
This is an interesting idea (although I still feel like there's something I'm missing):

Traditional coinjoins mix multiple users' Bitcoin into a single transaction, breaking the trail between inputs and outputs. WabiSabi revolutionized this approach by introducing keyed-verification anonymous credentials—think of them as digital stamps that prove you deposited a certain amount without revealing which deposit was yours. When a coordinator issues these credentials, they're cryptographically blind to the amounts and cannot link them back to specific users.

Kompaktor extends this concept beyond mixing into the realm of payments.

If credentials can represent value anonymously within a coinjoin round, why not use them to make actual payments? A sender can transfer credentials to a merchant, who then claims fresh outputs—all within the same coordinated round, with neither party revealing their coins to the other.

How it works

The magic happens through coordinated rounds—time-bounded periods where multiple participants simultaneously register inputs, receive credentials, and claim outputs. Here's the simplified flow:

A merchant creates an invoice (say, 0.1 BTC) and generates a unique key, sharing this via a payment URI that includes a Nostr relay address for encrypted communication. The customer generates their own key and signals intent to pay through that specific Nostr relay. When the customer joins an active coinjoin round, they register their inputs (Bitcoin they already own) and receive credentials from the coordinator equal to their deposit minus fees.

The customer then "reissues" these credentials—splitting them into the exact payment amount needed—and transfers a 0.1 BTC credential to the merchant via encrypted Nostr message. The merchant reissues this received credential under their own control and registers a fresh Bitcoin address to receive the output. Neither party sees the other's coins. The coordinator, despite facilitating the entire process, cannot link any input to any output. Finally, all participants sign, and the transaction broadcasts.

Crucially, dozens of similar payment flows can occur within the same round. The coordinator batches all of them into one efficient transaction, with multiple senders' payments potentially consolidated into single outputs where recipients share common characteristics.

Tradeoffs

The tradeoff is timing: payments must complete within a coinjoin round (typically minutes to an hour), unlike ecash tokens which can be held indefinitely.

My two main questions are what kind of liveness assumption does one need to participate in a round and how does the previous owner of a credential "forget" it. I suspect they already have solutions in both cases, I just don't understand them.

610 sats \ 2 replies \ @kruw 14h
My two main questions are what kind of liveness assumption does one need to participate in a round

A lot. All senders and receivers have to be online, and the coinjoin round may take several attempts to get signatures from every participant. Payment finality requires the transaction to get confirmed on the blockchain.

and how does the previous owner of a credential "forget" it

When a sender passes a credential to another owner, the new owner reissues it with the coordinator for a new credential. The previous owner doesn't "forget" it, but they can't double spend it since the coordinator will recognize it and reject it.

I suspect they already have solutions in both cases, I just don't understand them.

When Kompaktor's credentials expire at the end of each round, they settle as onchain UTXOs. The solution for this limited lifespan is for participants to claim their coins as Ark VTXOs.

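An added illustration of the reissuance and double-spend rejection described in the comment above (not code from Kompaktor, WabiSabi or any commenter): a toy coordinator in Python. It assumes each credential carries a random serial and replaces the real anonymous-credential cryptography with a plain HMAC over cleartext amounts, so it models only the coordinator's bookkeeping, not the privacy; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    serial: bytes  # random; shown to the coordinator only on presentation
    amount: int    # satoshis; cleartext in this model, hidden in the real scheme
    tag: bytes     # MAC that only the key holder (the coordinator) can verify

class DoubleSpend(Exception):
    """Raised when a serial is presented more than once in a round."""

class Coordinator:
    def __init__(self, fee: int):
        self._key = secrets.token_bytes(32)
        self._spent = set()  # serials already presented in this round
        self.fee = fee
    def _mac(self, serial: bytes, amount: int) -> bytes:
        msg = serial + b"|" + str(amount).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()
    def _issue(self, amount: int) -> Credential:
        serial = secrets.token_bytes(16)
        return Credential(serial, amount, self._mac(serial, amount))
    def register_input(self, deposit: int) -> Credential:
        if deposit <= self.fee:
            raise ValueError("deposit does not cover the fee")
        return self._issue(deposit - self.fee)  # credential = deposit minus fee
    def reissue(self, presented, amounts):
        serials = [c.serial for c in presented]
        for c in presented:
            if not hmac.compare_digest(c.tag, self._mac(c.serial, c.amount)):
                raise ValueError("not issued by this coordinator")
        if len(set(serials)) != len(serials) or self._spent & set(serials):
            raise DoubleSpend("serial already presented")
        if any(a < 0 for a in amounts) or sum(c.amount for c in presented) != sum(amounts):
            raise ValueError("amounts do not balance")
        self._spent.update(serials)  # old credentials are dead from here on
        return [self._issue(a) for a in amounts]

def demo():
    coord = Coordinator(fee=1_000)  # constructed sample values throughout
    deposit = coord.register_input(15_001_000)             # customer's input
    payment, change = coord.reissue([deposit], [10_000_000, 5_000_000])
    (merchant_cred,) = coord.reissue([payment], [10_000_000])  # merchant takes over
    try:
        coord.reissue([payment], [10_000_000])             # sender replays old copy
    except DoubleSpend:
        return merchant_cred.amount, change.amount
```

The sender still holds a byte-for-byte copy of `payment`, but once the merchant has reissued it the serial is in the spent set, so the copy is worthless.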

Thanks for the info. I saw that Ark was mentioned in it a number of times (and that the dev is an Arkade dev) but I didn't understand how the Ark part works. So this business of "one output" is one Ark VTXO?

0 sats \ 0 replies \ @kruw 13h

The "one output" thing is basically reverse batching: Normally, an exchange will delay customer withdrawals for a few minutes and then send a bulk transaction with many outputs.

Instead, an exchange would delay deposits (which customers would send in the form of anonymous credentials) until the coinjoin round ends, and then accept a bulk transaction with many inputs.

Ark service providers can fill the UX gaps, allowing participants to "exit" from a different round than they "entered" from.
