* [bitcoin-dev] RFC for a BIP32 recurrent address derivation scheme
@ 2022-09-22 3:06 El_Hoy
2022-09-29 22:41 ` Ruben Somsen
0 siblings, 1 reply; 3+ messages in thread
From: El_Hoy @ 2022-09-22 3:06 UTC (permalink / raw)
To: Bitcoin DEV
[-- Attachment #1: Type: text/plain, Size: 2123 bytes --]
There is a known issue on bitcoin, that is that every transaction requires
a new address to prevent address reuse, making it uncomfortable to make
recurring payments, as every payment requires a new off-chain interaction.
A scheme is already mentioned on the [on the BIP32 itself][1], but it
cannot be implemented as is.
Here I propose a scheme that follows the structure described on [BIP44]
that should make it possible to send recurring payments using a single
offline interaction.
The proposed scheme is:
master / purpose' / coin_type' / contact' / index
Where the definitions of all the levels follow BIP44, except for `contact`
that is described below.
Example usage: Bob wants to make recurring payments to Carol, so he asks
her for a _contact address_, that is, an extended public key.
Bob can use that public key to generate multiple derived addresses to make
multiple recurring payments to Carol, the contact address is stored
off-chain, anyone inspecting the chain will just see normal transactions
on-chain.
## Considerations
[BIP47] tries to solve the same issue, but the solution is more complex and
involves more on-chain transactions that involve data, this implementation
simpler and requires less work to implement.
Also, the derivation path might need some adjustments for different address
types on bitcoin.
Finally, this only works in a single direction and does not make it
possible for Carol to send anything to Bob, as it would require Bob sending
her a contact address.
## Advantages
A positive side effect of using this, is that Bob can choose to send
payments to Carol using multiple outputs, giving him more privacy.
Also, those payments can be easily labeled by the receiving wallet, as they
are received.
Regards.
### References
[1]:
https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#recurrent-business-to-business-transactions-nmih0
[BIP47]: https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki
"Reusable Payment Codes for Hierarchical Deterministic Wallets"
[BIP43]:
https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki#Purpose
--- Eloy
[-- Attachment #2: Type: text/html, Size: 2762 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [bitcoin-dev] RFC for a BIP32 recurrent address derivation scheme 2022-09-22 3:06 [bitcoin-dev] RFC for a BIP32 recurrent address derivation scheme El_Hoy @ 2022-09-29 22:41 ` Ruben Somsen 2022-10-04 19:08 ` El_Hoy 0 siblings, 1 reply; 3+ messages in thread From: Ruben Somsen @ 2022-09-29 22:41 UTC (permalink / raw) To: El_Hoy, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 4112 bytes --] Hi Eloy, Nice idea. Note I thought about and succinctly described a similar scheme here (which in turn was derived from work by Kixunil): https://gist.github.com/RubenSomsen/c43b79517e7cb701ebf77eec6dbb46b8#xpub-sharing I agree with your general assessment that this is a scheme that seems like an improvement over the status quo. Note that both BIP47 and Silent Payments don't require any interaction with the sender, while this scheme requires one-time interaction (e.g. this wouldn't be suitable for one-time donations). I think this would mostly be a convenience feature that improves the regular interactive payment flow (interact once, instead of repeatedly asking for addresses with each payment). >master / purpose' / coin_type' / contact' / index Despite your explanation, it's still not fully clear to me how "contact" is defined, but I assume it's just a counter? Just in case, note that you can't let Bob define it for Carol, as then you can't deterministically recover your payments without also backing up how it's defined (the seed alone won't be enough). The gap limit also needs to be kept in mind. If we allow each xpub to have its own gap limit, you potentially get an exponential blowup (gaps in the xpub * gaps in the addresses generated from the xpubs). It may be OK to define a low default gap limit for these xpubs, since there should be no reason to expect the same sender to leave any gaps, though this may depend on how the xpubs are used (e.g. it may also be used to derive addresses for others) so it's probably important to be explicit about this. Cheers, Ruben On Thu, Sep 22, 2022 at 5:18 PM El_Hoy via bitcoin-dev < bitcoin-dev@lists•linuxfoundation.org> wrote: > There is a known issue on bitcoin, that is that every transaction requires > a new address to prevent address reuse, making it uncomfortable to make > recurring payments, as every payment requires a new off-chain interaction. > A scheme is already mentioned on the [on the BIP32 itself][1], but it > cannot be implemented as is. > > Here I propose a scheme that follows the structure described on [BIP44] > that should make it possible to send recurring payments using a single > offline interaction. > > The proposed scheme is: > > master / purpose' / coin_type' / contact' / index > > Where the definitions of all the levels follow BIP44, except for `contact` > that is described below. > > Example usage: Bob wants to make recurring payments to Carol, so he asks > her for a _contact address_, that is, an extended public key. > > Bob can use that public key to generate multiple derived addresses to make > multiple recurring payments to Carol, the contact address is stored > off-chain, anyone inspecting the chain will just see normal transactions > on-chain. > > ## Considerations > > [BIP47] tries to solve the same issue, but the solution is more complex > and involves more on-chain transactions that involve data, this > implementation simpler and requires less work to implement. > > Also, the derivation path might need some adjustments for different > address types on bitcoin. > > Finally, this only works in a single direction and does not make it > possible for Carol to send anything to Bob, as it would require Bob sending > her a contact address. > > ## Advantages > > A positive side effect of using this, is that Bob can choose to send > payments to Carol using multiple outputs, giving him more privacy. > > Also, those payments can be easily labeled by the receiving wallet, as > they are received. > > Regards. > > ### References > > [1]: > https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#recurrent-business-to-business-transactions-nmih0 > [BIP47]: https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki > "Reusable Payment Codes for Hierarchical Deterministic Wallets" > [BIP43]: > https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki#Purpose > > --- Eloy > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 5581 bytes --] ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [bitcoin-dev] RFC for a BIP32 recurrent address derivation scheme 2022-09-29 22:41 ` Ruben Somsen @ 2022-10-04 19:08 ` El_Hoy 0 siblings, 0 replies; 3+ messages in thread From: El_Hoy @ 2022-10-04 19:08 UTC (permalink / raw) To: Ruben Somsen; +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 5392 bytes --] Hi Ruben, Thanks for your comments. I've noticed that there are lots of mentions of using a scheme like this, but there is no framework to ease the usage of such a scheme and to add interoperability between different implementations. So any implementation requires some manual work on both parties. The idea is to have a BIP to make this easy for developers to implement and users to use. The main advantage against silent payments or BIP47 is just that it should be easier to implement on both parties involved. Regarding the `contact`, you are right, it is just a counter, and Carol simply increments this one with each `contact` created. The association between a `contact` and the metadata of the contact needs to be stored off-chain, so when recovering the wallet that information is lost if there is no backup. Regarding the gap limit, I think that we can be quite strict with it, to make it easier to implement, I would use a gap limit of 2 for contacts and no gap limit for the index, there is no point in someone skipping an address. Regards. --- Eloy On Thu, Sep 29, 2022 at 7:41 PM Ruben Somsen <rsomsen@gmail•com> wrote: > Hi Eloy, > > Nice idea. > > Note I thought about and succinctly described a similar scheme here (which > in turn was derived from work by Kixunil): > > https://gist.github.com/RubenSomsen/c43b79517e7cb701ebf77eec6dbb46b8#xpub-sharing > > I agree with your general assessment that this is a scheme that seems like > an improvement over the status quo. Note that both BIP47 and Silent > Payments don't require any interaction with the sender, while this scheme > requires one-time interaction (e.g. this wouldn't be suitable for one-time > donations). I think this would mostly be a convenience feature that > improves the regular interactive payment flow (interact once, instead of > repeatedly asking for addresses with each payment). > > >master / purpose' / coin_type' / contact' / index > > Despite your explanation, it's still not fully clear to me how "contact" > is defined, but I assume it's just a counter? Just in case, note that you > can't let Bob define it for Carol, as then you can't deterministically > recover your payments without also backing up how it's defined (the seed > alone won't be enough). > > The gap limit also needs to be kept in mind. If we allow each xpub to have > its own gap limit, you potentially get an exponential blowup (gaps in the > xpub * gaps in the addresses generated from the xpubs). It may be OK to > define a low default gap limit for these xpubs, since there should be no > reason to expect the same sender to leave any gaps, though this may depend > on how the xpubs are used (e.g. it may also be used to derive addresses for > others) so it's probably important to be explicit about this. > > Cheers, > Ruben > > > > On Thu, Sep 22, 2022 at 5:18 PM El_Hoy via bitcoin-dev < > bitcoin-dev@lists•linuxfoundation.org> wrote: > >> There is a known issue on bitcoin, that is that every transaction >> requires a new address to prevent address reuse, making it uncomfortable to >> make recurring payments, as every payment requires a new off-chain >> interaction. A scheme is already mentioned on the [on the BIP32 itself][1], >> but it cannot be implemented as is. >> >> Here I propose a scheme that follows the structure described on [BIP44] >> that should make it possible to send recurring payments using a single >> offline interaction. >> >> The proposed scheme is: >> >> master / purpose' / coin_type' / contact' / index >> >> Where the definitions of all the levels follow BIP44, except for >> `contact` that is described below. >> >> Example usage: Bob wants to make recurring payments to Carol, so he asks >> her for a _contact address_, that is, an extended public key. >> >> Bob can use that public key to generate multiple derived addresses to >> make multiple recurring payments to Carol, the contact address is stored >> off-chain, anyone inspecting the chain will just see normal transactions >> on-chain. >> >> ## Considerations >> >> [BIP47] tries to solve the same issue, but the solution is more complex >> and involves more on-chain transactions that involve data, this >> implementation simpler and requires less work to implement. >> >> Also, the derivation path might need some adjustments for different >> address types on bitcoin. >> >> Finally, this only works in a single direction and does not make it >> possible for Carol to send anything to Bob, as it would require Bob sending >> her a contact address. >> >> ## Advantages >> >> A positive side effect of using this, is that Bob can choose to send >> payments to Carol using multiple outputs, giving him more privacy. >> >> Also, those payments can be easily labeled by the receiving wallet, as >> they are received. >> >> Regards. >> >> ### References >> >> [1]: >> https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#recurrent-business-to-business-transactions-nmih0 >> [BIP47]: https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki >> "Reusable Payment Codes for Hierarchical Deterministic Wallets" >> [BIP43]: >> https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki#Purpose >> >> --- Eloy >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists•linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> > [-- Attachment #2: Type: text/html, Size: 7480 bytes --] ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-10-04 19:08 UTC | newest] Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-09-22 3:06 [bitcoin-dev] RFC for a BIP32 recurrent address derivation scheme El_Hoy 2022-09-29 22:41 ` Ruben Somsen 2022-10-04 19:08 ` El_Hoy
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox