Turning privacy into Bitcoin's economic edge

So the reason HTTPS makes sense as an analogy is because before HTTPS, everything on the web was totally unencrypted. And if you and I were having this video call and say we were both on a hotel, say I was on hotel Wi-Fi. The hotel is a sort of third party in the middle that would be able to listen in on the stream and find all the packets. Once we introduced HTTPS, not that streaming was that easy back in the day, maybe it was emails instead, but assume it was. Once we assume HTTPS, then the ability of the third parties that are not us, the counterparties, to read that information was fixed. It was protected by encryption. PayJoin is much the same in that when I'm sending you some money with a PayJoin, you still know my inputs and I still know your address ultimately at the end of the transaction on chain. But without that information of my wallet or your wallet, without those additional details, the second party information, third parties don't know that with any certainty. Dan, welcome.

Sean, thank you. Fresh out of the Department of Motor Vehicles, on to Trust Revolution. Appreciate you making that context switch. Hopefully it's a little more pleasurable doing this than that. Yeah, absolutely. I don't want to be standing in lines and talking through a glass wall. Nobody needs that. We're just talking to glass screens instead. Well, hey, so we have been working on this for a bit since you and I sat beside each other at an event at Bitcoin Park. and started talking about our beloved First and Fourth Amendments here in the United States. And so I am particularly excited to talk with you, to speak with you about your work, about what privacy means in terms of financial transactions and payments specifically. And let's start here. Congratulations on getting PayJoin Foundation off the ground. And for those who may not be familiar with the work and your leadership of it, could you give us a brief background, Dan, on PayJoin and PayJoin Foundation and its relevance to Bitcoin and payments generally?

Sure. Thanks for that tee up. Oh, I need to also thank my team, of course. The whole reason PayJoin and PayJoin Foundation exists now is because we've had around eight independent compensated contributors working on PayJoin for about a year. And we've got a volunteer board. It was time to be able to recruit directly for specific needs that the PayJoin dev kit had. But I'm getting ahead of myself. So pay join is what you can think of as interactive batching. Bitcoin has had batching since, you know, it was became widespread in 2017, I think, when the fees got crazy. But if you make naive Bitcoin transactions, that's one transaction per transfer of money. And if you're moving money often and high volumes, that starts to really add up and become

more expensive than it needs to be so when the fees got high in 2017 people started batching non-interactively where like the common example is an exchange would service multiple withdrawals in one transaction where they'd provide a single input and be able to pay say 100 people all in one transaction, only producing one change, which kept their wallets small, kept their customers served often, and they pay a much smaller fee for making that batch versus making the hundred separate transactions. And that is, if I am a customer of Strike or Cash App or one of the more sort of consumer focused apps of that nature, I want to sweep my Bitcoin. I want to move it into self-custody, whatever that may look like. What you're laying out is sort of the operating process that these exchanges go through, whereby they're not having all their margin eaten up by fees.

And they can process these withdrawals more frequently so that, as you say, I, as a customer, a consumer, get what I want when I want it. That's right. Exactly. And then if I am, again, that individual who, you know, maybe I'm holding IBIT. I want some, as they say, exposure to Bitcoin, but I'm not yet holding Bitcoin in self-custody. Or I am, as I noted, a Striker, a Cash App user, really looking at it more as a neobank with an eye toward how do I enjoy sort of the full benefit or set of benefits of Bitcoin. rewind and explain why any of what you just described sort of matters in that context. What ultimately does PayJoin get us or get that individual? What's the benefit? So in the context of self-custody, this is what you're talking about as opposed to an IBIT or some ETF? Well, more that I'm that person who is looking to take the next step into self-custody or

just progressing, you know, toward using Bitcoin to its fullest extent. What is PayJoin? What's the impact of PayJoin on that individual? So easy. Bitcoin exists to remove intermediaries from the movement of money online. So you want to be able to move money and you don't want to be censored by some party in the middle that says, no, you can't do that because I don't like that. in order to do that we need privacy because without privacy if someone can see how money is moving they don't like someone you paid if you're relying on them to move money or even if they can make a lot of noise that you move some money then they can discriminate based on that so we need some baseline privacy and in the original white paper Satoshi said that there's privacy problems with Bitcoin and that the way bitcoin works with inputs like coins and outputs for each transaction he said all the

inputs necessarily come from the same person which at the time was true based on the wallet software available but it wasn't a consensus constraint and that assumption that all the inputs come from one person is called the multi-input heuristic or the common input ownership puristic and is used to dragnet surveil everyone on bitcoin it's a pretty easy assumption to make that all the inputs come from the same person so you can just look at the chain and kind of follow coins for may to be see how much money someone has um how much money they make on a regular basis who they paid in the past and then in the future even who they might pay so pay join is the simplest way to break that privacy problem that satoshi brought up and i think of it as the next iteration of batching so the batching i mentioned is non-interactive batching with page on you have interactive batching where rather than the batch being made just by the person

