payment with a message

[flatfly]

I was just wondering, is there any Bitcoin client that supports including a short message in a payment transaction (such as "donation", "thanks", "gym subscription", whatever)?

If not, is it in theory feasible in the future (i.e., does the current protocol and blockchain format allow for it?)

[1714884074]

1714884074

[1714884074]

1714884074

[1714884074]

1714884074

[1714884074]

1714884074

[1714884074]

1714884074

[2_Thumbs_Up]

Possible: https://en.bitcoin.it/wiki/Script#Transaction_with_a_message

Preferably the message should be encrypted using the recipients public key as well so it's not stored in clear text in the block chain. I don't know how that would work with more advanced transactions though, such as multisig transactions.

[Etlase2]

unfortunately ECDSA does not work for encryption

however, a hash of a receipt would be fairly private and it would allow the receiver to know what transaction it is

[Pieter Wuille]

In my opinion, it is not the right solution to attach the message to the bitcoin transaction itself.

I'll explain why: everything you attach to the transaction is forever part of it, and will be stored forever (or at least until it can be pruned) by every single node in the system. Yes, this is the intended behaviour for transactions, but there is no need for them to be more than the bare minimum for the network to verify its validity.

When you want to attach a message to a transaction, this is essentially some private communication between you and the receiver of the transaction. Showing it to the world is both a burden, and a decrease of privacy. Indeed it would be possible to encrypt it, but that will not make it anymore necessary.

Realize that in most cases, you as sender of a transaction are already communicating with the receiver by other means. Be it a website, e-mail, instant messaging, real-life communication, .... There is no need to replace this existing communication with the blockchain, which is a very slow and expensive beast to maintain, and it would benefit us all not making it even more expensive than it already is.

Now, only the receiver actually cares about your transaction. In fact, he should be the one responsible for getting it into the block chain if he wants that, and not the sender. The current network and the architecture around it seem to have settled for using the blockchain both for confirming transactions as for getting them to their destination. This is not necessary, as you could easily envision prepared transactions being files that you can just send to someone (who will then verify it, and send it to the p2p network if he cares) via an http protocol, or via e-mail, ...; essentially reusing the communication channel you already had (imagine a merchant's website, you click "click here to pay", that opens your bitcoin client/ewallet, creates the transaction, and sends it directly to the merchant). In such a system, it would be easy to attach whatever message you or the merchant wants you to attach to it to that file. It would travel along with the transaction, and could be checked easily. However, it doesn't need to ever end up in the block chain itself. Nobody cares about it there.

Clearly this requires a different way of using bitcoin than we currently do, but it is closer to how Satoshi envisioned it (the currently deprecated send-to-IP system was how he intended transactions to take place, not via send-to-address). Still, I believe this is how transactions will happen at some point in the future.

[cbeast]

A unique payment address adequately identifies a bill of sale. Payment to that address is verifiable in the blockchain. A message in the transaction itself is of very limited use because they are small.

[Hawkix]

While it is advised to use a different address with each payment, sometimes it is not possible. For example, donation address. Or cases, where you want to show an address, but the viewer may not decide to pay at all. Keeping all that private keys just in case the payment will show up may require a lot of SAFE storage.

[cbeast]

While it is advised to use a different address with each payment, sometimes it is not possible. For example, donation address. Or cases, where you want to show an address, but the viewer may not decide to pay at all. Keeping all that private keys just in case the payment will show up may require a lot of SAFE storage.

If it is the type of donation that requires documentation, then the benefactor can use an app or service that generates unique addresses.

[Meni Rosenfeld]

@Pieter: I don't think it's too much to ask for a 32-byte hash to tie the transaction with the real world. The actual real-world data will be somewhere else but this connection is necessary to make the transaction meaningful.

The amortized cost of storing 32 bytes forever by all nodes is not very high, and can be covered by transaction fees. If anything, we may want to look into how to spread the transaction fees over more than just the first miner.

The receiver can't do anything anyway without the entire network being aware of the transaction (it could be deferred until he wants to spend, but still required), so I don't see the advantage of directly sending transactions.

[Pieter Wuille]

@Meni: I could probably live with a hash of some message being attached to the transaction itself, but I'm still unconvinced it is necessary.

[RaggedMonk]

The simplest way to do this is to SHA256(message) and then send 0.00000001 BTC to this new address in same transaction as your payment.

