Delivery-date: Fri, 28 Mar 2025 12:45:25 -0700
Received: from mail-yw1-f188.google.com ([209.85.128.188])
by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94.2)
(envelope-from <bitcoindev+bncBDI23FE35EIBBSPYTO7QMGQES4SJRHQ@googlegroups.com>)
id 1tyFdr-0006ke-UB
for bitcoindev@gnusha.org; Fri, 28 Mar 2025 12:45:25 -0700
Received: by mail-yw1-f188.google.com with SMTP id 00721157ae682-6f2bc451902sf35565467b3.3
for <bitcoindev@gnusha.org>; Fri, 28 Mar 2025 12:45:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1743191117; x=1743795917; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:sender:from
:to:cc:subject:date:message-id:reply-to;
bh=vdcBGBqMIisLFXtaSDaB7UBBJ6reKBiAA44FE3+XasM=;
b=pAh+aWt4zu3fysZT77X++OioP0dpvbnKGj2vjSroVsqyZbemBAlGbH9DlmLzo3UwI6
KK/3pOjMzUneGBNcZZPsgYK2Sc5INiKtpQxZFufM9A8GW9GCnGi4mp7FRZZQxrb8DHsL
o3gbmN6xhXJtzckisaxMEaD5A+gpkn4SKdwmb43Rgpyz3vGz+w16bW9Bm7c2uc3kMfJZ
/AmfSLfab/Zea0HgBB4MDw4DFNW40YlvD8IAoB9ADNc3Oh3QYv9uT+dqvG7NNvsEzrMP
+F2s5GnCnl/G4S6eNIqSCCJb66v3wvv3BIiLNEzD+1gCLc3DHeTXYVV6U9CTqxydP1+V
TuDg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1743191117; x=1743795917; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:from:to:cc
:subject:date:message-id:reply-to;
bh=vdcBGBqMIisLFXtaSDaB7UBBJ6reKBiAA44FE3+XasM=;
b=fvwufQJMB1uJzHliEJZkFvSqYbIliQGgAwJZWgCdB7DyWlK8zD5Ob2hT8uiGUK7o+G
3SrvMfrcVfsgoiRDb1Stnxzzb55AlYZcfOpcZf+4Yg5PPqJyRSzHHwkXwnEbVo7QGA3o
jDOK1YWVQzI20SqmBMYWLkxzNb/YWOacdpr8HXv6HYXX0dHdqA/mOemBuQ8NwEm6C5Al
AsVtFsYYa/Slo/Q8w3FKAKENC4N1q9D7P38lum+mMRj7AwAxFCTufFFWVQDUms/M6Vna
YpJq2pqRjf47nmjXIzgglRoO2orixK0za6/SwK+5n9q3d4fJvA8LuL+kuRA+aRdBc7no
PJaQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1743191117; x=1743795917;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:x-beenthere
:x-gm-message-state:sender:from:to:cc:subject:date:message-id
:reply-to;
bh=vdcBGBqMIisLFXtaSDaB7UBBJ6reKBiAA44FE3+XasM=;
b=CVENa7ylQ+tlQVSeN452/DIDXgV7bYlQL/a2R3KmJmBLufeYaEBnh+UQ9KKDyV2R5g
+g1OQVrZyWMRUsMvDY24SN4+4bF6NChqYZTGpLZuEoPHLIeJ17Xn4FwGmVcGxEIu0kL4
Im5uf9xe/lLHwhnKMuCJlNJD6NoLE2BoRH5j4IPJAu/mrSxKvl8UqQAmFqOllPbcKUx5
pXat7W9sgAQFgqO4BYk6MS2mfq6nkIQdIlv7K5gN2hweSlacZrt9VBzo9OYg0NvetzCQ
6tZH4b9RLB/JAprPqP7paye+fJj7BuCnZGLwQNu6MIZYl1HL1Gxb/AfI6PSRiBehdKaT
JoHA==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=1; AJvYcCXlcWEupeOHEQy/8GGiMMHJ/GzUnfbNRSA8yZMz1DEXk3Y64G9/x065PAFFleo1r+urXGJnY1VPYD0P@gnusha.org
X-Gm-Message-State: AOJu0YydYdWT11u7G8/sV7FwHkgrRzU5OvVu8OkoZki2+q0WqC23QZd/
0p18Ljf8crTpOGqkocqeZ4RnBYVKJ1rplI/dvyBa8zeheJ/njiEK
X-Google-Smtp-Source: AGHT+IEYpyAUwwIOrEkZH9+u6gU576p4t4TeHKwaN1cJLtzT88a1r0scugAA2NGJvCWMIJE8Trs0ew==
X-Received: by 2002:a05:6902:2006:b0:e5e:14d4:e63d with SMTP id 3f1490d57ef6-e6b838d3265mr670683276.9.1743191117321;
Fri, 28 Mar 2025 12:45:17 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com; h=ARLLPAKPWK2T0oZaaKdfiKNLpM68HNXPvlYWkgLInKHAYNj4IQ==
Received: by 2002:a25:aa4d:0:b0:e60:8901:aead with SMTP id 3f1490d57ef6-e6942e6855fls621127276.2.-pod-prod-07-us;
Fri, 28 Mar 2025 12:45:13 -0700 (PDT)
X-Received: by 2002:a05:690c:6e09:b0:6fd:3d82:f900 with SMTP id 00721157ae682-70257275106mr9299177b3.20.1743191112870;
Fri, 28 Mar 2025 12:45:12 -0700 (PDT)
