Ashigaru Stowaway (PayJoin)

Force blockchain spies to rethink everything they think they know.

Understanding Payjoin transactions on Bitcoin

Payjoin is a specific structure of Bitcoin transaction that enhances user privacy during a payment by collaborating with the payment recipient.

In 2015, LaurentMT first described this method as “steganographic transactions” in a document available here. Samourai Wallet adopted and implemented it as “Stowaway” in 2018. Payjoin concepts are also discussed in BIP79 and BIP78. Common terms you may see:

• Payjoin
• Stowaway
• P2EP (Pay‑to‑End‑Point)
• Steganographic transaction

What makes Payjoin unique is that it produces a transaction that looks ordinary at first glance but is actually a mini coinjoin between two parties. To achieve this, the recipient participates in the inputs alongside the sender. The recipient also includes a self‑payment in the transaction, allowing them to be paid.

Example: if you buy a baguette for 4,000 sats using a 10,000‑sat UTXO and opt for a Payjoin, the baker adds a 15,000‑sat UTXO that belongs to them as an input. They receive that in full as an output, plus your 4,000‑sat payment:

In this example, the baker introduces 15,000 sats as input and receives 19,000 sats as output — a difference of exactly 4,000 sats, the price of the baguette. You input 10,000 sats and end with 6,000 sats in change — a −4,000‑sat balance, i.e., the payment amount.

For clarity, mining fees are omitted here. In practice, they are included and paid by the parties.

What is the purpose of a Payjoin transaction?

Payjoin achieves two privacy goals:

A Payjoin transaction serves two objectives that allow users to enhance the privacy of their payment. First of all, Payjoin aims to mislead an external observer by creating a decoy in chain analysis. This is made possible through the Common Input Ownership Heuristic (CIOH). Usually, when a transaction on the blockchain has multiple inputs, it is assumed that all these inputs likely belong to the same entity or user. Thus, when an analyst examines a Payjoin transaction, they are led to believe that all the inputs come from the same person. However, this perception is incorrect because the payment recipient also contributes inputs alongside the actual payer. Therefore, chain analysis is diverted towards an interpretation that turns out to be false.

Furthermore, Payjoin also allows for deceiving an external observer about the actual amount of the payment that has been made. By examining the transaction structure, the analyst might believe that the payment is equivalent to the amount of one of the outputs. However, in reality, the payment amount does not correspond to any of the outputs. It is actually the difference between the recipient’s output UTXO and the recipient’s input UTXO. In this sense, the Payjoin transaction falls into the domain of steganography. It allows for hiding the actual amount of a transaction within a fake transaction that acts as a decoy.

Definition — Steganography:

Steganography is a technique of concealing information within other data or objects in such a way that the presence of the hidden information is not perceptible. For example, a secret message can be hidden inside a dot in a text that has nothing to do with it, making it undetectable to the naked eye (this is the technique of micropoint). Unlike encryption, which makes information incomprehensible without the decryption key, steganography does not modify the information. It remains displayed in plain sight. Its objective is rather to hide the existence of the secret message, whereas encryption clearly reveals the presence of hidden information, although inaccessible without the key.

Returning to our baguette example:

A typical heuristic might conclude: “Alice merged 2 UTXOs to pay 19,000 sats to Bob.”

That’s wrong. The two input UTXOs do not belong to one person, and the actual payment value is 4,000 sats — the difference between Bob’s output and Bob’s input. The observer’s analysis is led to an erroneous conclusion, protecting participants’ privacy.

If you want to analyze a real Payjoin, here’s one performed on testnet: 8dba6657ab9bb44824b3317c8cc3f333c2f465d3668c678691a091cdd6e5984c

External resources:

• LaurentMT steganography gist
• BIP78: Payjoin
• payjoin.org
• BTC 204 — Privacy on Bitcoin: Part 5 https://planb.academy/courses/65c138b0-4161-4958-bbe3-c12916bc959c

---

Payjoin is implemented in Ashigaru as “Stowaway.” Below is how Stowaway works and how to use it step by step.

How does Stowaway work?

Ashigaru includes a Payjoin tool called Stowaway, available in the Ashigaru Android app. To complete a Payjoin, the recipient (who also acts as the collaborator) must use software compatible with Stowaway — currently, Ashigaru only.

