Published on: 2014-01-03T20:39:39+00:00
In an email exchange, Adam Back and Nadav discuss a proposal for a payment scheme using key derivation. This proposal aims to address the limitation of lack of Simple Payment Verification (SPV) compatibility by allowing the recipient to test each payment or the sender to send the derivation key out of band. Adam believes that this proposal has the potential to be more SPV compatible compared to other alternatives. He suggests using prefix filters to receive unlimited unrelated payments with a fixed bandwidth/anonymity set size tradeoff.Adam also points out that approaches such as BIP38 with UI's for creating a new address for every payment have drawbacks. They either increase bandwidth consumption, decrease anonymity set size, or result in lost payments. He acknowledges that most of the bitcoin infrastructure currently uses the bitcoin broadcast channel as the communication channel, which supports payer and payee not being simultaneously online. However, he emphasizes the importance of ensuring that the key is not lost and subsequent data loss events do not result in the loss of money for the recipient.In response to Nadav's suggestion, another user named Gregory Maxwell introduces a different payment scheme. In this scheme, the payee publishes two public keys and the payer picks a k value for signatures. The payer pays to a pubkey derived from multiplying PP2*k with r in the first signature or in an OP_RETURN additional output. The payer advises the payee that PP+(pp2_secret*r) can be redeemed. This scheme offers advantages such as funds not being lost if the payer's computer crashes and complete confidentiality. However, there are downsides, including breaking deterministic DSA unless an OP_RETURN is used.The message also discusses deterministic signatures, which involve generating an ECDSA k value using a private key and HMAC construction. The buyer could generate a random number from a root key, allowing them to recreate their receipts. However, storing the master root on the buyer's computer is necessary. The writer suggests that the payment protocol should already have a similar mechanism.Nadav's proposed payment scheme involves the payer deriving addresses using a random "receipt number" and the payee's master public key. The payer pays to this derived address and sends the receipt to the payee, who derives a private key with it and adds it to their wallet. This scheme offers increased privacy by avoiding address reuse and is asynchronous. It can be used as a replacement for cases where re-used addresses are the most viable solution. The receipt serves as proof of payment, and if the master is known, the payer can prove the payment to a third-party. However, losing the receipt numbers means losing access to funds, and a better-defined channel for sending the receipt to the payee would be beneficial.Overall, the proposed payment schemes aim to improve SPV compatibility, privacy, and convenience in Bitcoin transactions. They introduce various approaches such as key derivation, prefix filters, and deterministic signatures. While they have advantages, there are also limitations and considerations to address.
Updated on: 2023-08-01T07:10:55.609045+00:00