* [bitcoin-dev] RFC for BIP: Best Practices for Heterogeneous Input Script Transactions
@ 2016-02-10 21:36 Kristov Atlas
2016-05-19 4:18 ` Kristov Atlas
0 siblings, 1 reply; 4+ messages in thread
From: Kristov Atlas @ 2016-02-10 21:36 UTC (permalink / raw)
To: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 8081 bytes --]
BIP: TBD
Title: Best Practices for Heterogeneous Input Script Transactions
Author: Kristov Atlas <kristov@openbitcoinprivacyproject.org>
Status: Draft
Type: Informational
Created: 2016-02-10
# Abstract
The privacy of Bitcoin users with respect to graph analysis is reduced when
a transaction is created that merges inputs composed from different
scripts. However, creating such transactions is often unavoidable.
This document proposes a set of best practice guidelines which minimize the
adverse privacy consequences of such unavoidable transaction situations
while simultaneously maximising the effectiveness of privacy-improving
techniques such as CoinJoin.
# Copyright
This BIP is in the public domain.
# Definitions
Heterogenous input script transaction (HIT): A transaction containing
multiple inputs where not all inputs have identical scripts (e.g. a
transaction spending from more than one Bitcoin address)
Unavoidable heterogenous input script transaction: An HIT created as a
result of a user’s desire to create a new output with a value larger than
the value of his wallet's largest unspent output
Intentional heterogenous input script transaction: An HIT created as part
of a protocol for improving user privacy against graph analysis, such as
CoinJoin
# Motivations
The recommendations in this document are designed to accomplish three goals:
1. Maximise the effectiveness of privacy-enhancing transactions:
Privacy-sensitive users may find that techniques such as CoinJoin are
counterproductive if such transactions have a distinctive fingerprint which
enables them to be censored or subjected to additional scrutiny.
2. Minimise the adverse privacy consequences of unavoidable heterogenous
input transactions: If unavoidable HITs are indistinguishable from
intentional HITs, a user creating an unavoidable HIT benefits from
ambiguity with respect to graph analysis.
3. Limiting the effect on UTXO set growth: To date, non-standardized
intentional HITs tend to increase the network's UTXO set with each
transaction; this standard attempts to minimize this effect by
standardizing unavoidable and intentional HITs to limit UTXO set growth.
In order to achieve these goals, this specification proposes a set of best
practices for heterogenous input script transaction creation. These
practices accommodate all applicable requirements of both intentional and
unavoidable HITs and render the two types indistinguishable to the maximum
extent possible.
In order to achieve this, two forms of HIT are proposed: Standard form and
alternate form.
# Standard form heterogenous input script transaction
## Rules
An HIT is Standard form if it adheres to all of the following rules:
1. The number of unique output scripts must be equal to the number of
unique inputs scripts (irrespective of the number of inputs and outputs).
2. All output scripts must be unique.
3. At least one pair of outputs must be of equal value.
4. The largest output in the transaction is a member of a set containing at
least two identically-sized outputs.
## Rationale
The requirement for equal numbers of unique input/output scripts instead of
equal number of inputs/outputs accommodates privacy-enhancing UTXO
selection behavior. Wallets may contain spendable outputs with identical
scripts due to intentional or accidental address reuse, or due to dusting
attacks. In order to minimise the adverse privacy consequences of address
reuse, any time a UTXO is included in a transaction as an input, all UTXOs
with the same spending script should also be included in the transaction.
The requirement that all output scripts are unique prevents address reuse.
Restricting the number of outputs to the number of unique input scripts
prevents this policy from growing the network’s UTXO set. A standard form
HIT transaction will always have a number of inputs greater than or equal
to the number of outputs.
The requirement for at least one pair of outputs to be of equal value
results in optimal join transactions, and causes intentional HITs to
resemble unavoidable HITs.
Outside controlled laboratory conditions, join transactions will not
involve identically-sized inputs due to a lack of accommodating volume.
Without the ability to cryptographically blind output values on the
blockchain, every join transaction leaks information in the form of output
sizes. Requiring a pair of identically sized outputs creates the desired
ambiguity for spend outputs, but in most cases makes change outputs
linkable to inputs.
# Alternate form heterogenous input script transactions
The formation of a standard form HIT is not possible in the following cases:
The HIT is unavoidable, and the user’s wallet contains an insufficient
number or size of UTXOs to create a standard form HIT.
The user wishes to reduce the number of utxos in their wallet, and does not
have any sets of utxos with identical scripts.
When one of the following cases exist, a compliant implementation may
create an alternate form HIT by constructing a transaction as follows:
## Procedure
1. Find the smallest combination of inputs whose value is at least the
value of the desired spend.
i. Add these inputs to the transaction.
ii. Add a spend output to the transaction.
iii. Add a change output to the transaction containing the difference
between the current set of inputs and the desired spend.
2. Repeat step 1 to create a second spend output and change output.
3. Adjust the change outputs as necessary to pay the desired transaction
fee.
Clients which create intentional HITs must have the capability to form
alternate form HITs, and must do so for a non-zero fraction of the
transactions they create.
# Non-compliant heterogenous input script transactions
If a user wishes to create an output that is larger than half the total
size of their spendable outputs, or if their inputs are not distributed in
a manner in which the alternate form procedure can be completed, then the
user can not create a transaction which is compliant with this procedure.
----
A working draft of this document is here:
https://github.com/OpenBitcoinPrivacyProject/rfc/blob/master/bips/obpp-03.mediawiki
A few points of anticipated discussion:
1. It's possible for a CoinJoin transaction to decrease privacy by adhering
to the Standard Form in this BIP, depending on the utxos available for
creating it. For example, a typical two-person CoinJoin might look like:
input_A, input_B => spend_A, change_A, spend_B, change_B
In order to comply with the standard form, one or more parties would have
to add inputs to make this something like:
input_A_1, input_A_2, input_B_1, input_B_2 => spend_A, change_A, spend_B,
change_B.
If spend_A and spend_B are the same value, then input_A_1 and input_A_2 may
be linked based on the value of change_A and input_B_1 and input_B_2 may be
linked based on the value of change_B via sudoku analysis.
In that situation, wallets can opt to use the alternate form instead, or
stick with the standard form but enjoy a non-utxo set increase and a
significantly increased inter-transactional privacy set from other BIP
adherents.
2. In a naive simulation of a wallet randomly containing 1 to 10 utxos of
random value 1 to 10 and a desired spend of random value between 1 and the
sum of the utxos, the simulated wallet is able to create an alternate form
HIT 40% of the time. If we assume that half of all desire spends are a
value half or less of the total wallet balance, this improves to around
60%. Unfortunately, I don't have any good data on what values are found in
average wallets and what desired spends look like on average.
3. In the long-run it's better for all clients to participant in
CoinJoin-like operations, but this should significantly increase the cost
and decrease the signal of passive blockchain analysis attacks until that
becomes feasible.
Thanks in advance for your feedback.
[-- Attachment #2: Type: text/html, Size: 8566 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [bitcoin-dev] RFC for BIP: Best Practices for Heterogeneous Input Script Transactions
2016-02-10 21:36 [bitcoin-dev] RFC for BIP: Best Practices for Heterogeneous Input Script Transactions Kristov Atlas
@ 2016-05-19 4:18 ` Kristov Atlas
2016-05-23 17:44 ` T. DeV D
2016-05-26 0:00 ` Luke Dashjr
0 siblings, 2 replies; 4+ messages in thread
From: Kristov Atlas @ 2016-05-19 4:18 UTC (permalink / raw)
To: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 5803 bytes --]
I've updated the language of the BIP. New version:
<pre>
BIP: TBD
Title: Best Practices for Heterogeneous Input Script Transactions
Author: Kristov Atlas <kristov@openbitcoinprivacyproject.org>
Status: Draft
Type: Informational
Created: 2016-02-10
</pre>
==Abstract==
The privacy of Bitcoin users with respect to graph analysis is reduced when
a transaction is created that contains inputs composed from different
scripts. However, creating such transactions is often unavoidable.
