Skip to content

Commit

Permalink
Merge pull request #2 from justusranvier/bip47
Browse files Browse the repository at this point in the history
BIP-47: version 2 payment codes
  • Loading branch information
Kristov Atlas committed Apr 25, 2016
2 parents 5d0b400 + 283aa14 commit 1d45d84
Showing 1 changed file with 70 additions and 2 deletions.
72 changes: 70 additions & 2 deletions bip-0047.mediawiki
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
RECENT CHANGES:
* (19 Apr 2016) Define version 2 payment codes
* (17 Apr 2016) Clarify usage of outpoints in notification transactions
* (18 Dec 2015) Update explanations to resolve FAQs
* (12 Oct 2015) Revise blinding method for notification transactions
<pre>
BIP: 47
Expand Down Expand Up @@ -84,7 +84,27 @@ Hardened derivation is used at this level.

Except where noted, all keys derived from a payment code use the public derivation method.

==Standard Payment Codes (v1)==
==Versions==

Payment codes contain a version byte which identifies a specific set of behavior.

Unless otherwise specified, payment codes of different versions are interoperable. If Alice uses a version x payment code, and Bob uses a version y payment code, they can still send and receive transactions between each other.

Currently specified versions:

* Version 1
** Address type: P2PKH
** Notification type: address
* Version 2
** Address type: P2PKH
** Notification type: bloom-multisig
===Recommended Versions===

* Wallets which have bloom filtering capabilities SHOULD create version 2 payment codes instead of version 1 payment codes.
* Version 1 payment codes are only recommended for wallets which lack access to bloom filtering capability.
==Version 1==

===Representation===

Expand Down Expand Up @@ -127,6 +147,8 @@ It is assumed that Alice can easily obtain Bob's payment code via a suitable met

Prior to the first time Alice initiates a transaction to Bob, Alice MUST inform Bob of her payment code via the following procedure:

Note: this procedure is used if Bob uses a version 1 payment code (regardless of the the version of Alice's payment code). If Bob's payment code is not version 1, see the appropriate section in this specification.

# Alice constructs a transaction which sends a small quantity of bitcoins to Bob's notification address (notification transaction)
## The inputs selected for this transaction MUST NOT be easily associated with Alice's notification address
# Alice derives a unique shared secret using ECDH:
Expand Down Expand Up @@ -180,6 +202,17 @@ Alice SHOULD use an input script in one of the following standard forms to expos
Compatible wallets MAY provide a method for a user to manually specify the public key associated with a notification transaction in order to recover payment codes sent via non-standard notification transactions.

=====Post-Notification Privacy Considerations=====

Incautious handling of change outputs from notification transactions may cause unintended loss of privacy.

The recipient of a transaction which spends a change output from a prior notification transaction will learn about the potential connection between the sender and the recipient of the notification transaction.

The following actions are recommended to reduce this risk:

* Wallets which support mixing SHOULD mix change outputs from notification transactions prior to spending them
* Wallets which do not support mixing MAY simulate mixing by creating a transaction which spends the change output to the next external BIP44 address
====Sending====

# Each time Alice wants to initiate a transaction to Bob, Alice derives a unique P2PKH address for the transaction using ECDH follows:
Expand Down Expand Up @@ -294,6 +327,41 @@ The sender transmits their payment code in base58 form to the calculated Bitmess

In order to use Bitmessage notification, the recipient must have a Bitmessage client which listens at the address which the senders will derive and is capable of relaying received payment codes to the Bitcoin wallet.

==Version 2==

Version 2 payment codes behave identifically to version 1 payment codes, except as modified below.

===Representation===

====Binary Serialization====

* Byte 0: version. required value: 0x02
===Protocol===

====Definitions====

* Notification change output: the change output from a notification transaction which which resides in the sender's wallet, but can be automatically located by the intended recipient
* Payment code identifier: a 33 byte representation of a payment code constructed by prepending 0x02 to the SHA256 hash of the binary serialization of the payment code
====Notification Transaction====

Note: this procedure is used if Bob uses a version 2 payment code (regardless of the the version of Alice's payment code). If Bob's payment code is not version 2, see the appropriate section in this specification.

# Construct a notification transaction as per the version 1 instructions, except do not create the output to Bob's notification address
# Create a notification change address as follows:
## Obtain the pubkey corresponding to the next change address
## Construct a multisig output in the form:
<pre>OP_1 <Bob's payment code identifier> <change address pubkey> OP_2 OP_CHECKMULTISIG</pre>

The relative ordering of the payment code identifier and change address pubkey in the above script MAY be randomized

Bob detects notification transactions by adding his payment code identifier to his bloom filter.

# When the filter returns a notification transaction, the sender's payment code is unblinded using the same procedure as for version 1 notification transactions.
Alice's wallet should spend the notification change output at the next appropriate opportunity.

==Test Vectors==

* [[https://gist.github.com/SamouraiDev/6aad669604c5930864bd|BIP47 Reusable Payment Codes Test Vectors]]
Expand Down

0 comments on commit 1d45d84

Please sign in to comment.