Topic: Silent payments - page 5. (Read 2469 times)

Yes, but I guess what @oryhp says is that if you communicate without a secure connection you can't be sure there isn't someone spying on you without you knowing it. Sure, he can take the money, but what's more valuable? Depends on your threat model. 

You only need to derive millions of addresses from one master public key, and save those with a balance.

You are right if any exchange did get rid of Bitcoin because of silent payments being implemented they would be giving up >50% of their revenue. Exchanges know that altcoins are generating them money only temporary but the long term is Bitcoin. If governments start requiring exchanges to ban any cryptocurrency with privacy features then P2P exchanges will become more prominent and if you ask me I think that will be a good thing because it encourages privacy and usually means people are not going to be using the web wallets on exchanges.

If an attacker can change public keys, he can steal funds instead of monitor the transaction. That's the same result as an attacker who changes the Bitcoin address.

I was thinking the same thing. Maybe because creating a new address for each visitor means they have generate and monitor millions of addresses.

If Alice and Bob communicate through a secure transfer protocol, such as with SSL certificates, then MITM attack becomes more difficult to execute. And they should, with or without silent payments. Otherwise, their internet provider and the server they use to communicate can de-anonymize them.

So why they don't just generate a brand new address in each refresh, for each visitor?

what if the silent payment gets intercepted by a middle man through "Man in the middle attack" whereby Alice' public key was changed by the attacker to his own public key then sends to Bob and in similar way, Bob's public key gets changed by the attacker and forwards his own public key to Alice instead, so can he control the transaction in his favor and compute the both public keys with his private key? And what are the ways to bypass such attack when using silent payment?

The intent of Silent Payments is to minimize address reuse by not requiring to communicate a new address for every transaction. Instead, it allows the party to generate a new address for the other party without interaction. It's basically a non-interactive counterparty address generation, similar to stealth addresses. This is just an overview without implementation details. In theory, if nobody reused addresses, it would not bring any privacy benefits, but in practice a lot of people reuse them. Something to note is that it is in the interest of both parties to not reuse the address. In a transaction, the sender will, most of the time, automatically generate a new address for his/her change output, but if the receiver address is reused, then you know which output is the change output which brings down the privacy not only for the receiver because they reused the address, but for the sender as well because everyone knows which is the change output.

You are right, I misunderstood what silent payment is, I thought the transaction will not be available on blockchain, but not like that, it will be available on the blockchain.

So far the transaction is available on blockchain and transparent to the public but in a way the recipient can not be known (or linked to the identity of the recipient), then this (layer 2) is not needed.

Apparently, you misunderstood the concept. The silent payment is an on-chain transaction like any other: it exists, is written into the blockchain, and is visible to everyone who has a copy of blockchain data. It doesn't hide the fact of payment: it hides the fact that a certain address in the blockchain was derived from the "silent" address you made public. The sender will know that this new address belongs to you because he used your data to generate it. The receiver will know this new address belongs to him because he scans the blockchain for all addresses he can spend. Others will not know this new address is yours because they can't know a secret that was used to create this new address. However, others can generate their own addresses by modifying the "silent" address you made public. Each of these transactions will be broadcast to the network and written into the blockchain.

As far as I understand, this is incorrect.

Let's say TPB accept Silent payments. Someone sends them a donation, which confirms on-chain. Nobody else can know TPB is the receiver, because they can't know which on-chain address belongs to their Silent payment.

I don't think this helps: when opening a LN channel, there's no need to publish your address publicly.

I do not think any exchange can decide not to accept bitcoin because it will have side effect on the exchange, it is true that the transparent bitcoin blockchain helps in adoption but exchanges can decide to accept only on-chain transactions if they want transparency. Even, in a lightning network payment, only what is most transparent is when opening and closing a channel, lightning payment transaction is not also recorded on blockchain.



But silent payment will not be transparent as it is not even existing on blockchain at all and the public will not know about the transaction. The payment will not be traceable.

If this can be like a layer 2, it will be better, in a way there will be a bridge between silent payment and on-chain transaction just like lightning network.

Why? From the blockchain's perspective, nothing changes. It will just show a transaction from address A to address B, and it doesn't matter how the owner of address B gave their address to the owner of address A.

The bitcoin community has never lived in harmony: there have always been disagreements regarding different aspects of bitcoin, namely how bitcoin should work: block size war, what bitcoin should be: a store of value or medium of exchange, and what is more important: adoption at all costs by flirting with governments and corrupt banksters or self-sovereignty of individual users who value being free and independent. There have always been compliant and non-compliant people; there have always been people who understand the importance of privacy and who don't care because "they have nothing to hide"; there have always been people who despise KYC/AML useless regulations and who readily give up everything to gain a small yield. This community has many faces merely because bitcoin is for enemies and friends, for villains and heroes; it's for everyone because it doesn't judge.

