From: "Russell O'Connor" <roconnor@blockstream.io>
Date: Wed, 15 Jun 2016 13:08:13 -0400
To: Pieter Wuille <pieter.wuille@gmail.com>, 
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] RFC for BIP: Derivation scheme for
 P2WPKH-nested-in-P2SH based accounts

On Wed, Jun 15, 2016 at 7:00 AM, Pieter Wuille via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Indeed, and you can go even further. When there are multiple "sending"
> outputs, pick one at random, and mimic it for the change output. This means
> that if you have a P2PKH and 3 P2SH sends, you'll have 25% chance for a
> P2PKH change output, and 75% chance for a P2SH output.
>

This isn't quite perfect because if there is only 1 P2PKH output and you
know the person is using the above algorithm then you know the P2PKH output
isn't the change.

I don't know what the perfect method is.  My guess is that it is to let p
be the probability that a P2PKH output is produced over the entire network
and to pick P2PKH for your change output with probability p (and similarly
for other output types).

On Wed, Jun 15, 2016 at 7:00 AM, Pieter Wuille via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

>
> On Jun 15, 2016 12:53, "Daniel Weigl via bitcoin-dev" <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
> >
> > That would be a big privacy leak, imo. As soon as both outputs are
> > spent, it's visible which one was the P2WPKH-in-P2SH and which one the
> > pure P2WPKH and as a consequence you leak which output was the change
> > and which one the actual sent output
> >
> > So, I'd suggest to even make it a requirement for "normal"
> > send-to-single-address transactions to always use the same output type
> > for the change output (if the wallet is able to recognize it)
>
> Indeed, and you can go even further. When there are multiple "sending"
> outputs, pick one at random, and mimic it for the change output. This means
> that if you have a P2PKH and 3 P2SH sends, you'll have 25% chance for a
> P2PKH change output, and 75% chance for a P2SH output.
>
> You can go even further of course, if you want privacy that remains after
> those sends get spent. In that case, you also need to match the template of
> the redeemscript/witnessscript. For example, if the send you are mimicking
> is a 2-of-3, the change output should also use 2-of-3.
>
> --
> Pieter
>
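
Added example, not part of the original email or of any wallet's code: it works through the objection above for the quoted case of 1 P2PKH and 3 P2SH sends, showing that under the mimic rule the change is never the only output of its type, so an observer who knows the rule can rule out any singleton-type output. The function names and the NETWORK_FREQ values are constructed for illustration, not measured.

```python
from collections import Counter
from fractions import Fraction

# Constructed network-wide output-type frequencies (the "p" in the reply).
# Illustrative values only, not measured data.
NETWORK_FREQ = {
    "P2PKH": Fraction(6, 10),
    "P2SH": Fraction(3, 10),
    "P2WPKH": Fraction(1, 10),
}


def mimic_change_dist(send_types):
    """Mimic rule: copy the type of one send chosen uniformly at random."""
    n = len(send_types)
    return {t: Fraction(c, n) for t, c in Counter(send_types).items()}


def ruled_out_as_change(output_types):
    """Observer's inference when the wallet is known to use the mimic rule:
    an output whose type occurs exactly once cannot be the change, because
    the change always shares its type with the send it copied."""
    counts = Counter(output_types)
    return [i for i, t in enumerate(output_types) if counts[t] == 1]


def mimic_exclusion_prob(send_types):
    """Probability that the mimic rule yields a transaction in which the
    observer can rule out at least one output as the change."""
    total = Fraction(0)
    for change_type, p in mimic_change_dist(send_types).items():
        if ruled_out_as_change(list(send_types) + [change_type]):
            total += p
    return total


def prob_change_is_singleton(send_types, change_dist):
    """Probability that the change is the only output of its type."""
    present = set(send_types)
    return sum((p for t, p in change_dist.items() if t not in present),
               Fraction(0))


if __name__ == "__main__":
    sends = ["P2PKH", "P2SH", "P2SH", "P2SH"]  # the case from the thread
    print("mimic distribution:", mimic_change_dist(sends))
    print("P(some output ruled out | mimic):", mimic_exclusion_prob(sends))
    print("P(change is singleton | mimic):",
          prob_change_is_singleton(sends, mimic_change_dist(sends)))
    print("P(change is singleton | network freq):",
          prob_change_is_singleton(sends, NETWORK_FREQ))
```

With these inputs the mimic rule lets the observer exclude the P2PKH send in 3 of 4 transactions, while a change type drawn from network-wide frequencies can itself be a singleton, so the exclusion no longer holds.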
