Historical question: When did Bitcoin client software implement privacy features

[nimuh]

I assume that at some point Bitcoin client software (the major one being bitcoin/bitcoin-qt/Bitcoin Core) implemented measures to generate intermediate public keys in order to increase user privacy. Is that true?

Looking at https://letstalkbitcoin.com/blog/post/the-state-of-the-blockchain-addresses (Paragraph "Throwaway Intermediate Zero Balance Public Keys") we see that over the lifetime of the Blockchain, the proportion of intermediate throwaway addresses has increased significantly over time. And I assume one reason is changed code in client software that encourages the use of new public keys  

I browsed through all public changelogs and could not find any annoucements over such implementations. Does anyone know what historic events/releases have increased the proportion of new intermediate keys over time? Please correct me if I am totally on the wrong path here . Thanks!

[1714016152]

1714016152

[1714016152]

1714016152

[1714016152]

1714016152

[1714016152]

1714016152

[1714016152]

1714016152

[1714016152]

1714016152

[SebastianJu]

I cant tell when when it was implemented but i doubt that it brings anonymity at all. I mean if you see a transaction coming from one address going to two other addresses while clearing the sending address with it. What would you think. One of the target addresses is owned by the sending user most probably. So its a pretty good guess if you can identify the other address as connected to an exchange or so.

Even worse, the change addresses collect the coins and mostly users dont care about that sending coins out of them, is connecting different change addresses. So its possible to further say what addresses belong to that user.

The only solution to real anonymity is not to connect your addresses by sending from more than one address at a time. If an exchange or service has a fixed addresss, which unfortunately happens quite often, then you can reveal your own addresses too if you send to the same address from different addresses you own.

So anonymity isnt really helped by change addresses in my opinion. It might even get worse if you dont have full control about sending addresses.

[gmaxwell]

Bitcoin has implemented the single use addresses since the very first version. Actually in the earliest versions is was impossible to reuse addresses  due how the software worked.

Non-reuse of addresses is fundamental to the Bitcoin privacy model as is covered in the Bitcoin whitepaper.  A basic level of privacy is an essential feature of a money like system, few would chose to use a money which made their suppliers and costs open to their customers, their balance open to thieves, and their customer lists and volumes open to competition. The open public ledger needed to prevent double spending is difficult to reconcile with the basic need for privacy, but it can be with pseudonymous identities.

Unfortunately, most implementers of wallet software outside of Bitcoin core and most users of bitcoin are seemingly unaware of this; and many users are basically forced into reusing their identifiers, but this is not something that the reference implementation has ever done.

The page you're citing seems to be misleading you about the history and simply mistaking the low traffic of yesteryear relative to today for a lack of activity. The whole description of "zero balance" is at odds with how the Bitcoin system works at a technical level. (Bitcoin does not have a model of account balances in its design).

[Cryddit]

The way the wallet selects coins to spend completely disregards which previous tx those coins originated in, so generally it winds up 'connecting' as many different previous transactions as the number of txOuts it uses to make a payment.  Recursion, rinse, repeat, and on a practical level anybody can build a record of all the transactions made by any particular wallet.

A more privacy-conscious wallet would take care not to use txOuts originating in more than one previous tx, and to use *ALL* the txOuts originating in that previous tx as inputs regardless of the amount owed, insofar as possible.  It would set a minimum amount corresponding to a smallest payment you ever expect to make, below which it would simply give change to the miner as a "fee" rather than getting it back in the wallet where it would eventually be spent along with a txOut from a different transaction.

In response to your question; privacy features aren't meaningfully implemented in Bitcoin yet. 

[gmaxwell]

The way the wallet selects coins to spend completely disregards which previous tx those coins originated in,

That code was written at a time when it wasn't even possible through the user interface to end up with multiple payments to the same scriptpubkey. In the case where you're not reusing addresses existing code is the same as the linkage avoiding code.

Careful with your assumptions about linking, it's estimated that coinjoining is now fairly common, and it totally scrambles the results from that assumption.

[SebastianJu]

Is there a wallet with automatically mixing coins in order to not connect your own addresses in your wallet? Its a bit offtopic but seeing gmaxwell writing here...

