Bitcoin signing mass: Why some UTXOs are more difficult to sign than others
Originally published on the Unchained blog.
UTXO management strategies are an advanced yet important aspect of bitcoin self-custody. In 2022, we published a trilogy of articles explaining what UTXOs are and why managing them can significantly affect your future transaction costs and privacy.
In this latest installment, we’ll highlight another interesting phenomenon as it relates to UTXOs: sometimes, hardware wallets can quickly and easily sign a transaction moving dozens of UTXOs, while other times, a device of the same model can struggle while signing a transaction with a much lower UTXO count. As part of a recent research project, I had the chance to take a closer look at this phenomenon and develop an understanding of why it occurs.
What is UTXO signing mass?
While we know signing transactions with too many UTXOs can cause device failures, this general statement still leaves some questions: is there a definite number of UTXOs that would cause a hardware wallet to fail while signing? Can certain UTXOs cause more difficulties than others?
While researching the answers to such questions, I discovered that the time and effort a hardware wallet requires to sign a transaction does not solely depend on the number of UTXOs being sent and how many receiving addresses there will be. It also depends on similar details surrounding the prior transactions that each UTXO came from, a phenomenon I call “signing mass.” I’m not aware of any other publications referencing this concept.
In other words, UTXOs with greater signing mass—explained in more detail below—can be more difficult to sign than others. Even though two UTXOs might use the same amount of data on the blockchain, one can require substantially more processing to sign using a hardware wallet.
This fact extends beyond address types and multisig quorums; one UTXO on a 2-of-3 multisig address can take substantially more effort to sign than another UTXO on that same address or an equivalent address, even if the bitcoin amounts and destination addresses are exactly the same.
Why are some UTXOs more difficult to sign?
To understand why two similar-looking UTXOs can have dramatically different signing masses, you have to understand the roundabout method hardware wallets use to verify input amounts without an internet connection and how transaction complexity can differ among the various methods of receiving bitcoin to your wallet.
Input amount safety checks
For any bitcoin transaction, verifying the amounts of the inputs is important; otherwise, large amounts of your bitcoin could accidentally be paid to miners. Why? Because the fees taken by miners are not stated explicitly in the transaction, but calculated implicitly by subtracting the value of the outputs from the value of the inputs. Therefore, if there is a big difference between the two numbers, the fee taken will also be large.
As an example, if you had UTXOs totaling 0.8 BTC and used them to send 0.3 BTC somewhere without sending the remaining ~0.5 BTC back to yourself as change, the miner of the block could claim that ~0.5 BTC as part of their earned fees.
Don’t worry! All modern and respected bitcoin tools include automatic safety mechanisms, so making this mistake would be quite difficult (if not impossible). The process can be as simple as searching the blockchain to verify the amount of the inputs and then comparing their total with the sum of the chosen outputs to determine if the fee is reasonable.
But of course, hardware wallets are designed to function independently of the internet, which is especially evident for air-gapped devices. Without the internet or a node connection, the blockchain cannot be observed. Therefore, most hardware wallets must use an alternative, roundabout method to verify input amounts. Essentially, the device not only needs to import the information describing the transaction it will be signing, but it must also import the history of where each input came from.
Put differently, for each UTXO being moved, the device will want to double-check the details of the transaction directly prior, the one that created that UTXO. If that transaction was complex, more data must be imported, which would be reflected in something like the size of a PSBT file. Let’s take a look at transaction complexity.
Transaction complexity from common sources
Most people receive bitcoin to their wallet one of three ways: from an exchange, from a mining pool, or directly from another person in a peer-to-peer (P2P) transaction. Peer-to-peer transactions usually contain very low complexity, and resulting UTXOs will have a relatively tiny signing mass.
However, exchanges and mining pools tend to distribute funds in batches, sending bitcoin to many people at once within the same transaction. These transactions are more complex, and the resulting UTXOs will have a larger signing mass.
I investigated the distribution tendencies for several mining pools and exchanges popular in America, and my findings are presented in the chart below. The number of outputs indicates the number of people typically sent bitcoin within each distribution. A higher number means more transaction complexity and a more considerable signing mass burden for the recipients.
Notice that the distributions of mining pools are generally larger than exchanges, and certain mining pools such as F2Pool use extraordinarily large distributions. Consequently, if you receive a UTXO directly from an F2Pool payout, that UTXO is more likely to cause certain hardware wallets to have signing difficulties.
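The offline check described under "Input amount safety checks", together with the batch-payout effect described in this section, as an added example (not code from the original article or from any wallet vendor). It assumes previous transactions in legacy serialization without witness data, uses a constructed 600-output transaction to stand in for a batch payout, and all function names are illustrative.

```python
import hashlib
import struct

def varint(n):  # Bitcoin CompactSize; values up to 32 bits are enough here
    if n < 0xfd:
        return bytes([n])
    return b"\xfd" + struct.pack("<H", n) if n <= 0xffff else b"\xfe" + struct.pack("<I", n)

def read_varint(buf, pos):
    first = buf[pos]
    if first < 0xfd:
        return first, pos + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def build_prev_tx(n_outputs, sats_each):
    """Constructed sample: one dummy input, n_outputs P2WPKH-sized outputs."""
    tx = struct.pack("<I", 2) + varint(1) + bytes(36) + varint(0) + b"\xff" * 4 + varint(n_outputs)
    for i in range(n_outputs):
        script = b"\x00\x14" + hashlib.sha256(i.to_bytes(4, "little")).digest()[:20]
        tx += struct.pack("<Q", sats_each) + varint(len(script)) + script
    return tx + bytes(4)  # locktime 0

def txid(tx):
    return hashlib.sha256(hashlib.sha256(tx).digest()).digest()[::-1].hex()

def verified_amount(prev_tx, outpoint_txid, vout):
    """Offline check: the whole previous tx must hash to the outpoint's txid
    before the amount at index vout can be trusted."""
    if txid(prev_tx) != outpoint_txid:
        raise ValueError("previous transaction does not match outpoint")
    n_in, pos = read_varint(prev_tx, 4)                    # skip 4-byte version
    for _ in range(n_in):
        script_len, pos = read_varint(prev_tx, pos + 36)   # skip outpoint
        pos += script_len + 4                              # skip scriptSig, sequence
    n_out, pos = read_varint(prev_tx, pos)
    if vout >= n_out:
        raise ValueError("vout out of range")
    for i in range(n_out):                                 # walk outputs up to vout
        value = int.from_bytes(prev_tx[pos:pos + 8], "little")
        script_len, pos = read_varint(prev_tx, pos + 8)
        pos += script_len
        if i == vout:
            return value

def check_spend(inputs, output_sats):
    """inputs: [(prev_tx_bytes, txid, vout)]. Returns (implicit fee, signing mass in bytes)."""
    total_in = sum(verified_amount(*item) for item in inputs)
    return total_in - sum(output_sats), sum(len(item[0]) for item in inputs)
```

Spending two 0.4 BTC inputs to outputs of 0.3 BTC and 0.4999 BTC, `check_spend` returns the same 10,000-sat fee whether the inputs come from `build_prev_tx(2, 40_000_000)` or `build_prev_tx(600, 40_000_000)`, but the signing mass rises from 226 to 37,306 bytes because each input carries its own copy of the previous transaction.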
A note on SegWit and the BIP 143 vulnerability
In 2017, the segregated witness soft fork occurred, and the signing process was changed for SegWit transactions. A requirement was introduced to include input amounts in the data that users commit to with a signature. As a result, it was believed that any attempt to trick a user or device into inadvertently signing a transaction with absurdly high fees would be prevented. Most hardware wallet manufacturers acted accordingly, removing the input amount safety checks and simplifying the signing process for SegWit transactions.
However, in mid-2020, a vulnerability was found in BIP 143, prompting many hardware wallet manufacturers to reintroduce input amount safety checks for SegWit transactions. At the time of writing, input amount safety checks remain a normal process during a hardware wallet signature. There is some discussion in the community about future changes that could more effectively remove the need for input amount safety checks, such as making fees explicit within each transaction rather than implicit.
How does signing mass affect me?
The variations in signing mass mean that when you withdraw bitcoin from your self-custody cold storage wallet, how you received that bitcoin in the first place matters. The methods you use to acquire bitcoin can create differences when it comes time to approve transfers.
Anticipating and navigating signing failures
If you hold a UTXO that was moved from a different wallet you control or was received from a peer-to-peer transaction, chances are the transaction was a relatively simple one. The UTXO will have a smaller signing mass and be easier to sign during a future spend. On the other hand, if you received a UTXO directly from a mining pool, or especially a mining pool that makes very large distributions (as shown in the earlier chart), you can expect that UTXO to be harder to sign.
Luckily, if your hardware wallet fails to sign because you are trying to move too many high-mass UTXOs simultaneously, this doesn’t mean your bitcoin is permanently stuck. A quick and easy solution is to break up your transaction into several transactions, moving your bitcoin in chunks. Each chunk will contain only a fraction of the data, and your device will more likely provide a signature successfully.
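One way to plan the chunks described above, as an added example (not code from the original article). The wallet contents are constructed, and `BUDGET` is a hypothetical per-transaction limit you would have to determine for your own device; the function names are illustrative.

```python
def plan_chunks(utxos, budget_bytes):
    """Group UTXOs into transactions whose combined signing mass fits the budget.

    utxos: list of (label, amount_sats, mass_bytes), where mass_bytes is the size
    of the previous transaction the signer must import for that UTXO.
    Returns (chunks, oversize): oversize UTXOs exceed the budget on their own,
    so splitting the spend cannot help them.
    """
    oversize = [u for u in utxos if u[2] > budget_bytes]
    fitting = sorted((u for u in utxos if u[2] <= budget_bytes), key=lambda u: -u[2])
    chunks = []
    for utxo in fitting:                      # first-fit decreasing: heaviest first
        for chunk in chunks:
            if chunk["mass"] + utxo[2] <= budget_bytes:
                chunk["utxos"].append(utxo)
                chunk["mass"] += utxo[2]
                chunk["sats"] += utxo[1]
                break
        else:                                 # fits nowhere: start a new transaction
            chunks.append({"utxos": [utxo], "mass": utxo[2], "sats": utxo[1]})
    return chunks, oversize

# Constructed wallet: three pool payouts, four peer-to-peer receipts, one huge payout.
WALLET = (
    [(f"pool-{i}", 5_000_000, 18_653) for i in range(3)]
    + [(f"p2p-{i}", 20_000_000, 113) for i in range(4)]
    + [("pool-huge", 5_000_000, 120_000)]
)
BUDGET = 40_000  # hypothetical limit in bytes, not a figure for any real device

def summarize(utxos=WALLET, budget=BUDGET):
    """Return ([(utxo count, mass, sats) per chunk], [labels of oversize UTXOs])."""
    chunks, oversize = plan_chunks(utxos, budget)
    return [(len(c["utxos"]), c["mass"], c["sats"]) for c in chunks], [u[0] for u in oversize]
```

Here the seven UTXOs that fit are packed into two transactions, with the small peer-to-peer UTXOs filling the space left beside two of the pool payouts, while `pool-huge` is reported separately because no amount of splitting brings it under the budget.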
Another strategy is preventing signing failures in the first place by controlling the number of UTXOs you are holding and the signing mass of those UTXOs. While you can’t change how mining pools and exchanges distribute funds, it is essential to remember that a UTXO’s signing mass is determined by the transaction immediately prior, not any transaction history before that. This means you could receive a UTXO from a mining pool and immediately transfer it to another wallet or address you control, mimicking a peer-to-peer transaction. The resulting UTXO at the new address will have a small signing mass rather than a large one.
Signing mass does not affect transaction fees
It is important to highlight that signing mass only affects the time and effort a hardware wallet requires to sign a transaction, not the network fees you will pay. This is because signing mass is only relevant during the signing process, and will not cause your transaction to take up more data on the blockchain.
This means that you will not necessarily pay more transaction fees if you receive bitcoin from a mining pool such as F2Pool, nor will your transaction fees be decreased by choosing a service that uses fewer outputs for their distributions.
Learn more about UTXOs
To learn more about how transaction fees are calculated, check out our other article that dives deep into this subject. If you are interested in the specifics about how the number of UTXOs you are holding can affect your fees in the future, we have an article about that too!