Received: by 2002:a05:690c:f09:b0:6fe:b496:fc0e with SMTP id 00721157ae682-70210e65fc6ms7b3;
Fri, 28 Mar 2025 12:28:55 -0700 (PDT)
X-Received: by 2002:a05:690c:fd3:b0:6fb:968b:d8f5 with SMTP id 00721157ae682-70257302dc5mr7950227b3.36.1743190133880;
Fri, 28 Mar 2025 12:28:53 -0700 (PDT)
Date: Fri, 28 Mar 2025 12:28:53 -0700 (PDT)
From: waxwing/ AdamISZ <ekaggata@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <d0a0e344-d777-49bc-8b3c-a3462f0d6836n@googlegroups.com>
In-Reply-To: <CALiT-Zrq0Nr9uNWDTMj3=VJ6TCcmeL3s+Jau+nEGHqYqFcfB+g@mail.gmail.com>
References: <450755f1-84c5-4f32-abe0-67087ae884d6n@googlegroups.com>
<1c7130d4-cbac-4404-968c-9eb7b4e2e4cbn@googlegroups.com>
<CALiT-Zrq0Nr9uNWDTMj3=VJ6TCcmeL3s+Jau+nEGHqYqFcfB+g@mail.gmail.com>
Subject: Re: [bitcoindev] Re: UTXO probing attack using payjoin
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_161136_807255403.1743190133581"
X-Original-Sender: ekaggata@gmail.com
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -0.5 (/)
------=_Part_161136_807255403.1743190133581
Content-Type: multipart/alternative;
boundary="----=_Part_161137_1217636125.1743190133581"
------=_Part_161137_1217636125.1743190133581
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi /dev/fd0 and all,
> The original transaction can be replaced by the attacker, and it would=20
only cost a few hundred sats or nothing if it's payjoin transaction. I=20
think such attacks could still be effective if the attacker has the budget=
=20
and motivation to spy on someone's wallet.
That is true but it is also directly addressed with a mitigation in the=20
section on the attack in BIP78; (already linked here but just to repeat:=20
https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#user-content=
-span_idprobingattackspanOn_the_receiver_side_UTXO_probing_attack=20
)
specifically it says "When the receiver detects an original transaction=20
being broadcast, or if the receiver detects that the original transaction=
=20
has been double spent, then they will reuse the UTXO that was exposed for=
=20
the next payjoin.".
However it is unclear whether that's part of the protocol specification, or=
=20
whether it should be. So there's at least something to discuss there.
In the blog post on substack, I don't see any discussion of whether the=20
mitigations proposed make sense. I think they do. Also that blog post=20
discusses altering the sender code to prevent sending the tx. An=20
implementation might differ, but at least in BIP78 it should be the=20
receiver who broadcasts the initial non-payjoin version after a short=20
timeout. That difference connects with the next point also:
One other important thing that is discussed in BIP78, there is a=20
difference between a "merchant" (or in any case, payment-receiving-server)=
=20
case vs. a peer to peer payments case. In the latter case you cannot simply=
=20
continuously ask for more and more "invoices" (payjoin urls) from the=20
counterparty. In the former case, you certainly can, and the mitigations=20
mentioned make sense there to prevent the "utxo collection" algorithm of=20
continuously failing to complete or double spending, across multiple=20
payment amounts.
> It was costless in the demo which could be fixed by bullbitcoin
Yeah I see a couple of related things there, BIP77 is more nuanced on the=
=20
"receiver broadcasts original after short delay" saying that an expiration=
=20
MAY be set and applied by receivers, which relates ack to the earlier point=
=20
that for a p2p payment arranged with both parties live is not exposed to a=
=20
repeated request attack, hence it may not be needed. I do think it comes=20
back to the "don't change the currently available utxo until it gets used"=
=20
statement in that BIP78 section mentioned above.
With that nuance even your modified-code-sender could be argued not to be=
=20
an issue, though I think I prefer the BIP78 inclusion of "receiver=20
broadcasts after an expiration" being a requirement, not a "MAY".
> Payjoin should only be used with trusted senders.
I mean, obviously, I don't agree with that.
And then there's the 10000ft view: if an attacker doesn't mind spending=20
coins, they can just .. do sender-side actual payjoins, over and over, to=
=20
try to collect utxos. After all the very first blockchain analysis paper by=
=20
Meiklejohn et al focused on exactly this; see how much info you can get by=
=20
actually paying at a merchant.
I think that whether this is a problem or not is deeply tied to that=20
inevitable conflict between the desire for privacy and the desire for=20
scalability/low cost. To never co-spend utxos means a wallet fragments to=
=20
infinite utxos. But to cospend maximally (as a naive merchant *might* do -=
=20
receive 1000 payments then send all of them at the same time into a cold=20
wallet) wipes out, at least most of the time, the privacy gain from not=20
reusing addresses in the first place. A payjoin based merchant flow, in the=
=20
simplest version, would end up linking the 1000 anyway (think a chain of=20
1000 payjoins with 1 merchant in and 1 merchant out), but with=20
substantially more deniability/lack of certainty at each step in terms of=
=20
both utxo and amount, and never being hit with "huge transaction during fee=
=20
spike". It should at least be *better*.
If those 1000 payjoins were an attacker, he only really learns about the=20
first utxo, if you snowball like that. To "read" your current wallet, he=
=20
somehow has to pay for a huge range of different amounts to try to entice=
=20
you to spend *different* utxos; it's not easy, but equally it's ridiculous=
=20
to claim that it doesn't leak anything.
Cheers,
AdamISZ/waxwing
On Thursday, March 27, 2025 at 9:19:38=E2=80=AFAM UTC-3 /dev /fd0 wrote:
> Hi jbesraa,
>
> > While the possibility of UTXO probing via Payjoin is a valid concern=20
> regarding privacy, it's important to note that it might not always come=
=20
> without cost for the attacker. The Payjoin recipient > needs to validate=
=20
> the initial request, ensuring the sender's inputs are broadcastable. This=
=20
> means the recipient could, in practice, broadcast the initial transaction=
=20
> even if the sender aborts the > Payjoin.
>
> > Furthermore, implementing strategies like maintaining a set of 'seen=20
> inputs' can make such probing attempts more easily detectable and less=20
> effective.
>
> The original transaction can be replaced by the attacker, and it would=20
> only cost a few hundred sats or nothing if it's payjoin transaction. I=20
> think such attacks could still be effective if the attacker has the budge=
t=20
> and motivation to spy on someone's wallet.
>
> /dev/fd0
> floppy disk guy
>
>
> On Wed, Mar 26, 2025 at 11:54=E2=80=AFPM jbesraa <jbe...@gmail.com> wrote=
:
>
>> While the possibility of UTXO probing via Payjoin is a valid concern=20
>> regarding privacy, it's important to note that it might not always come=
=20
>> without cost for the attacker. The Payjoin recipient needs to validate t=
he=20
>> initial request, ensuring the sender's inputs are broadcastable. This me=
ans=20
>> the recipient could, in practice, broadcast the initial transaction even=
if=20
>> the sender aborts the Payjoin. Furthermore, implementing strategies like=
=20
>> maintaining a set of 'seen inputs' can make such probing attempts more=
=20
>> easily detectable and less effective. While these measures don't elimina=
te=20
>> the privacy considerations entirely, they do highlight that recipients h=
ave=20
>> potential defenses and that probing isn't necessarily a risk-free endeav=
or=20
>> for the attacker.
>>
>> On Tuesday, March 25, 2025 at 1:48:15=E2=80=AFPM UTC+2 /dev /fd0 wrote:
>>
>> Hi everyone,=20
>>
>> Sometimes we are curious and want to know about UTXOs in other wallets.=
=20
>> Payjoin allows you to do this and the recipient would never doubt it=20
>> because it's a privacy tool. It's possible to find UTXO in recipient's=
=20
>> wallet without sending any bitcoin. It's called UTXO probing attack and=
=20
>> described in BIP 77-78.
>>
>> I have shared a demo with all the details in this [post][0]. I have used=
=20
>> bullbitcoin wallet for testing this because it was the only [wallet][1]=
=20
>> which supports payjoin v2 (send, receive) and testnet3.
>>
>> I think users should be aware of this tradeoff and the information they=
=20
>> share with the sender in payjoin. Payjoin should only be used with trust=
ed=20
>> senders.
>>
>> [0]:=20
>> https://uncensoredtech.substack.com/p/utxo-probing-attack-using-payjoin
>> [1]: https://en.bitcoin.it/wiki/PayJoin_adoption
>>
>> /dev/fd0
>> floppy disk guy
>>
>> --=20
>> You received this message because you are subscribed to the Google Group=
s=20
>> "Bitcoin Development Mailing List" group.
>> To unsubscribe from this group and stop receiving emails from it, send a=
n=20
>> email to bitcoindev+...@googlegroups.com.
>> To view this discussion visit=20
>> https://groups.google.com/d/msgid/bitcoindev/1c7130d4-cbac-4404-968c-9eb=
7b4e2e4cbn%40googlegroups.com=20
>> <https://groups.google.com/d/msgid/bitcoindev/1c7130d4-cbac-4404-968c-9e=
b7b4e2e4cbn%40googlegroups.com?utm_medium=3Demail&utm_source=3Dfooter>
>> .
>>
>
--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
d0a0e344-d777-49bc-8b3c-a3462f0d6836n%40googlegroups.com.
------=_Part_161137_1217636125.1743190133581
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div>Hi /dev/fd0 and all,</div><div><br /></div><div>> The original tran=
saction can be replaced by the attacker, and it would=20
only cost a few hundred sats or nothing if it's payjoin transaction. I=20
think such attacks could still be effective if the attacker has the=20
budget and motivation to spy on someone's wallet.</div><div><br /></div><di=
v>That is true but it is also directly addressed with a mitigation in the s=
ection on the attack in BIP78; (already linked here but just to repeat: htt=
ps://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#user-content-sp=
an_idprobingattackspanOn_the_receiver_side_UTXO_probing_attack )</div><div>=
<br /></div><div>specifically it says "When the receiver detects an origina=
l transaction being broadcast, or if
the receiver detects that the original transaction has been double=20
spent, then they will reuse the UTXO that was exposed for the next=20
payjoin.".</div><div><br /></div><div>However it is unclear whether that's =
part of the protocol specification, or whether it should be. So there's at =
least something to discuss there.</div><div><br /></div><div>In the blog po=
st on substack, I don't see any discussion of whether the mitigations propo=
sed make sense. I think they do. Also that blog post discusses altering the=
sender code to prevent sending the tx. An implementation might differ, but=
at least in BIP78 it should be the receiver who broadcasts the initial non=
-payjoin version after a short timeout. That difference connects with the n=
ext point also:</div><div><br /></div><div>One other important thing that i=
s discussed=C2=A0 in BIP78, there is a difference between a "merchant" (or =
in any case, payment-receiving-server) case vs. a peer to peer payments cas=
e. In the latter case you cannot simply continuously ask for more and more =
"invoices" (payjoin urls) from the counterparty. In the former case, you ce=
rtainly can, and the mitigations mentioned make sense there to prevent the =
"utxo collection" algorithm of continuously failing to complete or double s=
pending, across multiple payment amounts.</div><div><br /></div><div>> I=
t was costless in the demo which could be fixed by bullbitcoin</div><div><b=
r /></div><div>Yeah I see a couple of related things there, BIP77 is more n=