At the moment i do it manually through exchanges. Though thats time intensive. And the way mixers try to create anonymity is often stupid and expensive.

It would help if every bitcoin website would have the option to get a new bitcoin address but thats not the case unfortunately.

[Cryddit]

The way the wallet selects coins to spend completely disregards which previous tx those coins originated in,

That code was written at a time when it wasn't even possible through the user interface to end up with multiple payments to the same scriptpubkey. In the case where you're not reusing addresses existing code is the same as the linkage avoiding code.

I don't think that it is.  A transaction is an event that consumes inputs and creates outputs.  Those outputs later become inputs in another transaction.

Someone analyzing the block chain can see which TxOuts are being used as inputs in any transaction, which means knowing what transactions those TxOuts were created by.

When I make a transaction buying a peacoat from overstock.com, using both the change I got from buying alpaca socks a couple years ago and the change I got from a tx buying coffee that I paid for out of my paycheck - then someone looking at the block chain can see a transaction that links the transaction that purchased the alpaca socks and the coffee purchase to the peacoat buy.   If they go another level out, they'll see the paycheck - which is one output of a lot of similar-sized outputs all originating in the same place, so they can tell it's a paycheck - and they can see the coffee house, where all these similar-sized inputs from people buying coffee get aggregated and used for business-purchase sized items (and more paychecks).  So they can probably use that peacoat purchase to associate that ancient purchase of Alpaca socks to my current paycheck and coffee purchase, if they want to.

[SebastianJu]

The way the wallet selects coins to spend completely disregards which previous tx those coins originated in,

That code was written at a time when it wasn't even possible through the user interface to end up with multiple payments to the same scriptpubkey. In the case where you're not reusing addresses existing code is the same as the linkage avoiding code.

I don't think that it is.  A transaction is an event that consumes inputs and creates outputs.  Those outputs later become inputs in another transaction.

Someone analyzing the block chain can see which TxOuts are being used as inputs in any transaction, which means knowing what transactions those TxOuts were created by.

When I make a transaction buying a peacoat from overstock.com, using both the change I got from buying alpaca socks a couple years ago and the change I got from a tx buying coffee that I paid for out of my paycheck - then someone looking at the block chain can see a transaction that links the transaction that purchased the alpaca socks and the coffee purchase to the peacoat buy.   If they go another level out, they'll see the paycheck - which is one output of a lot of similar-sized outputs all originating in the same place, so they can tell it's a paycheck - and they can see the coffee house, where all these similar-sized inputs from people buying coffee get aggregated and used for business-purchase sized items (and more paychecks).  So they can probably use that peacoat purchase to associate that ancient purchase of Alpaca socks to my current paycheck and coffee purchase, if they want to.

Exactly... thats what most bitcoin users dont think about. I really would like to have real anonymity and not a bunch of addresses that can be connected pretty easy for the normal bitcoin user.

But then... Satoshi Nakamoto is the NSA anyway...  Its not a bug, its a feature.

[gmaxwell]

I don't think that it is.  A transaction is an event that consumes inputs and creates outputs.  Those outputs later become inputs in another transaction.

You've moved the goal-post there.    The change outputs are _always_ to new addresses, they're in random order,  that someone might guess that they were associated is true... but not something that selection policy can do much about.

[Cryddit]

You've moved the goal-post there.    The change outputs are _always_ to new addresses, they're in random order,  that someone might guess that they were associated is true... but not something that selection policy can do much about.

Well, that's where I thought the goal posts were.

Anyway, the coin selection policy *could* refrain from associating more than one past transaction with the current transaction whenever possible.  It'll always associate at least one past tx with any tx its making because those txIns have to come from somewhere.  But assuming that any past tx created txOuts equal to the current need, it can avoid linking *more* than one.  And if at some point the user bites the bullet and sends change too small to make another purchase with to a miner instead of letting the wallet aggregate it into a tx that links more than one past tx, that user would have multiple, separate, linked chains of transactions that never cross-linked with each other.   Which isn't real privacy, but it's a heck of a lot better than the current wallet does.