2

I found the only limiting factor is the maximum standard transaction size which is 100k bytes.
The most common transactions we are concerned with are 1 input, 2 outputs and the second most common are be 2 inputs 2 outputs transactions and the sizes of these transactions are about 220 byte and 360 byte.
therefore the maximum achievable anonimity set would go from 270 to 450 (100k/360=270, 100k/220=450).

  1. Am I correct so far?
  2. Is there any more limiting factors?
  3. Does SegWit elevate the size of the signature out of the calculation of maximum standard transaction size, therefore resulting around 30% more anonimity sets? (Signatures are 71 bytes on average.) So in this case 351 to 468.
Murch
  • 71,155
  • 33
  • 180
  • 600
nopara73
  • 796
  • 5
  • 21

2 Answers2

2

Regardless of the maximum size of a single transaction, a CJ anonymity set can be made arbitrarily large (bounded, of course, by participants) by building a multi-stage switching network out of joins.

This was described in the original coinjoin post:

In particular, if you can build transactions with m participants per transaction you can create a sequence of m*3 transactions which form a three-stage switching network that permits any of m^2 final outputs to have come from any of m^2 original inputs (e.g. using three stages of 32 transactions with 32 inputs each 1024 users can be joined with a total of 96 transactions). This allows the anonymity set to be any size, limited only by participation.

There is no atomiticy required between these transactions-- other than if some users drop out the anonymity set will be less than expected.

G. Maxwell
  • 7,676
  • 2
  • 19
  • 46
0

You assumed inputs and outputs were the same size, which they're not. A typical input is 148 bytes, an output is 34. Hence, the maximum anonymity set is 549 inputs to 549 outputs.

I didn't do the maths for SW type outputs, but they'd allow a larger anonymity set, assuming other limits like sig ops (signature operations) and hashing operations are respected.

alcio
  • 1,274
  • 1
  • 13
  • 20
  • > You assumed inputs and outputs were the same size I did not assume, they just don't matter. I simply went with a 1in2out 220byte and 2in2out 360byte tx estimation. Your estmation is 1in1out. Which will likely never happen in a CJ transaction, because CJ transactions must have a common output denomination, therefore a change output is inevitable in almost every case. – nopara73 Jul 26 '17 at 22:34
  • But using small transactions as a basis is not correct either, since there's a fixed 10 bytes overhead per transaction, no matter the number of participants. – alcio Jul 27 '17 at 08:43
  • Indeed, that'd result 5% (in case of 220 bytes tx) and 2.5% (in case of 360 bytes tx) anonimity set increase. – nopara73 Jul 28 '17 at 04:32