with the inputs you can have a sender and a receiver both contribute inputs to a transaction So this breaks the heuristic and it saves people money. It's supercharged batching for Bitcoin. Right. And I think that's, you know, exactly what I wanted to convey is that the, in my mind, significant innovation here is that privacy becomes an economic benefit, not a liability. And so as you just teed it up, Dan, I'd like to go from there to let's do talk Fourth Amendment. And so the Fourth Amendment says your papers and effects can't be searched without a warrant. We use physical cash. That protection exists. When we use Bitcoin, as you eloquently noted, so-called chain analysis tracks every transaction. How, in your mind, did we end up with less privacy in the digital version of cash than the physical one?

I love this question because it's kind of like history rhyming, actually. The same sort of thing happened when the telephone was invented. So, you know, we are even the telegraph before that we had all these wires on the ground, people using Morse code. But they passed laws very quickly that made physical taps that arbitrary, like if you if you physically spliced a wire into the phone cable to spy on someone that was illegal. But then someone figured out, oh, you can just wrap a wire, a coil around the wire. You're not physically tapping it and you can read the signal still. And it took until the mid 60s to pass laws that made that Fourth Amendment protected that required police departments and government agents to get warrants to be able to search and seize that information. So how did how did we get here where it's not protected by the Fourth Amendment?

I think it's just new ground. People aren't aware. There was also a sort of a necessity when Bitcoin originally came out. We didn't have zero knowledge proofs, so we weren't able to do that kind of verification without all the amounts being available in this public record. So it's part of it's partly just that the laws and norms take time to catch up and some technological limitations at the time that Bitcoin came out. But all of these things, I believe, are being addressed. And that is certainly another point that I want to underscore is this is the preservation of rights. This is not the assertion of new rights. And so you touched on it. You know, a government agency wants transaction data in the physical world, get a warrant. And so the question with Bitcoin is, you know, why does that standard disappear? And not, Dan, that I expect you to be to act as an historian, but I know that you, by necessity, as a builder of PayJoin, get into this is, you know, what's your sort of understanding as it stands with

regard to the so-called reasonable expectation of privacy. And I'm thinking about, you know, cats versus United States in the 60s, I think it was. And so what is your assessment or understanding of how Bitcoin sits in that sort of that rubric of reasonable expectation of privacy? And where is PageWine pushing us or taking us? Hmm. So yes, cats is sort of what I was talking about, where you have a reasonable expectation of privacy. I think the issue with Bitcoin is specifically that while the system is pseudonymous and has the potential to grant people the ability to preserve their privacy, in practice, everything people do is published to a permanent record on chain, as, like I said, noted by Satoshi. And even before that, if people reuse addresses, if people are relying on a third party to sink. Third party doctrine kicks in.

Well, yeah, not even that. But if you're beyond the legal part, just the strict practicality, if you're depending on someone else to tell you what your balance is and you're not validating, you're revealing your entire history to someone else that you must trust not to reveal that. Never mind if someone goes and knocks on their door and says, give this over because you're a third party and third party doctrine applies. So we don't need to get a warrant. Right, right. Well, and maybe to contrast that, you know, for those paying attention this week, Samurai, the wasabi or pardon me, Samurai mixer. that litigation has come to a head where the government has shown that they're taking a particularly aggressive stance. Prosecutors have claimed that Samurai pooled funds and operated as a so-called financial intermediary, and they're pushing for the maximum sentence of five years. How does payjoins architecture differ from mixing technically? And

And to the degree you want to go there, you know, sort of why does that matter in light of some of these lawsuits and some of these, I would say, witch hunts? Yeah, it's a shame to see the way that's gone. That whole case is a disaster for so many reasons. It is. It absolutely is. The biggest one is just that they pled to the money service business charge and not some of the other charges, which seemed like the most ludicrous of what was on the table. The whole point of pay join is that it happens while you're making a payment. Like I said, it's transaction batching generally rather than some form of mixing. Right. It's in the flow in the process of executing or conducting a payment. it is not a discrete separate activity is that fair even if it were which it's not i don't think that activity makes it more suspicious but it definitely makes it um less convenient so

pay join there's it's got two things that really make it quite different from your classic coordinated coin joy one is that it happens in the typical user experience so you scan a qr code like you would you're trying to pay someone you click send and in the background if both wallets support it it'll try to make a batch based on the configuration of each wallet and therefore it doesn't require an explicit like user action i'm trying to mix and separate old history new history but it also tends not to have this distinguishable fingerprint on chain when you look at a coin join from a samurai or wasabi you're going to see a lot of outputs that are of equal amounts and when money's being transferred whether in a batch or not it wouldn usually look that way that would only happen if you doing a self because payjoin both involves a transfer and only involves uh two people mainly because it involves

