Du kannst diesen Artikel auch auf Deutsch lesen.
In order to send a letter to a friend or family member, you first need to know their postal address. This means that some sort of interaction is required between you and the recipient, that is exchanging the address details, before the actual process of sending the letter can start. However, once the address details have been exchanged once, you can send as many letters as you want without even telling your friend about it. This works because even if your friend is not home, their mailbox is certainly able to receive letters non-interactively – allowing you to surprise your loved ones!
Most readers of this article would probably rather send bitcoin transactions than letters, but the underlying process is actually quite similar: After the initial interaction of exchanging a bitcoin address, you can send as many payments to the recipient as you want, as the address will never expire. And just like a mailbox, a bitcoin wallet does not require any attention or to be “online” to receive payments – allowing you to surprise your loved ones with bitcoin as well!
There is a catch, though, which is the receiver’s privacy. Bitcoin address balances are public, which means that all transactions belonging to an address can be looked up. You might have noticed how the BitBoxApp will always generate new receiving addresses instead of displaying already used ones; a common practice to make it harder for others to associate multiple bitcoin transactions with your identity. The downside of using new addresses all the time is quite obvious: You have to somehow communicate these new bitcoin addresses with your transaction partners each time, which, for some use-cases, can get a bit annoying.
Unsatisfying solutions
As bitcoin addresses are just a small piece of information, they can be communicated in many different shapes and forms. While addresses themselves are not secret information, they are still vulnerable to tampering, which is why the communication channel used to exchange addresses should be reasonably secure – a topic with entirely different problems arising which we explored more thoroughly in a different blog post.
The main issue we want to focus on, for now, is the user experience of repeatedly exchanging bitcoin addresses. Let’s explore a few already established ways to go about this:
- Ignoring it: As mentioned before, bitcoin addresses can be shared once and reused at whim, at the cost of the user’s privacy, of course.
- Manual sharing: Whenever someone wants to pay us in bitcoin, we can manually share a new address with them. While effective in terms of preserving privacy, this method can be inefficient and is not always practical.
- Extended public keys: By sharing the extended public key (xpub) of an entire bitcoin account, the sender can create new addresses on their own. This only solves the problem for single transaction partners at a time, though, because sharing a single extended public key with multiple entities would, again, be a major privacy compromise.
- Addresses on-demand: More advanced users who depend on receiving bitcoin on a business level can use services like BTCPay which take care of the communication part, allowing senders to request new addresses on-demand. This is a great solution for both privacy and user experience, but still requires time and effort to set up and is therefore probably beyond the scope for personal use.
You might notice how none of these solutions are ideal when it comes to day-to-day usage of a bitcoin wallet. All proposals from above seem to come with an unavoidable compromise between privacy and usability, which often leads to users becoming negligent, opting against privacy in favor of ease-of-use.
Exchanging with cryptography
For a more elegant solution to the problem above, we can use a communication channel which is going to be used anyway: the Bitcoin network. With a little cryptography magic, we can exchange the necessary information to create and agree on a new address directly through (or with the help of) a bitcoin transaction. With a mechanism like this, the user would only have to share a single, never changing “payment code”, allowing others to derive new addresses from it, without compromising privacy.
There are mainly two Bitcoin Improvement Proposals for this method today: BIP-47 payment codes and Silent Payments (BIP-352). Let’s take a look at how they work and see if they can really solve the underlying problem adequately.
BIP-47
Payment codes following the BIP-47 specification are already implemented by some wallets today, such as the popular Sparrow Wallet, and are often encoded as “PayNyms”, which are a bit longer than regular bitcoin addresses and can be identified by their starting characters “PM8T”. You might have spotted a PayNym encoded as a fun robot in someone else’s profile picture already:
These BIP-47 payment codes can not only look similar to regular bitcoin addresses, they actually contain one: the notification address. This address is publicly available to everyone with access to the payment code and never changes. To agree on a new bitcoin address, the sender first creates a notification transaction to the notification address, containing a small piece of information in an OP_RETURN output.
This only needs to happen once and allows the sender and recipient to exchange a shared secret by performing a Diffie-Hellman key exchange, a common procedure in cryptography that does not reveal any secret information out in the open.
In short, the sender can now create an arbitrary amount of new bitcoin addresses, without the need to directly communicate with the recipient. By looking at their notification address and the corresponding transactions, the recipient can easily re-create these bitcoin addresses anytime and scour the network for incoming payments.
While preserving privacy and removing the bottleneck of requiring interaction for every new address, BIP-47 payment codes come with an obvious downside: an additional on-chain transaction, which might put an additional price tag on privacy in the future, assuming rising transactions fees. It is also worth noting that even though the final addresses themselves are only shared between the sender and the recipient, the notification transactions are essentially available to everyone – revealing metadata such as the total amount of transaction peers.
Silent Payments
This is where another proposal, silent payments, enters the discussion. In principle, silent payments work very similarly to BIP-47 payment codes, but without the need for a dedicated notification transaction. Anyone with access to a silent payment address can derive a new address from it and send a transaction right away.
At first thought, this sounds like a perfect solution, as all downsides previously mentioned don’t apply here: Addresses remain private, no interaction between the transaction parties is required, and there is no need for more bitcoin transactions than strictly necessary.
However, getting rid of the notification transaction creates an entirely new problem for the recipient: Yes, anyone can easily pay them to a new bitcoin address, but how would they even know about it? The notification transaction previously notified the recipient of a new potential transaction peer, including their public key – information that is now missing.
Instead, the recipient needs to check whether every single new Taproot transaction in the network includes a payment belonging to their silent payment address. This greatly increases the computational burden for the recipient, or their wallet software, respectively, and can make recovery of the wallet quite time-consuming.
Still, silent payments pose a promising solution to the address exchange problem in general and ongoing developments demonstrate that the computational complexity could be at least further reduced in the future. In general, for users of hardware wallets like the BitBox02, payment codes could also help to establish a secure “contact book” by registering them directly on the device. When creating a new address for an already known payment code, no additional verification would be required by the user, as the device can do so on its own. Support for sending to silent payment addresses is currently something we are looking into and may add to the BitBox02 in the future, which would be an important step to accelerate widespread adoption.
Conclusion
The way we share bitcoin addresses with others should ideally not be a compromise between usability and privacy. Even though manually generating new receive addresses involves a few extra steps, it currently remains the most straightforward way to safeguard your privacy with the BitBox02 and BitBoxApp. Payment codes like in BIP-47 or silent payments present an interesting approach to this problem, featuring an important focus on privacy, even though some compromises have to be made along the way.
Don’t own a BitBox yet?
Keeping your crypto secure doesn't have to be hard. The BitBox02 hardware wallet stores the private keys for your cryptocurrencies offline. So you can manage your coins safely.
The BitBox02 also comes in a Bitcoin-only version, featuring a radically focused firmware: less code means less attack surface, which further improves your security when only storing Bitcoin.
Shift Crypto is a privately-held company based in Zurich, Switzerland. Our team of Bitcoin contributors, crypto experts, and security engineers builds products that enable customers to enjoy a stress-free journey from novice to mastery level of cryptocurrency management. The BitBox02, our second generation hardware wallet, lets users store, protect, and transact Bitcoin and other cryptocurrencies with ease - along with its software companion, the BitBoxApp.