Re: [bitcoin-dev] BIP47 Prague Discussion

From: Paul Sztorc <truthcoin@gmail•com>
To: Ruben Somsen <rsomsen@gmail•com>,
	 Bitcoin Protocol Discussion
	<bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] BIP47 Prague Discussion
Date: Sat, 11 Jun 2022 10:30:13 -0400	[thread overview]
Message-ID: <CA+XQW1gYpv5BNBP07xP5RVRF4KD=K+tN8-3uxU3nai9x5Z5eZA@mail.gmail.com> (raw)
In-Reply-To: <CAPv7TjYXSStBWCnFcuJjVv8AAD6EGN9Vxg30XCF2UHyS5z89mw@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 5536 bytes --]

FYI there is a version 3 of bip47 (which Ranvier published somewhere else
[0]). It already gets them down to a marginal 64 bytes, with a small
privacy drawback.

The transaction from A can be double used as both a notification to Bob and
a payment to Bob. The notification output is multisig OP [Key1] [Key2]
[Key3] , one being change for A (a sunk cost), K2 being the signal to B,
and K3 being a blinded code only B can read.

From there you can simply insert another output to Bob (to actually pay
him), insert decoy change outputs, or swap Key1 for Bobs key, making it
impossible (at least) to tell *how much* someone is paying to Bob and how
much is change for Alice.

But everyone does know that a new bidirectional relationship to Bob (from
someone) is being established, of course.

[0]
https://github.com/OpenBitcoinPrivacyProject/rfc/blob/master/obpp-05.mediawiki

Paul

On Sat, Jun 11, 2022, 6:03 AM Ruben Somsen via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

> This discussion took place at Pizza Day Prague 2022[0] after a brief
> discussion on Silent Payments[1]. The main points have been summarized
> below.
>
> The discussion was mainly between Alekos Filini, Martin Habovštiak, and
> myself, as well as Daniela Brozzoni, Eric Sirion, Pavol Rusnak, Salvatore
> Ingala, and others.
>
> Also available as a gist:
> https://gist.github.com/RubenSomsen/21c477c90c942acf45f8e8f5c1ad4fae
>
> And my personal opinion can be found in the comments:
>
> https://gist.github.com/RubenSomsen/21c477c90c942acf45f8e8f5c1ad4fae?permalink_comment_id=4197284#gistcomment-4197284
>
>
> Improving BIP47
>
> BIP47 requires a notification transaction prior to making payments. This
> transaction takes up on-chain space and can easily leak privacy if not
> handled with extreme caution. In practice this is quite hard.
>
> The discussion revolved around whether we can a.) minimize the on-chain
> space required and b.) outsource the notification transaction so the link
> between the sender and recipient is no longer apparent on-chain.
>
>
> BIP47 space requirements
>
> As currently implemented, BIP47 (V1/V2)[2] requires an input key for
> blinding, the blinded sender payment code in an op_return, and the
> recipient key in an output.
>
> The first question that came up was whether it is necessary for the
> recipient to learn the payment code of the sender. The benefit is that this
> enables the recipient to send a notification transaction and subsequent
> payment to the sender, but in practice this never happens. It therefore
> seems acceptable to forego this requirement, as this potentially saves
> space. The minimum notification payload that seems required is a fresh
> sender key and a static recipient key.
>
> The sender key should ideally be deterministically derived from the sender
> xpub based on the recipient key. If the user checks all the keys that were
> registered with the recipient prior to notification, it can statelessly
> find out whether the sender key was already previously registered. This
> step can be skipped, which is easier for light clients, but means the
> notification transaction will have to be resent if the user ever forgets
> they already sent a notification (such as when restoring from backup).
>
>
> Outsourcing the notification
>
> The next part of the discussion revolved around the idea of putting
> multiple notifications in a single transaction that can be outsourced to a
> third party in order to break the sender/recipient link. This third party
> could be paid over the Lightning Network for their services.
>
> One idea was to use the taproot annex to insert the notification payload
> as (discounted) witness data. One downside with this approach is that it
> requires custom software for the recipient to notice the notification,
> since it's not tied to an easily noticeable output. The middle ground
> solution would be to put the sender keys there but still create an output
> for each recipient key.
>
>
> Allowing collisions
>
> One interesting point that came up was that you could represent the
> recipient key using e.g. only 4 bytes (provided you put it in the annex).
> This leaves a window of 1 in ~4.3 billion for a collision, but the extra
> work that needs to be performed when it does happen is negligible
> (essentially expecting a payment while there is none). This would reduce
> the payload from 64 bytes to 36 bytes of witness data.
>
> While this did not come up in the discussion, it should be noted that
> using the annex makes the transaction non-standard[3]. It could either be
> standardized as the first use case for the annex, or perhaps an alternative
> method[4] should be considered.
>
>
> [0] Pizza Day Prague 2022: https://www.pizzaday.cz
>
> [1] Silent Payments:
> https://gist.github.com/RubenSomsen/c43b79517e7cb701ebf77eec6dbb46b8
>
> [2] BIP47: https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki
>
> [3] Annex non-standard:
> https://github.com/bitcoin/bitcoin/pull/17977/files#diff-ea6d307faa4ec9dfa5abcf6858bc19603079f2b8e110e1d62da4df98f4bdb9c0R250
>
> [4] Using p2wsh:
> https://gist.github.com/RubenSomsen/21c477c90c942acf45f8e8f5c1ad4fae?permalink_comment_id=4189419#gistcomment-4189419
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

[-- Attachment #2: Type: text/html, Size: 7428 bytes --]