As for silent payments, they won't make blockchain less transparent; blockchain will remain public, open, and accessible for everyone to subjectively interpret transactions occurring inside it. Let us not confuse "transparency and openness" with "KYCed transactions" where the identities of both the sender and receiver are known to the world. If the privacy of transactions is compromised by attaching KYC information of participants, bitcoin can no longer be a censorship-resistant and decentralized network. These things simply can't work without one another.  Silent payments may help users protect their right to privacy, which is the right to "selectively reveal yourself to the world."

Don't worry about that. The exchanges could only afford to ban Monero because of it's small market cap. If they were to put a similar ban on BTC then they would have to liquidate their BTC holdings [which represent most of their reserves] and most of them would go under.

It looks like btc will go closer to what Monero was am I right? The problem I see with that is Monero was limited in growth because of the mass bans probably because of KYC. If Bitcoin implements silent payments to increase privacy (Woo!) would this put us at risk of meeting the same fate as Monero? or are we too big?

Great Article mate, while more I read more it makes me think about monero... I remember the 'Fungibility' term in the Mastering Monero book, and I would like to quote that section, because that's the way they worked around the 'Silent Payments':


I like the logic behind the 'Silent payments', but thinking about how the bitcoin blockchain should work with this idea makes my mind blows up.

Bitcoin blockchain was made to be public information, if we start obfuscating transactions then the community will divide, and then the fork will come. That's why I think these silent payments should be focused on a new coin and not be implemented in bitcoin.

Does it imply if there are multiple transaction on the address even when the sender and receiver alone knows about the transaction there is still no privacy? I was thinking if no one else knows about the transaction since it's silent payment then a strong privacy is established. I will like to know more about the "fancy method of generating a single, normal, address from a privkey, nothing else."

Exactly. Consider the following possible use case where silent payments may be very helpful. Say, you're applying for a signature campaign or for some other paid activity where many participants are involved whom you don't trust. In the job application, you specify your silent pseudonym instead of a static bitcoin address accessible to literally everyone who can read. Other participants do exactly the same because they don't want others spying on their financial affairs. The employer makes a list of approved silent pseudonyms, imports this in his private bitcoin wallet, and generates corresponding "real" addresses when it is due time to pay. Each time his wallet makes a payment, it adds multiple unique parameters (txid, index, timestamp, etc) into the address construction process in order to prevent address reuse. If you work for ten weeks, you will end up with ten unique addresses completely unrelated to your initial pseudonym or your other addresses. Even if the employer makes his payment transactions public, it will be impossible for an outside observer to determine which coins belong to which pseudonym. In this case, even employees themselves cannot map transactions with pseudonyms due to equal amounts of some transactions. Only the employer (campaign manager) will know to whom he sent a payment, when, and how much, but he should have access to this information anyway.


Could you elaborate on that?

That is correct, but remember, it *only* works if the address is received from exactly once (and is marked as "spend immediately in the next transaction").

Otherwise, it just becomes a fancy method of generating a single, normal, address from a privkey, nothing else.

That's a lot to ask, and I don't expect 99% of the Bitcoin users to ever fully understand it.

I can have a general idea, but I don't have the illusion I'll ever fully understand all the details of cryptography. And I think that's okay, we don't need to fully understand it to be able to use it.
My layman summary: Silent payments allow me to post an "address" on a public website, and someone can pay me without anyone else knowing they paid me. If that's correct, this is brilliant!

Once you get yourself familiar with how Elliptic-curve Diffie–Hellman key exchange scheme works, it becomes much easier to understand the idea of silent payments and other similar cryptographic privacy-enhancing methods of obscuring transaction processes in the bitcoin network. In a nutshell, all bitcoin users, who practice self-custody of their coins and therefore have direct access to private-public keypairs, can create a shared secret between each other using Diffie–Hellman algorithm. Alice and Bob exchange their public keys, multiply the new public key by the private key they control (elliptic curve multiplication, not an ordinary one), and use this new value in some function they both know about. In the case of silent payments, they create a new public key to which only one party will have a private key.


This part is indeed confusing. I think when they say "payment address," they mean a public key encoded in a specific format to be distinguishable from regular non-silent public key.

Your primary "silent public key" can be derived using standard derivation scheme, whereas all derived silent payments addresses constructed by senders will have a strong mathematical relationship with your public address and therefore are always deterministic. If you lose your private or public key, you can calculate them using your main seed, and than search again to find all connected silent addresses.