through the details of our transactions, explain why
they conform to the Pay-To-Script-Hash (P2SH) [3]
template, and discuss why TumbleBit protocol is not
affected by the transaction malleability issue [5] of the
current Bitcoin protocol:
Transaction malleability. The transaction malleability
issue is roughly explained as follows. If one bitcoin
transaction Tfulfill fulfills another bitcoin transaction
Toffer , then Tfulfill must contain a pointer to Toffer . The
pointer is the TXID, which is the hash of entire Toffer
transaction, including any signatures on that transac-
tion. Now, bitcoin uses ECDSA signatures over the
Secp256k1 elliptic curve. It is well known that ECDSA
signatures are not deterministic. First, a party that holds
the secret signing key can easily produce multiple valid
signatures on a single message m. Second, even a party
that does not know the secret signing key can take a
valid signature on a message m, and maul it to produce
a different valid signature on m. Now, because TXID
is the hash of the entire Toffer transaction, including all
signatures on that transaction, mauling these signatures
results to a different TXID of Toffer . Such mauling
attacks are not a problem for a transaction that is
already in a blockchain, but they can cause problems
to transactions that are still unconfirmed.
The Bitcoin community is currently considering patch-
ing transaction malleability using a solution called seg-
regated witness [58], but as of this writing it has not
been fully deployed [20]. TumbleBit, however, remains
secure even in the absence of segregated witness.
1) Interaction between Tumbler and Bob.: The right
side of the Figure 9 presents the transactions used for
the interaction between the Tumbler T and Bob B. The
script in the Tescr(T ,B) transaction offers 1 bitcoin to a
fulfilling transaction satisfies the condition (B ∧ T ) ∨
(T ∧ tw2 ), i.e., a transaction that is either (1) signed
by both B and T , or (2) signed by T and posted to the
blockchain after timewindow tw2 . Condition (2) is time-
locked refund condition which is scripted as follows:
locktime
OP_CHECKLOCKTIMEVERIFY
OP_DROP
payer_pubkey
OP_CHECKSIG
where locktime is a timewindow (i.e., an absolute
block height). All subsequent descriptions of our scripts
use refund_condition as a placeholder for the
script above. For Tescr(T ,B) , the refund condition script
has locktime is set to tw2 and payer_pubkey is
set to the Tumbler’s public key.
Now, the full redeem script for the two-of-two
escrow transaction Tescr(T ,B) is as follows:
OP_IF
OP_2
payer_pubkey
redeemer_pubkey
OP_2
OP_CHECKMULTISIG,
OP_ELSE
refund_condition
OP_ENDIF
where payer_pubkey is the Tumbler’s public key,
redeemer_pubkey is Bob’s public key, and the
refund_condition is scripted as described above
with locktime set equal to tw 2 . Note that instructions
33
up to and including OP_CHECKMULTISIG checks for
the condition T ∧ B—checking if a valid Tcash(T ,B) has
been posted that is signed by both Tumbler T and Bob
B. The redeem script above is hashed and its hash is
stored in Tcash(T ,B) . (This ensures that the transaction
conform to the to the Pay-To-Script-Hash (P2SH) [3]
template.)
If Tcash(T ,B) is posted to the blockchain, it contains
(1) the redeem script above and (2) the following input
values that include the required two signatures:
OP_FALSE
payer_signature
redeemer_signature
OP_TRUE
To programmatically validate that Tcash(T ,B) can fulfill
Tescr(T ,B) (per the P2SH template), the redeem script
in Tcash(T ,B) is hashed, and the resulting hash value is
compared to the hash value stored in Tescr(T ,B) . If these
match, the redeem script is run against the input values
in Tcash(T ,B) . Tcash(T ,B) fulfills Tescr(T ,B) if the redeem
script outputs true.
Meanwhile, if Bob B refuses to post Tcash(T ,B)
before the timewindow tw2 ends, then the Tumbler
T can reclaim the bitcoin escrowed in Tescr(T ,B) by
posting a refund transaction Trefund(T ,B) . (See the right
side of Figure 9.) When Trefund(T ,B) is posted to the
blockchain, it contains (1) the redeem script above and
(2) the following input values, where signature is a
signature that verifies under payer_pubkey:
Signature
OP_FALSE
Trefund(T ,B) fulfills Tescr(T ,B) if the hash of the redeem
script in Trefund(T ,B) matches the hash value stored
in Tescr(T ,B) , and if the redeem script in Trefund(T ,B)
outputs true when run against the input values in
Trefund(T ,B) .
Notice that Bob B is not involved in constructing
the refund transaction Trefund(T ,B) ; indeed, Trefund(T ,B)
need only be signed by the Tumbler T . There are two
reasons why this is crucial.
First, Trefund(T ,B) must be posted when B becomes
uncooperative. Thus, Tumbler T can singlehandedly
post Trefund(T ,B) , and reclaim his bitcoin, even in cases
where Bob refuses to interact with T .
The second reason is the transaction malleablity
issue [5] of the current Bitcoin protocol. Suppose that
Bob B mauls14 his signature on transaction Tescr(T ,B)
before it is posted to the blockchain, causing the TXID
for Tescr(T ,B) to change from the TXID value expected
14 In fact, this mauling could even be done by the Bitcoin miner
that confirms Tescr(T ,B) on the blockchain!
by T . This has no effect on the Tumbler’s ability
