MIME-Version: 1.0
References: <CAPapNH28iCxEcTOKt3YC+zuZzxbM=AudbbYByjS3aUZAgFHUag@mail.gmail.com>
 <CAPv7TjZFN1r84EXON_gpNmJm2=x0x6-=5SqdCP5_n2EaObUEtA@mail.gmail.com>
In-Reply-To: <CAPv7TjZFN1r84EXON_gpNmJm2=x0x6-=5SqdCP5_n2EaObUEtA@mail.gmail.com>
From: El_Hoy <eloyesp@gmail.com>
Date: Tue, 4 Oct 2022 16:08:34 -0300
Message-ID: <CAPapNH1US_OPtzgT8dwVh2ieborNg6OxPDz7LoFQkkwB-3Rcyg@mail.gmail.com>
To: Ruben Somsen <rsomsen@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000007d8f5a05ea3a30df"
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] RFC for a BIP32 recurrent address derivation
	scheme
Precedence: list

--0000000000007d8f5a05ea3a30df
Content-Type: text/plain; charset="UTF-8"

Hi Ruben,

Thanks for your comments.

I've noticed that there are lots of mentions of using a scheme like this,
but there is no framework to ease the usage of such a scheme and to add
interoperability between different implementations. So any implementation
requires some manual work on both parties. The idea is to have a BIP to
make this easy for developers to implement and users to use.

The main advantage against silent payments or BIP47 is just that it should
be easier to implement on both parties involved.

Regarding the `contact`, you are right, it is just a counter, and Carol
simply increments this one with each `contact` created. The association
between a `contact` and the metadata of the contact needs to be stored
off-chain, so when recovering the wallet that information is lost if there
is no backup.

Regarding the gap limit, I think that we can be quite strict with it, to
make it easier to implement, I would use a gap limit of 2 for contacts and
no gap limit for the index, there is no point in someone skipping an
address.

Regards.

---  Eloy


On Thu, Sep 29, 2022 at 7:41 PM Ruben Somsen <rsomsen@gmail.com> wrote:

> Hi Eloy,
>
> Nice idea.
>
> Note I thought about and succinctly described a similar scheme here (which
> in turn was derived from work by Kixunil):
>
> https://gist.github.com/RubenSomsen/c43b79517e7cb701ebf77eec6dbb46b8#xpub-sharing
>
> I agree with your general assessment that this is a scheme that seems like
> an improvement over the status quo. Note that both BIP47 and Silent
> Payments don't require any interaction with the sender, while this scheme
> requires one-time interaction (e.g. this wouldn't be suitable for one-time
> donations). I think this would mostly be a convenience feature that
> improves the regular interactive payment flow (interact once, instead of
> repeatedly asking for addresses with each payment).
>
> >master / purpose' / coin_type' / contact' / index
>
> Despite your explanation, it's still not fully clear to me how "contact"
> is defined, but I assume it's just a counter? Just in case, note that you
> can't let Bob define it for Carol, as then you can't deterministically
> recover your payments without also backing up how it's defined (the seed
> alone won't be enough).
>
> The gap limit also needs to be kept in mind. If we allow each xpub to have
> its own gap limit, you potentially get an exponential blowup (gaps in the
> xpub * gaps in the addresses generated from the xpubs). It may be OK to
> define a low default gap limit for these xpubs, since there should be no
> reason to expect the same sender to leave any gaps, though this may depend
> on how the xpubs are used (e.g. it may also be used to derive addresses for
> others) so it's probably important to be explicit about this.
>
> Cheers,
> Ruben
>
>
>
> On Thu, Sep 22, 2022 at 5:18 PM El_Hoy via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> There is a known issue on bitcoin, that is that every transaction
>> requires a new address to prevent address reuse, making it uncomfortable to
>> make recurring payments, as every payment requires a new off-chain
>> interaction. A scheme is already mentioned on the [on the BIP32 itself][1],
>> but it cannot be implemented as is.
>>
>> Here I propose a scheme that follows the structure described on [BIP44]
>> that should make it possible to send recurring payments using a single
>> offline interaction.
>>
>> The proposed scheme is:
>>
>>     master / purpose' / coin_type' / contact' / index
>>
>> Where the definitions of all the levels follow BIP44, except for
>> `contact` that is described below.
>>
>> Example usage: Bob wants to make recurring payments to Carol, so he asks
>> her for a _contact address_, that is, an extended public key.
>>
>> Bob can use that public key to generate multiple derived addresses to
>> make multiple recurring payments to Carol, the contact address is stored
>> off-chain, anyone inspecting the chain will just see normal transactions
>> on-chain.
>>
>> ## Considerations
>>
>> [BIP47] tries to solve the same issue, but the solution is more complex
>> and involves more on-chain transactions that involve data, this
>> implementation simpler and requires less work to implement.
>>
>> Also, the derivation path might need some adjustments for different
>> address types on bitcoin.
>>
>> Finally, this only works in a single direction and does not make it
>> possible for Carol to send anything to Bob, as it would require Bob sending
>> her a contact address.
>>
>> ## Advantages
>>
>> A positive side effect of using this, is that Bob can choose to send
>> payments to Carol using multiple outputs, giving him more privacy.
>>
>> Also, those payments can be easily labeled by the receiving wallet, as
>> they are received.
>>
>> Regards.
>>
>> ### References
>>
>> [1]:
>> https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#recurrent-business-to-business-transactions-nmih0
>> [BIP47]: https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki
>> "Reusable Payment Codes for Hierarchical Deterministic Wallets"
>> [BIP43]:
>> https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki#Purpose
>>
>> --- Eloy
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>

