From: Yuval Kogman <nothingmuch@woobling.org>
Date: Tue, 25 Mar 2025 14:39:41 +0100
Message-ID: <CAAQdECADpUOUN9+yBLMR7dVJ2WhsE2uhesSgh=p-jRgzp9AaWQ@mail.gmail.com>
Subject: Re: [bitcoindev] UTXO probing attack using payjoin
To: "/dev /fd0" <alicexbtong@gmail.com>
Cc: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
On Tue, 25 Mar 2025 at 12:48, /dev /fd0 <alicexbtong@gmail.com> wrote:
> I think users should be aware of this tradeoff and the information they share with the sender in payjoin. Payjoin should only be used with trusted senders.

In the event that the receiver is actually paid (see below), the
sender can observe what happens to a payment output, same as they
would when a receiver does not support payjoin at all. This will
likely link it to the receiver's other coins eventually, and certainly
links it to the receiver's subsequent transactions.

It seems to me like your reasoning applies to any on chain wallet
(with or without payjoin), unless the receiver is using e.g. coinswap
after each received payment. In the payjoin setting, if the receiver is
using coinswap in that manner, then as a payjoin receiver they can
elect to only use coinswapped coins as contributed inputs to payjoin
transactions.

> Sometimes we are curious and want to know about UTXOs in other wallets. Payjoin allows you to do this and the recipient would never doubt it because it's a privacy tool.

I'm not sure what you mean by "the recipient would never doubt it
because it's a privacy tool", it sounds to me like this is mainly a
criticism of the UX of payjoin supporting wallets, or of wallets in
general for not educating users that privacy is not a binary thing? If
that's the case then I'm not sure how to convert that critique into an
actionable suggestion.

UTXO enumeration is a potentially serious concern in the context of
clustering deanonymization attacks, *especially* if coins can be
linked without spending them, as that is independent from any common
input ownership leaks that may arise when those coins are actually
spent.

The same leak concern also applies to lightning dual funding, and a
similar one (revealing coin relatedness to coordinators) applies to
coordinated coinjoins where vendors have made outright false claims...

In relation to your statement about users being none the wiser since
"it's a privacy tool", that seems part of a broader challenge of
communicating nuances and tradeoffs to non-technical users, and one
that isn't specifically related to payjoin?

> It's possible to find UTXO in recipient's wallet without sending any bitcoin. It's called UTXO probing attack and described in BIP 77-78.

"Without sending any bitcoin" is not entirely accurate, in all payjoin
protocol specs the receiver only responds after validating the initial
unilateral transaction from the sender. This transaction is not yet
confirmed, and can of course be double spent by the sender, but that
is not costless as the mining fees for double spending or replacing
that transaction (depending on whether or not the receiver has
broadcast it) must be paid.

Probing was initially described in BIP 79
(https://github.com/bitcoin/bips/blob/master/bip-0079.mediawiki#contributed-input-choice):

>> To prevent an attack where a receiver is continually sent variations of the same transaction to enumerate the receivers utxo set, it is essential that the receiver always returns the same contributed inputs when it's seen the same inputs.

This is again described in BIP 78
https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#user-content-span_idprobingattackspanOn_the_receiver_side_UTXO_probing_attack

And mentioned in BIP 77 (that could be made more explicit but BIP 77
depends on BIP 78 and refers to it extensively):
https://github.com/bitcoin/bips/blob/799e8c145da0304d847abfe59bd2311a1cf78968/bip-0077.mediawiki#request-expiration--original-psbt

Note that in all of these specifications of payjoin UTXO probing is
not costless since the sender must send a fully signed transaction in
order to learn such a UTXO, and this transaction although not
confirmed still imposes a fee cost on the sender if broadcast (even if
it is replaced). The trust assumption you point out has been described
throughout these protocols' evolution, and attempts to minimize that
trust to the extent possible have been made in that the leaks are
bounded by correctly implemented receivers, and a cost is imposed on
the attacker.
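
The BIP 79 rule quoted in the message above (same sender inputs, same contributed inputs), as an added sketch that is not part of the original message or of any payjoin implementation. The class names, the HMAC-keyed selection and the placeholder outpoints are assumptions made for illustration; it compares how many receiver coins a series of requests reveals with and without the rule.

```python
import hashlib
import hmac


class NaiveReceiver:
    """Weak behaviour: contributes a different coin on every request."""
    def __init__(self, utxos):
        self.utxos, self.n = list(utxos), 0

    def contribute(self, sender_outpoints):
        self.n += 1
        return self.utxos[(self.n - 1) % len(self.utxos)]


class StickyReceiver:
    """Hypothetical receiver that remembers its answer per sender outpoint."""
    def __init__(self, secret, utxos):
        self.secret = secret
        self.utxos = list(utxos)   # receiver's spendable outpoints
        self.seen = {}             # sender outpoint -> coin already revealed

    def _pick(self, sender_outpoints):
        # Keyed, deterministic choice: stable for the receiver,
        # not predictable by a sender who lacks the secret.
        msg = "|".join(sorted(sender_outpoints)).encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return self.utxos[int.from_bytes(digest[:8], "big") % len(self.utxos)]

    def contribute(self, sender_outpoints):
        # Reuse an earlier answer if any of these sender inputs was seen
        # before and that coin is still unspent; otherwise pick once.
        prior = [self.seen[o] for o in sorted(sender_outpoints) if o in self.seen]
        if prior and prior[0] in self.utxos:
            choice = prior[0]
        else:
            choice = self._pick(sender_outpoints)
        for o in sender_outpoints:
            self.seen[o] = choice
        return choice


def revealed(receiver, requests):
    """Receiver coins disclosed across a series of original-transaction requests."""
    return {receiver.contribute(r["inputs"]) for r in requests}


# Constructed sample data: placeholder outpoints, not real transactions.
WALLET = [f"rcv{i}:0" for i in range(5)]
# Twenty variations of one transaction: same sender input, different amounts.
PROBES = [{"inputs": ["snd0:1"], "amount_sat": 10_000 + i} for i in range(20)]
```

With the sticky receiver, learning a further coin requires a request funded by a sender input the receiver has not seen, each of which must be a fully signed transaction the receiver can broadcast.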