David A. Harding on Nostr: It depends a lot on the threat model. Let's consider two scenarios: 1. Mallory is ...

It depends a lot on the threat model. Let's consider two scenarios:

1. Mallory is monitoring all traffic to a given IP address (no Tor, or Tor is completely broken) and wants to learn which outputs it controls. Every transaction downloaded by that IP address which doesn't belong to its wallet increases the anonymity set of the transactions which do belong to that IP addresses's wallet. Because BIP157/8 involves downloading whole blocks (typically a few thousand transactions), it would create decent-sized anonymity sets even if there was never a false positive; adding the occasional false positive block just improves that.

By comparison, Bitcoin Core is like having a 100% false positive rate; now the anonymity set is every transaction in the entire best block chain.

2. Mallory knows a Bitcoin address and wants to find the IP address of the wallet controlling that Bitcoin address (again, no Tor). If Mallory has the ability to surveil IP addresses that the wallet might be using, she can spent a tiny bit of money to that address to get the wallet to download that block. Many other wallets will also download that block, either because they had transactions in it or because of the false positive rate, so that's the initial anonymity set. Mallory can then send another tiny bit of money to the address. The wallet she's interested in will download that new block but many of the other wallets which previously downloaded it won't (they didn't have a tx in that block or it wasn't a false positive for them). This shrinks the anonymity set. Each time Mallory sends a bit more money to the address, the anonymity set shrinks further, until she finds the IP address.

By comparison, Bitcoin Core is immune to this attack. It downloads every seemingly-valid block unconditionally.