Onchain Coinjoin




CoinJoin provides a useful, non-intrusive, and convenient way for anonymizing transactions by mixing users’ inputs and outputs in one transaction and thus obfuscating the source and destination of each individual user’s transaction. Although current CoinJoin protocol can work in a decentralised way, it becomes convenient only when there is a central server. However such centralised service faces potential legal issues and service maintenance time, which limit its availability.

In this article, we introduce a fully decentralised and always available onchain CoinJoin service based on the Litecoin blockchain.


The main idea is to use the always online Litecoin blockchain to facilitate communication between users that want to conduct CoinJoin together. It works as the following.

Phase 1

Each user submits their request including the source address and the amount of Litecoins they want to mix to the Litecoin blockchain. This can be done by sending to the blockchain an OP_RETURN transaction with a mark indicating that this is a CoinJoin request. The source Litecoin address of the OP_RETURN transaction needs to be the one containing the Litecoins to be mixed.

In order to collect enough requests, phase 1 ends after a fixed number of Litecoin blocks are generated, e.g. 5 blocks.

Phase 2

In this phase, an unsigned transaction including all inputs and outputs need to be created. To break the tie, this is done by the one who sends the last request in Phase 1.

Please notice that in Phase 1, each user does not need to include the destination Litecoin address in the OP_RETURN data. This is because once the address is included, everyone will be able to see the destination, and thus it defeats the purpose of CoinJoin.

To solve the problem, the transaction creator generates an address for each user, and makes sure this user is also the only one knows the private key of the newly generated address. This can be done in the following way:

Suppose Litecoin’s elliptic curve base point is G, and the public key of this user’s Litecoin address is P. The transaction creator randomly chooses a random non zero integer a and calculate aG + P, which is the pub key of the new address, and then takes HASH160 of the pub key and gets the new address.

Please also notice that if the original private key for P is x, i.e. P = xG, the private key for the new address is then x + a, because (x+a)G = P + aG.

To tell this user his/her new address, the transaction creator still needs to send him/her a in a secrete way. This can be done by encrypting a using the user’s public key first and then including the encrypted a in a OP_RETURN output immediately after the normal output for this user.

This phase should be fast because it only requires an OP_RETURN transaction containing the unsigned transaction including all users’ inputs and outputs and all encrypted as. Suppose the number of blocks this phase takes is 1.

If after one block there is no transaction created, to avoid DDoS attack, the one before the last one should create the transaction excluding the last one’s input and output. This should continue until the transaction is seen on the blockchain.

A small fee can be paid to the transaction creator to motivate the user to complete the whole process.

Phase 3

Every user checks whether he/she is included in the outputs with the correct amount or not. If everything is OK, the user signs the transaction and send the partially signed transaction to the blockchain using another OP_RETURN transaction.

This phase can take 1 block. If anyone refuses to sign, to avoid DDoS attack, his/her input and output should be excluded from the transaction and a new transaction should be created in the next block. This continues until everyone signs the transaction.

Phase 4

The user who created the transaction in Phase 2 collects all signed transactions and combine them into a complete signed transaction and broadcast it to the Litecoin network. Actually this step can be done by anyone, so no DDoS attack is possible.

For this phase, one block should be needed.


In the above description, one round starts immediately after the end of the previous round. However, pipelining and parallelism can be used to boost the throughput of this protocol. The length of each phase can be modified accordingly during implementation.

Confidential transactions (CT) do not hide the source of a transaction, while this onchain CoinJoin can. Therefore, the two can complement each other and can be used together to enhance privacy.