---------------------------------
| Bitcoin Privacy Issues With   |
| Integrating Bech32            |
|                               |
| Privacy harm when combining   |
| script types, or why one      |
| should 'upgrade' their        |
| legacy addresses              |
---------------------------------
| Kevin Froman                  |
| VoidNetwork LLC               |
| March 3, 2021                 |
| kev[-@-]voidnet.tech          |
---------------------------------

Bitcoin and cryptocurrencies as a whole have a reputation for being
private among some in the cryptocurrency community, and for being
completely traceable among others. The truth is that Bitcoin and similar
cryptocurrencies can be anonymous, but this requires effort on the part
of the user. Unfortunately, it is far from trivial to transact
anonymously.[1] In this article I discuss one particular privacy issue
with Bitcoin that came about in recent years with the introduction of
Bech32 as part of SegWit.

In most cryptocurrencies, one cannot send partial values.[2] Instead,
wallets must use an address they own (called a change address) to
receive the funds not being sent to another person. If one does not do
this, the 'un-sent' coins will be claimed by the miner of the block that
the transaction is included in. In most normal transactions, it is not
trivial to tell a change address apart from a true recipient.

Bech32 is a modern Bitcoin address format that has seen good adoption as
of 2021[3], including in Litecoin[4]. Bech32, as part of SegWit, was a
backwards-compatible change. In March 2021, Bech32 addresses still only
hold approximately 8% of all Bitcoin.[5] It is my guess that many users
will never transfer funds from legacy addresses to Bech32 ones (for the
sake of upgrading) as long as their wallet software still supports
legacy addresses. This means that the first time some funds touch Bech32
wallets will be when they are sent as part of an exchange or purchase.

-----------------------------------
| Legacy <-> Bech32 Privacy Leaks |
-----------------------------------

In Bitcoin, every coin is locked behind a script. The standard behaviour
for scripts is, in short, to check a signature that would unlock a
balance. Scripts come in common forms, but they can be arbitrary.[6] Of
course, few users use anything but the standard scripts that their
wallets default to using.

When a user sends from a legacy address (non-Bech32/SegWit) to a Bech32
address (or vice versa), a wallet may default to using the same script
type as the input(s) for the change address. This makes it obvious which
output address is a change address and which is the 'actual'
recipient.[7] This harms the privacy of both the sender and the
recipient(s) of funds, by associating ownership and revealing the amount
of coin paid.

While mixing script types is by far not the only deanonymization method,
users on legacy addresses should send their balances to Bech32 addresses
they own, effectively 'upgrading' their wallets before sending coins to
anyone else. If sending from Bech32 to a legacy address, downgrade. This
will restore the change output privacy that Bitcoin is intended to have,
and helps to avoid being low-hanging fruit during blockchain analysis.
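
The script-type signal described above can be checked by a sender before broadcasting. The following is an added example, not code from the article or from any wallet: the function names and the placeholder addresses are hypothetical, and address types are inferred from mainnet prefixes only, without checksum validation.

```python
# Added example: wallet-side pre-send check for the script-type change leak.
# Prefix classification covers mainnet only and does not verify checksums.

def script_type(address):
    """Classify a mainnet address by its visible format."""
    if address.lower().startswith("bc1q"):
        return "bech32-segwit-v0"
    if address.startswith("1"):
        return "legacy-p2pkh"
    if address.startswith("3"):
        return "p2sh"
    return "unknown"


def identifiable_change(input_addrs, output_addrs):
    """Index of the output an observer would label as change, else None.

    Heuristic: all inputs share one script type, and exactly one of
    several outputs has that same type.
    """
    in_types = {script_type(a) for a in input_addrs}
    if len(in_types) != 1 or "unknown" in in_types:
        return None
    in_type = next(iter(in_types))
    matches = [i for i, a in enumerate(output_addrs)
               if script_type(a) == in_type]
    if len(output_addrs) > 1 and len(matches) == 1:
        return matches[0]
    return None


# Constructed placeholder addresses (not real, checksums invalid).
LEGACY_IN = "1SenderInputPLACEHOLDER"
LEGACY_CHANGE = "1SenderChangePLACEHOLDER"
BECH32_IN = "bc1qsenderinputplaceholder"
BECH32_CHANGE = "bc1qsenderchangeplaceholder"
BECH32_PAYEE = "bc1qpayeeplaceholder"
LEGACY_PAYEE = "1PayeePLACEHOLDER"

if __name__ == "__main__":
    cases = {
        "legacy wallet pays Bech32": ([LEGACY_IN], [BECH32_PAYEE, LEGACY_CHANGE]),
        "upgraded wallet pays Bech32": ([BECH32_IN], [BECH32_PAYEE, BECH32_CHANGE]),
        "Bech32 wallet pays legacy": ([BECH32_IN], [BECH32_CHANGE, LEGACY_PAYEE]),
    }
    for name, (ins, outs) in cases.items():
        idx = identifiable_change(ins, outs)
        print(name, "->", "change is output %d" % idx if idx is not None else "no signal")
```

Only the 'upgraded' case yields no signal, because both outputs share the input script type.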

---------------------------------------------
1: https://en.bitcoin.it/wiki/Privacy
2: https://en.bitcoin.it/wiki/Change
3: https://en.bitcoin.it/wiki/Bech32_adoption
4: https://www.coindesk.com/litecoins/segwit-activation-why-it-matters-and-whats-next
5: https://txstats.com/dashboard/db/bech32-statistics?orgId=1&from=1584170494100&to=1615447294100
6: https://en.bitcoin.it/wiki/Script
7: https://en.bitcoin.it/wiki/Privacy#Sending_to_a_different_script_type