What Is A PayJoin?

btc payjoin

Share this article

Bitcoin runs on an open public ledger that anyone with the know-how can gain access to; the average person can track any bitcoin public address or transaction ID using a hosted block explorer or via their bitcoin full node. Those who want more in-depth monitoring can, in theory, pull this data into a database and match it up with other metadata they’ve scrapped from various sources.

An example would be I could scrape all the public information from Instagram and Twitter profiles that have a bitcoin address in the bio and assume that is your wallet. Overlaying that metadata over what I have on the blockchain, I can start to follow your transactions on-chain and make certain assumptions about where funds are going.

This is just a simple example to give you an idea of how chain analysis companies work. They can pull data from public and private sources and overlay them with the chain to start tracking your behaviour. While bitcoin, without relying on data from the outside world, is pseudonymous, the more data we create, the more of a chance it can be linked to your identity.

This is why so many bitcoin upgrades are centred around providing new layers of privacy and breaking the ability to make assumptions about transactions.

Today we have a host of privacy tools like:

But it’s not stopping there, with more on the way, such as an interesting concept known as a PayJoin.The PayJoin is a variant of the CoinJoin transaction type but offers enhanced privacy properties and a different incentive structure.

This type of heuristic for parsing the Bitcoin blockchain is quite common and the most commonly used. It assumes that the same person signs all the entries inside a transaction. So far, it has been a reasonably close assumption due to the little use of multi-signature addresses. However, developers proposed and created the P2EP protocol to break this assumption and improve Bitcoin’s privacy.

What is a bitcoin PayJoin?

Payjoin is a technique for paying someone while including one of their inputs in the payment to enhance the privacy of the spender, the receiver, and bitcoin users. The general idea is also known under the names Pay-to-EndPoint (P2EP) and Bustapay.

By including inputs from both the spender and the receiver, PayJoin makes it difficult for blockchain analysis companies to determine which inputs and outputs belong to each participant and the amounts that each party holds.

PayJoin is a collaborative transaction between the sender and the receiver of a bitcoin payment, for example, the merchant and the customer. The goal of the protocol is to break the common input ownership heuristic while making it difficult to fingerprint that the transaction is using CoinJoin protocol; it needs to look like a natural transaction to those watching the blockchain.

PayJoin (called pay-to-end-point or P2EP) is a special CoinJoin between two parties where one party pays the other. This CoinJoin type has different privacy properties due to its implementation and aims to break the assumptions made to funds on the chain. The PayJoin transaction that doesn’t have multiple distinctive outputs with the same value, so it’s not so obvious as in the case of equal output, leaves the CoinJoin.

How does a PayJoin work?

To understand how PayJoin provides more privacy, you need to understand the common input ownership heuristic used in chain analysis. It assumes that, in a given transaction, all inputs were signed by the same entity. Until the introduction of PayJoin, this has been a relatively safe assumption, as multi-sig usage remains low. The P2EP proposal was created to break this assumption and improve Bitcoin privacy by leveraging multi-sig and generating combined transactions to break the common input ownership heuristic, an assumption used to strip privacy from bitcoin users.

The P2EP’s syntax resembles bitcoin’s many script types; P2EP is not a script. Rather, it is a protocol which allows two bitcoin users to transact in a privacy-preserving manner. Using a peer-to-peer channel, such as an onion address, a sender and a receiver can exchange information about the UTXOs they would like to use as inputs in a transaction.

They can then cooperatively construct and sign the transaction using the partially signed Bitcoin transaction (PSBT) standard defined in BIP 174. The resulting transaction will resemble a typical bitcoin transaction with multiple inputs and outputs, and no one without prior knowledge of the transaction would be the wiser.

A PayJoin in action

When you conduct a PayJoin, you’re trying to transfer funds from one wallet to another without the chain tracking the amount that has been transferred. Contrary to other CoinJoin implementations, the outputs are not of equal value, so it is not obvious that this transaction is a CoinJoin.

An example of a PayJoin would be Alice has one bitcoin (100 million satoshis), and Bob has 0.5 (50 million satoshis), and Alice needs to pay Bob 0.2 BTC (20 million Satoshis). Instead of seeing Alice draw down her bitcoin by 0.2 and seeing Bob’s balance increase by 0.2, which would be an obvious payment as one balance increases and another decreases.

The outputs are sent out as different values via the PayJoin

Alice input   1 bitcoin   -->   Bob output            0.7 bitcoin
Bob input     0.5 bitcoin -->   Alice change output   0.8 bitcoin

The outputs do not reflect the actual value of the transaction. In our example, the economic transfer is 0.2 bitcoin from Alice to Bob, but the outputs are worth 0.7 bitcoin and 0.8 bitcoin.

This obfuscates the actual amount paid, breaking the assumption of the payment value.

The receiver consolidates his coins, thus saving on future transaction fees. Without the PayJoin, the receiver would have two coins worth 0.2 bitcoin and 0.5 bitcoin, and he would have to pay twice the transaction fee to spend these coins. But because of using PayJoin, he only has one coin worth 0.7 bitcoin (70 million satoshis), thus reducing his future transaction costs when spending this coin.

A tutorial on PayJoins

To learn more about PayJoin, check out this video by Andreas Antonopoulos.

An introduction to PayJoin by Andreas Antonopoulos.

Which bitcoin wallets support PayJoin?

If you’re curious about how PayJoin works practically, there are already certain wallets that allow you to tap into this feature. Popular privacy and self-hosted wallets allow this type of transaction. However, not all have the full functionality. Some only support sending, while others have all the programming logic to send and receive this type of transaction.

To give a PayJoin a try, check out one of the following wallets.

WalletSendReceive
BTCPay ServerYesYes
JoinMarketYesYes
Wasabi WalletYesNo
BlueWalletYesNear Future
Sparrow WalletYesUnknown
Wallets with full or partial PayJoin support

A price to pay for privacy

Remember, PayJoins happen on-chain, so you’ll have to pay on-chain mining fees to obfuscate your transactions; depending on how large your holdings are and the various co-ordinations that need to happen to break assumptions and send you a set of mixed UTXOs to your wallet the pricing can stack up, but this seems like a small price to pay for additional layers of privacy. 

Stay safe, stackers, and happy PayJoining.

Are you a bitcoin privacy advocate?

Are you using privacy methods on-chain or acquiring your bitcoin through non-KYC bitcoin exchanges? Which app is your favourite? Do you have one you’d like us to cover? What are your tips for staying incognito on the bitcoin blockchain?

Let us know in the comments down below.

Disclaimer: This article should not be taken as, and is not intended to provide any investment advice. It is for educational and entertainment purposes only. As of the time posting, the writers may or may not have holdings in some of the coins or tokens they cover. Please conduct your own thorough research before investing in any cryptocurrency, as all investments contain risk. All opinions expressed in these articles are my own and are in no way a reflection of the opinions of The Bitcoin Manual

Leave a Reply

Related articles

You may also be interested in

Datum Launch

What Is DATUM?

Let’s take a journey back to Bitcoin’s early days, when mining was a solitary pursuit. The Bitcoin core of yesteryear was all-encompassing, serving as the

BTC simplicity

What Is Simplicity?

One of the criticisms often levelled at Bitcoin is its limited scripting capabilities, which restrict the complexity of smart contracts. If you ever speak to

Cookie policy
We use our own and third party cookies to allow us to understand how the site is used and to support our marketing campaigns.