Dark wallet : How to send change when spending a dark coin ?

[Nicolas Dorier]

For the following usecase DarkBob wants to send money to DarkAlice (both have a StealthAddress):

• DarkBob have a coin of 1 BTC
• DarkBob wants to send 0.7 BTC to DarkAlice

My question is : where does DarkBob sends back the change (0.3 BTC) without leaking his privacy ?

He can't use a Stealth Payment, to its StealthAddress, because he already use the OP_RETURN for sending money to DarkAlice.
He can't use a non Stealth Address, since this address will probably be tracked to correlate all payments using it.

The only solution I see, is having in HD wallet, just for change addresses. And whenever money is sent on such address, immediately funds are sent back to DarkBob.
But this is cumbersome and weak to malleability since it needs a chain of 2 transaction.

Am I missing something ?

[laurentmt]

Stealth addresses are only one part of the "privacy pack", helping to protect privacy of the payee (ability to get a public address without address reuse).

On the other hand, privacy of the payer is protected by no address reuse (but most wallets already manage a new address for every change) and by Coinjoin transactions which decrease linkability between inputs and outputs of the tx.

Seems to me that one-time change address can be generated randomly or in HD fashion without requiring an additional tx but I don't know which path was selected by DW.

[inBitweTrust]

Additionally, coinjoin and soon to be implemented coin shuffle protect the buyer.

[caedes]

change can be sent using stealth too, there is no limitation about number of OP_RETURN, each one is working on the output next to it.

[Nicolas Dorier]

change can be sent using stealth too, there is no limitation about number of OP_RETURN, each one is working on the output next to it.

Actually, there is. I know the Stealth spec accept multiple OP_RETURN, but Bitcoin nodes will not accept it.

[TimonPeng]

I think that should be similar to the blockchain.info Shared Coin function.
https://i.imgur.com/3N48Mof.png

[dabura667]

Man, I don't even know where to start...

You must have an image of Stealth Addresses that are waaaaay more complicated than they actually are.

Let's break it down:

1. Normal Addresses:
How do you maintain privacy?
Not showing publicly and only sending it to people who need to pay you. Not reusing addresses, etc.

2. Stealth Addresses:
How do you maintain privacy?
As far as addresses are concerned, Stealth is as anonymous as a static address can get.. You can post it online and no one can search your balance on a block explorer... PLUS every time someone sends bitcoin to it, a BRAND NEW address (begins with a "1" or "3") is generated.

HOWEVER! 1 and 2 have one thing in common:
Anyone who sends bitcoin to a single use normal address, AND anyone who sends bitcoin to a stealth address can still FOLLOW THEIR COINS FOR AS LONG AS YOU USE THEM.

So if StealthBoB accepted 10 payments for varying amounts to his stealth. No one on bitcointalk can look up his balance from the Stealth Address in his signature, BUT if one of them sends 60 bits to the stealth address, AND Stealth Bob uses it in a transaction along with the other 10 payments received, that person can now see "ok, the transaction signing for my 60 bits I sent (which I know is Bob) also signed for the other 10 inputs for over 10 BTC!!! Bob must have 10 BTC!!!"


This is why Dark Wallet implements CoinJoin. If everyone jumbles their inputs together into lump transactions, that weakness is no longer present (as the assumption that could be made before about ownership of the inputs can no longer be made) and privacy on the address front and on the transaction front is maintained.


Now that you know what a Stealth Address achieves (forces new addresses for each transaction AND prevents anyone who hasn't sent money to it from seeing any of its transactions) it's easy to see how change should be handled.

Just use change addresses like a normal HD wallet. No need to "chain 2 transactions together"... No one is fooled.

If you pay someone and they see you signed a 100BTC input, then sent them 2 BTC... and then sent the 98 BTC change to another stealth address... it would just generate a normal address (beginning with "1") and send it there... Whereas a change address is a one time use address anyways (you don't give out your change address, so it is in effect the same security-wise as an address generated from a Stealth Address.) so you can just generate a new change address and send the change there.


In the end, If there's only 1 input, no matter what you do with the change, ANYONE who knows ANYTHING about bitcoin will assume whatever isn't going to them is going back to the sender.



This brings up a new topic: keeping your inputs in varying amounts and low amounts... THIS is also a big part of privacy.



Also, Using Dark Wallet doesn't turn your bitcoins into darkcoins, btw. "Darkcoin" is a completely separate cryptocurrency from bitcoin, and you must purchase those independantly.

[Nicolas Dorier]

Thanks dabura,

I'm interested to that, since I implemented TransactionBuilder, and wanted a good way to send change without complexity.

If you pay someone and they see you signed a 100BTC input, then sent them 2 BTC... and then sent the 98 BTC change to another stealth address...

The problem is if this someone is a stealth address, then the OP_RETURN is already taken, preventing you to send back the 98 BTC to another stealth address. (except if you store the StealthMetadata relating to the change inside a database instead of inside the OP_RETURN)

So the easiest after all is either to generate the change with an HD key. Or generate an address with the StealthAddress (+ ephem key) and storing the StealthMetadata out of the transaction.
Which one is used in DW ?

Also, Using Dark Wallet doesn't turn your bitcoins into darkcoins, btw. "Darkcoin" is a completely separate cryptocurrency from bitcoin, and you must purchase those independantly.

I don't think I talked about DarkCoin, if that's the case, it was a mistake.
I'm well aware how Stealth Transaction are constructed and scanned since I implemented that on NBitcoin and the TransactionBuilder. But was puzzled about the change.

By the way, it motivated me to implement CoinJoin in NBitcoin. I'll think about that !

[dabura667]

So the easiest after all is either to generate the change with an HD key. Or generate an address with the StealthAddress (+ ephem key) and storing the StealthMetadata out of the transaction.
Which one is used in DW ?

Dark Wallet doesn't use Stealth Addresses for change.

There is 0 benefit to using Stealth Address for change.

So if I send a 5 BTC input in Dark Wallet to a Stealth Address for 1 BTC... the 4 BTC change will just go to the next change address on my HD wallet change chain. No Stealth.