a transfer it doesn't have this signature you don't produce equal amount outputs it produces typically a transaction that has two outputs which 80 of the transactions on the network have two inputs, I meant to say, not outputs, have two inputs. So it looks like everything else on the chain. It's not really possible for someone to point at something and say with any degree of certainty that is a pay join. It looks like the rest of the traffic on the network. So it's much harder for a third party or even a second party to a transaction to discriminate based on history that includes a pay join activity just because you don't know for certain if it's happening. Right, right, right. And if I am then, if we shift from a user of money, of Bitcoin to a developer, what is the benefit or why should I integrate PayJoin rather than avoiding privacy features altogether in light of Samurai and other scenarios?

Sort of what's the call to action to a developer to build PayJoin into their wallet, into their consumer experience? Yeah, if you're avoiding privacy features altogether, I'm not sure exactly what that means. I mean, you're custodying your users' funds and that's it. You don't go any further than that. If you want to give people control because it's a benefit to them and a selling point for you, then privacy is just another knob. Absolutely. You're giving people the control to reveal their activity or not. and it may even make your life easier because you don't need to manage any sort of personal data take responsibility for that but beyond that i think the reason to integrate payjoin now is because it gives this opportunity to your users to do these automated batches that fall back to the old way of doing things. So it's optimistic and it's not going to break your flow.

And not only do your users benefit with this idea of privacy, but the whole network stands to benefit as the floor upgrades, as this basic common input heuristic becomes less reliable for all. So if I were to send you money, Sean, You might know some details about what I sent to you and vice versa, but our ability to cluster one another, to know, oh, all of these coins belong to Sean. These are the people he transacts with, and this amount becomes much less reliable, and that improves everyone's safety. And in my opinion, the longevity of the whole network, the selling point of Bitcoin is that it is censorship resistance. It's censorship resistant and this element of privacy is necessary to preserve that. Yes, and I think that cannot be overemphasized. This is delivering on the promise, I think, of what so many expect from Bitcoin, whether or not they understand deeply the technical details.

And, you know, as you called out, there were caveats that Satoshi made note of. But peer-to-peer electronic cash is what I hope most people expect of it. And I think what's so exciting about PayJoin is pushing, you know, closer to that vision. And my monologue here is only to say that there are not dedicated business models and firms that I'm aware of that are, you know, spying on me moving cash from point A to point B across a counter or to another individual. And so why should they enjoy that particular benefit or business model with Bitcoin? Beyond that, I think there's one thing I want to touch on with regard to why the time is now. The PayJoin DevKit is the tool that lets developers plug this into their wallet experience. and until now if you wanted to have one of these privacy technologies in your wallet or your service

I mean really if you have an exchange or a custodian or a treasury or a payment processor that's all viable you have a lending product now the payjoin dev kit in about a thousand lines of code with two developers in a weekend you can plug it into that existing flow wire up the RPCs the glue make some database calls. You basically implement how you'd save some data. And because this is approaching stability, we just did a release candidate for the 1.0 API. I think, especially if you want to show people that you do in fact care about user privacy, the time is now because it's just possible now and it wasn't possible a year ago. I was yesterday taking, I was refreshing myself on the Bitcoin design guide and the particular pay join section or elements. And, you know, it's a bit above my pay grade, but what I so value about the Bitcoin design

guide and the team, the group behind it is the sort of classic approach to what is the objective that a particular user has and what are they trying to accomplish to achieve that objective. And I think it lays it out nicely. I'll be sure to include that. But my understanding is that it is uninvasive. And as you say, part of the payment flow, as opposed to some of these other approaches, which I think have interjected a lot of friction, which we do not need, clearly. And I think we're already in a situation where we're sort of chasing a lot of neobanks, a lot of consumer payments apps. And the more privacy we can enjoy, the less friction that it injects into the process, the better, which is great. OK, so with that, let's get into a bit of the details, Dan, and I'll see if we can sort of keep this a little higher level with regard to the mechanics of PayJoin.

And I think, you know, my objective would be for someone who is privacy curious, who is Bitcoin curious and or holding Bitcoin and wants to understand what is this magic that you have created, you and the team have created behind the scenes. Let's get into a little bit of the detail. So most privacy tools, I think, make us choose between convenience and anonymity. PayJoin, which as I've noted, I think what's so powerful is it saves you money on fees while improving privacy. Could you walk us through sort of the Lego brick version of how that works? You've touched on it, but I'll just ask you to sort of go back and walk through. Yeah. If anything gets too deep in the weeds, reel me in for a minute. Yeah. So Bitcoin has inputs and outputs. You know, you have coins. Anytime someone pays you, you get a coin. And if you want to pay someone a certain value, you need to supply sufficient inputs to cover all of the output values you want to pay. So it's kind of like dollar bills, right? If you wanted to pay someone $7 and you had a 10, you would use that 10 and give them a 5 and 2 1s and you'd make change of $3.

Now, we don't need these denominations strictly, but another example, if you needed to pay someone, say, $8 and you only had two fives, you need to spend all, like, the whole input. So, typically when you'd make a transaction, like I say, you use one input and you'd get an output and change. with page one rather than just broadcasting that to the other person when they give you their address the information they share includes a mailbox which is an out of band just like your email place to to put a message that they listen for so instead of broadcasting that transaction them you put it in the mailbox and they're waiting for it they can take that add their own input an output so if they added some input and still wanted to be paid to the same address they then just augment the output by the amount of their input take that same transaction put it back in

the mailbox for you as the sender to take out and then you can check this as the sender verify that it pays only the amount you wish to go to the receiver and gives you sufficient change sign it and broadcast it. And once you broadcast it, the receiver can see that, oh, this is what I, yeah, they get paid. And if for some reason, after putting it back in the mailbox, the receiver doesn't see that on the network, they always have that original that they got in their mailbox that they can broadcast to fall back on. So the interaction, the ability of the center and the receiver to send messages to one another gives the receiver the chance to augment the original transaction with some more transaction intents, whether that's a consolidation, as I described, them including their own inputs and adding it to their outputs, or even forwarding money to another person. So instead of taking the output directly,

they could replace the output that would pay them with outputs that pay other people. That's the high level. Nice. And then what is, was the fundamental breakthrough that made PayJoin possible? Or was this the grind over years to get this implemented? Yeah, I don't know that there was one fundamental breakthrough. It's a little history. In 2018, there was a workshop in London that was Chatham House Rules. A bunch of people came together. I Because even in Greg Maxwell's original CoinJoin Bitcoin talk post, which is, I think, from 2013, where equal output CoinJoin is spoken of, like putting payment amounts was listed there. And so when these folks got together in London, Blockstream wrote an article called Pay to Endpoint that described how this might work. you could use a web endpoint to do communication at a band and combine transactions, preserving

privacy, because these transactions could have multiple interpretations. Like I said, they don't really look like pay joins. I think Adam Gibson dubbed the name pay join to the idea instead of pay to endpoint, P to EP, which rolls off the tongue a little nicer. Absolutely. Much better marketing yeah mr cooks and nicola dorier from btc pay put together bip 78 which was a simple pay join protocol that used http that was implemented quite widely actually i and btc pay server of course samurai not samurai aspero wasabi join market but the issue was you had to run a server yes and not everyone wants to run a server and even if people do run servers that do they want to connect a hot wallet to it there was just a lot of um a lot of barriers to adoption that even were called out on the mailing list craig raw wrote on the mailing list and he's like you know

the server thing is kind of stinky join market fix it fixes it by using uh tor but then even though all these wallets can send pay joins if they don't have tor they can't communicate with So there was this whole fragmented situation. Low ceiling to the adoption curve, I think. So this is around 2021, I'd say. After between 2018, 2019, the spec got made. It got rolled out to quite a few wallets where people did hand-rolled implementations. And it didn't really take off because it was hard to receive. It was really easy to write the sender, but not the receiver because you needed to have the server and it needed to interact with the wallet. it so around 2022 i had noticed i'd been working on equal amount coin joins uh in ios but i kind of realized after some time that the operating system doesn't matter we're not going to solve bitcoin's privacy by taking these manual steps and the page one idea had gotten some

attention it seemed like people got the idea people liked it Armin Saburi and I who he still works on payjoin we won MIT Bitcoin hackathon hacking payjoin into the iOS wallet we were working on and HRF gave us a little grant to productionize it and that's when I really shifted focus I'm like okay there's something here worked on the payjoin dev kit which was a library instead like how do we how do we ship this thing as a library instead of a specific application and in doing that and doing the integrations i realized that the protocol itself was the problem so it's over the past two years we've been working on an async pay join protocol that instead of requiring the receiver to run a server both the sender and the receiver communicate using these mailboxes that are blinded the messages are blinded from the server hosting the mailboxes and the server hosting the mailboxes is called the directory is run by a third party

and because of this now you can take the payjoin dev kit off the shelf which is more or less an http client like a web browser client and some crypto sprinkled on top with partially signed bitcoin transactions so some transaction serialization and with this pure client software any wallet can speak pay join and slip it into their experience so the real the real breakthrough was this async pay join protocol and the ability to use that with an off-the-shelf dev kit so the dev kit is all highly tested performant written in rust it's systems oriented we got the abstraction setup so they very easy to reason about someone can come in and contribute however they want and then we bind to that in all these different languages so if your wallet's in dart or python or kotlin or c sharp you can call this core library

