Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction by Arvind Narayanan & Joseph Bonneau & Edward Felten & Andrew Miller & Steven Goldfeder

Author:Arvind Narayanan & Joseph Bonneau & Edward Felten & Andrew Miller & Steven Goldfeder
Language: eng
Format: mobi
Publisher: Princeton University Press
Published: 2016-07-18T22:00:00+00:00

FIGURE 6.3. Change address. To pay for the teapot, Alice has to create a transaction with one output that goes to the merchant and another output that sends change back to herself.

Going back to our example, suppose the price of the teapot has gone up from 8 BTC to 8.5 BTC. Alice can no longer find a set of unspent outputs that she can combine to produce the exact change needed for the teapot. Instead, she exploits the fact that transactions can have multiple outputs, as shown in Figure 6.3. One of the outputs is the store’s payment address and the other is a “change” address owned by Alice.

Now consider this transaction from the viewpoint of an adversary. They can deduce that the two input addresses belong to the same user. They might further suspect that one of the output addresses also belongs to that same user, but they have no way to determine which one that is. Just because the 0.5 output is smaller doesn’t mean that it’s the change address. Alice might have 10,000 BTC sitting in a transaction, and she might spend 8.5 BTC on the teapot and send the remaining 9,991.5 BTC back to herself. In that scenario, the bigger output is in fact the change address.

A somewhat better guess is that if the teapot had cost only 0.5 BTC, then Alice wouldn’t have had to create a transaction with two different inputs, since either the 3 BTC or the 6 BTC input would have been sufficient by itself. But the effectiveness of this type of heuristic depends entirely on the implementation details of commonly used wallet software. There’s nothing preventing wallets (or users) from combining transactions even when not strictly necessary.

Idioms of Use

Implementation details of this sort are called idioms of use. In 2013, a group of researchers led by Sarah Meiklejohn found an idiom of use that was true for most wallet software and led to a powerful heuristic for identifying change addresses. Specifically, they found that wallets typically generate a fresh address when a change address is required. Because of this idiom of use, change addresses are generally addresses that have never before appeared in the block chain. In contrast, nonchange outputs are often not new addresses and may have appeared previously in the block chain. An adversary can use this knowledge to distinguish change addresses and link them with the input addresses.

Exploiting idioms of use can be error prone. The fact that change addresses are fresh addresses just happens to be a feature of wallet software. It was true in 2013 when the researchers tested it. Maybe it’s still true, but maybe it’s not. Users may choose to override this default behavior. Most importantly, a user who is aware of this technique can easily evade it. Even in 2013, the researchers found that it produced many false positives, in which the technique clustered together addresses that didn’t actually belong to the same entity. They reported that the method needed significant manual oversight and intervention to prune these false positives.

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.