BIP for Proof of Payment



Summary:

The conversation between Tom Harding, Pieter Wuille, and Kalle Rosenbaum focused on the importance of merchants ensuring that they only accept a Proof of Payment (PoP) provided as a response to their challenge. Kalle Rosenbaum emphasized that merchants should check the nonce in the PoP to ensure that it matches the nonce in the PoP request.

Pieter Wuille expressed confusion about the purpose of PoP, stating that having paid is not the same as having had access to the input coins. Kalle Rosenbaum clarified that PoP is intended to be a proof that one has paid for something, not that they have the intent to pay for something. Kalle Rosenbaum also proposed a list of alternative names for PoP but still preferred "Proof of Payment" as the most descriptive to non-technical people.

PoP is described in a BIP proposal authored by Kalle Rosenbaum, with the purpose of proving ownership of the credentials needed to unlock all the inputs of a transaction. It can be used in various scenarios where it would be useful to prove that you have paid for something without any personal information being involved. A PoP has the same structure as a bitcoin transaction with the same inputs as the transaction it is proving, but with each sequence number set to 0. There is exactly one output, called the pop output, with value 0. The lock_time of the PoP must be set to 499999999 to prevent the PoP from being included in a block if it appears on the bitcoin p2p network. The PoP is signed using the same signing process that is used for bitcoin transactions, and the nonce is used to make it harder to use a stolen PoP.

The PoP protocol involves creating a proof that can be verified by the server, starting with the user initiating a transaction T. The wallet creates an unsigned PoP (UPoP) for T, which the user signs. The UPoP(T) is signed by the wallet, creating PoP(T), which is sent to the destination. The server receiving the PoP validates it and responds with "valid" or "invalid".

To validate a PoP, the server checks the format of the PoP and that there is exactly one output with value 0 conforming to the OP_RETURN output format outlined above. The nonce must also be the same as the one requested. The inputs of the PoP must be exactly the same as in transaction T, except that the sequence numbers must all be 0. All scripts of the inputs must return true, and the txid in the PoP output must be the transaction you actually want proof for.

Security considerations include the possibility of interception and alteration of the PoP request, which can be mitigated by using secure connections. The server should have a mechanism for detecting a brute force attack of this kind or at least delay the PoP request by some 100 ms or so. Even if a wallet has no funds, it might still be valuable as a generator for PoPs, making it important to keep the security of the wallet after it has been emptied.

The reference implementation for PoP can be found on GitHub, along with a Mycelium fork. The BIP0021 URI Scheme and BIP0070 Payment Protocol are referenced, as well as the btcpop scheme BIP.
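
The server-side validation steps summarized above can be sketched as follows; this is an added example, not code from the BIP or its reference implementation. It assumes the PoP has already been decoded by a Bitcoin library into the hypothetical `DecodedPop` shape, that script execution is delegated to a `scripts_ok` callback, and that each issued nonce is accepted only once (a design choice made here for illustration).

```python
from dataclasses import dataclass

POP_LOCK_TIME = 499999999  # lock_time the summary gives for every PoP

@dataclass(frozen=True)
class TxIn:
    prev_txid: str
    prev_index: int
    sequence: int

@dataclass(frozen=True)
class DecodedPop:  # hypothetical shape: a PoP already parsed by a Bitcoin library
    inputs: tuple
    output_values: tuple   # value of every output in the PoP
    lock_time: int
    proven_txid: str       # txid carried in the pop output
    nonce: bytes           # nonce carried in the pop output

def validate_pop(pop, tx_inputs, wanted_txid, pending, request_id, scripts_ok):
    """Return (ok, reason). `pending` maps a PoP request id to the nonce issued for it."""
    # Assumption: the nonce is consumed on the first attempt, so a captured PoP cannot be replayed.
    expected = pending.pop(request_id, None)
    if expected is None:
        return False, "no outstanding PoP request"
    if pop.nonce != expected:
        return False, "nonce does not match the request"
    if pop.output_values != (0,):
        return False, "need exactly one output with value 0"
    if pop.lock_time != POP_LOCK_TIME:
        return False, "unexpected lock_time"
    if any(i.sequence != 0 for i in pop.inputs):
        return False, "every sequence number must be 0"
    outpoints = lambda ins: [(i.prev_txid, i.prev_index) for i in ins]
    if outpoints(pop.inputs) != outpoints(tx_inputs):
        return False, "inputs differ from transaction T"
    if pop.proven_txid != wanted_txid:
        return False, "PoP is for a different transaction"
    if not scripts_ok(pop):  # signature/script checks are left to the Bitcoin library
        return False, "input script failed"
    return True, "valid"

if __name__ == "__main__":
    # Constructed sample data, not real transactions.
    T = (TxIn("aa" * 32, 0, 0xFFFFFFFF),)
    pop = DecodedPop((TxIn("aa" * 32, 0, 0),), (0,), POP_LOCK_TIME, "bb" * 32, b"\x01\x02\x03")
    pending = {"req-1": b"\x01\x02\x03"}
    accept = lambda p: True  # stand-in for real script verification
    print(validate_pop(pop, T, "bb" * 32, pending, "req-1", accept))
    print(validate_pop(pop, T, "bb" * 32, pending, "req-1", accept))  # replay is rejected
```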


Updated on: 2023-06-09T22:21:51.459744+00:00