Stowaway belongs to Samourai’s “Cahoots” category — collaborative transactions that exchange information off‑chain. Ashigaru currently offers two Cahoots tools: Stowaway (Payjoins) and Stonewall X2.

Cahoots require exchanging PSBTs (partially signed transactions) between users. Manually, this involves five successive QR scans between participants (suitable when you’re together in person). At a distance, manual exchange is cumbersome; Soroban (an encrypted Tor‑based protocol) automates the PSBT exchange in the background.

Soroban requires an authenticated channel between participants. It uses users’ PayNyms for identification and encrypted communications.

A PayNym is a unique wallet identifier that activates features like encrypted exchanges. It appears as an ID with an illustration (example on testnet):

Summary:

• Payjoin = specific collaborative transaction structure
• Stowaway = Ashigaru’s Payjoin implementation
• Cahoots = Samourai’s name for collaborative transaction types (Stowaway, Stonewall X2), now in Ashigaru
• Soroban = Tor‑based encrypted communications for Cahoots
• PayNym = unique wallet identifier used to establish Soroban communications for Cahoots

Soroban automates PSBT exchange over Tor; PayNyms provide the authenticated channel used by Soroban.

How to establish a connection between PayNyms

First, install Ashigaru and create a wallet:

To do a remote Cahoots (Payjoin/Stowaway), you must “follow” the user you’ll collaborate with, using their PayNym — in Stowaway, this means following the person you intend to pay.

Before initiating Stowaway, ensure both PayNyms follow each other — it’s required to establish the encrypted Soroban channel.

How to do a Payjoin in Ashigaru

Tap your PayNym image (top‑left), then open “Collaborate.” The person participating must do the same — unless you’re exchanging QR codes in person.

Choose:

• “Initiate” if you are the payer (sender)
• “Participate” if you are the recipient (collaborator)

If you’re the recipient/collaborator (remote via Soroban):

• Tap “Participate”
• Choose the account you’ll use
• Tap “LISTEN FOR CAHOOTS REQUESTS” and wait for the payer’s request

For in‑person collaboration:

• Go to wallet home
• Tap the QR icon (top)
• Scan the payer’s QR code

If you’re the payer (initiator):

• Go to “Collaborate” → “Initiate”

• Choose the transaction type “Stowaway” (Payjoin)

• Choose collaboration mode:
  • “Online” (Cahoots via Soroban)
  • “In Person / Manual” (QR exchanges)

Online Cahoots (Soroban)

Select the recipient from the PayNyms you follow.

Tap “Set up transaction,” then choose the spending account.

Enter:

• Amount to send
• Fee rate

No receiving address is needed — the recipient supplies it during the PSBT exchange. Tap “Review transaction setup.”

Check details carefully. Ensure your collaborator is listening for Cahoots requests, then tap the green “BEGIN TRANSACTION” to start the Soroban PSBT exchange.

Wait until both participants finish signing, then broadcast to the Bitcoin network.

Keep both devices online and inside the app during Soroban — interruptions pause the PSBT exchange.

In‑person exchanges (QR)

If you prefer a face‑to‑face exchange, select the transaction type “Stowaway,” then choose “In Person / Manual.”

Tap “Set up transaction,” then choose the spending account.

Enter:

• Amount to send
• Fee rate

No receiving address is needed — the recipient provides it during the PSBT exchange. Tap “Review transaction setup.”

Tap the green “BEGIN TRANSACTION” to start the QR‑based PSBT exchange.

Alternate scanning:

• Tap “SHOW QR CODE” so your collaborator can scan it
• They tap “SHOW QR CODE” for you to scan
• You tap “LAUNCH QR Scanner” to scan theirs
• Repeat until all five steps complete

After all exchanges, verify the transaction details, then slide the green arrow to broadcast.

Broadcasted transaction (testnet)

Its structure looks like this:

Credit: mempool.space

Analysis:

• Inputs: my UTXO (164,211 sats) + recipient’s UTXO (190,002 sats)
• Outputs: my change (63,995 sats) + recipient’s output (290,002 sats)

Comparing inputs and outputs:

• Recipient gains 100,000 sats (payment amount)
• I lose 100,000 sats plus mining fees

I can describe this structure because I built the transaction; but for external observers, it’s generally impossible to determine which UTXOs belong to which participant — inputs or outputs.

Stowaway blurs input ownership and destination; observers cannot reliably assign roles, which strengthens privacy.