Author: Pieter Wuille 2016-06-15 11:00:42
Published on: 2016-06-15T11:00:42+00:00
In a discussion on the bitcoin-dev mailing list, a user expressed concern about the privacy implications of using different output types for change outputs in transactions. The concern is that if both outputs are spent, it becomes visible which one was the P2WPKH-in-P2SH and which one was the pure P2WPKH, and this would lead to leaking information about which output was the change and which one was the actual sent output. As a solution, it was suggested to make it a requirement for "normal" send-to-single-address transactions to always use the same output type for the change output. To enhance privacy further, it was suggested that when there are multiple "sending" outputs, one should pick one at random and mimic it for the change output. This means that if you have a P2PKH and 3 P2SH sends, you'll have a 25% chance for a P2PKH change output and a 75% chance for a P2SH output. To maintain privacy even after these sends get spent, it is recommended to match the template of the redeemscript/witnessscript as well. For example, if the send being mimicked is a 2-of-3, the change output should also use 2-of-3.
Updated on: 2023-05-19T23:31:21.832959+00:00