This document proposes a set of best practice guidelines which minimize the
adverse privacy consequences of such unavoidable transaction situations
while simultaneously maximising the effectiveness of user protection
protocols.
==Copyright==
This BIP is in the public domain.
==Definitions==
* '''Heterogenous input script transaction (HIT)''': A transaction
containing multiple inputs where not all inputs have identical scripts
(e.g. a transaction spending from more than one Bitcoin address)
* '''Unavoidable heterogenous input script transaction''': An HIT created
as a result of a user’s desire to create a new output with a value larger
than the value of his wallet's largest existing unspent output
* '''Intentional heterogenous input script transaction''': An HIT created
as part of a user protection protocol for reducing uncontrolled disclosure
of personally-identifying information (PII)
==Motivations==
The recommendations in this document are designed to accomplish three goals:
# Maximise the effectiveness of user-protecting protocols: Users may find
that protection protocols are counterproductive if such transactions have a
distinctive fingerprint which renders them ineffective.
# Minimise the adverse consequences of unavoidable heterogenous input
transactions: If unavoidable HITs are indistinguishable from intentional
HITs, a user creating an unavoidable HIT benefits from ambiguity with
respect to graph analysis.
# Limiting the effect on UTXO set growth: To date, non-standardized
intentional HITs tend to increase the network's UTXO set with each
transaction; this standard attempts to minimize this effect by
standardizing unavoidable and intentional HITs to limit UTXO set growth.
In order to achieve these goals, this specification proposes a set of best
practices for heterogenous input script transaction creation. These
practices accommodate all applicable requirements of both intentional and
unavoidable HITs while maximising the effectiveness of both in terms of
preventing uncontrolled disclosure of PII.
In order to achieve this, two forms of HIT are proposed: Standard form and
alternate form.
==Standard form heterogenous input script transaction==
===Rules===
An HIT is Standard form if it adheres to all of the following rules:
# The number of unique output scripts must be equal to the number of unique
inputs scripts (irrespective of the number of inputs and outputs).
# All output scripts must be unique.
# At least one pair of outputs must be of equal value.
# The largest output in the transaction is a member of a set containing at
least two identically-sized outputs.
===Rationale===
The requirement for equal numbers of unique input/output scripts instead of
equal number of inputs/outputs accommodates user-protecting UTXO selection
behavior. Wallets may contain spendable outputs with identical scripts due
to intentional or accidental address reuse, or due to dusting attacks. In
order to minimise the adverse consequences of address reuse, any time a
UTXO is included in a transaction as an input, all UTXOs with the same
spending script should also be included in the transaction.
The requirement that all output scripts are unique prevents address reuse.
Restricting the number of outputs to the number of unique input scripts
prevents this policy from growing the network’s UTXO set. A standard form
HIT transaction will always have a number of inputs greater than or equal
to the number of outputs.
The requirement for at least one pair of outputs in an intentional HIT to
be of equal value results in optimal behavior, and causes intentional HITs
to resemble unavoidable HITs.
==Alternate form heterogenous input script transactions==
The formation of a standard form HIT is not possible in the following cases:
# The HIT is unavoidable, and the user’s wallet contains an insufficient
number or size of UTXOs to create a standard form HIT.
# The user wishes to reduce the number of utxos in their wallet, and does
not have any sets of utxos with identical scripts.
When one of the following cases exist, a compliant implementation may
create an alternate form HIT by constructing a transaction as follows:
===Procedure===
# Find the smallest combination of inputs whose value is at least the value
of the desired spend.
## Add these inputs to the transaction.
## Add a spend output to the transaction.
## Add a change output to the transaction containing the difference between
the current set of inputs and the desired spend.
# Repeat step 1 to create a second spend output and change output.
# Adjust the change outputs as necessary to pay the desired transaction fee.
Clients which create intentional HITs must have the capability to form
alternate form HITs, and must do so for a non-zero fraction of the
transactions they create.
==Non-compliant heterogenous input script transactions==
If a user wishes to create an output that is larger than half the total
size of their spendable outputs, or if their inputs are not distributed in
a manner in which the alternate form procedure can be completed, then the
user can not create a transaction which is compliant with this procedure.
[-- Attachment #2: Type: text/html, Size: 6809 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [bitcoin-dev] RFC for BIP: Best Practices for Heterogeneous Input Script Transactions
2016-05-19 4:18 ` Kristov Atlas
@ 2016-05-23 17:44 ` T. DeV D
2016-05-26 0:00 ` Luke Dashjr
1 sibling, 0 replies; 4+ messages in thread
From: T. DeV D @ 2016-05-23 17:44 UTC (permalink / raw)
To: Kristov Atlas, Bitcoin Protocol Discussion
[-- Attachment #1: Type: text/plain, Size: 6686 bytes --]
ACK
We have already started work on Coinjoin simulated transactions and are
very interested in working on an implementation of this proposal with a
view towards making wallet footprints less identifiable.
On Thu, May 19, 2016 at 5:18 AM, Kristov Atlas via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> I've updated the language of the BIP. New version:
>
> <pre>
> BIP: TBD
> Title: Best Practices for Heterogeneous Input Script Transactions
> Author: Kristov Atlas <kristov@openbitcoinprivacyproject.org>
> Status: Draft
> Type: Informational
> Created: 2016-02-10
> </pre>
>
> ==Abstract==
>
> The privacy of Bitcoin users with respect to graph analysis is reduced
> when a transaction is created that contains inputs composed from different
> scripts. However, creating such transactions is often unavoidable.
>
> This document proposes a set of best practice guidelines which minimize
> the adverse privacy consequences of such unavoidable transaction situations
> while simultaneously maximising the effectiveness of user protection
> protocols.
>
> ==Copyright==
>
> This BIP is in the public domain.
>
> ==Definitions==
>
> * '''Heterogenous input script transaction (HIT)''': A transaction
> containing multiple inputs where not all inputs have identical scripts
> (e.g. a transaction spending from more than one Bitcoin address)
> * '''Unavoidable heterogenous input script transaction''': An HIT created
> as a result of a user’s desire to create a new output with a value larger
> than the value of his wallet's largest existing unspent output
> * '''Intentional heterogenous input script transaction''': An HIT created
> as part of a user protection protocol for reducing uncontrolled disclosure
> of personally-identifying information (PII)
>
> ==Motivations==
>
> The recommendations in this document are designed to accomplish three
> goals:
>
> # Maximise the effectiveness of user-protecting protocols: Users may find
> that protection protocols are counterproductive if such transactions have a
> distinctive fingerprint which renders them ineffective.
> # Minimise the adverse consequences of unavoidable heterogenous input
> transactions: If unavoidable HITs are indistinguishable from intentional
> HITs, a user creating an unavoidable HIT benefits from ambiguity with
> respect to graph analysis.
> # Limiting the effect on UTXO set growth: To date, non-standardized
> intentional HITs tend to increase the network's UTXO set with each
> transaction; this standard attempts to minimize this effect by
> standardizing unavoidable and intentional HITs to limit UTXO set growth.
>
> In order to achieve these goals, this specification proposes a set of best
> practices for heterogenous input script transaction creation. These
> practices accommodate all applicable requirements of both intentional and
> unavoidable HITs while maximising the effectiveness of both in terms of
> preventing uncontrolled disclosure of PII.
>
> In order to achieve this, two forms of HIT are proposed: Standard form and
> alternate form.
>
> ==Standard form heterogenous input script transaction==
>
> ===Rules===
>
> An HIT is Standard form if it adheres to all of the following rules:
>
> # The number of unique output scripts must be equal to the number of
> unique inputs scripts (irrespective of the number of inputs and outputs).
