MIME-Version: 1.0
References: <rH1Js_T_UWcAg9lS9NDw_Qb6Js5bgs8rPILej69BjqsEZcJZwsvHhZRilkkOQZRGXabai63hrGgbTP2Yk99ojKEN6fU6HT4TmukiafqiKjo=@protonmail.com>
In-Reply-To: <rH1Js_T_UWcAg9lS9NDw_Qb6Js5bgs8rPILej69BjqsEZcJZwsvHhZRilkkOQZRGXabai63hrGgbTP2Yk99ojKEN6fU6HT4TmukiafqiKjo=@protonmail.com>
From: Clark Moody <clark@clarkmoody.com>
Date: Wed, 29 Jun 2022 17:33:26 -0500
Message-ID: <CAHGSxGvfe_quLxrFTPtsHsrtw25h6LiT4m_xrT8aiG-pUf=AYg@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [bitcoin-dev] [BIP proposal] Private Payments
Precedence: list

Alfred,

Thanks for the proposal. This is really interesting, especially the
additional on-chain privacy improvements over BIP47: ephemeral
notifier/sender keys and shielding of the sender key(s) against
seizure of the recipient's wallet.

> A payment code is encoded in base58check and the version byte produces "S=
" for the first character.

This is a bit under-specified, but let me bike-shed here and suggest
going with a Bech32m encoding. We gain more compact QR codes as well
as error detection/correction.

Alternate proposal:

- Bech32m human-readable part =3D "pay"
- Data payload is [watched address type bytes (2), compressed pubkey (33)]

Example:

- Address type bytes =3D c000
- Pubkey 03b54543fbed9d17d9300b508c55769bc4c8385620626730b4d52e5f3e30d9a6c1
- Published payment code:
pay1cqqq8d29g0a7m8ghmycqk5yv24mfh3xg8ptzqcn8xz6d2tjl8ccdnfkpjl7p84

> The owner of a code could simply demand that a notification transaction m=
eets some minimum miner fee or a multiple of some trailing average.

I don't see how this would work, and others have pointed out that the
cost of block space is itself an anti-spam measure.

=3D=3D Notification Service Idea =3D=3D

A third-party service could offer to publish OP_RETURN notification
payloads in the blockchain for a fee, paid over Lightning Network.
This completely de-links Alice's notification from her wallet, while
accepting the less-known privacy implications of a Lightning payment.
The service would remain ignorant of Bob's identity in any event. Such
a service would also be incentivized to charge market rates for the
potential privacy boost and for block space.

=3D=3D Data Service Idea =3D=3D

Another service could publish only the OP_RETURN data pertaining to
this BIP, which is easy to obtain due to the clear tagging scheme.
Light wallets would check in with this service on a regular basis,
performing the ECDH filtering steps on each output. Upon further
request, the service furnishes transaction proofs for the full
transaction containing the OP_RETURN. Care would need to be taken to
avoid leaking too much information to the service, and techniques such
as using separate Tor circuits or requesting tx proofs on a bulk set
of transactions could help obfuscate the exact transaction of
interest. These concerns are similar to those found in BIP157
client-side block filtering (Neutrino filters).

Alternatively, the service publishes the block height along with the
notification data contained within that block. Light clients could
download relevant blocks over the p2p network and perform full
validation.


