diff options
author | Luke-Jr <luke_github1@dashjr.org> | 2016-04-26 00:00:18 +0000 |
---|---|---|
committer | Luke-Jr <luke_github1@dashjr.org> | 2016-04-26 00:00:18 +0000 |
commit | 6015939b3be21ae7bc7bba0f20668660818b612c (patch) | |
tree | b7306b1a8a764c7bab962313a36042c1f34bf299 | |
parent | cf51071ccd4a4e4086a3f8a3fbbb064a30bd8bcb (diff) | |
parent | 1d45d84db6c9ede80a07185db07a19b1463db9aa (diff) |
Merge pull request #377 from OpenBitcoinPrivacyProject/bip47
BIP-0047: version 2 payment codes
-rw-r--r-- | bip-0047.mediawiki | 72 |
1 files changed, 70 insertions, 2 deletions
diff --git a/bip-0047.mediawiki b/bip-0047.mediawiki index 0720eb4..b1145b3 100644 --- a/bip-0047.mediawiki +++ b/bip-0047.mediawiki @@ -1,7 +1,7 @@ RECENT CHANGES: +* (19 Apr 2016) Define version 2 payment codes * (17 Apr 2016) Clarify usage of outpoints in notification transactions * (18 Dec 2015) Update explanations to resolve FAQs -* (12 Oct 2015) Revise blinding method for notification transactions <pre> BIP: 47 @@ -84,7 +84,27 @@ Hardened derivation is used at this level. Except where noted, all keys derived from a payment code use the public derivation method. -==Standard Payment Codes (v1)== +==Versions== + +Payment codes contain a version byte which identifies a specific set of behavior. + +Unless otherwise specified, payment codes of different versions are interoperable. If Alice uses a version x payment code, and Bob uses a version y payment code, they can still send and receive transactions between each other. + +Currently specified versions: + +* Version 1 +** Address type: P2PKH +** Notification type: address +* Version 2 +** Address type: P2PKH +** Notification type: bloom-multisig + +===Recommended Versions=== + +* Wallets which have bloom filtering capabilities SHOULD create version 2 payment codes instead of version 1 payment codes. +* Version 1 payment codes are only recommended for wallets which lack access to bloom filtering capability. + +==Version 1== ===Representation=== @@ -127,6 +147,8 @@ It is assumed that Alice can easily obtain Bob's payment code via a suitable met Prior to the first time Alice initiates a transaction to Bob, Alice MUST inform Bob of her payment code via the following procedure: +Note: this procedure is used if Bob uses a version 1 payment code (regardless of the the version of Alice's payment code). If Bob's payment code is not version 1, see the appropriate section in this specification. + # Alice constructs a transaction which sends a small quantity of bitcoins to Bob's notification address (notification transaction) ## The inputs selected for this transaction MUST NOT be easily associated with Alice's notification address # Alice derives a unique shared secret using ECDH: @@ -180,6 +202,17 @@ Alice SHOULD use an input script in one of the following standard forms to expos Compatible wallets MAY provide a method for a user to manually specify the public key associated with a notification transaction in order to recover payment codes sent via non-standard notification transactions. +=====Post-Notification Privacy Considerations===== + +Incautious handling of change outputs from notification transactions may cause unintended loss of privacy. + +The recipient of a transaction which spends a change output from a prior notification transaction will learn about the potential connection between the sender and the recipient of the notification transaction. + +The following actions are recommended to reduce this risk: + +* Wallets which support mixing SHOULD mix change outputs from notification transactions prior to spending them +* Wallets which do not support mixing MAY simulate mixing by creating a transaction which spends the change output to the next external BIP44 address + ====Sending==== # Each time Alice wants to initiate a transaction to Bob, Alice derives a unique P2PKH address for the transaction using ECDH follows: @@ -294,6 +327,41 @@ The sender transmits their payment code in base58 form to the calculated Bitmess In order to use Bitmessage notification, the recipient must have a Bitmessage client which listens at the address which the senders will derive and is capable of relaying received payment codes to the Bitcoin wallet. +==Version 2== + +Version 2 payment codes behave identifically to version 1 payment codes, except as modified below. + +===Representation=== + +====Binary Serialization==== + +* Byte 0: version. required value: 0x02 + +===Protocol=== + +====Definitions==== + +* Notification change output: the change output from a notification transaction which which resides in the sender's wallet, but can be automatically located by the intended recipient +* Payment code identifier: a 33 byte representation of a payment code constructed by prepending 0x02 to the SHA256 hash of the binary serialization of the payment code + +====Notification Transaction==== + +Note: this procedure is used if Bob uses a version 2 payment code (regardless of the the version of Alice's payment code). If Bob's payment code is not version 2, see the appropriate section in this specification. + +# Construct a notification transaction as per the version 1 instructions, except do not create the output to Bob's notification address +# Create a notification change address as follows: +## Obtain the pubkey corresponding to the next change address +## Construct a multisig output in the form: +<pre>OP_1 <Bob's payment code identifier> <change address pubkey> OP_2 OP_CHECKMULTISIG</pre> + +The relative ordering of the payment code identifier and change address pubkey in the above script MAY be randomized + +Bob detects notification transactions by adding his payment code identifier to his bloom filter. + +# When the filter returns a notification transaction, the sender's payment code is unblinded using the same procedure as for version 1 notification transactions. + +Alice's wallet should spend the notification change output at the next appropriate opportunity. + ==Test Vectors== * [[https://gist.github.com/SamouraiDev/6aad669604c5930864bd|BIP47 Reusable Payment Codes Test Vectors]] |