[wallet] use P2WPKH change output if any destination is P2WPKH or P2WSH

[Sjors]

If -changetype is not explicitly set, then regardless of -addresstype, the wallet will use a bech32 change address P2WPKH change output if any destination is P2WPKH or P2WSH.

This seems more intuitive to me and more in line with the spirit of BIP-69.

When combined with #11991 a QT user could opt to use bech32 exclusively without having to figure out how to launch with -changetype=bech32, although so would #11937.

[promag]

Does it forces bech32 addresses in the wallet without consent?

[Sjors]

@promag for change addresses yes, so that could be an objection.

More conservative approaches could be:

1. have another UI check box to send change to a bech32 address; this could be checked by default if all destinations are bech32. This won't work for RPC users, but those can be expected to use the -changeaddress flag.

2. add an additional constraint that at least one of the the from addresses is bech32.

[sipa]

Creating a change output AFAIK does not add any address to the wallet.

[promag]

@sipa they are listed in listunspent right?

[promag]

@Sjors IMO the -changetype is enough, eventually it will default to bech32 I guess.

[gmaxwell]

General concept ACK-- but I would suggest that it only do this if the change type is at least p2sh segwit: There might be some compatibility reason that someone is avoiding creating segwit outputs for some reason. That doesn't hold if they're already asking for p2sh output... privacy was the major reason the sw wallet support didn't go 100% native change from the start... but that is even more an argument for this. In fact, I think it's an argument that we should use native change if any (or no more strict than 'most') outputs are native and not just require all.

[Sjors]

@gmaxwell it now uses a bech32 change address if change type is p2sh-segwit and any of the outputs are bech32.

[luke-jr]

Seems to me if the user is explicitly setting a change type, we should respect that.

Instead, I suggest turning OUTPUT_TYPE_DEFAULT into a real value, and handling it specially for change here. Eg, https://github.com/luke-jr/bitcoin/commits/bech32-change

[Sjors]

@luke-jr I like the idea of having OUTPUT_TYPE_DEFAULT so we can distinguish between -changetype being absent or set to p2sh-segwit. Can you make d4e5135 a PR that I can rebase this on?

[luke-jr]

It seems a bit pointless to stand on its own in a PR. It would be better to just include it as a separate commit here (and in another PR I'm about to open).

To get it in your own branch as-is, switch to it and do:

git fetch git://github.com/luke-jr/bitcoin bech32-change && git reset --hard 5efd54745c34ff329d9c75f2f5ee852930b21231

[Sjors]

@luke-jr I'll wait a little bit to see if your commit needs more changes.

I do think it's worth it's own PR, but applied to all launch flags where absence or presence can cause ambiguity about user intention. I've run into this general problem several times now, e.g. with #9527.

[promag]

Why does it matter if any destination is bech32? Should check inputs instead? If there is one p2sh-segwit or bech32 input then use bech32 change?

[promag]

Wrong indentation. Also any_destination_bech32?

[Sjors]

Will fix indentation and check variable name, thanks.

[Sjors]

Fixed.

[promag]

Wrong indentation.

[TheBlueMatt]

Concept ACK. Somewhat agree with @luke-jr, though you can do it simpler - just check if the change address type option has been set - if it has, use it, if it hasn't turn on this new behavior.

[Sjors]

Should check inputs instead?

Or even check if any input or any output is bech32?

[instagibbs]

agreed with @TheBlueMatt just check if it's set

[Sjors]

I can't reproduce this Travis failure on MacOS or Ubuntu 14.04 (I didn't use the depends system).

[gmaxwell]

It seemed like people in the IRC meeting liked: "If the configured change type is not legacy, use p2wpkh if any of the outputs are p2wpkh".

[Sjors]

@gmaxwell by "legacy" you mean p2sh-segwit? -changetype=legacy means p2pkh (in which case we also don't want to use bech32). Maybe we should also rename that legacy option, because the term seems overloaded.

[gmaxwell]

By legacy I mean p2pkh. We should not create native segwit change if the user has specifically asked for non-segwit change. If a user is setting legacy then it's likely that they really don't want segwit outputs for some reason (for example, compatibility with older software).

That argument doesn't apply for p2sh-segwit. The only reason to ever use p2sh-segwit change is for change distinguishability privacy, which, as you note-- doesn't apply when there are segwit outputs.

[gmaxwell]

As a pedantic aside, it's a mistake to say "bech32" -- there is no address involved with change, so no bech32 involved here at all. The question here is to use p2sh-p2wpkh or p2wpkh, which would exist no less even if bech32 had never been specified.

[achow101]

Concept ACK

[promag]

utACK dc2812f.

The only thing that bothers me is the fact that g_address_type = OUTPUT_TYPE_NONE is an error and now g_change_type = OUTPUT_TYPE_NONE is not.

[jnewbery]

Tested ACK dc2812f3e40dbbc7533a2d2e15cf4dfb3ae079af.

A bunch of style nits inline. Otherwise looks great.

[jnewbery]

This is perhaps just personal taste, but I prefer early function return if we already know what change address we'll use without having to look at the outputs. That also means we can remove the local variables any_destination_native_segwit and change_type. It'd look something like:

    // If -changetype is specified, always use that change type.
    if (g_change_type != OUTPUT_TYPE_NONE) {
        return g_change_type;
    }

    // if g_address_type is legacy, use legacy address as change (even
    // if some of the outputs are P2WPKH or P2WSH).
    if (g_address_type == OUTPUT_TYPE_LEGACY) {
        return OUTPUT_TYPE_LEGACY;
    }

    // if any destination is P2WPKH or P2WSH, use P2WPKH for the change
    // output.
    for (const auto& recipient : vecSend) {
        // Check if any destination contains a witness program:
        int witnessversion = 0;
        std::vector<unsigned char> witnessprogram;
        if (recipient.scriptPubKey.IsWitnessProgram(witnessversion, witnessprogram)) {
            return OUTPUT_TYPE_BECH32;
        }
    }

    // else use g_address_type for change
    return g_address_type;

[Sjors]

I find your version more readable as well, so switched to that.

[jnewbery]

please update the lines above to say there are 5 nodes under test, and describe what node4 is for.

[Sjors]

Fixed.

[jnewbery]

update comment: on node5

[Sjors]

Fixed

[jnewbery]

update comment

[Sjors]

Fixed

[jnewbery]

unnecessary double space

[Sjors]

Fixed

[jnewbery]

I think the whole docstring could be updated to reflect better what the test is actually doing:

"""Test that the wallet can send and receive using all combinations of address types.

There are 5 nodes-under-test:
    - node0 uses legacy addresses
    - node1 uses p2sh/segwit addresses
    - node2 uses p2sh/segwit addresses and bech32 addresses for change
    - node3 uses bech32 addresses
    - node4 uses p2sh/segwit addresses for change

node5 exists to generate new blocks.

## Multisig address test

Test that adding a multisig address with:
    - an uncompressed pubkey always gives a legacy address
    - only compressed pubkeys gives the an `-addresstype` address

## Sending to address types test

A series of tests, iterating over node0-node4. In each iteration of the test, one node sends:
    - 10/101th of its balance to itself (using getrawchangeaddress for single key addresses)
    - 20/101th to the next node
    - 30/101th to the node after that
    - 40/101th to the remaining node
    - 1/101th remains as fee+change

Iterate over each node for single key addresses, and then over each node for
multisig addresses.

Repeat test, but with explicit address_type parameters passed to getnewaddress
and getrawchangeaddress:
    - node0 and node3 send to p2sh.
    - node1 sends to bech32.
    - node2 sends to legacy.

As every node sends coins after receiving, this also
verifies that spending coins sent to all these address types works.

## Change type test

Test that the nodes generate the correct change address type:
    - node0 always uses a legacy change address.
    - node1 uses a bech32 addresses for change if any destination address is bech32.
    - node4 always uses p2sh/segwit output for change.
"""

[Sjors]

That's much clearer, thanks. I also ordered the change address tests by node id added node 2 and 3 to the description.

[jnewbery]

Suggest you make all of these logs INFO level

[Sjors]

Done

[jnewbery]

suggest you make these named arguments so it's clear what the "" is for.

[Sjors]

Done

[jnewbery]

Perhaps clearer as:

        self.extra_args = [["-addresstype=legacy"],                             # node0
                           ["-addresstype=p2sh-segwit"],                        # node1
                           ["-addresstype=p2sh-segwit", "-changetype=bech32"],  # node2
                           ["-addresstype=bech32"],                             # node3
                           ["-changetype=p2sh-segwit"],                         # node4
                           []]                                                  # node5

[Sjors]

Fixed

[jnewbery]

I think it's fine to join these lines

[Sjors]

Done

[jnewbery]

Tested ACK 596c446. One comment inline, but it's an observation rather than a suggestion for change.

[jnewbery]

TransactionChangeType() doesn't really need to be a class member function on CWallet, and could be a utility function in walletutil.cpp. In general, it'd be nice to start making the wallet class and wallet.cpp a bit smaller, but that's probably a tidy-up for another day.

[promag]

+1

[laanwj]

Agree, this should be moved at some point.

[maflcko]

utACK 596c446

[ryanofsky]

For the future, it might be a good idea add change_type and address_type fields to CoinControl class, and have this method accept a CoinControl argument, instead of relying on the globals. This would make it easier to ensure that when an RPC is being called that has address type options, that they will take precedence over the globals.

Pieter's suggestion of adding a separate P2SH_SEGWIT_BUT_NATIVE_WHEN_NATIVE_DESTINATION enum value instead of assigning multiple meanings to OUTPUT_TYPE_NONE is also a good idea #12119 (comment).

Other cleanups are also possible. I think a nice refactoring PR that didn't change behavior could be submitted that:

• Changed OutputType from enum to enum class.
• Got rid of DEFAULT enum value and just set P2SH_SEGWIT as default during initialization.
• Got rid of NONE enum value, replacing it with PARSE_ERROR and P2SH_SEGWIT_BUT_NATIVE_WHEN_NATIVE_DESTINATION (or something shorter like MATCH_OTHER_OUTPUTS).

[promag]

Nice wrap up @ryanofsky. In #12194 I'm adding change type to coin control, however I'm not passing coin control here.