"How do BIP-47 reusable payment codes work?"
Now we go to the other end of the technical questions. This is not an easy one to explain. BIP-47 reusable payment codes are [the technique] behind the PayNym feature, private payment channels. PayNyms and private payment channels with BIP-47 allow you to receive payments from someone where the sender and recipient address [are only known by the sender and receiver of the transaction]. You can have a payment sent from one person to another [without revealing their transaction history].

The way it works is very complex to explain, but imagine Alice and Bob want to pay each other using these private payment channels or payment codes. Bob sets up a PayNym, [created from a BIP-47 code], which is [derived from] a [type of] hierarchical deterministic wallet. Bob [could] publish [an address or] public key under a pseudonym, for example, "Satoshi Nakamoto." Bob is monitoring output transactions to that public key, and Alice could just pay that public key. The problem is, everybody who knows which [address] belongs to Bob, the one advertised as "Satoshi Nakamoto," would be able to see all those payments to Bob. That is a problem if there is no secure mechanism for Bob to get information out about other addresses he would want to get paid [to].

So, how do payment codes work around this? Alice constructs and sends a special transaction, a notification message, to Bob's "watching" address. This [notification message] is not a payment; instead it is an OP_RETURN data output that contains 80 bytes which are the basis for an elliptic curve Diffie-Hellman key exchange. This is the part that is difficult to explain. Diffie-Hellman key exchanges are a technique invented in the '70s that allows two parties to construct a secret key based on their knowledge of each other's public keys, in such a way that no one can intercept that secret key, and the two parties can use it to communicate with each other. This is actually what is used for VPNs. When you [connect to] a VPN, you use the public key of the VPN provider and your public key to set up a secret key, which is used to encrypt that particular channel for a period of time, as you use it.

Alice uses Bob's public key, which was embedded in the PayNym identity, a payment code. Then she constructs a secret key, which is used by both Bob and Alice to generate temporary bitcoin addresses so they can make payments to each other; no one else knows which address(es) it will be without having access to the shared secret between Alice and Bob. Once Alice and Bob have exchanged this shared secret, through posting notification transactions, they can now exchange more than four billion payments between each other that go to seemingly random addresses. [They] can generate them for each other without anybody being able to associate [all the addresses] back to the PayNym.

Essentially, the PayNym is a single pseudonym public address that Bob publishes, so that Alice can pay [him]. That is the only thing that is public. It is only used to establish the secret / "stealth" payment channels that allow Alice and Bob to exchange payments [in a way that the association between addresses] is not visible on the blockchain. If you were to watch Bob's public address, all you would see is the notification message, but you wouldn't be able to [calculate] the [masked payment code] because that is encrypted to Bob's public key. You wouldn't be able to see the response that Bob sends back, because that will be encrypted [to Alice]. Once they have a common secret, they will be able to send [payments] [to] completely different addresses that you [can't] associate back to the PayNym. So, a PayNym is a public identifier: "Hey, it's me. Pay me here." [A shared secret is generated through] a series of [messages, to derive new] addresses so that [payments] are not associated with the public PayNym identifier.

What do reusable payment codes solve? This [is useful in] a situation where, if I wanted to be paid by people, I would need to post an address. In fact, I already do that. I have an address on my website: '1andreas…' People can send donations to it and give me gifts. The problem is, everyone can see all the gifts [sent] to that address. If I make a public address available, the payments to that public address will also be [visible and associated]. I can't [share a] public address [but keep the] transactions [to it] private. I can [do that] with reusable payment codes. I would be able to post a public identifier that everyone [can use] to [set up] private payment channels, but none of the payments are visibly [associated to me]. All of the payments are sent based on these privately negotiated elliptic curve Diffie-Hellman key exchanges.

I hope that was a good explanation. It is a very difficult topic to explain. If you look at the Bitcoin Improvement Proposal (BIP-47), it has some very useful charts and diagrams that show the [process] progression from the notification [messages] to the subsequent payments, which addresses Alice and Bob are watching, in order to establish this series of "stealth" addresses.
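The shared-secret and "stealth" address derivation described in the answer above, as an added example that is not part of the original talk: Alice combines her private key a with one child public key B of Bob's payment code, both hash the x coordinate of the ECDH point to a scalar s, Alice pays to B + s*G, and only Bob can spend it with b + s. The key values are constructed, the secp256k1 arithmetic is textbook (not constant time), and the BIP-32 child-key derivation and P2PKH address encoding that BIP-47 layers on top are left out as an assumed simplification.

```python
import hashlib
# secp256k1 curve parameters (field prime, group order, generator)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine point addition on secp256k1 (None is the point at infinity)."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point):
    """Double-and-add k*point (demo only, not constant time)."""
    result, addend = None, point
    while k:
        if k & 1: result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def ecdh_scalar(priv, pub):
    """BIP-47 shared secret: s = SHA256(x coordinate of priv*pub)."""
    x = scalar_mult(priv, pub)[0]
    s = int.from_bytes(hashlib.sha256(x.to_bytes(32, "big")).digest(), "big")
    assert 0 < s < N  # BIP-47: otherwise move on to the next child index
    return s

def sender_payment_pubkey(a, B):
    """Alice (private a, Bob's child pubkey B) pays to B + s*G."""
    return point_add(B, scalar_mult(ecdh_scalar(a, B), G))

def recipient_payment_privkey(b, A):
    """Bob (child private b, Alice's pubkey A) spends with b + s."""
    return (b + ecdh_scalar(b, A)) % N

def demo():
    a = 0x1111111111111111111111111111111111111111111111111111111111111111  # constructed
    b = 0x2222222222222222222222222222222222222222222222222222222222222222  # constructed
    A, B = scalar_mult(a, G), scalar_mult(b, G)
    alice_view = sender_payment_pubkey(a, B)            # what Alice pays to
    bob_view = scalar_mult(recipient_payment_privkey(b, A), G)  # what Bob can spend
    return alice_view, bob_view, B
```

An observer who sees only B (from the published payment code) and the blockchain cannot link alice_view back to B without the secret scalar s, which is why the payment address looks random.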