and know that your implementation is going to be interoperable so this confluence of factors i I would say mainly the async protocol that Yuval Kogman and I co-authored, BIP77, are the reason that we've been able. Yeah, we're here. We've been able to go from this thing that was sort of fragmented and difficult to use to something that is now in CakeWallet and BullBitcoin Mobile. You know, half a million monthly active users approximately can just scan a QR code and it'll happen in the background. Brilliant. And so on the back of seven years of grinding, here is a, you know, and I know you're a humble guy, but here is a significant breakthrough that fast forward gives us the ability, if you are a developer, if you're a builder, if you're a product person, to drop PayJoin into your consumer experience and off you go.

That's right. And you said, Dan, I believe that you've compared page one adoption to HTTPS. Yeah. And most of us, you know, we take that little lock in our browser for granted. So, again, for those who may be coming sort of up that curve, why is that the apt analogy? And then what does that network effect curve look like as a result? i'm glad you asked both of these questions because they're exactly why i frame it as https so the reason https makes sense as a an analogy is because before https everything on the web was totally unencrypted and if you and i were having this video call and say we were both on hotel say i was on hotel wi-fi uh the hotel is a sort of third party in the middle that would be able to listen in on the stream and find all the packets once we introduced https um not the streaming was

that easy back in the day maybe it was emails instead but assume it assume it was once we assumed https then the ability of the third parties that are not not us the uh counterparties to to read that information was was fixed it was protected by encryption page one is much the same and that when I'm sending you some money with a pay join, you still know my inputs and I still know your address ultimately at the end of the transaction on chain. But without that information of my wallet or your wallet, without those additional details, the second-party information, third parties don't know that with any certainty. The reason the network effects can take off as well is because HTTPS became seamless and embedded in the browser. Any browser has this now. I think this year Chrome is going to release an update where if you go to an HTTP website, it's going to give you a big warning.

It's not for an invalid certificate, just if the thing doesn't have a certificate at all. It's going to say, do you really want to even go to this website? We've come so far in large part thanks to Let's Encrypt making certificates free. Yes, thank you to them. You can start up a server. Yeah. And that was a very similar model as well. That's a nonprofit, the Internet Security Research Group, supported by all sorts of, you know, the browsers and EFF. And they were able to roll out the software that automated HTTPS so that it's expected everywhere. PageLine is much the same. We've got the nonprofit. We've got the development kit. you can include it in your wallet with a couple weekends you can make a proof with a couple engineers in a weekend's time you can make a proof of concept and the last reason to call it HTTPS is because it contrasts with something like Tor so this is beyond your initial questions

but Tor gives you second party privacy so you connect to some website and that website doesn't know your origin ip address even though you connect to them directly so right yeah true the third party can't see the traffic because all parties are blind to the origin yes but the tor protocol uh onion routing protects the ip address and i think i know payjoin can go that direction in the future but what we've shipped right now is the closest to HTTPS. Yes. And I think, you know, the thing again that I would like to underscore is this is not nefarious. This is would you visit a website where the lock is open on your browser? Of course you wouldn't. Would you engage with a bank that didn't implement HTTPS SSL? Of course you wouldn't. Can you imagine? No. Yeah. I mean, so I love that. And I think it's it is, dare I say, appropriate and powerful to make that comparison because that is what should be,

is that same level of protection from snooping and from invasions of privacy. So, bull Bitcoin, cake wallet, I believe foundation devices? Is that a – did I imagine that? They probably – the device itself will sign a pay join. I don't know if it works with either of those two pieces of software. You might be able to sign a pay join with like Sparrow from that, the old protocol, but yeah, it would work. The protocol is backwards compatible. So there's that. Like I said, Wasabi, Sparrow, Join Market, Bitmask, Wallet, and BTC Pay, of course. Cake and Bull Bitcoin have the new protocol. That's why I bring them up. Yeah, I installed the Bull Bitcoin app last week. Brilliant. And so, you know, you're getting real adoption. This is not an academic paper. This is not a white paper. This is not aspirational. It's real. And so, you know, what then would be, and you've touched on this, we talked about sort of to a developer, if we shift a bit, Dan, to a CFO, COO of an exchange, what is the message to them as to how they should, it's a reiteration of what you said,

