Topic: Accepting Bitcoin donation anonymously (Read 646 times)

What I meant was simply that the public key hash and its verification using OP_EQUALVERIFY will be the same, however the signature verification using OP_CHECKSIG differs.

I wouldn't say it is OP_CHECKSIG which makes them different. The OP_CHECKSIG opcode is identical in every signature it appears in - simply an 0xac byte. What is different is the actual signatures themselves. Your client should obviously be using a different R value for each input, and since you are signing different messages you will always have a different S value. Even if you reused the R value (which would put all the coins on that address at risk of theft!), you will still have different S values and therefore require a separate signature for each input.

Yeah, I think I got a bit confused myself while I was typing the question!
If I understood, the OP is asking about the receivers of the donations, opposing to what I understood in the first place, from the thread title.
My question, without introducing any of my thoughts to keep it simple, is how receiving for instance, 10 different donations in 10 different addresses, keeps you in anonymity or how it protects your privacy... If I totally agree with the answer, then great, I got it, if not, I'll keep asking further questions until I get it.

It is only partly true, because you can use some tricks to make it the same, for example: "300602010102010103 OP_SWAP OP_CHECKSIG". In that case, you can create two UTXO's with the same signature. You can also replace SIGHASH_SINGLE with SIGHASH_ALL, in this case it will still be spendable. If (r;s) pair is equal for two different UTXO's, then you can still switch to a different (Q;z) pair and get a valid signature.

Oh bloody hell, right, I'm sorry! My Bitcoin basics got a little rusty, I guess. I was under the assumption that you can spend multiple UTXOs which are spendable with the same private key, using a single spending script.

In the example you gave, both UTXOs have the same output script:

However, the OP_CHECKSIG is what makes the difference.
I think that's due to Script being stack-based and popping the value after using it. Therefore you need to add it 1 more time for every extra OP_CHECKSIG that you want to perform.

The question that comes to mind is: Why do you have to include your public key to scriptSig 10 times if it's from the same address? Isn't 1 enough?

I might be completely misunderstanding your point, but the single input transactions you have linked to are smaller because they only spend a single UTXO, not because the input address has been reused multiple times.

Here is a transaction which spends two UTXOs from the same address. Each input requires it's own signature, since UTXOs are identified by the TXID which created them and the number of outputs in that transaction, and not by whichever address they end up at.

In the first transaction you link - https://mempool.space/tx/dcc7b78d453f122cba89cc0168a5a079f9b0b391b474e76e7d12646abebf8e06 - only one signature is needed because only one UTXO is spent, specifically the 2nd output (0 based numbering) from this transaction: https://mempool.space/tx/add0611d0b7b1d1bcada5c4d4bdb4df425ffbcffbb06a3ae6181496a730e97ff:2

The second example you give - https://mempool.space/tx/7b63b2d05c665c5ae560e57b087947f106d4996ddba0e9511254f48f807a1439 - has again only spent a single UTXO, specifically the 1st one from this transaction: https://mempool.space/tx/55f932c9334e088f1998a6bb3f232013b12753ca3a67280f0a5988a54717cb44:1

In either of the examples you gave, if the owner of those addresses had chosen to spend multiple UTXOs from those addresses, they would still have had to provide a separate signature for each input, despite them all being present on the same address.

If I spend 10 inputs on the same address or 10 inputs spread across 10 different addresses, then all else being equal the transactions will be of identical size.

Really ? You could've asked for help without naming countries. You've felt important typing them. You're doing a website for new clients who need anonymity because their lives are important. They've contacted you for the website you don't know how to make anonymous bitcoin donations ?

What's really this thread about ?

This is indeed correct, I hadn't thought of it. Thanks!

I think we're nearby the obvious here. If you're going to donate to an organization regarding Ukraine you should either way be cautious. I'll give a better example: If you're going to buy drugs, is it the address reuse that will make you give special importance to your privacy protection?

With option A, those who are donating know in advance there is a privacy risk prior to sending their coin. With option B, those who are donating think they will have privacy, and may not take steps to improve their privacy prior to sending the donation.

Option B will also likely result it in taking longer for privacy to be reduced. I would describe this as a negative because it may result in someone letting their guard down.

Of course, I'm aware of that, but funding it twice means both UTXOs are spendable by the same private key. Think of how the spending script / witness of a transaction looks like when spending funds of 2 addresses versus a single address (no matter how many UTXOs).

For instance, in the latest block we can find a single-input transaction:
https://mempool.space/tx/dcc7b78d453f122cba89cc0168a5a079f9b0b391b474e76e7d12646abebf8e06
It has a size of 286 Bytes and a single spending script.

The input address has been funded multiple times, yet only one script is needed.
https://mempool.space/address/17A16QmavnUfCW11DAApiJxp7ARnxN5pGX

Another transaction that has multiple inputs, needs multiple spending scripts:
https://mempool.space/tx/15d3611435cc6125758790d13bd2f636559cfc5cac6f58dd9524b7b75b07d733
Hence its size is ‎591 Bytes and it has three scripts:

These input addresses are SegWit though, so it's not much larger than the other transaction indeed. I pasted the witnesses as well, but only the OP_PUSHBYTES_22 lines are ScriptSigs here, whereas in the other transaction the single ScriptSig is quite a bit larger.

---

Maybe a better single-input transaction is this one, since it is also SegWit:
https://mempool.space/tx/7b63b2d05c665c5ae560e57b087947f106d4996ddba0e9511254f48f807a1439
It's just 250 Bytes compared to the 591 Byte transaction with 3 inputs, which costs over twice as much in fees.

The spending script is just:

With the following witness.

If we inspect the address, we can see that a single small script like this spends the funds of 1 address that has seen over 13,000 transactions.
https://mempool.space/address/3J5ZgXpkCffMoDi1snLMw9bY5GCUxyN8nw
After scrolling a bit, they all look like deposits, so tons of UTXOs. All spent with a single private key, a single signature actually.

If you fund an address twice, you have two UTXOs, not one. As said by ETFbitcoin, Bitcoin isn't balance-based.

Right, that was my impression as well. (you may need to correlate inputs from time to time when doing larger payments, but that won't always be required)

How's that? If you use more inputs, your transaction size increases. In option A, there will always only be a single input, which is the smallest payment transaction that you can build. Well, second, after the script for a payment that has a single output.

There's no downside.

If you use option A, you can spend all the inputs at once, which will reduce the fee by a lot, especially if you used a different transaction for each input. If you use option B, you can choose to either sacrifice your privacy and spend all the inputs at once, or retain it with a higher cost.

Anyhow, option B is better, because it leaves you choose to either do it a la option A or even better privacy-wise.

His dilemma is:

• Option A: always hand out the same address - all payments are correlated by having the same output address, but he can spend the whole amount at once without issue.
• Option B: always give a fresh address - all payments are non-correlatable, but if he needs to spend more than what the largest UTXO allows to spend, he has to use multiple inputs which links them.

I believe Option B will still be better, because you may need to correlate inputs from time to time when doing larger payments, but that won't always be required; when taking Option A, you'll always correlate all incoming payments. Biggest downside of Option B is the associated higher cost of multi-input transactions.

On the other hand, as a business / organization, you don't really have to care, because you're at most breaking the senders' anonymity by breaking the unlinkability of their transactions. Basically, if someone wants privacy, that's going to be 'sender privacy' and they'll have to mix their UTXOs before paying, not after receiving.

Can't you do the same with a non-custodial wallet that supports coin selection? (Such as Electrum)

There's no need to trust a third party app. You only need an HD wallet that derives new addresses each time it's queried.

---

Your text is a little bit confusing. In case I haven't understood it correctly, could you elaborate?

I didn't read all the replies but I have a question about using many different addresses for the purpose of anonymity. So, for instance, if I am an organization that needs funds to work and those funds are coming from Bitcoin and I want to keep the organization anonymity, how one will handle the total amount if I need to spend it all at once, or at least, I need to gather the amount of, let's say, 15 different addresses? Like, can one keep the anonymity using a 3rd party wallet that can handle the amounts in all addresses and create transactions for my needs and still keep the anonymity?

I ask this because when we use web blockchain explorers to check addresses balances, most of them show us an anonymity rate and many times the problem is re-using addresses and another is emptying an address of its total amount. So, my dilema here is if I want to keep anonymity, I have to use a new address for every amount received/sent but to do this I need to trust a 3rd party app or code or service (in case of web sites).

Actually, it is non-custodial indeed. Here's from the FAQ.

Disclaimer for clarity: I have used it only twice a long time ago and I have no affiliation, I just remembered something about it not being custodial / trustless when this topic came up.

I have never used Boltz exchange to be honest, but I have heard of it being mentioned on the forums a few times. I have never seen it mentioned in a negative context while there are many accusations and issues with instant swap platforms like the ones listed previously. That leads to the conclusion they aren't operating in the same way and their claims of being non-custodial aren't true (not talking about Boltz here). If those swap platforms were non-custodial, I should have a chance to withdraw my money if I am not happy with certain terms, but I don't think that's what's happening, and if it was possible, they wouldn't have such a bad reputation and instances of the occasional scam here and there.

Actually, they can be non-custodial, if they use some sort of atomic swap (like a submarine swap for Lightning). In that case, nobody can lock up your funds since you don't 'go first'. Not sure if this exists, though. I believe https://boltz.exchange/ is like this (onion), but it only has Bitcoin, Lightning and Ethereum, no Monero.