Posted by /dev /fd0
Mar 29, 2025/12:34 UTC
The discussion initiated by Yuval Kogman revolves around the vulnerabilities and mitigations concerning the Payjoin protocol, particularly focusing on a specific attack known as the UTXO probing attack. This type of attack is highlighted within the context of Bitcoin Improvement Proposal 78 (BIP78), with further details accessible through a provided link. The essence of this attack lies in the exposure of unspent transaction outputs (UTXOs) during a transaction, which could potentially be exploited by an attacker to gather information about a merchant's next Payjoin transaction with another peer.
Kogman critiques the proposed mitigations against such attacks, pointing out their insufficiency in guaranteeing the protection of UTXO privacy. The mitigations suggest reusing exposed UTXOs to prevent leaking further information; however, this approach does not assure complete anonymity or security against adversaries, notably including North Korean hackers and government agencies. This vulnerability underlines an inherent conflict between maintaining privacy and achieving scalability or low transaction costs within the Bitcoin ecosystem. Kogman emphasizes that aiming for absolute privacy through never co-spending UTXOs may lead to wallet fragmentation, resulting in numerous UTXOs that compromise privacy when consolidated for cold storage transfers.
Furthermore, the discussion sheds light on the practical implications of these vulnerabilities. It suggests that bitcoin merchants, especially those involved in illicit activities, are at significant risk of being targeted by government agencies through UTXO probing attacks. This kind of attack attempts to entice the victim into spending different UTXOs, making it challenging, yet not impossible, for attackers to trace transactions back to their source. Despite the challenges in completely securing Payjoin transactions from such probing, the acknowledgment of this issue in recent publications, including a PDK blog post, indicates the severity and recognition of the problem within the cryptocurrency development community.
In conclusion, while Payjoin aims to enhance privacy for Bitcoin transactions, it introduces a set of vulnerabilities that can be exploited through UTXO probing attacks. The debate over the sufficiency of current mitigations reflects wider concerns regarding the balance between privacy, scalability, and security in digital currency systems. As the cryptocurrency landscape evolves, addressing these challenges remains crucial for the adoption and trust in such privacy-enhancing protocols.
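The reuse mitigation summarized above can be measured with a toy model. This is an added example, not code from BIP78, the mailing-list post, or any Payjoin implementation; the `Receiver` class, the `probe` helper, the sample wallet and the random choice used for the unmitigated policy are all assumptions made for illustration.

```python
import random

# Constructed sample wallet: eight UTXO identifiers, not real outpoints.
SAMPLE_WALLET = [f"utxo{i}" for i in range(8)]


class Receiver:
    """Toy Payjoin receiver that contributes one input per proposal."""

    def __init__(self, wallet, pin_exposed, seed=0):
        self.wallet = list(wallet)
        self.pin_exposed = pin_exposed  # True = reuse the already exposed UTXO
        self.exposed = None             # UTXO shown in a proposal not yet completed
        self.rng = random.Random(seed)  # seeded so the run is reproducible

    def propose(self):
        """Answer one original transaction; return the UTXO revealed to the sender."""
        if self.pin_exposed and self.exposed in self.wallet:
            return self.exposed         # nothing new is revealed
        self.exposed = self.rng.choice(self.wallet)
        return self.exposed

    def confirm_spend(self, utxo):
        """Record that a completed transaction spent `utxo`."""
        self.wallet.remove(utxo)
        if self.exposed == utxo:
            self.exposed = None


def probe(receiver, attempts):
    """Model a sender that requests proposals and never signs any of them.

    Returns the set of receiver UTXOs disclosed across all attempts.
    """
    return {receiver.propose() for _ in range(attempts)}


if __name__ == "__main__":
    naive = probe(Receiver(SAMPLE_WALLET, pin_exposed=False), 200)
    pinned_rx = Receiver(SAMPLE_WALLET, pin_exposed=True)
    pinned = probe(pinned_rx, 200)
    print("no mitigation, UTXOs disclosed:", len(naive))
    print("reuse exposed UTXO, disclosed:", len(pinned))
    # Once the pinned UTXO is spent, the next round discloses a different one.
    pinned_rx.confirm_spend(next(iter(pinned)))
    print("after spend, newly disclosed:", probe(pinned_rx, 200) - pinned)
```

In this model the reuse policy caps disclosure at one UTXO per completed spend rather than eliminating it, which is the gap the critique points at.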