Topic: Silent payments - page 6. (Read 2469 times)

Privacy and fungibility are directly related because bitcoins can be discriminated by address and addresses can be associated with people, but I agree that "privacy" is more appropriate.

Anyway, I don't think that this payment method greatly improves privacy because it only removes the need for the receiver to communicate with the sender. If communication is already private, then nothing is gained.

Yep, that was my point.

I don't think there's a reason to put this verb next to it. Something is either fungible or it isn't. You can't have it both ways.

Even worse. The bank rejects your deposit and requires personal info to... Verify you're an idiot? 

That's literally what fungibility means Bitcoin is fungible. You could argue it's not possible to "improve fungibility" because it's perfect already. But some people talk about "dirty Bitcoin", which means they don't think all Bitcoins are equal:
It's like complaining to a bank that the banknotes you received were previously used in a crime. It doesn't matter.

They don't, because there is not such thing as fungibility. It's a made up nonsense. One coin is, and should be equal with any other. Period. The only ones who disagree with this principle are exchanges that cooperate with surveillance companies, and which enforce completely arbitrary rules. They blacklist coins that are either CoinJoined, PayJoined or come from a mixer. It won't surprise me if they asked to provide further info because of "input silence".

You were probably referring to privacy.

I have an idea to somewhat reduce the cost of scanning transactions:

We know that a spending transaction will automatically reveal the sender's public key (in the DER signature area). Each block has on average 10K-20K transactions nowadays (sometimes upwards to 50K). That automatically assumes 50K validations required, which will increase if a transaction has multiple outputs.

In the case of Bitcoin Core, the validation can be multi-threaded if so desired to save time. An additional thread can scan the incoming block to harvest public keys from transactions, and save this to an additional file (perhaps a BDB called pubkeys.dat.xxxx). This will make block validation & wallet balance scanning on startup much quicker as block data doesn't need to be parsed again.

In such a way, we not only have a cache of pubkeys, we can also speed up the silent key scanning process if we so wanted.

Some pseudo [because I don't know libsecp256k1 semantics] C++ that could form the nucleus of validation is given below.

While the complexity could be reduced with software which has nice UI/UX. But looking at adaption of similar proposal (BIP 47 and 75), i have to agree.


If the recipient must calculate/check public key, wouldn't BIP 158 reduce the disadvantage since it's designed for light wallet?

There are differences between public key and address while referring to bitcoin. In the proposal, public key is referred to as address which would be very confusing because public key is different from address. Although, I get the fact that this type of payment is completely different from onchain payment.

The recipient publishes their silent payment address, a single 32 byte public key: X = x*G

It would be quite worth it to discuss more about this, I scanned through the proposal on GitHub but I did not see anything like incentivizing a receiver running node.

To be sincere, the process is kind of complicated and not supporting BIP32 HD keys which even BIP44, 49, 84 and 86 are using its path for HD key generation. I mean which defines HD wallet.

How is this a benefit, according to the proposal?

Which makes address reuse prevention not to be possible and also not favoring light clients. A complicated process that will enhance address reuse should not be recommended like you also commented, it is really a disadvantage.

Never mind my questions, I will also like to know more about fee in relation to silent payment? Having no fee? Or this may lead to more discussion.

Even while using lightning network, onchain transactions are used to open and close a channel and yet the bitcoin would be credited to an address generated by standardized derivation path which this proposal do not include and yet indicating not including the derivation path as a benefit.

Likely, some address types will not be supported which has not happened before.

This is just my opinion, I may not be totally right, but if I am corrected.

After reading it a few times, I think I'm starting to understand it. I would add another Con: something very simple suddenly becomes very complicated.

Your schema remember me what in Monero is called Stealth Addresses:

Maybe this can be useful to compare the ideas:
https://www.getmonero.org/library/MoneroAddressesCheatsheet20201206.pdf

Introduction

In this thread, I would like to discuss an interesting proposal by Ruben Somsen called "Silent payments," which is a privacy-improving technique aimed at making payments between two parties on the blockchain less transparent for an outside observer. It is based on such concepts as "stealth addresses" and "reusable payment codes" and essentially is trying to solve the same problem but in a more elegant way.

The basic idea

The basic idea is the following: user A publishes some identifier (usually a public key), and user B combines his private key with the published key of A and creates a unique address from which only A can spend. User C can also send money to user A by combining his private key with an address of A and deriving another unique address. User A will know that both users B and C sent him money, but B and C won't know about each other. Therefore, that allows user A to receive payments on completely delinked addresses using only one public address.

How it works

Say Bob wants to send a silent payment to Alice.

1) Alice creates a unique identifier (say, a public key) using standard elliptic curve mathematics:

 A = a*G, where

A - Alice's public key (a point on an elliptic curve),
a - Alice's private key (a random number which should be kept in secret), and
G - the generator point (some pre-defined point on an elliptic curve).

2) Alice makes this identifier A public so that Bob (and also other users such as Carol) can know where to send payments.

3) Bob chooses one of the inputs he controls which contains a public key

B = b*G, where

B - Bob's public key (a point on an elliptic curve),
b - Bob's private key (a random integer which only Bob knows), and
G - the generator point.

4) Bob takes Alice's public key A and constructs a new public key using the following formula:

A' = hash(b*A)*G + A, where

A' - a public key to which Bob's payment is made.

5) Bob makes a payment to Alice creating an output associated with a previously constructed public key A'.

6) Given that b*A = b*a*G = a*b*G = a*B, Alice can reconstruct the same public key A' using her private key a with the following formula:

A' = (hash(a*B) + a)*G, where

hash(a*B) + a - Alice's new private key which allows her to spend money from the output corresponding to public key A'.

However, the problem is Alice needs to know Bob's public key B to detect her payment, which is why she continually scans the blockchain trying to figure out which of the public keys can be combined with her private key a to reconstruct existing bitcoin addresses.


Pros:

1) No interaction between senders and receivers is needed. For a sender to make a payment, he only needs to construct one address from the receiver's silent public key.

2) Silent payments use blockspace more efficiently since there is no need for any "announcement" transactions, as in the case of BIP47. Therefore, one transaction equals one payment, which is perfect for one-time donations

3) Silent transactions are indistinguishable from regular transactions (e.g. no OP_RETURN outputs to share an ephemeral public key as in the case of "Stealth addresses"), which means with them, it is trivial for users to hide in the crowd - the anonymity set is the whole blockchain.

4) Addresses derived from the initial silent public key are always deterministic and unique because each sender uses his own unique keys to tweak the receiver's silent public key.

5) Silent payments incentivize a receiver of funds to keep their own Bitcoin full node running, which automatically results in a more decentralized network.

6) No one, except for the sender of the transaction and its receiver, will know that the payment actually occurred.

7) Silent payments greatly improve the fungibility of bitcoin transactions.

Cons:

1) The biggest disadvantage of this technique is the relatively high validation cost. Given that a recipient of payments doesn't know in advance which bitcoin addresses can be spent with a private key he controls, he has to check each input of each transaction, calculating and comparing public keys.

2) Sender's potential for address reuse. When a sender has multiple inputs sharing the same public key, each of these inputs will result in the same calculated address. Reusing the address is considered bad privacy practice and should be avoided at all costs. This could be mitigated by including additional information into the computational process, but creates an additional burden, especially for light clients. Alternatively, a sender can spend all inputs in a single transaction, but this also reveals common ownership, which damages privacy.


References:

1] https://gist.github.com/RubenSomsen/c43b79517e7cb701ebf77eec6dbb46b8
2] https://github.com/genjix/bips/blob/master/bip-stealth.mediawiki
3] https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki
4] https://en.m.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman
5] https://bitcoinops.org/en/newsletters/2022/04/06/
6] https://bitcoinmagazine.com/technical/bitcoin-silent-payments-secret-keys
7] https://bitcoinmagazine.com/technical/improving-bitcoin-privacy-with-silent-payments
8] https://gist.github.com/w0xlt/72390ded95dd797594f80baba5d2e6ee