> # All output scripts must be unique.
> # At least one pair of outputs must be of equal value.
> # The largest output in the transaction is a member of a set containing at
> least two identically-sized outputs.
>
> ===Rationale===
>
> The requirement for equal numbers of unique input/output scripts instead
> of equal number of inputs/outputs accommodates user-protecting UTXO
> selection behavior. Wallets may contain spendable outputs with identical
> scripts due to intentional or accidental address reuse, or due to dusting
> attacks. In order to minimise the adverse consequences of address reuse,
> any time a UTXO is included in a transaction as an input, all UTXOs with
> the same spending script should also be included in the transaction.
>
> The requirement that all output scripts are unique prevents address reuse.
> Restricting the number of outputs to the number of unique input scripts
> prevents this policy from growing the network’s UTXO set. A standard form
> HIT transaction will always have a number of inputs greater than or equal
> to the number of outputs.
>
> The requirement for at least one pair of outputs in an intentional HIT to
> be of equal value results in optimal behavior, and causes intentional HITs
> to resemble unavoidable HITs.
>
> ==Alternate form heterogenous input script transactions==
>
> The formation of a standard form HIT is not possible in the following
> cases:
>
> # The HIT is unavoidable, and the user’s wallet contains an insufficient
> number or size of UTXOs to create a standard form HIT.
> # The user wishes to reduce the number of utxos in their wallet, and does
> not have any sets of utxos with identical scripts.
>
> When one of the following cases exist, a compliant implementation may
> create an alternate form HIT by constructing a transaction as follows:
>
> ===Procedure===
>
> # Find the smallest combination of inputs whose value is at least the
> value of the desired spend.
> ## Add these inputs to the transaction.
> ## Add a spend output to the transaction.
> ## Add a change output to the transaction containing the difference
> between the current set of inputs and the desired spend.
> # Repeat step 1 to create a second spend output and change output.
> # Adjust the change outputs as necessary to pay the desired transaction
> fee.
>
> Clients which create intentional HITs must have the capability to form
> alternate form HITs, and must do so for a non-zero fraction of the
> transactions they create.
>
> ==Non-compliant heterogenous input script transactions==
>
> If a user wishes to create an output that is larger than half the total
> size of their spendable outputs, or if their inputs are not distributed in
> a manner in which the alternate form procedure can be completed, then the
> user can not create a transaction which is compliant with this procedure.
>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>
--
dev@samouraiwallet.com
PGP public key fingerprint:
ED1A 1280 DEFC A603 14CD 15BF 72B5 BACD FEDF 39D7
[-- Attachment #2: Type: text/html, Size: 8614 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [bitcoin-dev] RFC for BIP: Best Practices for Heterogeneous Input Script Transactions
2016-05-19 4:18 ` Kristov Atlas
2016-05-23 17:44 ` T. DeV D
@ 2016-05-26 0:00 ` Luke Dashjr
1 sibling, 0 replies; 4+ messages in thread
From: Luke Dashjr @ 2016-05-26 0:00 UTC (permalink / raw)
To: Kristov Atlas, Bitcoin Protocol Discussion
On Thursday, May 19, 2016 4:18:15 AM Kristov Atlas via bitcoin-dev wrote:
> BIP: TBD
This is assigned BIP 126.
> * '''Heterogenous input script transaction (HIT)''': A transaction
> containing multiple inputs where not all inputs have identical scripts
> (e.g. a transaction spending from more than one Bitcoin address)
Transactions are never from Bitcoin addresses, and inputs almost never have
identical scripts (although the UTXOs they are spending often do).
Luke
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-05-26 0:01 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-02-10 21:36 [bitcoin-dev] RFC for BIP: Best Practices for Heterogeneous Input Script Transactions Kristov Atlas
2016-05-19 4:18 ` Kristov Atlas
2016-05-23 17:44 ` T. DeV D
2016-05-26 0:00 ` Luke Dashjr
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox