Silent payments

[witcher_sense]

Sharing an xpub is also a security risk, due to being able to derive all private keys from an xpub and a single private key.

If, and only if, the recipient also obtains a single private key from your wallet, the recipient can obtain all your private keys and steal your funds, just as if they had your xprv key.

As far as I know, this only applies to non-hardened derivation schemes, where it is possible to calculate parent keys by combining chain code with the child's private keys. In the case where the derivation process is hardened, an attacker would need your master private keys to calculate child keys, or parent private key to calculate a child key. All backward derivation won't be possible when derivation is hardened. In the case of silent payments, however, you don't share your xpub at all, replacing it with a deterministically derived silent payment address, which is basically a hash of a public key (not a master public key) encoded in a special format. In the latest implementation, it was proposed that silent payment addresses should start with the "sp1" prefix.

[n0nce]

In the case of silent payments, however, you don't share your xpub at all, replacing it with a deterministically derived silent payment address, which is basically a hash of a public key (not a master public key) encoded in a special format. In the latest implementation, it was proposed that silent payment addresses should start with the "sp1" prefix.

I know; just wanted to point out that xpub sharing (as alternative to silent payments) is not only less private but also potentially insecure.
Where can I find more information about the latest implementation or proposal? I'm interested to see what the creators think / how they handle SPV wallets and the complexity / burden of scanning for transactions.

Your schema remember me what in Monero is called Stealth Addresses:

Maybe this can be useful to compare the ideas:
https://www.getmonero.org/library/MoneroAddressesCheatsheet20201206.pdf

Yes, this is exactly what sprung to mind when I read this proposal. In my opinion, the biggest disadvantage - just as in Monero - is the need for transaction scanning.

[witcher_sense]

Where can I find more information about the latest implementation or proposal? I'm interested to see what the creators think / how they handle SPV wallets and the complexity / burden of scanning for transactions.

https://gist.github.com/w0xlt/a7b498ac1ff14b8c292a22be789bd93f

[NotATether]

Where can I find more information about the latest implementation or proposal? I'm interested to see what the creators think / how they handle SPV wallets and the complexity / burden of scanning for transactions.

https://gist.github.com/w0xlt/a7b498ac1ff14b8c292a22be789bd93f

That's the same implementation as in the original spec. Hardly anything has changed since then.

It would be interesting to see a silent payment implementation outside of Bitcoin Core.

[witcher_sense]

A pull request has been opened for adding Silent Payments to Bitcoin Core: https://github.com/bitcoin/bitcoin/pull/27827

This PR implements the basic silent payments scheme. In particular:

    Adds support for existing wallets to send to silent payment addresses
    Adds support to the Bitcoin Core wallet for receiving silent payments

The following items are not covered in this PR and are intended for follow-up PRs:

    Adding labels for the receiver wallet
    Creating multiple outputs for the same silent payment address when sending
    Full RPC coverage (only send is covered in this PR)
    Light client support (vending the tweak data per block, either in an index or to serve to an indexer, such as electrum server)
    Add benchmarks to validate that there are no DoS concerns for doing silent payment verification for transactions in the mempool
    More unit / functional test coverage

[RickDeckard]

Considering the current developments being made - namely the BIP352[1] issue tracker[2] - I figured it would be interesting to (re)kindle the discussion. To add to the explanation provided by witcher_sense, this[3] website also provides a considerable amount of information that allows someone that is out of the scope to also understand what silent payments are. Some proof of concepts are being developed[4] - open source[5] - so it will be interesting to see where this goes from here especially regarding adoption for the use cases provided.
[1]https://bips.dev/352/
[2]https://github.com/bitcoin/bitcoin/issues/28536
[3]https://silentpayments.xyz
[4]https://app.silentium.dev/
[5]https://github.com/louisinger/silentium

[AprilioMP]

Considering the current developments being made - namely the BIP352[1] issue tracker[2] - I figured it would be interesting to (re)kindle the discussion. To add to the explanation provided by witcher_sense, this[3] website also provides a considerable amount of information that allows someone that is out of the scope to also understand what silent payments are. Some proof of concepts are being developed[4] - open source[5] - so it will be interesting to see where this goes from here especially regarding adoption for the use cases provided.
[1]https://bips.dev/352/
[2]https://github.com/bitcoin/bitcoin/issues/28536
[3]https://silentpayments.xyz
[4]https://app.silentium.dev/
[5]https://github.com/louisinger/silentium

Correct. Discussions about Silent Payment like this need to be revived even though I just found out about Silent Payment and this topic is only today I know. With active discussion

Not waiting long after reading the topic of dkbit98 entitled Wallets Supporting Silent Payments, I tried at Silentium Wallet. The process to get a silent payment address is very easy and I already have a silent payment address.
Explorer options in Silentum Wallet are two, blockstream and mempool.



I will attend a discussion about Silent Payment here for my knowledge.

[junmisakiro]

I find this silent payment mechanism to be incredibly intriguing, Through the utilization of the public key issued by user A and its combination with user B's private key, we are able to generate a distinct address exclusively accessible to user A. Consequently, it becomes exceedingly challenging for external observers to establish a connection between said address and user A, thereby ensuring the preservation of privacy.
Furthermore, I have also observed that this silent payment mechanism offers incentives for recipients to maintain the operation of their complete Bitcoin nodes. As a result, the network attains a heightened level of decentralization and security. Additionally, by enhancing the fungibility of Bitcoin transactions, this mechanism significantly contributes to safeguarding our privacy and upholding the integrity of transactions.