-Clark

On Mon, Jun 27, 2022 at 2:14 PM Alfred Hodler via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Hi,
>
> There have been attempts to create static payment codes that function as =
a way for transacting parties to create "private" addresses, where private =
stands for "known only to transacting parties". BIP47 was one such standard=
.
>
> The standard suffered from a number of problems:
>
> 1. The standard promised extensibility through versioning but it never us=
ed that capability to follow innovations in the Bitcoin protocol. It was de=
signed around the idea that legacy p2pkh addresses would always be the prim=
ary and only way to transact. As new standard script types started to emerg=
e (Segwit v0, Taproot), the creators dealt with the problem by stating that=
 implementing wallets should scan for all existing standard scripts. The in=
ability of payment codes to explicitly state which address types they deriv=
e places a burden on more resource constrained wallets.
>
> 2. The standard relied on a notification mechanism in order to connect a =
sender with a recipient, which included either offchain technology (Bitmess=
age), or so called "notification addresses" which a) left a footprint b) cr=
eated toxic change. That type of footprint is particularly harmful because =
it makes it obvious that a particular recipient is going to receive private=
 transactions. If the notifying party performs this process with coins link=
ed to its identity (i.e. tainted or non-anonymized inputs), it forever beco=
mes visible that Alice connected with Bob despite the fact that her payment=
 code was blinded. While future transactions and their amounts aren't visib=
le, this metadata makes it possible to build a social graph.
>
> 3. The standard was implemented only by an entity that disavowed the BIP =
process and didn't wish to use it to keep the standard up to date. Further =
updates did take place but only outside the BIP process, creating a lack of=
 clarity as to what the real specification is. Ultimately the standard was =
abandoned.
>
> I propose to build on the idea of payment codes under a new BIP with the =
following principal differences:
>
> 1. The new standard will allocate a 2-byte bitflag array that will signal=
 address/script types that the receiver is deriving. Since the vast majorit=
y of scripts are p2pkh (47.3%) and p2wpkh (26.2%), bits 0 and 1 will be use=
d for those respectively. Bit 2 will be p2tr. The remaining 13 bits are res=
erved for future standard script types.
>
> 2. Notification transactions still exist but no longer leave a privacy fo=
otprint on the blockchain. Instead, a notification transaction is simply a =
single OP_RETURN containing a value that only Alice and Bob can calculate. =
If Alice's notification transaction uses UTXOs not associated with her iden=
tity, there is never a footprint showing that either her or Bob are using p=
rivate payments. If Alice uses tainted coins, only she is exposed as a user=
 of Private Payments but Bob still isn't.
>
> 3. Payment code versioning is no longer done because it creates the poten=
tial for fragmentation and disparate standard updates by different parties =
that don't follow the BIP process (BIP47 is a good example of that).
>
> 4. Relying on static compressed pubkeys as opposed to extended keys means=
 shorter payment codes.
>
> =3D=3DProposed Payment Code Structure=3D=3D
>
> bytes 0-1: - enabled (watched) address types (16 possible address types)
> bytes 2-35: - compressed public key P
>
> =3D=3DEncoding=3D=3D
>
> A payment code is encoded in base58check and the version byte produces "S=
" for the first character. A code might look like "SwLUHs3UfMUXq956aXLTUPPf=
ow7a8gDfSUUAtafwqHcobf6mKcMbJk".
>
> =3D=3DPubkey Derivation=3D=3D
>
> Recipient's payment code pubkey `P` is derived from a master key using th=
e following path: `m/purpose'/coin_type'/account'`. `purpose` will be defin=
ed once a BIP number is assigned. Its corresponding private key is `p`.
>
> Notifier/sender's pubkey `N` is derived using the following derivation pa=
th: `m/purpose'/coin_type'/account'/*`, where each recipient gets a new ind=
ex. This way send-side privacy is always preserved. Its corresponding priva=
te key is `n`.
>
> =3D=3DNotifications=3D=3D
>
> Alice wants to notify Bob that he will receive future payments from her. =
Alice selects any UTXO in her wallet (preferably not associated with her) a=
nd `n_Alice`. Alice selects the public key contained in Bob's payment code =
`P_Bob`. Alice performs the following process (`*` and `+` are EC operation=
s):
>
> notification =3D SHA256(n_Alice * P_Bob)
>
> Alice then constructs a 72-byte OP_RETURN output whose value is set to `B=
IPXXXX + notification + N_Alice` (`+` is concat) and sends it in a transact=
ion containing no other outputs (XXXX to be replaced once a BIP number is a=
ssigned). Alice MUST now keep track of `n_Alice` or its derivation path as =
it will be used in future transactions exclusively with Bob (not for spendi=
ng but to calculate secret addresses).
>
> Bob's wallet receives whole blocks but doesn't need to waste resources on=
 decoding them if the environment is resource constrained. Bob simply needs=
 find the string BIPXXXX in the binary blob that represents an undecoded bl=
ock. Once found, Bob extracts the subsequent 32 bytes (`notification`) and =
the subsequent 33 bytes (`N_Alice`). The benefit of this approach is that B=
ob doesn't have to decode blocks and extract pubkeys from scriptsigs.
>
> Since ECDH dictates that SHA256(n_Alice * P_Bob) =3D=3D SHA256(N_Alice * =
p_Bob), Bob calculates the expected notification value and checks if it mat=
ches the first value in the payload. If so, Bob found a notification transa=
ction addressed to himself and stores `N_Alice` in order to be able to dete=
ct and spend future payments from Alice. The added benefit of this approach=
 over BIP47 is that Bob doesn't learn Alice's payment code, so Alice can pa=
y Bob without revealing her identity. To take advantage of these privacy be=
nefits, Alice simply has to engage in coin control on her end. A real world=
 scenario where this might be useful is anonymous donations to a party whos=
e wallet may be seized in the future. Seizing such a wallet won't reveal wh=
o Alice is (as long as she engages in coin control), whereas BIP47 would by=
 default leak her identity even if her coins as anonymized.
>
> If this process fails for any reason, Bob assumes a spurious notification=
 or one not addressed to himself and gives up.
>
> =3D=3DTransacting=3D=3D
>
> Now that they are connected, Alice can send transactions to Bob. Alice ne=
eds to keep track of her transaction count toward Bob; let's name that coun=
ter `X`. This process is similar to what BIP47 does.
>
> Alice calculates a secret point:
>
> S =3D n_Alice * P_Bob
>
> Alice calculates a shared secret:
>
> s =3D SHA256(S, X)
>
> Alice calculates Bob's ephemeral public key and its associated address wh=
ere the funds will be sent:
>
> P_Bob' =3D P_Bob + s*G
>
> When Bob detects a payment to `P_Bob'`, he can spend such coins by calcul=
ating the shared secret `s` in the same manner using `N_Alice` and `p_Bob` =
and performing:
>
> p_bob' =3D p_bob + s
>
> The fact that Alice and Bob are using a shared counter means we can do aw=
ay with chain codes and make payment codes much smaller. Bob simply needs t=
o derive a number of addresses to watch with respect to some gap limit (whi=
ch can be as low as 1 in practice).
>
> =3D=3DAnti-spam=3D=3D
>
> While DoS hasn't been a problem with BIP47, it is possible to build anti-=
spam measures into payment codes. The owner of a code could simply demand t=
hat a notification transaction meets some minimum miner fee or a multiple o=
f some trailing average. This would help prevent spam notifications that mi=
ght otherwise overwhelm a payment code with addresses to watch. But that is=
 purely optional.
>
> Looking forward to hearing thoughts and ideas.
>
> Alfred
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev