Bitcoin’s privacy model

Bitcoin has a remarkably simple yet robust privacy model at scale.

Section 10 of the white paper details the privacy model in what I thought was a remarkably simple manner. That said, most people seem to not understand it. As a consequence, I will expand it out and provide more detail to explain the section fully. To this end, I have separated the image from the white paper in a manner that allows it to be more easily viewed.


Bitcoin’s privacy model

On the left of the image, we have the parts of the system that are private. On the right, those that are open and can be seen. This is where most fail to understand Bitcoin. The Core team started with the concept of Bitcoin being analogous to banking, and started to remove most of what makes Bitcoin a peer-to-peer private system.

The traditional model

In the traditional privacy model, a user will need to complete an AML/KYC process with a third party such as a bank. The third party now sits in the middle of all transactions, and has information on the entire movement of funds in and out of the account. No information is made available to the public, and any breach is catastrophic — requiring a system to remain secure over long periods.

The result is a system that is fragile by design.


Banks are a long way from being immune to illicit disclosure. More importantly, PII (Personally Identifiable Information) allows the breach of trust to be made wider. A disclosure of information in this model not only leaks the actions of the parties involved directly, but allows an attacker (criminals) to use this information in crimes such as identity theft.

Bitcoin solves this in creating a true peer environment. P2P is not about nodes nor mining. P2P is person to person. Your peer is the other party to the exchange. Ideally, the use of IP-2-IP would allow this or even a direct exchange from the client to the merchant. The only time a miner is involved is when the negotiations are complete and the receiving party sends the transaction to the blockchain.

The person sending the transaction never even needs to be online. They do not require a node, nor even an IP address. Using NFC, they can log in, download the headers, and update their change address at a later time (or even have this key on a completely separate system).

In the traditional model, the trusted third party knows everything you do. The bank or credit agency maintains a record of all withdrawals, the locations, and the details of the transactions — who you deal with and how. They do not want this to change as such data is actually valuable information.

In this model, the bank (or other TTP) has a record of every move you make, every transaction, and can model all your spending behaviours. From the perspective of Visa and MasterCard, this information allows them to know where they need to push to make consumers go into more debt. It allows TTPs to hold enough information to allow them to control markets. It allows them to be able to manipulate consumers.

Such data has value, and is information. As information, it allows them to direct advertising and sell this information at a premium. This is the outcome of the old, insecure, and manipulative former privacy model. It is the model that is replicated in Bitcoin Core and others with Lightning and Plasma. Your information is the most valuable thing a bank has right now, and this is why they oppose Bitcoin. They do not want to lose it. This is why we have seen Bitcoin hijacked and why teams of people try and tell you that it is not secure, that it is not private, and all the other lies you hear. These people want to keep your data, and it is valuable.

The traditional banking model based privacy through the limitation of access to information to those parties involved AND the trusted third party. This is what you have with Bitpay, Coinbase, and most Bitcoin corporate systems today.

It is not what Bitcoin was designed to be.

Bitcoin’s new model

The new privacy model is incredibly simple. The transactions are all public, as they are not connected to your identity, and they are also not associated with any particular merchant. Importantly, merchants will also want to remain private. The ability for the competition to analyse companies leads to merchants setting up multiple addresses, just as users do.

So, if a merchant does not want to advertise how many sales they make and the amount of each sale, they need to ensure that they do not re-use addresses and that these are not linked in a manner that the public or the competition can determine.

The key idea is that we do not re-use keys.

Coin splitting

There are always debates about child transactions and the change. Like most things in Bitcoin, people try and make things far more complex than they should be. In order to have a large set of coins that can be spent at will and quickly, we can take these and split and combine them as we need. There are cases where a shopper may need to go to many places in a small amount of time. They can do this safely in dividing their coins.

If they do this ahead of time, the mining fee will be fractions of a cent.