how they should perceive PayJoin and what's in it for them, not as a dev, an engineer, a product person, but as sort of CFO, COO. What's the message to them? The biggest reason for someone in such a position to use PayJoin is just that they can raise their bottom line. They can save on fees. We've got an example on our website of a 16% fee savings, pretty modest with some basic batching. um so and this is assuming you're already doing some some batching right um that's that's the main thing um i i often get asked in terms of the compliance department like oh what do i what do i do about this i want people not like this um i'm not gonna go there but by all means go there yeah no i i'd like to go there i think it's i think it's related because it always comes up as the next question um and the thing is there's nothing preventing it's it's an

independent problem because these kyc measures if you're obligated to do them are a data collection with regard to like who you're dealing with and it doesn't nothing prevents you from collecting that information um so when i'm talking to someone in a cfo position this is naturally going to come up the the bottom line can increase you can save on fees you basically take your batching strategy to the next level and you also can get higher velocity of money because you can do something like cut through so if you're in exchange as this example your depositors can directly fund your withdrawals so you don't have to take the deposit wait for confirmation and then spend that utx so you can actually spend it in the same block with page interesting okay Right. Right. So, yeah, you're not you don't have that carrying cost. And what is that? You know, you touched on it. I won't say this is your perspective or your position, but having had many of those conversations myself, I know that.

some, hopefully more and more over time, of these forward-thinking executives are looking at how to reduce the exposure that they carry to keeping so much personal data. Is there a scenario in which, as you said, you know, if they're obligated, they'll do it because nobody wants to get perp walked out the front door. And that's a different conversation than we're having today as to KYC and FinCEN and Travel Rule and all this stuff. But, you know, is there a benefit to sort of shrinking that attack surface if you're that head of compliance, if one implements PayJoin? Are you sitting on less data? The reason I hesitate to answer is because as PayJoin is implemented today, the current protocol, it's actually about the same amount of data. You still know who your counterparty is, what funds were sent to you, and what address was used.

The biggest difference is that even if you give that information to a third party for analysis, the ability of the analysis is greatly reduced. now beyond that i can imagine a future where an upgraded protocol has more effective batching where as the recipient to a transaction you don't necessarily know which coins were sent to you or as a sender you don't necessarily know which address or addresses those funds ended up in you just end up with a proof this is would be very similar to lightning which as far as I can tell has proliferated and is possible to use within compliant regimes. So I think there's a future for that too. But to answer the question right now with PayJoin, you actually don't even need to consider that question because you have the same information you've always had with on-chain Bitcoin.

And again, worth pointing out an exchange intermediated approach versus truly peer-to-peer. appreciating that those are quite different. So if we, as you say, you know, fast forward, I'll just pick a number, 30% of transactions implement or use PayJoin. What happens to the surveillance model, Dan? Who will think of the chain analysis firms? There are more problems that we need to address, actually. So yes, the common input heuristic might be gone but we still have a lot of work ahead of us in terms of privacy every wallet tends to have a fingerprint so there's things like unlock time sequence number the script you're using amount correlations generally timing analysis of when transactions are made if you can figure out a pattern so their their pay join in its current form common input heuristic is not the end of the story it does make the very most useful tool that chain analysis has obsolete especially if

with 30 penetration it's you're taking almost a 50 flip every two input transaction on the interpretation and truth be told i did arrive at that number on purpose so uh right yeah of course yeah it's also difficult to measure like how do you even know how many transactions and what volume is using PayJoin. Right. Yeah. Which is itself wonderful. So, you know, I think the takeaway that I wanted to pull out, and of course you nailed it, is it's a great start, but there's a lot more work to do. And in that vein, does PayJoin lay a foundation for doing some or more of what you've just laid out sort of breaking some of these common heuristics or is that the domain of a different BIP, a different set of technologies? I would say both. Like I would probably still call some of this stuff PayJoin, but it will require new specs

and new tech. The cool thing about PayJoin DevKit is we deliver this off the shelf package with all the goodies you want and we can have some what i like to call a chain surveil yourself tools to do analysis within your wallet and inform your transaction construction um so you can get some counterfactuals you can figure out what the privacy effects of your wallet would be just by using the software that's being developed in the dev kit and the next big protocol change that'll happen over the next year or so for payjoin is a multi-party payjoin. So like I said, when you involve more than two people in a payjoin, then there can be some real indistinguishability from the counterparty. So I pay you, and I don't know what address you necessarily had. It's more interactive. You have to send more messages around.

