Bitcoin Forum
Topic: payment with a message
flatfly (OP)
Legendary
March 29, 2012, 09:34:40 AM
 #1

I was just wondering, is there any Bitcoin client that supports including a short message in a payment transaction (such as "donation", "thanks", "gym subscription", whatever)?

If not, is it in theory feasible in the future (i.e., does the current protocol and blockchain format allow for it?)
2_Thumbs_Up
Sr. Member
March 29, 2012, 11:26:52 AM
 #2

Possible: https://en.bitcoin.it/wiki/Script#Transaction_with_a_message

Preferably the message should be encrypted using the recipient's public key as well so it's not stored in clear text in the block chain. I don't know how that would work with more advanced transactions though, such as multisig transactions.
Etlase2
Hero Member
March 29, 2012, 12:00:42 PM
 #3

unfortunately ECDSA does not work for encryption

however, a hash of a receipt would be fairly private and it would allow the receiver to know what transaction it is

Pieter Wuille
Legendary
March 29, 2012, 12:18:55 PM
 #4

In my opinion, it is not the right solution to attach the message to the bitcoin transaction itself.

I'll explain why: everything you attach to the transaction is forever part of it, and will be stored forever (or at least until it can be pruned) by every single node in the system. Yes, this is the intended behaviour for transactions, but there is no need for them to be more than the bare minimum for the network to verify its validity.

When you want to attach a message to a transaction, this is essentially some private communication between you and the receiver of the transaction. Showing it to the world is both a burden, and a decrease of privacy. Indeed it would be possible to encrypt it, but that will not make it any more necessary.

Realize that in most cases, you as sender of a transaction are already communicating with the receiver by other means. Be it a website, e-mail, instant messaging, real-life communication, .... There is no need to replace this existing communication with the blockchain, which is a very slow and expensive beast to maintain, and it would benefit us all not making it even more expensive than it already is.

Now, only the receiver actually cares about your transaction. In fact, he should be the one responsible for getting it into the block chain if he wants that, and not the sender. The current network and the architecture around it seem to have settled for using the blockchain both for confirming transactions and for getting them to their destination. This is not necessary, as you could easily envision prepared transactions being files that you can just send to someone (who will then verify it, and send it to the p2p network if he cares) via an http protocol, or via e-mail, ...; essentially reusing the communication channel you already had (imagine a merchant's website, you click "click here to pay", that opens your bitcoin client/ewallet, creates the transaction, and sends it directly to the merchant). In such a system, it would be easy to attach whatever message you or the merchant wants you to attach to it to that file. It would travel along with the transaction, and could be checked easily. However, it doesn't need to ever end up in the block chain itself. Nobody cares about it there.

Clearly this requires a different way of using bitcoin than we currently do, but it is closer to how Satoshi envisioned it (the currently deprecated send-to-IP system was how he intended transactions to take place, not via send-to-address). Still, I believe this is how transactions will happen at some point in the future.

I do Bitcoin stuff.
cbeast
Donator
Legendary
March 29, 2012, 01:09:32 PM
 #5

A unique payment address adequately identifies a bill of sale. Payment to that address is verifiable in the blockchain. A message in the transaction itself is of very limited use because they are small.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
Hawkix
Hero Member
March 29, 2012, 05:04:55 PM
 #6

While it is advised to use a different address with each payment, sometimes it is not possible. For example, donation address. Or cases, where you want to show an address, but the viewer may not decide to pay at all. Keeping all those private keys just in case the payment will show up may require a lot of SAFE storage.

Donations: 1Hawkix7GHym6SM98ii5vSHHShA3FUgpV6
http://btcportal.net/ - All about Bitcoin - coming soon!
cbeast
Donator
Legendary
March 29, 2012, 05:58:05 PM
 #7

Quote from: Hawkix
While it is advised to use a different address with each payment, sometimes it is not possible. For example, donation address. Or cases, where you want to show an address, but the viewer may not decide to pay at all. Keeping all those private keys just in case the payment will show up may require a lot of SAFE storage.

If it is the type of donation that requires documentation, then the benefactor can use an app or service that generates unique addresses.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
Meni Rosenfeld
Donator
Legendary
March 29, 2012, 06:24:05 PM
 #8

@Pieter: I don't think it's too much to ask for a 32-byte hash to tie the transaction with the real world. The actual real-world data will be somewhere else but this connection is necessary to make the transaction meaningful.

The amortized cost of storing 32 bytes forever by all nodes is not very high, and can be covered by transaction fees. If anything, we may want to look into how to spread the transaction fees over more than just the first miner.

The receiver can't do anything anyway without the entire network being aware of the transaction (it could be deferred until he wants to spend, but still required), so I don't see the advantage of directly sending transactions.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
Pieter Wuille
Legendary
March 29, 2012, 07:19:01 PM
 #9

@Meni: I could probably live with a hash of some message being attached to the transaction itself, but I'm still unconvinced it is necessary.

I do Bitcoin stuff.
RaggedMonk
Sr. Member
March 29, 2012, 07:59:47 PM
 #10

The simplest way to do this is to SHA256(message) and then send 0.00000001 BTC to this new address in the same transaction as your payment.
Etlase2
Hero Member
March 29, 2012, 08:20:30 PM
 #11

Quote from: Hawkix
While it is advised to use a different address with each payment, sometimes it is not possible. For example, donation address. Or cases, where you want to show an address, but the viewer may not decide to pay at all. Keeping all those private keys just in case the payment will show up may require a lot of SAFE storage.

forget about donations, how about running a high volume business? A business simply cannot use a different address for each transaction via common sense. If they are ever going to pay for anything, hundreds or thousands of addresses would be combined into a single transaction costing them lots of money in tx fees. Obscurity through many addresses may work for private individuals, but it will not work on a large scale and does not offer any real additional anonymity.


Quote from: Meni Rosenfeld
@Pieter: I don't think it's too much to ask for a 32-byte hash to tie the transaction with the real world. The actual real-world data will be somewhere else but this connection is necessary to make the transaction meaningful.

32 bytes is way overkill. 8 bytes would be more than sufficient. That is 18,446,744,073,709,551,616 possible hash values, unlikely a hashed receipt or message would incur a collision. And it would also be large enough for a reasonable transaction number.

Meni Rosenfeld
Donator
Legendary
March 29, 2012, 08:23:05 PM
 #12

Quote from: Meni Rosenfeld
@Pieter: I don't think it's too much to ask for a 32-byte hash to tie the transaction with the real world. The actual real-world data will be somewhere else but this connection is necessary to make the transaction meaningful.

Quote from: Etlase2
32 bytes is way overkill. 8 bytes would be more than sufficient. That is 18,446,744,073,709,551,616 possible hash values, unlikely a hashed receipt or message would incur a collision. And it would also be large enough for a reasonable transaction number.

It needs to be impossible to fake.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
DeathAndTaxes
Donator
Legendary
March 29, 2012, 08:23:28 PM
 #13

Quote from: Etlase2
forget about donations, how about running a high volume business? A business simply cannot use a different address for each transaction via common sense. If they are ever going to pay for anything, hundreds or thousands of addresses would be combined into a single transaction costing them lots of money in tx fees. Obscurity through many addresses may work for private individuals, but it will not work on a large scale and does not offer any real additional anonymity.

Paying with 1000 inputs from one address is going to have the same size and face the same fees as it would if you paid using 1000 inputs from 1000 addresses.

Bitcoin works on inputs and outputs.  Ultimately no matter how many addresses are used same # of inputs = same size.
Etlase2
Hero Member
March 29, 2012, 08:24:48 PM
 #14

derp, you're right, but there is still essentially nothing gained in anonymity, so why bother

DeathAndTaxes
Donator
Legendary
March 29, 2012, 08:29:08 PM
 #15

Quote from: Etlase2
derp, you're right, but there is still essentially nothing gained in anonymity, so why bother

So you often claim.

Please tell me how many coins are controlled by Satoshi.

I will get you started I know he had at least at one time access to the private key linked to this address:
http://blockchain.info/address/1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa

Etlase2
Hero Member
March 29, 2012, 08:31:33 PM
 #16

Quote from: Meni Rosenfeld
It needs to be impossible to fake.

what would be gained by faking a transaction message? All it needs to do is let the receiver tie a transaction to a purchase.

Quote from: DeathAndTaxes
So you often claim.

Please tell me how many coins are controlled by Satoshi.

I will get you started I know he had at least at one time access to the private key linked to this address:
http://blockchain.info/address/1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa


So I often claim? I've never claimed that before. And I believe I said it works for private individuals, but not businesses. When and if satoshi decides to crash the market for his big payday, you will certainly be able to link many of his public keys.

DeathAndTaxes
Donator
Legendary
March 29, 2012, 08:35:02 PM
 #17

Quote from: Etlase2
So I often claim? I've never claimed that before. And I believe I said it works for private individuals, but not businesses. When and if satoshi decides to crash the market for his big payday, you will certainly be able to link many of his public keys.

Will you? 

Or is it someone who bought coins off Satoshi and hundreds of other early adopters over the course of years? 
Or was it actually Satoshi who moved coins around making it look like someone else acquired coins off him and other early adopters for years?
Etlase2
Hero Member
March 29, 2012, 08:38:07 PM
 #18

ok broseph if you want to believe having a different address for every transaction you receive adds some significant amount of anonymity go right on ahead

I don't understand why you are so mouth-foamy about bitcoin

Meni Rosenfeld
Donator
Legendary
March 29, 2012, 08:55:09 PM
 #19

Quote from: Meni Rosenfeld
It needs to be impossible to fake.

Quote from: Etlase2
what would be gained by faking a transaction message? All it needs to do is let the receiver tie a transaction to a purchase.

Someone other than the sender of the transaction can usurp him.

Quote from: Etlase2
ok broseph if you want to believe having a different address for every transaction you receive adds some significant amount of anonymity go right on ahead

Using different addresses helps casual anonymity. For secure anonymity you need mixing transactions.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
BubbleBoy
Sr. Member
March 29, 2012, 09:17:33 PM
 #20


Quote from: Pieter Wuille
Clearly this requires a different way of using bitcoin than we currently do, but it is closer to how Satoshi envisioned it (the currently deprecated send-to-IP system was how he intended transactions to take place, not via send-to-address). Still, I believe this is how transactions will happen at some point in the future.


A similar thought pattern led me to make the Friendly address proposal. The address server is always online and records any transaction requests along with their metadata ("payment message"). This info has no place in the blockchain. An interesting twist would be to make the address server responsible for broadcasting the transaction.


Quote from: Eltase2
Obscurity through many addresses may work for private individuals, but it will not work on a large scale and does not offer any real additional anonymity.

Quite the contrary, it greatly reduces the information available in the block chain. If a business uses a single address for all customer payments, it's very easy for a competitor to see things like monthly revenue, expenditures and available cash. That's very sensitive data. If each customer payment has its own address, and multiple customer payments are aggregated only when a purchase must be made, extracting similar data as in the previous case becomes impossible.

Etlase2
Hero Member
March 29, 2012, 09:40:25 PM
 #21

Quote from: Meni Rosenfeld
Someone other than the sender of the transaction can usurp him.

I don't get it.

Quote from: BubbleBoy
Quite the contrary, it greatly reduces the information available in the block chain. If a business uses a single address for all customer payments, it's very easy for a competitor to see things like monthly revenue, expenditures and available cash. That's very sensitive data. If each customer payment has its own address, and multiple customer payments are aggregated only when a purchase must be made, extracting similar data as in the previous case becomes impossible.

How does it become impossible? Because it's more obscure? Anyone who wants to partake in bitcoin industrial espionage is not going to have much difficulty following the money. I think the unfortunate eventuality is that businesses will be forced to use bitcoin "banks" that will effectively hide any data specific to them. There will have to be an abstraction layer from the protocol itself. Otherwise the possibility of learning too much about their private data will always be a possibility.

Maged
Legendary
March 30, 2012, 03:05:48 AM
 #22

Quote from: Meni Rosenfeld
Someone other than the sender of the transaction can usurp him.

Quote from: Etlase2
I don't get it.

Allowing (or at least making standard) a small hash in a transaction would encourage merchants to just use a single address instead of forcing them to use a different address for each transaction. If the hash is too small, it then becomes possible for someone other than the sender of the transactions to impersonate the customer and convince the merchant to "refund" the transaction to their account.

Quote from: BubbleBoy
Quite the contrary, it greatly reduces the information available in the block chain. If a business uses a single address for all customer payments, it's very easy for a competitor to see things like monthly revenue, expenditures and available cash. That's very sensitive data. If each customer payment has its own address, and multiple customer payments are aggregated only when a purchase must be made, extracting similar data as in the previous case becomes impossible.

Quote from: Etlase2
How does it become impossible? Because it's more obscure? Anyone who wants to partake in bitcoin industrial espionage is not going to have much difficulty following the money. I think the unfortunate eventuality is that businesses will be forced to use bitcoin "banks" that will effectively hide any data specific to them. There will have to be an abstraction layer from the protocol itself. Otherwise the possibility of learning too much about their private data will always be a possibility.

Under the current coin-selection rules used by most clients, this is only presently the case. A business could, instead, make their payments in chunks to several different addresses over several different transactions over multiple days. All except for the last transaction wouldn't contain a change output. However, the other transactions could also include a fake change output that really also just goes to another one of the addresses of the person they're paying, another one of their own wallets that would never again be mixed with the receiving wallet, or even better, someone else that they have to pay.

With such a setup, the most you can learn about are the other transaction outputs that were combined with yours. Even then, they don't even need to do that and just send each output entirely to another unique address.

If you spot any holes in this, I can think of ways to complicate it further.
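
The tag-length point debated in this thread ("It needs to be impossible to fake" and the refund scenario in the post above), as an added example that is not part of any post: a merchant-side check of a receipt against a SHA-256 tag, and a measurement of how many other receipts must be hashed before one matches a truncated tag. The receipt format, nonce, function names and the 2-byte tag are assumptions chosen so the search finishes in seconds; the same loop needs about 2^64 hashes for an 8-byte tag and about 2^256 for the full 32 bytes.

```python
"""Receipt-hash tag for a payment: merchant check and tag-length work factor."""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample data (not from the thread). The nonce stands in for a
# random per-order value, so the tag is not the hash of a guessable message.
SAMPLE_RECEIPT = b"order=1042;item=gym subscription;nonce=7f3a9c21d4e8b605"
OTHER_TEMPLATE = b"order=1042;refund_to=someone-else;n="


def receipt_tag(receipt: bytes, tag_len: int = 32) -> bytes:
    """Tag carried with the payment: first tag_len bytes of SHA-256(receipt)."""
    if not 1 <= tag_len <= 32:
        raise ValueError("tag_len must be between 1 and 32 bytes")
    return hashlib.sha256(receipt).digest()[:tag_len]


def merchant_accepts(receipt: bytes, onchain_tag: bytes) -> bool:
    """Merchant-side check that a presented receipt matches the payment's tag."""
    if not 1 <= len(onchain_tag) <= 32:
        return False
    expected = receipt_tag(receipt, len(onchain_tag))
    return hmac.compare_digest(expected, onchain_tag)


def search_other_receipt(onchain_tag: bytes, template: bytes,
                         limit: int) -> Optional[Tuple[int, bytes]]:
    """Hash template+counter receipts until one matches onchain_tag.

    Returns (attempts, receipt), or None if nothing matches within limit.
    The expected number of attempts is about 2 ** (8 * len(onchain_tag)).
    """
    for n in range(limit):
        candidate = template + str(n).encode()
        if merchant_accepts(candidate, onchain_tag):
            return n + 1, candidate
    return None


def demo() -> dict:
    """Compare a full 32-byte tag with a deliberately tiny 2-byte tag."""
    full = receipt_tag(SAMPLE_RECEIPT)
    short = receipt_tag(SAMPLE_RECEIPT, 2)
    return {
        "genuine_receipt_ok": merchant_accepts(SAMPLE_RECEIPT, full),
        # A different receipt that also passes the check against the short tag.
        "short_tag_match": search_other_receipt(short, OTHER_TEMPLATE, 1_000_000),
        # The same search against the full tag finds nothing.
        "full_tag_match": search_other_receipt(full, OTHER_TEMPLATE, 50_000),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With a short tag the check can only tell the merchant which order a payment belongs to; it cannot serve as proof of who made the payment.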

Phinnaeus Gage
Legendary
March 30, 2012, 03:26:57 AM
 #23

Quote from: Etlase2
derp, you're right, but there is still essentially nothing gained in anonymity, so why bother

Quote from: DeathAndTaxes
So you often claim.

Please tell me how many coins are controlled by Satoshi.

I will get you started I know he had at least at one time access to the private key linked to this address:
http://blockchain.info/address/1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa


I'm the one who added 0.0424242 BTC to the Genesis Block. It's a message. It's my way of thanking Satoshi Nakamoto pseudo-thrice for providing the Ultimate Answer to the Ultimate Question of Life, The Universe, and Everything--Bitcoin.

~Cackling Bear~
Etlase2
Hero Member
March 30, 2012, 11:12:37 AM
 #24

Quote from: Maged
Allowing (or at least making standard) a small hash in a transaction would encourage merchants to just use a single address instead of forcing them to use a different address for each transaction. If the hash is too small, it then becomes possible for someone other than the sender of the transactions to impersonate the customer and convince the merchant to "refund" the transaction to their account.

I still don't get it. You make a transaction with a merchant with a hashed receipt in the transaction. This receipt lets the merchant know which payment this is. Refunds will still be handled over the internet as usual and the customer can provide a payment address. There is nothing that a birthday attack on 18 quintillion can accomplish here. This hash is not being used to convince anyone of anything, it is only informative. Perhaps if the transaction were completely anonymous like a silk road purchase (lol refunds) there might be some remote issue here, but the would-be attacker would have to somehow know everything about the existing transaction and somehow intercept communications between user and merchant, and even then all they would have to do is replace the payment address, no attack on the hash required.

Quote
Under the current coin-selection rules used by most clients, this is only presently the case. A business could, instead, make their payments in chunks to several different addresses over several different transactions over multiple days. All except for the last transaction wouldn't contain a change output. However, the other transactions could also include a fake change output that really also just goes to another one of the addresses of the person they're paying, another one of their own wallets that would never again be mixed with the receiving wallet, or even better, someone else that they have to pay.

With such a setup, the most you can learn about are the other transaction outputs that were combined with yours. Even then, they don't even need to do that and just send each output entirely to another unique address.

If you spot any holes in this, I can think of ways to complicate it further.

Businesses are just going to love having to hire someone to configure their bitcoin transactions. Anyways, all it takes is a few legitimate purchases every so often by the company trying to spy, and then if the payment receiver decides to combine inputs that includes one of those purchases, the spy has a direct link. How is a business supposed to make sure everyone they send payments to will be as thorough as they are? The weakest link in the chain and all. And this does bloat the blockchain if every business works this way. Every small transaction can never (or not often) be combined with another lest obscurity be broken for the previous payer. Once lots of transactions are combined into one, that is only one input that need be in the merkle tree. If every transaction stays separate, all inputs must be maintained. Businesses must keep massive amounts of payment wallets for everyone they work with. It is not very elegant.

phillipsjk
Legendary
March 30, 2012, 05:55:49 PM
 #25

  • This does not belong in the block-chain.
  • Money Service business Guidelines Require information about the sender (including "name, address and, if any, the account number or reference number") to be included in the transaction. International SWIFT MT 103 message transfers are excluded. It is not clear (to me) if simply relaying transactions on the network makes you a MSB.
  • Including the above information in the public block-chain would likely violate Canadian Privacy legislation.
  • Given that Bitcoin may be considered illegal in many jurisdictions at some point in the future, we should keep it technically infeasible to include such information in the block-chain.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160