uanced on the "receiver broadcasts original after short delay" saying that =
an expiration MAY be set and applied by receivers, which relates ack to the=
earlier point that for a p2p payment arranged with both parties live is no=
t exposed to a repeated request attack, hence it may not be needed. I do th=
ink it comes back to the "don't change the currently available utxo until i=
t gets used" statement in that BIP78 section mentioned above.</div><div><br=
/></div><div>With that nuance even your modified-code-sender could be argu=
ed not to be an issue, though I think I prefer the BIP78 inclusion of "rece=
iver broadcasts after an expiration" being a requirement, not a "MAY".</div=
><div><br /></div><div>> Payjoin should only be used with trusted sender=
s.</div><div><br /></div><div>I mean, obviously, I don't agree with that.</=
div><div><br /></div><div>And then there's the 10000ft view: if an attacker=
doesn't mind spending coins, they can just .. do sender-side actual payjoi=
ns, over and over, to try to collect utxos. After all the very first blockc=
hain analysis paper by Meiklejohn et al focused on exactly this; see how mu=
ch info you can get by actually paying at a merchant.</div><div><br /></div=
><div>I think that whether this is a problem or=C2=A0 not is deeply tied to=
that inevitable conflict between the desire for privacy and the desire for=
scalability/low cost. To never co-spend utxos means a wallet fragments to =
infinite utxos. But to cospend maximally (as a naive merchant *might* do - =
receive 1000 payments then send all of them at the same time into a cold wa=
llet) wipes out, at least most of the time, the privacy gain from not reusi=
ng addresses in the first place. A payjoin based merchant flow, in the simp=
lest version, would end up linking the 1000 anyway (think a chain of 1000 p=
ayjoins with 1 merchant in and 1 merchant out), but with substantially more=
deniability/lack of certainty at each step in terms of both utxo and amoun=
t, and never being hit with "huge transaction during fee spike". It should =
at least be *better*.</div><div><br /></div><div>If those 1000 payjoins wer=
e an attacker, he only really learns about the first utxo, if you snowball =
like that. To "read"=C2=A0 your current wallet, he somehow has to pay for a=
huge range of different amounts to try to entice you to spend *different* =
utxos; it's not easy, but equally it's ridiculous to claim that it doesn't =
leak anything.</div><div><br /></div><div>Cheers,</div><div>AdamISZ/waxwing=
</div><br /><div class=3D"gmail_quote"><div dir=3D"auto" class=3D"gmail_att=
r">On Thursday, March 27, 2025 at 9:19:38=E2=80=AFAM UTC-3 /dev /fd0 wrote:=
<br/></div><blockquote class=3D"gmail_quote" style=3D"margin: 0 0 0 0.8ex; =
border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div dir=3D"=
ltr">Hi jbesraa,<div></div></div><div dir=3D"ltr"><div><br>>=C2=A0While =
the possibility of UTXO probing via Payjoin is a valid concern regarding pr=
ivacy, it's important to note that it might not always come without cos=
t for the attacker. The Payjoin recipient > needs to validate the initia=
l request, ensuring the sender's inputs are broadcastable. This means t=
he recipient could, in practice, broadcast the initial transaction even if =
the sender aborts the > Payjoin.<br><br>>=C2=A0Furthermore, implement=
ing strategies like maintaining a set of 'seen inputs' can make suc=
h probing attempts more easily detectable and less effective.<br><br></div>=
</div><div dir=3D"ltr"><div>The original transaction can be replaced by the=
attacker, and it would only cost a few hundred sats or nothing if it's=
payjoin transaction. I think such attacks could still be effective if the =
attacker has the budget and motivation to spy on someone's wallet.</div=
><div><br></div><div>/dev/fd0</div><div>floppy disk guy<br></div><div><br><=
/div></div><br><div class=3D"gmail_quote"></div><div class=3D"gmail_quote">=
<div dir=3D"ltr" class=3D"gmail_attr">On Wed, Mar 26, 2025 at 11:54=E2=80=
=AFPM jbesraa <<a href data-email-masked rel=3D"nofollow">jbe...@gmail.c=