Anytime you have a distributed system, it becomes more complicated. But the... The team we have focused on this is built to people who have been thinking of this problem for a decade plus. And this problem has only been around for how long has Bitcoin been around? 17 years? Yeah, right. So there are ways to overcome these challenges. And then especially combined with some of the analysis that I see being brought into the clients and not just being done by surveillance firms in a defensive way, we will have very robust privacy for normal, everyday people on Bitcoin very soon. Fantastic. That's the bullish sentiment I was hoping for. If we zoom out a bit Dan and we touched on the Fourth Amendment I like to talk a bit about the first and code of speech We rewind to the 90s

Daniel Bernstein successfully argued that publishing encryption code for PGP was protected speech under the First Amendment. Again, you are not a lawyer, but the samurai prosecution seems to attack that precedent. Some, you know, some are saying it's it's crypto cryptography, not cryptocurrency, sort of crypto wars 3.0. What's your read? And, you know, how well do you sleep at night, frankly, with regard to the ability to enjoy First Amendment protections as a publisher of software? I sleep okay with regard to that. The really screwed up part of that case was, again, the fact that the money transmission was tied in. That really doesn't make sense even for someone that's not just publishing software but running software on a server because that software didn't give them the ability to transmit the funds, to control and transmit the funds.

They did not have custody of funds. No. So I'm glad to see what I think is progress in Congress on codifying the right to publish this kind of transaction and formally enjoy the protections. um but it's it's just until that happens it is a bit uncertain what the behavior will be especially the most concerning part of that case and the roman storm tornado cache case yes was that fincen came out with guidance in 2019 in my view explicitly I mean, they did explicitly carve out anonymizing software providers, people that published and ran software but didn't have control of money. And then the judge, despite seeing this guidance, disagreed.

And in the United States, judges decide matters of law and the case was able to be brought forward. So until we get some greater precedent in the courts or law passed by Congress, it's a bit up in the air. It needs to play out. And in the meanwhile, without naming names, of course, you know, any sort of insights or anecdotes in terms of what you're observing as to chilling effect among Bitcoin developers? the biggest thing is that the coin join coordinators are no longer run by like white market companies there are some gray market pseudonymous centralized equal amount coin join coordinators um i know a lot of people are avoiding the u.s in terms of a lot of foreign people are avoiding the u.s in terms of travel i think that's a it is like a vibe rather than based on reality

because at the same time we've seen, you know, Phoenix come back to the U.S. There's just a lot of uncertainty. But the momentum, it seems, I'm not seeing a slowdown with regard to product ships. No, it's reinvigorated. I think the thing that's been beneficial in some ways is that the need for the actual privacy is here in force. I think before... When you had these companies that were making a profit on running CoinJoin coordinators, they didn't really need to provide privacy guarantees. They were the only game in town. And they made all these claims. Some of them continue to the gray market stuff that's on the edges. And it was hard to. How do I put this? People didn't know any better. Right. People didn't know any better. And I think I think we're seeing some of that analysis come out now. And people's focus is on things that will actually have more of a tangible benefit in terms of privacy and some guarantees, some real protections.

So a bit of Streisand effect on private use of Bitcoin in drawing attention to, well, I would like to think that. Let's put it that way, you know, that in hunting or chasing down, creating these witch hunts, that they're increasing awareness. But maybe that's my aspiration. Well, let's talk about – I think there is. Go ahead. Yeah. No, I think there is some of that. I'm agreeing with what you're saying. There's more momentum and motivation knowing that this problem really needs to be solved at a technological level because the government process, even if it ends up doing the right thing, it just takes so long and causes everyone so much pain in the interim that we need to have a technological solution to enforce it ultimately. Yes. Yeah. Yeah, as some of us have heard far too many times, the all-important regulatory clarity, right?

There's a parallel universe in which we, I'll speak for myself, wish that, you know, we could simply transact in privacy and peace, but such is not the world. But in the meanwhile, the second to that is, okay, tell me what the rules are, right? Just so I know how to play the game. And as you say, that will be slow to arrive, but hopefully we're making progress. If we shift in to practical first steps, if I'm running a Bitcoin business, if I am a builder, a product person, you've touched on the PayJoin dev kit. How should I first approach thinking about privacy? And we've touched on this, so I'm asking you to reiterate. and what do I do next? You know, if I am merely accepting, if I'm an online retailer accepting Bitcoin for payments, if I'm a wallet developer, if I'm building something new and interesting, you know, where should I start to understand

privacy with regard to Bitcoin payments and PageOne specifically? And what do I go do next? If that's a fair question. I would separate thinking about privacy with payjoin fortunately because a lot of the design is that once if you're a business doing e-commerce accepting bitcoin by the time you know payjoin is happening it's been taken care of for you behind the scenes in software thinking about privacy in general much like you would on the internet is about thinking about what information you're revealing and who has it so the first thing to do is to make sure that you're validating transactions yourself ideally or at a bare minimum you really trust the person that is doing the validation for you because they're seeing if you're depending on the third party the whole transaction history as well as all the people you're transacting with how much money you have on a on a normal basis and you need to make sure

