public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Ruben Somsen <rsomsen@gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: [bitcoin-dev] BIP47 Prague Discussion
Date: Sat, 11 Jun 2022 12:01:58 +0200	[thread overview]
Message-ID: <CAPv7TjYXSStBWCnFcuJjVv8AAD6EGN9Vxg30XCF2UHyS5z89mw@mail.gmail.com> (raw)

[-- Attachment #1: Type: text/plain, Size: 4170 bytes --]

This discussion took place at Pizza Day Prague 2022[0] after a brief
discussion on Silent Payments[1]. The main points have been summarized
below.

The discussion was mainly between Alekos Filini, Martin Habovštiak, and
myself, as well as Daniela Brozzoni, Eric Sirion, Pavol Rusnak, Salvatore
Ingala, and others.

Also available as a gist:
https://gist.github.com/RubenSomsen/21c477c90c942acf45f8e8f5c1ad4fae

And my personal opinion can be found in the comments:
https://gist.github.com/RubenSomsen/21c477c90c942acf45f8e8f5c1ad4fae?permalink_comment_id=4197284#gistcomment-4197284


Improving BIP47

BIP47 requires a notification transaction prior to making payments. This
transaction takes up on-chain space and can easily leak privacy if not
handled with extreme caution. In practice this is quite hard.

The discussion revolved around whether we can a.) minimize the on-chain
space required and b.) outsource the notification transaction so the link
between the sender and recipient is no longer apparent on-chain.


BIP47 space requirements

As currently implemented, BIP47 (V1/V2)[2] requires an input key for
blinding, the blinded sender payment code in an op_return, and the
recipient key in an output.

The first question that came up was whether it is necessary for the
recipient to learn the payment code of the sender. The benefit is that this
enables the recipient to send a notification transaction and subsequent
payment to the sender, but in practice this never happens. It therefore
seems acceptable to forego this requirement, as this potentially saves
space. The minimum notification payload that seems required is a fresh
sender key and a static recipient key.

The sender key should ideally be deterministically derived from the sender
xpub based on the recipient key. If the user checks all the keys that were
registered with the recipient prior to notification, it can statelessly
find out whether the sender key was already previously registered. This
step can be skipped, which is easier for light clients, but means the
notification transaction will have to be resent if the user ever forgets
they already sent a notification (such as when restoring from backup).


Outsourcing the notification

The next part of the discussion revolved around the idea of putting
multiple notifications in a single transaction that can be outsourced to a
third party in order to break the sender/recipient link. This third party
could be paid over the Lightning Network for their services.

One idea was to use the taproot annex to insert the notification payload as
(discounted) witness data. One downside with this approach is that it
requires custom software for the recipient to notice the notification,
since it's not tied to an easily noticeable output. The middle ground
solution would be to put the sender keys there but still create an output
for each recipient key.


Allowing collisions

One interesting point that came up was that you could represent the
recipient key using e.g. only 4 bytes (provided you put it in the annex).
This leaves a window of 1 in ~4.3 billion for a collision, but the extra
work that needs to be performed when it does happen is negligible
(essentially expecting a payment while there is none). This would reduce
the payload from 64 bytes to 36 bytes of witness data.

While this did not come up in the discussion, it should be noted that using
the annex makes the transaction non-standard[3]. It could either be
standardized as the first use case for the annex, or perhaps an alternative
method[4] should be considered.


[0] Pizza Day Prague 2022: https://www.pizzaday.cz

[1] Silent Payments:
https://gist.github.com/RubenSomsen/c43b79517e7cb701ebf77eec6dbb46b8

[2] BIP47: https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki

[3] Annex non-standard:
https://github.com/bitcoin/bitcoin/pull/17977/files#diff-ea6d307faa4ec9dfa5abcf6858bc19603079f2b8e110e1d62da4df98f4bdb9c0R250

[4] Using p2wsh:
https://gist.github.com/RubenSomsen/21c477c90c942acf45f8e8f5c1ad4fae?permalink_comment_id=4189419#gistcomment-4189419

[-- Attachment #2: Type: text/html, Size: 5153 bytes --]

             reply	other threads:[~2022-06-11 10:02 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-06-11 10:01 Ruben Somsen [this message]
2022-06-11 14:30 ` [bitcoin-dev] BIP47 Prague Discussion Paul Sztorc

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAPv7TjYXSStBWCnFcuJjVv8AAD6EGN9Vxg30XCF2UHyS5z89mw@mail.gmail.com \
    --to=rsomsen@gmail.com \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox