[wallet] Shuffle transaction inputs before signing #12699
Conversation
instagibbs
changed the title
|
Concept ACK - haven't reviewed yet but this looks like a lot of changes for just an additional input shuffle step? |
|
Ok, I can make this smaller. A bit annoying due to inner-loop behavior, but I'll see what I can do. |
|
Maybe just use the same ordering as BIP-69? |
|
@Sjors I'd prefer to something slightly less bad now, and converge on a standard later. I have some quibbles with BIP69, which I think are out of scope for this thread. |
|
TIL the Core wallet doesn't use BIP-69 (which is a separate discussion), so that does weaken the case for using it here. (and TIL coin selection function also determines the order, not just the set) See also #12457 |
instagibbs
force-pushed
the
shuffleinputs
branch
from
263389f to
8712bbd
Compare
|
Smaller changeset now, had to move the final input creation further output to avoid storing shuffle ordering. |
|
Turns out that we're ~this far away(in master) from having the input part compliant with BIP69:
The inputs are being sorted by BE rather than LE as per the BIP. We also currently aren't really shuffling outputs randomly(except the case of 2 outputs, 1 destination and 1 change. This is fixed by a single shuffle line. BIP69 compliance would be another comparison struct. I still prefer this changeset for the time being, due to ease of implementation and complementary nature with #12709 |
|
BIP 69 contradicts SIGHASH_SINGLE usage, and its concerns seem unrealistic (if you use malicious closed source wallet software, you're already compromised regardless). Randomising seems fine. |
|
utACK 8712bbd |
instagibbs
force-pushed
the
shuffleinputs
branch
from
8712bbd to
2fb9c1e
Compare
|
rebased onto #12742 to avoid code churn |
|
utACK 2fb9c1e |
|
If you want to remove the erroneous diff from the GitHub web view: EDITOR=true git commit --allow-empty -m empty && git push [email protected]:instagibbs/bitcoin.git shuffleinputs && git reset --hard 2fb9c1e && git push [email protected]:instagibbs/bitcoin.git shuffleinputs -f |
instagibbs
force-pushed
the
shuffleinputs
branch
from
f652665 to
2fb9c1e
Compare
|
utACK 2fb9c1e |
6acb02d add release note for sendmany output shuffling (Gregory Sanders) cf6ef3c shuffle sendmany recipients ordering to shuffle tx outputs (Gregory Sanders) Pull request description: Unless there is something important I'm missing, we're just possible leaking information by preserving whatever ordering json object ordering is giving us (no guarantees at all). This is unneeded for `sendtoaddress` since there is only 1 or 2 outputs, and the change output is shuffled in. This will not effect `*raw` behavior by design, since users generally want full control using those apis. Further PRs could add optional args to over-ride that behavior. Alternative ideas would be to sort the outputs by some deterministic ordering. (this would require more refactoring since change outputs are created and handled by caller) related: #12699 Tree-SHA512: afdd990dde6a4a9e7eef7bb2e3342a46d11900d7fe6e6e4eb0cc6b5deed89df989fa7931a4bdcbf49b7c2d7a13c90169af3a166466e5760948bacabe3490f572
|
utACK 2fb9c1e, looks good.
At least the test framework doesn't rely on the order. |
|
PR title seems outdated now (the shuffle happens after |
instagibbs
changed the title
|
updated title |
|
utACK 2fb9c1e |
2fb9c1e shuffle selected coins before transaction finalization (Gregory Sanders) Pull request description: Currently inputs are ordered based on COutPoint ordering, which while doesn't leak additional internal wallet state, likely further fingerprints the wallet as a Core wallet to observers. Note: This slightly changed behavior of `fundrawtransaction` in that the newly-appended inputs will now be shuffled rather than in outpoint-order. This does not break API compatibility. Simple shuffling of the coins being returned will hopefully allow the wallet to blend in a bit more, in lieu of additional data to find what other wallets are doing, or another standard, ala @gmaxwell's suggested of ordering via scriptPubKey. Tree-SHA512: 70689a6eccf9fa7fc6e3d884f2eba4b482446a1e6128beff7a98f446d0c60f7966c5a6c55e9b0b3d73a9b539ce54889a26c7efe78ab7f34af386d5e4f3fa6df2
Summary: 6acb02d add release note for sendmany output shuffling (Gregory Sanders) cf6ef3c shuffle sendmany recipients ordering to shuffle tx outputs (Gregory Sanders) Pull request description: Unless there is something important I'm missing, we're just possible leaking information by preserving whatever ordering json object ordering is giving us (no guarantees at all). This is unneeded for `sendtoaddress` since there is only 1 or 2 outputs, and the change output is shuffled in. This will not effect `*raw` behavior by design, since users generally want full control using those apis. Further PRs could add optional args to over-ride that behavior. Alternative ideas would be to sort the outputs by some deterministic ordering. (this would require more refactoring since change outputs are created and handled by caller) related: bitcoin/bitcoin#12699 Tree-SHA512: afdd990dde6a4a9e7eef7bb2e3342a46d11900d7fe6e6e4eb0cc6b5deed89df989fa7931a4bdcbf49b7c2d7a13c90169af3a166466e5760948bacabe3490f572 Backport of Core PR12709 bitcoin/bitcoin#12709 Test Plan: make check test_runner.py Reviewers: deadalnix, Fabien, jasonbcox, O1 Bitcoin ABC, #bitcoin_abc Reviewed By: deadalnix, O1 Bitcoin ABC, #bitcoin_abc Differential Revision: https://reviews.bitcoinabc.org/D3897
10 participants
Currently inputs are ordered based on COutPoint ordering, which while doesn't leak additional internal wallet state, likely further fingerprints the wallet as a Core wallet to observers.
Note: This slightly changed behavior of
fundrawtransactionin that the newly-appended inputs will now be shuffled rather than in outpoint-order. This does not break API compatibility.Simple shuffling of the coins being returned will hopefully allow the wallet to blend in a bit more, in lieu of additional data to find what other wallets are doing, or another standard, ala @gmaxwell's suggested of ordering via scriptPubKey.