
I was revising for my upcoming exam and came across this slide, which I don't completely understand as I find it a bit confusing. Can someone please explain what the lecturer was trying to point out?

I'm still new to the whole topic and I appreciate your clear explanations.

Edit: Thank you all for your answers! They really helped me to understand the slide and Bitcoin transactions in general. I really appreciate it!

Multi Input Transaction Heuristic

Goel77

3 Answers


It says that if two "coins" are spent in one transaction, they probably belonged to the same person, or organisation.


If that isn't clear maybe it will help to review a little of what is what in Bitcoin.

In Bitcoin, the nearest thing to a coin is an unspent transaction output (UTXO). This is an output from a prior transaction that can be used by the recipient as an input to a subsequent transaction, thus spending it.

Every transaction output, including the unspent ones (UTXOs), has a Bitcoin locking script associated with it. The address is an abstraction of that script. It is used by a payee to tell a payer how to construct a payment to them - how to create a suitable locking script in a transaction output section, one that the payee can subsequently spend as a payer.

So two addresses, when each is associated with two inputs to a transaction, can be inferred to be likely to be under the control of one person.

Of course, people deliberately use "mixers" to prevent this heuristic from being effective. Nowadays, people only ever use any address once, also to reduce this kind of intrusion into their financial privacy.

RedGrittyBrick

In Bitcoin, all transactions are public information. While the reason for transacting and the identities of the transacting parties remain private, the public information in the transaction graph can be used to infer clusters of addresses and transactions created by the same entity. Once such a cluster is discovered, a surveillant may be able to link either the entity directly or one of the counterparties to a real-world identity to learn even more about them.

One of the heuristics used to discover clusters is the common-input-ownership heuristic described on this slide. The base assumption is that all UTXOs spent in a single transaction were owned by the same party. The common-input-ownership heuristic may be broken when multiple users contribute inputs to a transaction in a CoinJoin transaction, which may confuse a surveillant into falsely categorizing two distinct wallets as owned by one entity. However, a naïve CoinJoin transaction may still only permit a single interpretation of the subtransactions if subsets of inputs and outputs form up to matching amounts.

Combined with other data points from heuristics for change detection, wallet fingerprints, and graph heuristics like taint analysis, a sufficiently motivated surveillant will be able to clearly delineate many wallets’ activities from each other.

Murch
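As an added illustration of the common-input-ownership heuristic from the answers above (example code, not part of the original answers): a union-find clustering over constructed sample transactions, including a constructed CoinJoin that shows how two unrelated wallets get falsely merged unless the analyst recognises and skips it.

```python
from collections import defaultdict

# Constructed sample transactions (not real chain data): each lists the
# addresses whose UTXOs it spends.  "cj" marks a constructed CoinJoin in
# which two unrelated wallets (the A* and D* addresses) co-sign one transaction.
TXS = [
    {"id": "tx1", "inputs": ["A1", "A2"]},
    {"id": "tx2", "inputs": ["A2", "A3"]},   # A2 reused, chaining A3 into the cluster
    {"id": "tx3", "inputs": ["D1", "D2"]},
    {"id": "tx4", "inputs": ["E1"]},         # single input: nothing to link
    {"id": "cj",  "inputs": ["A3", "D2"], "coinjoin": True},
]

class UnionFind:
    # Disjoint-set structure: addresses spent together end up in one set.
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def cluster_by_common_input(txs, skip_coinjoin=False):
    """Map each input address to its cluster under the common-input-ownership
    heuristic; with skip_coinjoin=True, flagged CoinJoins are not used as evidence."""
    uf = UnionFind()
    for tx in txs:
        if skip_coinjoin and tx.get("coinjoin"):
            continue
        addrs = tx["inputs"]
        for a in addrs:
            uf.union(addrs[0], a)   # every input joins the first input's set
    groups = defaultdict(set)
    for a in uf.parent:
        groups[uf.find(a)].add(a)
    return {a: frozenset(g) for g in groups.values() for a in g}

def clusters(txs, skip_coinjoin=False):
    return set(cluster_by_common_input(txs, skip_coinjoin).values())

if __name__ == "__main__":
    print("naive:", clusters(TXS))              # A* and D* falsely merged via "cj"
    print("skip CoinJoin:", clusters(TXS, True))
```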

The graph claims that the coins "probably" belong to the same entity; however, I think what it means to say is that the coins are not shared by more than one person. Many bitcoin transactions send coins from one address to another. That being said, it is a misconception that this implies that every address is only ONE PERSON/ENTITY. We can have multi-signature addresses that require the valid signature of 2/3 parties in order to spend the coins that belong to that address. This means that while the coins are coming from one address, it is not assumable that it is coming from one person or entity. This is accomplished because each PERSON/ENTITY has a different PRIVATE KEY; because only the SIGNER knows this key, ONLY the signer(s) can disclose the state of how many entities or people are behind the transaction in a provable way. We also have Schnorr signatures, which allow a very large party of signers to commit to a single transaction, making it look like one large signature that can verify every single input being spent in that transaction. One cryptocurrency called grin even uses this form of signature in each transaction of every block to obfuscate the transaction path for outside users of the chain. On grin's chain only transaction participants have access to the metadata from the transactions they participate in and nothing else. This proves that you cannot assume that the heuristic will hold up forever, even if the current Bitcoin privacy model is not utilizing it. It holds up under the assumption that the users are not participating in any privacy preserving signature schemes.

Poseidon
  • You're talking about multiple participants to a single UTXO, which is orthogonal to OP's question (which is about multiple UTXOs belonging to the same person). It's also incorrect that every transaction sends from one address to another (not every UTXO has an address, and transactions can have multiple inputs and multiple outputs). – Pieter Wuille Jan 20 '23 at 18:11
  • I think what I meant to say was that in the case in which a UTXO (or group of UTXOs) belongs to one address, it is not assumable that this is one person. I absolutely didn't mean my response to assert that each transaction only has one input or output; this is hopefully already obvious to people studying the UTXO model. I think the confusion is that the term entity can be interpreted to mean an owner when it is very possible for the spending of two inputs to come from multiple key owners. Is it not true that multiple key owning 'entities' could sign a transaction to send multiple inputs? – Poseidon Jan 20 '23 at 18:19
  • Yes, you're right that when multiple UTXOs are assigned to the same address, you can't assume that that is one person. That is however unrelated to what OP is asking about (it's not about addresses, but about UTXOs spent by the same transaction - including ones that don't have the same address), so I think this answer is more confusing than enlightening. – Pieter Wuille Jan 20 '23 at 18:55
  • I am willing to accept if this is the case, but the diagram says that the `addresses` b1 and b2 will probably belong to the same entity and the tags talk about `tracking`. UTXOs spent by the same transaction are not the same as addresses being owned by the same entity. It is also not a very foolproof method of tracking ownership due to the reasons I listed. – Poseidon Jan 20 '23 at 19:00
  • If multiple people control a UTXO together, this quorum is still a single entity that may operate a wallet whose UTXOs got spent together in one transaction, thus fulfilling the assumptions of the common-input-ownership heuristic. – Murch Jan 20 '23 at 19:16
  • Ok, but `common-input-ownership heuristic` and `Multi input transaction heuristic` are different concepts, and the idea that a quorum can be a 'single' entity is extremely questionable to me. A quorum is by definition a group of entities, plural. – Poseidon Jan 20 '23 at 19:20
  • I don't understand your interjection. If this quorum has a wallet for a specific purpose together per which they collect and spend funds for that purpose, then identifying and delineating that wallet makes sense and is useful to an observer. E.g. Bitstamp's wallets are multisig, does it now no longer make sense to recognize their activity as belonging together? – Murch Jan 21 '23 at 14:25
  • I guess my point is that it is only as useful as the assumptions made by the person tracing the funds. I was intending to point out that these multi-sigs are a case in which the number of involved parties could be obfuscated. For example, a coin-join: sure, you can recognize these as belonging together, but the privacy mixing will cause the data you get out of it to make tracing difficult nevertheless. – Poseidon Jan 21 '23 at 14:49