[Etlase2]

While it is advised to use a different address with each payment, sometimes it is not possible. For example, donation address. Or cases, where you want to show an address, but the viewer may not decide to pay at all. Keeping all that private keys just in case the payment will show up may require a lot of SAFE storage.

forget about donations, how about running a high volume business? A business simply cannot use a different address for each transaction via common sense. If they are ever going to pay for anything, hundreds or thousands of addresses would be combined into a single transaction costing them lots of money in tx fees. Obscurity through many addresses may work for private individuals, but it will not work on a large scale and does not offer any real additional anonymity.

@Pieter: I don't think it's too much to ask for a 32-byte hash to tie the transaction with the real world. The actual real-world data will be somewhere else but this connection is necessary to make the transaction meaningful.

32 bytes is way overkill. 8 bytes would be more than sufficient. That is 18,446,744,073,709,551,616 possible hash values, unlikely a hashed receipt or message would incur a collision. And it would also be large enough for a reasonable transaction number.

[Meni Rosenfeld]

@Pieter: I don't think it's too much to ask for a 32-byte hash to tie the transaction with the real world. The actual real-world data will be somewhere else but this connection is necessary to make the transaction meaningful.

32 bytes is way overkill. 8 bytes would be more than sufficient. That is 18,446,744,073,709,551,616 possible hash values, unlikely a hashed receipt or message would incur a collision. And it would also be large enough for a reasonable transaction number.

It needs to be impossible to fake.

[DeathAndTaxes]

forget about donations, how about running a high volume business? A business simply cannot use a different address for each transaction via common sense. If they are ever going to pay for anything, hundreds or thousands of addresses would be combined into a single transaction costing them lots of money in tx fees. Obscurity through many addresses may work for private individuals, but it will not work on a large scale and does not offer any real additional anonymity.

Paying with 1000 inputs from one address is going to have the same size and face the same fees as it would if you paid using 1000 inputs from 1000 addresses.

Bitcoin works on inputs and outputs.  Ultimately no matter how many addresses are used same # of inputs = same size.

[Etlase2]

derp, you're right, but there is still essentially nothing gained in anonymity, so why bother

[DeathAndTaxes]

derp, you're right, but there is still essentially nothing gained in anonymity, so why bother

So you often claim.

Please tell me how many coins are controlled by Satoshi.

I will get you started I know he had at least at one time access to the private key linked to this address:
http://blockchain.info/address/1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa

[Etlase2]

It needs to be impossible to fake.

what would be gained by faking a transaction message? All it needs to do is let the receiver tie a transaction to a purchase.

So you often claim.

Please tell me how many coins are controlled by Satoshi.

I will get you started I know he had at least at one time access to the private key linked to this address:
http://blockchain.info/address/1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa

So I often claim? I've never claimed that before. And I believe I said it works for private individuals, but not businesses. When and if satoshi decides to crash the market for his big payday, you will certainly be able to link many of his public keys.

[DeathAndTaxes]

So I often claim? I've never claimed that before. And I believe I said it works for private individuals, but not businesses. When and if satoshi decides to crash the market for his big payday, you will certainly be able to link many of his public keys.

Will you? 

Or is it someone who bought coins off Satoshi and hundreds of other early adopters over the course of years? 
Or was it actually Satoshi who moved coins around making it look like someone else acquired coins off him and other early adopters for years?

[Etlase2]

ok broseph if you want to believe having a different address for every transaction you receive adds some significant amount of anonymity go right on ahead

I don't understand why you are so mouth-foamy about bitcoin

[Meni Rosenfeld]

It needs to be impossible to fake.

what would be gained by faking a transaction message? All it needs to do is let the receiver tie a transaction to a purchase.

Someone other than the sender of the transaction can usurp him.

ok broseph if you want to believe having a different address for every transaction you receive adds some significant amount of anonymity go right on ahead

Using different addresses helps casual anonymity. For secure anonymity you need mixing transactions.

[BubbleBoy]

Clearly this requires a different way of using bitcoin than we currently do, but it is closer to how Satoshi envisioned it (the currently deprecated send-to-IP system was how he intended transactions to take place, not via send-to-address). Still, I believe this is how transactions will happen at some point in the future.

A similar thought pattern let me to make the Friendly address proposal. The address server is always online and records any transaction requests along with their metadata ("payment message"). This info has no place in the blockchain. An interesting twist would be to make the address server responsible for broadcasting the transaction.

Obscurity through many addresses may work for private individuals, but it will not work on a large scale and does not offer any real additional anonymity.

Quite the contrary, it greatly reduces the information available in the block chain. If a business uses a single address for all customer payments, it's very easy for a competitor to see things like monthly revenue, expenditures and available cash. That's very sensitive data. If each customer payment has it's own address, and multiple customer payments are aggregated only when a purchase must be made, extracting similar data as in the previous case becomes impossible.