to post the refund transaction Trefund(T ,B) . Specifically,
before posting Trefund(T ,B) , the Tumbler need only find
Tescr(T ,B) on the blockchain, hash Tescr(T ,B) to obtain
its TXID, and use this TXID when it forming his
refund transaction Trefund(T ,B) . By contrast, suppose
our protocol had instead somehow required Bob to
participate in forming Trefund(T ,B) before Tescr(T ,B) had
been posted to the blockchain. Then a malicious Bob
could give the Tumbler a valid Trefund(T ,B) on Tescr(T ,B) .
Then, Bob could maul the signatures on Tescr(T ,B) ,
and then post the mauled Tescr(T ,B) to the blockchain.
Tescr(T ,B) would still be a valid transaction, but the
Trefund(T ,B) held by the Tumbler would be useless, be-
cause Trefund(T ,B) no longer points to Tescr(T ,B) (because
Bob has mauled the TXID of Tescr(T ,B) ).
2) Interaction between Tumbler and Bob.: The left
side of the Figure 9 presents the transactions used
for the interaction between Alice A and the Tumbler
T . The script in the Tescr(A,T ) transaction offers 1
bitcoin to a fulfilling transaction satisfies the condition
(A ∧ T ) ∨ (T ∧ tw1 ). The redeem script for this
transaction is identical to the one used in Tescr(T ,B) ,
except that now payer_pubkey is Alice’s public key,
redeemer_pubkey is the Tumbler’s public key, and
the locktime in the refund_condition is set
equal to tw 1 . Tcash(A,T ) from Figure 9 is formed analo-
gously to Tcash(T ,B) , and the refund Trefund(A,T ) pointing
to Tescr(A,T ) is formed analogously to Trefund(T ,B) .
Recall from Section V-D, that in the puzzle-solver
protocol, Alice forms and signs Tpuzzle and sends it to
the Tumbler. Transaction Tpuzzle fulfils Tescr(A,T ) via the
condition (A ∧ T ). Thus, (just like Tcash(A,T ) ), a valid
transaction Tpuzzle should contain (1) a hash of redeem
script for Tescr(T ,B) , and (2) input values that include
the required signatures from A and T . If a valid Tpuzzle
is posted to the blockchain, Alice’s bitcoin escrowed in
Tescr(A,T ) is transferred to Tpuzzle . However, this bitcoin
remains locked up in Tpuzzle until Tpuzzle fulfilled by a
transaction the meets the condition (T ∧ A∀j ∈ R :
hj = H(kj )) ∨ (A ∧ tw1) as specified to the following
redeem script:
OP_IF
OP_RIPEMD160, h1, OP_EQUALVERIFY
OP_RIPEMD160, h2, OP_EQUALVERIFY
...
OP_RIPEMD160, h15, OP_EQUALVERIFY
redeemer_pubkey
OP_CHECKSIG
OP_ELSE
refund_condition
OP_ENDIF
The redeemer_pubkey is the Tumbler T public
key, and the refund condition has payer_pubkey as
Alice’s public key and locktime as tw1 . This redeem
script checks that either (1) the fulfilling transaction
34
has input values that contain the correct preimages
(h1 , . . . , h15 from Figure 3) and is signed by T ’s
public key, or (2) the fulfilling transaction is a refund
transaction signed by Alice and posted to the blockchain
after timewindow tw1 . This redeem script is hashed
and its hash is stored in Tpuzzle . To fulfil Tpuzzle , the
transaction Tsolve contains (1) the redeem script whose
hash is stored in Tpuzzle , and (2) the following input
values:
signature
k15
...
k1
OP_TRUE
where signature is a signature under the the Tum-
bler T ’s public key. The preimages k1 , ..., k15 are such
that H(k` ) = h` per Figure 3.
Per Section V-D, however, if all parties are cooper-
ative, the Tumbler T just holds on to Tpuzzle and never
signs or posts Tpuzzle to the blockchain. However, it is
important to note that once Alice A provides Tpuzzle
to the Tumbler T , the Tumbler can claim the bitcoin
escrowed in Tescr(A,T ) . To do this, T just signs and
posts Tpuzzle to the blockchain, and then forms, signs
and posts Tsolve to the blockchain. No involvement
from Alice A is required to do this, and thus the
Tumbler T can claim his bitcoin even if Alice stops
communicating with T . Notice, however, if T decides
to unilaterally claims a bitcoin by posting Tsolve , the
Tumbler T necessarily reveals the puzzle solution (see
Section V-B). Therefore, Alice gets what she paid for
even if she stops cooperating with the Tumbler T . As
a final note, Alice cannot use transaction malleability
to steal her bitcoin from the Tumbler; when Alice A
gives Tpuzzle to the Tumbler T , then Tpuzzle points to
the Tescr(A,T ) transaction which is already confirmed
by the blockchain and thus cannot be mauled.
Finally, recall from Section V-D that if T becomes
uncooperative, T could sign and post Tpuzzle to the
blockchain, and then refuse to sign and post Tsolve . In
this case, Alice never obtains her puzzle solution, and
must reclaim her bitcoin which is locked in Tpuzzle by
posting a refund transaction Trefund(A,T ) that points at
Tpuzzle . (See Figure 9.) Specifically, Trefund(A,T ) points
at Tpuzzle and (1) contains the redeem redeem script
whose hash is stored in Tpuzzle and (2) and the following
input values values, where signature is a signature
that verifies under Alice’s public key:
Signature
OP_FALSE
Once again, Alice can post Trefund(A,T ) without any help
from the Tumbler. Once again, this matters because the
refund transactions must be posted when T becomes
uncooperative, and must still be valid even in the face
of transaction malleability (i.e., if T mauls the TXID
for the transaction fulfilled by Trefund(A,T ) .)

35
 Alice to Tumbler (𝓐→𝓣) Transactions Tumbler to Bob (𝓣→𝓑) Transactions

Tescr(𝓐,𝓣) Tescr(𝓣,𝓑)
Inputs: Inputs:
0. ← 𝓐 0. ← 𝓣
Outputs: Outputs:
0. [1 BTC] → (𝓐 ∧ 𝓣) ∨ (𝓐 ∧ tw1) 0. [1 BTC] → (𝓑 ∧ 𝓣) ∨ (𝓣 ∧ tw2)

⊕ ⊕
Trefund(𝓐,𝓣) Tpuzzle Tcash(𝓐,𝓣) T refund(𝓣,𝓑) Tcash(𝓣,𝓑)
Inputs: Inputs: Inputs: Inputs: Inputs:
0. ← 𝓐 ∧ tw1 0. ← (𝓐 ∧ 𝓣) 0. ← (𝓐 ∧ 𝓣) 0. ← 𝓣 ∧ tw2 0. ← (𝓑 ∧ 𝓣)
Outputs: Outputs: Outputs: Outputs: Outputs:
36

0. [1 BTC] → 𝓐 0. [1 BTC] → (𝓣 ∧ ∀j∈R:hj=H(kj))∨(𝓐 ∧ tw1) 0. [1 BTC] → 𝓣 0. [1 BTC] → 𝓣 0. [1 BTC] → 𝓑

⊕ Uncooperative 𝓑
Trefund(𝓐,𝓣) Tsolve
Inputs: Inputs:
0. ← 𝓐 ∧ tw1 0. ← 𝓣 ∧ ∀j∈R:hj=H(kj)
Outputs: Outputs:
0. [1 BTC] → 𝓐 0. [1 BTC] → 𝓣

Uncooperative 𝓣 Uncooperative 𝓐

Fig. 9. Transaction relationships when Q = 1. Arrows indicate spending. Transactions in dotted line boxes denote transactions that are only published if a party is uncooperative.