<div dir="ltr"><div>Hi Wei,<br><br></div>As you know, I'm not a developer of Bitcoin-Qt, but we'll need to make our best guesses for these answers if the developers won't reply. I'm going to post my best guesses here so that people reading the list have a short window of opportunity to correct me if they wish.<br><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 7, 2015 at 2:46 PM, Wei via bitcoin-dev <span dir="ltr"><<a href="mailto:bitcoin-dev@lists.linuxfoundation.org" target="_blank">bitcoin-dev@lists.linuxfoundation.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Transaction Formatting<br>
<br>
1. Does your application take any steps to create ambiguity between transactions which unavoidably spend from multiple addresses at the same time and intentional mixing transactions?<br></blockquote><div><br></div><div>No, Bitcoin-Qt does not try to make non-mixing transactions look like mixing transactions.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
2. What algorithms does your application use for ordering inputs and outputs in a transaction? In particular, how do you handle the change output and do you take into account common practices of other wallet applications when determining ordering?<br></blockquote><div><br></div><div>Not yet BIP 69. These notes suggest that outputs are randomized: <a href="https://bitcoin.org/en/release/v0.8.1">https://bitcoin.org/en/release/v0.8.1</a><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
3. Does your application minimize the harmful effects of address reuse by spending every spendable input (“sweeping”) from an address when a transaction is created?<br></blockquote><div><br></div><div>Unknown <br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
4. Does your application fully implement BIP 62?<br></blockquote><div><br></div><div>Here's a detailed answer on stack exchange: <a href="http://bitcoin.stackexchange.com/questions/35904/how-much-of-bip-62-dealing-with-malleability-has-been-implemented">http://bitcoin.stackexchange.com/questions/35904/how-much-of-bip-62-dealing-with-malleability-has-been-implemented</a><br><br></div><div>By item, my extremely brief interpretation:<br><br>Non-DER encoded ECDSA signatures: BIP66 soft fork has happened, so this is presumed to be implemented<br>Non-push operations in scriptSig: Implemented<br>Push operations in scriptSig of non-standard size type: Implemented in 0.9.0<br>Zero-padded number pushes: Implemented in 0.10.0 (current available version is 0.11.0)<br>Inherent ECDSA signature malleability: ...implemented?<br></div><div>Superfluous scriptSig operations: implemented 0.6.0<br>Inputs ignored by scripts: Only partly addressed by 0.10.0. It appears that the rest would require changes to consensus rules, so Bitcoin-Qt is as compliant as it can be.<br>Sighash flags based masking and New signatures by the sender: Can't be implemented without changes to consensus rules.<br><br></div><div>I would summarize this as a "yes."<br></div><div></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Mixing<br>
<br>
5. If your application supports mixing:<br></blockquote><div><br></div><div>It doesn't. There's an issue for CoinJoin here: <a href="https://github.com/bitcoin/bitcoin/issues/3226">https://github.com/bitcoin/bitcoin/issues/3226</a><br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
a. What is the average number of participants a user can expect to interact with on a typical join transaction?<br>
b. Does your application attempt to construct join transactions in a way that avoids distinguishing them from non-join transactions?<br>
c. Does your application perform any kind of reversibility analysis on join transactions prior to presenting them to the user for confirmation?<br>
d. Is the mixing technique employed secure against correlation attacks by the facilitator, such as a CoinJoin server or off-chain mixing service?<br>
e. Is the mixing technique employed secure against theft of funds by the facilitator or its participants?<br>
<br>
Donations<br>
<br>
6. If your application has a fee or donation to the developers feature:<br></blockquote><div><br></div><div>No donation feature last time I checked.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
a. What steps do you take to make the donations indistinguishable from regular spend in terms of output sizes and destination addresses?<br>
<br>
Balance Queries and Tx Broadcasting<br>
<br>
7. Please describe how your application obtains balance information in terms of how queries from the user’s device can reveal a connection between the addresses in their wallet.<br>
a. Does the application keep a complete copy of the blockchain locally (full node)?<br></blockquote><div><br></div><div>Yes<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
b. Does the user’s device provide a filter which matches some fraction of the blockchain while providing a false positive rate (bloom or prefix filters)?<br></blockquote><div><br></div><div>No, it just downloads the whole blockchain and performs local queries.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
i. If so, approximately what fraction of the blockchain does the filter match in a default configuration (0% - 100%)?<br></blockquote><div><br></div><div>100%, unless a user bootstraps downloading the blockchain. Bootstrapping will potentially limit the user's anonymity set to other people who have downloaded that bootstrap.dat file.<br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
c. Does the user’s device query all of their addresses at the same time?<br></blockquote><div><br></div><div>N/A<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
d. Does the user’s device query addresses individually in a manner that does not allow the query responder to correlate queries for different addresses?<br></blockquote><div><br></div><div>No. Just download blocks and processes that information locally.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
e. Can users opt to obtain their balance information via Tor (or equivalent means)?<br></blockquote><div><br></div><div>If Tor is set up as a SOCKS proxy, you can configure Bitcoin-QT download the blockchain and broadcast txs through a single Tor circuit. This can be configured once before opening Bitcoin-Qt.<br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
8. Does the applications route outgoing transactions independently from the manner in which it obtains balance information? Can users opt to have their transactions submitted to the Bitcoin network via Tor (or an equivalent means) independently of how they obtain their balance information?<br></blockquote><div><br></div><div>No, you can only configure a single proxy.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
9. If your application supports multiple identities/wallets, does each one connect to the network as if it were completely independent from the other?<br></blockquote><div><br></div><div>No built-in support for multiple identities. You can hotswap wallet files to crudely simulate this. You'd have to manually change the Tor connection outside of Bitcoin-Qt to create the effect of making the network connections independent.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
a. Does the application ever request balance information for addresses belonging to multiple identities in the same network query?<br></blockquote><div><br></div><div>Blocks are downloaded and tx broadcasts received/relayed rather than querying the utxo set for a particular address. When swapping between wallet files, some information may be leaked e.g. the client may be at the same block height in terms of what it has downloaded from the p2p network, which may leak to global passive adversaries/AS's or sybil attackers the fact that a single client was used for multiple wallets.<br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
b. Are outgoing transactions from multiple identities routed independently of each other to the Bitcoin network?<br></blockquote><div><br></div><div>Transactions from multiple identities would not be routed at the same time. I'm not clear what happens if you have a single wallet (identity) open and then open a new wallet (identity) without closing Bitcoin-Qt -- some of the same routing paths may still be used such that an attacker might observe transactions broadast signed by private keys from multiple wallets (identities) and observe that they appear to come from the same wallet client. OBPP should assume the worst unless prevented contrary evidence.<br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
c. When an identity/wallet is deleted, does the deletion process eliminate all evidence from the user's device that the wallet was previously installed?<br></blockquote><div><br></div><div>Identity is primarily tied to a wallet.dat file. Deleting it will remove most of the evidence that the wallet was installed on that device, but there may be some extra information in ancillary files that should also be deleted. This is an OS-level function, as there is no operation built into the client to delete a wallet file (identity).<br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Network Privacy<br>
<br>
10. When a user performs a backup operation for their wallet, does this generate any automatic network activity, such as a web query or email?<br></blockquote><div><br></div><div>No. Backups are local, and no email or SMS is linked. No web queries related to backup.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
11. Does your application perform any lookup external to the user’s device related to identifying transaction senders or recipients?<br></blockquote><div><br></div><div>No<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
12. Does you application connect to known endpoints which would be visible to an ISP, such as your domain?<br></blockquote><div><br></div><div>Yes, some connections to known p2p full nodes to bootstrap the connection to the Bitcoin p2p network. This is configurable, but there are defaults. An ISP is likely to be able to identify a customer as running the Bitcoin-Qt client in particular on this basis.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
13. If your application connects directly to nodes in the Bitcoin P2P network, does it either use an unremarkable user agent string (Bitcoin Core. BitcoinJ, etc), or randomize its user agent on each connection?<br></blockquote><div><br></div><div>BIP12 specifies format for user agents: <a href="https://github.com/bitcoin/bips/blob/master/bip-0014.mediawiki">https://github.com/bitcoin/bips/blob/master/bip-0014.mediawiki</a><br><br></div><div>It appears that the Bitcoin-QT leaks specific information about its client version through User Agent. This file defines the current client version:<br><a href="https://github.com/bitcoin/bitcoin/blob/55294a9fb673ab0a7c99b9c18279fe12a5a07890/src/clientversion.h">https://github.com/bitcoin/bitcoin/blob/55294a9fb673ab0a7c99b9c18279fe12a5a07890/src/clientversion.h</a><br><br></div><div>Various other files seem to use this to build up the UA string, which is transmitted to other peers.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Physical Access<br>
<br>
14. Does the application uninstall process for your application eliminate all evidence from the user's device that the application was previously installed? Does it also eliminate wallet data?<br></blockquote><div><br></div><div>Probably depends on the platform. Last time I checked, I think Bitcoin-Qt leaves behind a .bitcoin directory on most platforms even after you run an uninstall script.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
15. Does your application use techniques such as steganography to store persistent wallet metadata in a form not identifiable as belong to a Bitcoin wallet application?<br></blockquote><div><br></div><div>No<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
16. Please describe the degree to which users can use passwords/PINs to protect their data:<br>
a. Can the user set a password/PIN to protect their private keys?<br></blockquote><div><br></div><div>You can encrypt the wallet file with a password. The wallet is "locked" until the password is entered, preventing decryption of the private keys.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
b. Can the user set a password/PIN to protect their public keys and balance information?<br></blockquote><div><br></div><div>No -- any wallet.dat file can be opened and the public keys inspected without the password.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
c. Can the user set a password/PIN to encrypt other wallet metadata, such as address books and transaction notes?<br></blockquote><div><br></div><div><div>No -- any wallet.dat file can be opened and the metadata inspected without the password.<br></div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
d. Does the application use a single password/PIN to cover all protected data, or does it allow the use of multiple passwords/PINs?<br></blockquote><div><br></div><div>A single password for the wallet file.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Custodianship<br>
<br>
17. Do you as a wallet provider ever have access to unencrypted copies of the user’s private keys, public keys, or any other wallet metadata which may be used to associate a user with their transactions or balances?<br></blockquote><div><br></div><div>No custodianship.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Telemetry Data<br>
<br>
18. If your application reports telemetry data, such as usage information or automatic crash reporting, does the user have the opportunity to review and approve all information transmitted before it is sent?<br></blockquote><div><br></div><div>No obvious telemetry data being sent.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Source Code and Building<br>
<br>
19. Can a user of your application compile the application themselves in a manner that produces a binary version identical to the version you distribute (deterministic build system)?<br></blockquote><div><br></div><div>Yes, I think that's the point of the gitian stuff.<br> <br></div>-Kristov<br></div></div></div>