that they're careful with that information ideally you're running why you're running a node or some light client software that allows you to sync privately. Beyond that, you want to be broadcasting your transactions in such a way that the whole world doesn't know they're yours. So using something like Tor or a relay, you don't want to be reusing addresses because if you're giving, say, one address to a person to reuse, then it's trivial to cluster them all together. I think those are the real basic things for someone who's starting to take more of a privacy conscious approach to Bitcoin to deal with. And then, you know, just really consider what software you're using. Because some software... And that's kind of, sorry to interrupt, Dan, that was sort of what I should have clarified, is if I am that individual and I'm thinking of, oh gosh, so many that I've interacted with over

the years in various roles who are operating businesses and accepting Bitcoin payments, it's not to say they're going to implement PayJoin, but really why should they ask or even insist that their e-com point of sale, you know, integrates PayJoin, which I think you've touched on the why. Yeah, of course. Look at the reputation of the software vendor. What other people that use Bitcoin think of them? um that'll that'll give you most of what you need it's imperfect it's harder than it's easier than going and looking at github issues and uh commit history right i think that'll give you a good start absolutely and then if you are a builder uh what what are sort of the first two or three steps that one takes to to begin to uh build pocs or pilots with page one what does that look like I know you've said it's quite straightforward and I get that, but maybe what are those two or three steps they should take?

Definitely don't hesitate to reach out. If you go to payjoin.org, we've got a Discord. You can find me and ask me directly and I will help you. Yeah, or you can send me an email, dan at payjoin.org and I will help you. But beyond that, if you go to payjoin.org, we've got some documentation on what the protocol is. it links to the crate, which is approaching a release candidate. There's a reference implementation on Bitcoin Core that I've heard is invaluable when doing an implementation. So you can follow that as an example and plug in and you ask some questions, you shouldn't have a terrible time of it. It should be pretty straightforward. You should maybe even have some fun. Yeah, as Kali said on Nostra today, hey, if you want to stick around, be sure you're having fun. And then lastly, Dan, give us some spoilers, man. What does the next six to 12 months of Pajon look like?

Oh, you're going to see rollouts. Yeah, you're going to see we did proof of concepts at the MIT Bitcoin Expo Hackathon this past year for an integration with Boltz Exchange and Liana. And those have made some pretty significant progress. We've been keeping them off of our priority list. So we got the actual SDK stabilized. But now that it's stabilized, we're shifting in integrations mode again. So you're going to see that and you're going to see some progress in this multi-party pay join protocol. There's even some pay join cross input signature aggregation crossover. There's a lot more savings than you can get even with pay join if you combine these things. And you're familiar with cross input signature aggregation. I am, but I don't want to assume everyone is. Yeah. So cross-input signature aggregation lets you combine all of the witness information in a transaction, all the signatures, into the size of a single signature in the full aggregation case that's been proposed.

there's been some security proofs and some tangible algorithms published in a paper this year at Dahlia's and the biggest question with full aggregation was well what protocol do we use to actually aggregate the signatures to actually because you need to interact much like page join you need to communicate between the different people providing signatures if you're not doing it on your own and because page one already has this sort of interactive protocol we can piggyback one on the other. And then that example that's on our website of a 16% fee savings versus Naive can turn into something like a 25% fee savings. You can get this massive incentive to use Bitcoin by default in a privacy preserving way. So watch out for some explanations and fun pitches of that coming soon. Incredible. And so, I mean, that clearly is the TLDR for anyone counting sats is up to or no guarantees, but a potential saving of 25%.

Yeah. And this is just, this is a simple example of a relatively small transaction. Honestly, I'm talking four inputs, six outputs. I think we can get significantly better than that, but I haven't done napkin math and tried to push the envelope. I'm just like, okay, what's a kind of simple example and do some calcs on it. And I mean, where else, and I'm, you know, thinking through this, where else do you get to increase or improve privacy and pay less for it? I don't know that I've got any examples that come to mind. Well, I think there are, honestly. I think Lightning is a big one. It's hard to use in self-custody, but Lightning is basically a coin join. Like you're combining transfers from different people and settling later. And if you're using eCash, you're giving up custody, but you can have some potential privacy benefits. I mean, anytime you're using a custodian, assuming you trust that custodian completely with your privacy, you are getting fee scaling benefits.

But the problem is you have to trust that custodian. And it's very possible that they just say, oh, this information, I left that on a hard drive and we let the hackers get into it. Or even they have some program where they publish it and sell the information to someone else. Absolutely. Practically on Bitcoin, especially for on-chain wallets, there's nothing like PayJoin. How could we wrap it up any better than that? Dan, really appreciate the time. Thanks so much. Well, stay tuned. I'll get all these links out for everyone to keep track of this fantastic progress. And we'll look for those announcements and all the wallets to get our hands on to use PageOne. Thanks, Sean. Thank you, Dan. Take care.