Splitting level-0 TX into many smaller coins at level 1

The reason for groups such as Core opposing the structure listed as Section 9 of the Bitcoin whitepaper is that they oppose scaling Bitcoin. With more transactions, the system is larger and also more private. We can use the fact that Bitcoin allows many large in-and-out transactions to be created and split and joined again to allow the system to be used without large unconfirmed chains of transactions, allowing SPV to function well.

In this case, we have taken a single 2.0 BSV coin and split it as we are travelling to the shops. The coins will be available as settled into a block in an expected period of 5 to 20 minutes in general. From the one UTXO coin, we now have multiple coins that can all be spent in a single block. If we are worried about privacy in any of the transactions we are about to do, we now have created a further level of obscurity. The merchant cannot determine if we have been paid at TX level 1 or if the transactions at level 0 are ours.


Shopping in a single block

In a single block, we now have many split transactions. Each of these coins is linked to that at TX level 0, but there is only a path. A merchant cannot tell when this has been split to another merchant nor if it is just dividing your own coins.

You can make this much more private, if you split the values somewhat randomly. In this, you could use multiple input and outputs, and if the change is not joined again, there is no simple way to link the various spends.

When this method is used, the coin being spent at any time is in the UTXO set as a confirmed transaction within a block. There is no requirement here to have to instantly spend change.

When we start to see that Bitcoin is designed to be a commercial system and not simply a bunk of Raspberry Pi machines, we start to understand how powerful and simple it can be.

Merchant addresses

A major flaw that has been introduced into Bitcoin is the concept of having address re-use. People publish addresses on static pages. The reality of how Bitcoin was designed is that users and merchants should use keys only once.

This acts as a security and privacy firewall, and stops transactions from being linked to a common owner. There is in fact no reason to keep key pairs. Once a key has been signed and used, it can be removed and discarded. The common practice of sending small “spam” amounts of one or two satoshi is a direct consequence of not removing old keys.

If users did not keep keys in the hope of getting money to a used address, there would not be an incentive to send small amounts of bitcoin to these old addresses; it would be the same as sending to a random public-private key pair that has never been seen before. That is of no value to anyone.

A merchant who creates a new address for each and every transaction improves their own privacy. Corporate intelligence gathering is simple if a single common wallet and address structure is used. In changing addresses, the merchant does not leave anything to analyse. It is more private for themselves and their clients.

If I go to Walmart or Tesco, and I was to make a purchase and receive change, the coins are now split. The values of a set of transactions from a Walmart coin would not be determinable. There are over 15 million transactions made each day by Walmart alone. This is around 400 transaction a second plus during operating hours.

Interestingly, there is not a single HPC (Supercomputer) in existence that could analyse the Bitcoin blockchain to match coins from unknown sources, and at the same time, the system is completely traceable (for example in a tax audit) with a minimum search time.

The key to making Bitcoin work well is not to add complexity, but to use it as it was originally designed.

Randomised more private splitting

All things in Bitcoin are based on economic incentives. If we want, we can send between wallets and split coins in a manner that makes our wallet far more secure and private by simulating use. Right now, no wallet does this, and a user would need to have the entire process completed manually. It is something that is simple to achieve in code, but has not been deployed, as the concepts haunting Bitcoin remain biased towards a misuse.

In the example below, we end with coins on a couple of devices (level 2 vs level 3) and in many coins. If the coins remain separate, and we keep colour groups separate, we can now see how an analysis of the sources becomes increasingly difficult.


As we keep this split, the chances of discovering the user’s linked habits decrease exponentially.


The ability exists to have a registered identity and still create related keys securely.

Here, a root public-private key pair is associated to an individual who can create linked sub keys for each use. This could even be linked into a PKI-based system, whilst maintaining a high level of privacy. The root key can be attested and associated with an individual or a company, and the sub keys would then link to individual uses and spending.

Never miss a story from Craig Wright (Bitcoin SV is the original Bitcoin)