om</a>> wrote:<br></div></div><div class=3D"gmail_quote"><blockquote cla=
ss=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex">While the possibility of UTXO probing vi=
a Payjoin is a valid concern=20
regarding privacy, it's important to note that it might not always come=
=20
without cost for the attacker. The Payjoin recipient needs to validate=20
the initial request, ensuring the sender's inputs are broadcastable.=20
This means the recipient could, in practice, broadcast the initial=20
transaction even if the sender aborts the Payjoin. Furthermore,=20
implementing strategies like maintaining a set of 'seen inputs' can=
make
such probing attempts more easily detectable and less effective. While=20
these measures don't eliminate the privacy considerations entirely, the=
y
do highlight that recipients have potential defenses and that probing=20
isn't necessarily a risk-free endeavor for the attacker.<br><br><div><d=
iv dir=3D"auto">On Tuesday, March 25, 2025 at 1:48:15=E2=80=AFPM UTC+2 /dev=
/fd0 wrote:<br></div><blockquote style=3D"margin:0px 0px 0px 0.8ex;border-=
left:1px solid rgb(204,204,204);padding-left:1ex">Hi everyone, <br><br>Some=
times we are curious and want to know about UTXOs in other wallets. Payjoin=
allows you to do this and the recipient would never doubt it because it=
9;s a privacy tool. It's possible to find UTXO in recipient's walle=
t without sending any bitcoin. It's called UTXO probing attack and desc=
ribed in BIP 77-78.<br><br>I have shared a demo with all the details in thi=
s [post][0]. I have used bullbitcoin wallet for testing this because it was=
the only [wallet][1] which supports payjoin v2 (send, receive) and testnet=
3.<br><br>I think users should be aware of this tradeoff and the informatio=
n they share with the sender in payjoin. Payjoin should only be used with t=
rusted senders.<br><br>[0]: <a href=3D"https://uncensoredtech.substack.com/=
p/utxo-probing-attack-using-payjoin" rel=3D"nofollow" target=3D"_blank" dat=
a-saferedirecturl=3D"https://www.google.com/url?hl=3Den&q=3Dhttps://unc=
ensoredtech.substack.com/p/utxo-probing-attack-using-payjoin&source=3Dg=
mail&ust=3D1743274526874000&usg=3DAOvVaw0wLolOGKRzZQnbyCOXEZdP">htt=
ps://uncensoredtech.substack.com/p/utxo-probing-attack-using-payjoin</a><br=
>[1]: <a href=3D"https://en.bitcoin.it/wiki/PayJoin_adoption" rel=3D"nofoll=
ow" target=3D"_blank" data-saferedirecturl=3D"https://www.google.com/url?hl=
=3Den&q=3Dhttps://en.bitcoin.it/wiki/PayJoin_adoption&source=3Dgmai=
l&ust=3D1743274526874000&usg=3DAOvVaw0YkPehwJD4ULQZ5hkAlz3U">https:=
//en.bitcoin.it/wiki/PayJoin_adoption</a><br><br>/dev/fd0<br>floppy disk gu=
y</blockquote></div>
<p></p></blockquote></div><div class=3D"gmail_quote"><blockquote class=3D"g=
mail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204=
,204,204);padding-left:1ex">
-- <br>
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List" group.<br>
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href data-email-masked rel=3D"nofollow">bitcoindev+...@googlegro=
ups.com</a>.<br>
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/1c7130d4-cbac-4404-968c-9eb7b4e2e4cbn%40googlegroups.com?utm_med=
ium=3Demail&utm_source=3Dfooter" target=3D"_blank" rel=3D"nofollow" dat=
a-saferedirecturl=3D"https://www.google.com/url?hl=3Den&q=3Dhttps://gro=
ups.google.com/d/msgid/bitcoindev/1c7130d4-cbac-4404-968c-9eb7b4e2e4cbn%254=
0googlegroups.com?utm_medium%3Demail%26utm_source%3Dfooter&source=3Dgma=
il&ust=3D1743274526874000&usg=3DAOvVaw2y1OIOOeaGSVvx7iAWRU-y">https=
://groups.google.com/d/msgid/bitcoindev/1c7130d4-cbac-4404-968c-9eb7b4e2e4c=
bn%40googlegroups.com</a>.<br>
</blockquote></div>
</blockquote></div>
<p></p>
-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List" group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/d0a0e344-d777-49bc-8b3c-a3462f0d6836n%40googlegroups.com?utm_med=
ium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/msgid/bitcoind=
ev/d0a0e344-d777-49bc-8b3c-a3462f0d6836n%40googlegroups.com</a>.<br />
------=_Part_161137_1217636125.1743190133581--
------=_Part_161136_807255403.1743190133581--