--0000000000007d8f5a05ea3a30df
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><div>Hi Ruben,</div><div><br></div><div>T=
hanks for your comments.</div><div><br></div><div><div>I&#39;ve noticed tha=
t there are lots of mentions of using a scheme like this, but there is no f=
ramework to ease the usage of such a scheme and to add interoperability bet=
ween different implementations. So any implementation requires some manual =
work on both parties. The idea is to have a BIP to make this easy for devel=
opers to implement and users to use.</div><div><br></div><div>The main adva=
ntage against silent payments or BIP47 is just that it should be easier to =
implement on both parties involved.</div><div><br></div><div>Regarding the =
`contact`, you are right, it is just a counter, and Carol simply increments=
 this one with each `contact` created. The association between a `contact` =
and the metadata of the contact needs to be stored off-chain, so when recov=
ering the wallet that information is lost if there is no backup.</div><div>=
<br></div><div>Regarding the gap limit, I think that we can be quite strict=
 with it, to make it easier to implement, I would use a gap limit of 2 for =
contacts and no gap limit for the index, there is no point in someone skipp=
ing an address.</div></div><div><br></div><div>Regards.</div><div><br></div=
><div><div><div><div dir=3D"ltr" class=3D"gmail_signature" data-smartmail=
=3D"gmail_signature"><div dir=3D"ltr"><span style=3D"color:rgb(56,118,29)">=
<span style=3D"font-family:arial,helvetica,sans-serif">---=C2=A0 Eloy</span=
></span><br></div></div></div><br></div></div></div><br><div class=3D"gmail=
_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Thu, Sep 29, 2022 at 7:41 =
PM Ruben Somsen &lt;<a href=3D"mailto:rsomsen@gmail.com">rsomsen@gmail.com<=
/a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><=
div dir=3D"ltr">Hi Eloy,<div><br></div><div>Nice idea.<br><div><br></div><d=
iv>Note I thought about and succinctly described a similar scheme here (whi=
ch in turn was derived from work by Kixunil):</div><div><a href=3D"https://=
gist.github.com/RubenSomsen/c43b79517e7cb701ebf77eec6dbb46b8#xpub-sharing" =
target=3D"_blank">https://gist.github.com/RubenSomsen/c43b79517e7cb701ebf77=
eec6dbb46b8#xpub-sharing</a></div><div><br></div><div>I agree with your gen=
eral assessment that this is a scheme that seems like an improvement over t=
he status quo. Note that both BIP47 and Silent Payments don&#39;t require a=
ny interaction with the sender, while this scheme requires one-time interac=
tion (e.g. this wouldn&#39;t be suitable for one-time donations). I think t=
his would mostly be a convenience feature that improves the regular interac=
tive payment flow (interact once, instead of repeatedly asking for addresse=
s with each payment).</div><div><div><br></div><div>&gt;master / purpose=
9; / coin_type&#39; / contact&#39; / index</div><div><br></div><div>Despite=
 your explanation, it&#39;s still not fully clear to me how &quot;contact&q=
uot; is defined, but I assume it&#39;s just a counter? Just in case,=C2=A0n=
ote that you can&#39;t let Bob define it for Carol, as then you can&#39;t d=
eterministically recover your payments without also backing up how it&#39;s=
 defined (the seed alone won&#39;t be enough).</div><div><br></div><div>The=
 gap limit also needs to be kept in mind. If we allow each xpub to have its=
 own gap limit, you potentially get an exponential blowup (gaps in the xpub=
 * gaps in the addresses generated from the xpubs). It may be OK to define =
a low default gap limit for these xpubs, since there should be no reason to=
 expect the same sender to leave any gaps, though this may depend on how th=
e xpubs are used (e.g. it may also be used to derive addresses for others) =
so=C2=A0it&#39;s probably important to be explicit about this.</div><div><b=
r></div><div>Cheers,</div><div>Ruben</div><div><br></div><div><br></div></d=
iv></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gma=
il_attr">On Thu, Sep 22, 2022 at 5:18 PM El_Hoy via bitcoin-dev &lt;<a href=
=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">bitcoin=
-dev@lists.linuxfoundation.org</a>&gt; wrote:<br></div><blockquote class=3D=
"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(2=
04,204,204);padding-left:1ex"><div dir=3D"ltr">There is a known issue on bi=
tcoin, that is that every transaction requires a new address to prevent add=
ress reuse, making it uncomfortable to make recurring payments, as every pa=
yment requires a new off-chain interaction. A scheme is already mentioned o=
n the [on the BIP32 itself][1], but it cannot be implemented as is.<br><br>=
Here I propose a scheme that follows the structure described on [BIP44] tha=
t should make it possible to send recurring payments using a single offline=
 interaction.<br><br>The proposed scheme is:<br><br>=C2=A0 =C2=A0 master / =
purpose&#39; / coin_type&#39; / contact&#39; / index<br><br>Where the defin=
itions of all the levels follow BIP44, except for `contact` that is describ=
ed below.<br><br><div>Example usage: Bob wants to make recurring payments t=
o Carol, so he asks her for a _contact address_, that is, an extended publi=
c key.</div><div><br></div>Bob can use that public key to generate multiple=
 derived addresses to make multiple recurring payments to Carol, the contac=
t address is stored off-chain, anyone inspecting the chain will just see no=
rmal transactions on-chain.<br><div><br></div><div>## Considerations</div><=
div><br></div><div>[BIP47] tries to solve the same issue, but the solution =
is more complex and involves more on-chain transactions that involve data, =
this implementation simpler and requires less work to implement.<br></div><=
div><br></div><div>Also, the derivation path might need some adjustments fo=
r different address types on bitcoin.<br></div><div><br></div><div>Finally,=
 this only works in a single direction and does not make it possible for Ca=
rol to send anything to Bob, as it would require Bob sending her a contact =
address.</div><div><br></div><div>## Advantages<br></div><br><div>A positiv=
e side effect of using this, is that Bob can choose to send payments to Car=
ol using multiple outputs, giving him more privacy.</div><div><br></div><di=
v>Also, those payments can be easily labeled by the receiving wallet, as th=
ey are received.</div><div><br></div><div>Regards.</div><div><br></div>### =
References<br><div><br></div><div>[1]: <a href=3D"https://github.com/bitcoi=
n/bips/blob/master/bip-0032.mediawiki#recurrent-business-to-business-transa=
ctions-nmih0" target=3D"_blank">https://github.com/bitcoin/bips/blob/master=
/bip-0032.mediawiki#recurrent-business-to-business-transactions-nmih0</a><b=
r></div>[BIP47]: <a href=3D"https://github.com/bitcoin/bips/blob/master/bip=
-0047.mediawiki" target=3D"_blank">https://github.com/bitcoin/bips/blob/mas=
ter/bip-0047.mediawiki</a> &quot;Reusable Payment Codes for Hierarchical De=
terministic Wallets&quot;<br>[BIP43]: <a href=3D"https://github.com/bitcoin=
/bips/blob/master/bip-0043.mediawiki#Purpose" target=3D"_blank">https://git=
hub.com/bitcoin/bips/blob/master/bip-0043.mediawiki#Purpose</a><br><br>--- =
Eloy</div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>
</blockquote></div></div>

--0000000000007d8f5a05ea3a30df--