[tread93]

That's literally what fungibility means

Yep, that was my point.

You could argue it's not possible to "improve fungibility" because it's perfect already.

I don't think there's a reason to put this verb next to it. Something is either fungible or it isn't. You can't have it both ways.

It's like complaining to a bank that the banknotes you received were previously used in a crime. It doesn't matter.

Even worse. The bank rejects your deposit and requires personal info to... Verify you're an idiot? 

Couldn't agree more that something is either fungible or isn't. You can't have something partially fungible, just a little bit of fun. Could you imagine if the bank rejects a deposit into your own account, yikes, the banks & fiat is looking like a not so fantastic future. I wish it could get better and just incorporate bitcoin & then somehow all of us just don't have to pay taxes. That would be incredible lol

[BlackHatCoiner]

Consequently, it becomes exceedingly challenging for external observers to establish a connection between said address and user A, thereby ensuring the preservation of privacy.

It is important to mention this: This de-anonymization becomes "exceedingly challenging" depending on the receiver's behavior. If the receiver consolidates all his donations (as an example of a good use case for silent payment), then the overall privacy gains are reverted, because all the senders can now see all the donations of other people. Therefore, silent payments offer privacy as long as you're careful with coin control. For example, don't consolidate more donations than needed in a transaction, preferably only one each time.

[apogio]

Therefore, silent payments offer privacy as long as you're careful with coin control.

Correct, I think we must have made clear, since we have been a lot vocal about it, that in general, Bitcoin works better with coin control. Not only for privacy reasons, but also for better fee management.

Warning fo people who still haven't realised how important coin control is:

Your Bitcoin wallet -although digital- works exactly like your physical wallet not like your bank account.
If your Bitcoin wallet says: 0.15BTC, it means that all the UTXOs that you have in your wallet sum up to 0.15BTC, but you can spend each UTXO separately. Just like you could have $1000 in your physical wallet, but you could spend each dollar individually. In the bank account, there is only a digital balance and each time you spend money, it reduces the available amount respectively.
Imagine paying for a TV that costs $1000, using 200 x $5 bills. Wouldn't you try to find a more convenient way to pay? Like using 10 x $100 or 5 x $200?
Each actual dollar bill that you have in your physical wallet, corresponds to a UTXO that you hold in your Bitcoin wallet.

You must use UTXOs wisely because if you don't, you will end up either ruining your privacy, or -even worse- overpaying transaction fees.

[LoyceV]

If the receiver consolidates all his donations (as an example of a good use case for silent payment), then the overall privacy gains are reverted, because all the senders can now see all the donations of other people.

That's like a "pay2spy" solution for chain analysis companies. They'll have to donate before they can link transactions.

Your Bitcoin wallet -although digital- works exactly like your physical wallet not like your bank account.

Kinda One large difference is that in Bitcoin, you can choose your own denomination. I've seen altcoins (BlackBytes) that have fixed denominations (like banknotes). In Bitcoin, unlike banknotes, your change is always one input.

[Smartvirus]

The basic idea

The basic idea is the following: user A publishes some identifier (usually a public key), and user B combines his private key with the published key of A and creates a unique address from which only A can spend. User C can also send money to user A by combining his private key with an address of A and deriving another unique address. User A will know that both users B and C sent him money, but B and C won't know about each other. Therefore, that allows user A to receive payments on completely delinked addresses using only one public address.

I think this is a lovely idea but, one of the many things the blockchain technology is known for is the level of transparency that is about the network.
I think to some extent, it’s the role in which mixers operated, given that you lose traces to the source of Bitcoin deposits except for one who is really keen to observe the inputs and outputs.

This silent system, does it also applies to the balance that might be available on an address?
I see this as one key aspect to privacy that we aren’t getting on the network just yet. Having just anyone to see how much is available on an address isn’t a best way to security. Tie that address to a person like we have on the forum, even though to some we are anonymous, it means trouble. The mixers case came close to some of these uneasiness.

It would be a nice incorporation into the system but, one that would be exploited for sure.

[BlackHatCoiner]

That's like a "pay2spy" solution for chain analysis companies. They'll have to donate before they can link transactions.

That's another problem, and this is why silent payments and stealth addresses are not enough. You need to break traceability, and that's only possible if you hide your inputs amongst a crowd, hence mixing. If for each input, there are several other "inputs-suspects", as in Monero, there is minimum information a chain analysis company can extract.

[apogio]

Kinda One large difference is that in Bitcoin, you can choose your own denomination. I've seen altcoins (BlackBytes) that have fixed denominations (like banknotes). In Bitcoin, unlike banknotes, your change is always one input.

One could argue that Bitcoin is a better implementation of cash. I totally agree with you, and it's good that you mention it for newer members to see it.

[LoyceV]

This silent system, does it also applies to the balance that might be available on an address?

Bitcoin doesn't change, the blockchain with all addresses is still public. But nobody else will know which address received a transaction that belongs to a "silent" address. There is no silent address on-chain