On Jun 15, 2016 12:53, "Daniel Weigl via bitcoin-dev" <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> That would be a big privacy leak, imo. As soon as both outputs are spent, its visible
> which one was the P2WPKH-in-P2SH and which one the pure P2WPKH and as a consequence
> you leak which output was the change and which one the actual sent output
>
> So, i'd suggest to even make it a requirement for "normal" send-to-single-address transactions
> to always use the same output type for the change output (if the wallet is able to recognize it)
Indeed, and you can go even further. When there are multiple "sending" outputs, pick one at random, and mimic it for the change output. This means that if you have a P2PKH and 3 P2SH sends, you'll have 25% chance for a P2PKH change output, and 75% chance for a P2SH output.
You can go even further of course, if you want privacy that remains after those sends get spent. In that case, you also need to match the template of the redeemscript/witnessscript. For example, if the send you are mimicking is a 2-of-3, the change output should also use 2-of-3.
--
Pieter