On Wed, Jun 15, 2016 at 7:00 AM, Pieter Wuille via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

> Indeed, and you can go even further. When there are multiple "sending"
> outputs, pick one at random, and mimic it for the change output. This means
> that if you have a P2PKH and 3 P2SH sends, you'll have 25% chance for a
> P2PKH change output, and 75% chance for a P2SH output.

This isn't quite perfect because if there is only 1 P2PKH output and you know the person is using the above algorithm then you know the P2PKH output isn't the change. I don't know what the perfect method is. My guess is that it is to let p be the probability that a P2PKH output is produced over the entire network and to pick P2PKH for your change output with probability p (and similarly for other output types).

On Wed, Jun 15, 2016 at 7:00 AM, Pieter Wuille via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

> On Jun 15, 2016 12:53, "Daniel Weigl via bitcoin-dev" <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >
> > That would be a big privacy leak, imo. As soon as both outputs are spent, it's visible
> > which one was the P2WPKH-in-P2SH and which one the pure P2WPKH and as a consequence
> > you leak which output was the change and which one the actual sent output
> >
> > So, I'd suggest to even make it a requirement for "normal" send-to-single-address transactions
> > to always use the same output type for the change output (if the wallet is able to recognize it)
>
> Indeed, and you can go even further. When there are multiple "sending"
> outputs, pick one at random, and mimic it for the change output. This means
> that if you have a P2PKH and 3 P2SH sends, you'll have 25% chance for a
> P2PKH change output, and 75% chance for a P2SH output.
>
> You can go even further of course, if you want privacy that remains after
> those sends get spent. In that case, you also need to match the template of
> the redeemscript/witnessscript. For example, if the send you are mimicking
> is a 2-of-3, the change output should also use 2-of-3.
>
> --
> Pieter
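
An added example, not part of either message: what an observer who knows the wallet's rule can infer about the change output, for the mimic rule from the quoted message and for the network-frequency rule guessed in the reply. It assumes each send's type is an independent draw from a network-wide distribution `q`; the function names, the `q` values and the two transactions are constructed for illustration.

```python
import math
import random
from collections import Counter

def mimic_change_type(send_types, rng=random):
    """Rule from the quoted message: copy the type of one randomly chosen send."""
    return rng.choice(send_types)

def network_change_type(q, rng=random):
    """Rule guessed in the reply: draw the change type from network-wide frequencies q."""
    types = sorted(q)
    return rng.choices(types, weights=[q[t] for t in types])[0]

def change_posterior(outputs, scheme, q):
    """Observer's P(output i is the change | output types), uniform prior over i.

    Assumption: every send's type is an independent draw from q.
    """
    weights = []
    for i, t in enumerate(outputs):
        sends = outputs[:i] + outputs[i + 1:]        # hypothesis: output i is the change
        p_sends = math.prod(q[s] for s in sends)     # chance of seeing these send types
        if scheme == "mimic":
            p_change = Counter(sends)[t] / len(sends)  # 0 if no send has type t
        else:                                          # "network"
            p_change = q[t]
        weights.append(p_sends * p_change)
    total = sum(weights)
    return [w / total for w in weights]

# Constructed inputs: Q is an assumed network-wide mix, not measured data.
Q = {"P2PKH": 0.5, "P2SH": 0.5}
TX_UNIQUE = ["P2PKH", "P2SH", "P2SH", "P2SH", "P2SH"]  # 1 P2PKH + 3 P2SH sends, P2SH change
TX_PAIR = ["P2PKH", "P2PKH", "P2SH", "P2SH", "P2SH"]   # same sends, P2PKH change

if __name__ == "__main__":
    for tx in (TX_UNIQUE, TX_PAIR):
        for scheme in ("mimic", "network"):
            print(scheme, tx, [round(p, 3) for p in change_posterior(tx, scheme, Q)])
```

Under the mimic rule the lone P2PKH output in `TX_UNIQUE` gets probability 0 of being the change; under the network-frequency rule, and within this assumed model, every output stays equally likely.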