It’s 2016 and people are still scanning QR codes or copying and pasting long strings of letters and numbers (Bitcoin addresses) to make bitcoin payments. The time for a simpler, more user-friendly wallet is now (or yesterday), but solutions to this issue have not been available until recently.
BIP-47 (Reusable Payment Codes for Hierarchical Deterministic Wallets) and BIP-75 (Out of Band Address Exchange using Payment Protocol Encryption) are two proposals for simplifying the Bitcoin payment process while also maintaining user privacy. The key goal is to prevent those watching the blockchain from tracking payments between users. That means Bitcoin addresses must not be linked to a real-world identity, and address reuse, which a recent report from Coinlab noted as a key issue for Bitcoin privacy, must be avoided.
Let’s take a look at how BIP-47 and BIP-75 intend to make Bitcoin wallets more like mainstream payment apps, such as Venmo, while also improving privacy for all users.
The Weakness of BIP-32 vs BIP-47
Before talking about BIP-75, we must compare BIP-47 to BIP-32. CoinJournal reached out to a former developer of Samourai Wallet (who preferred to remain anonymous), a bitcoin wallet that has implemented BIP-47. BIP-47 establishes a payment relationship between two parties that cannot be observed from the outside. It also facilitates refunds, because the payment relationship can be reversed once it has been established.
According to the anonymous Samourai Wallet developer, an issue with BIP-32 is that it creates a “one to many” payment relationship. This means anyone with a user’s xpub key can observe all of the payments and Bitcoin addresses associated with it.
“BIP-47 is currently an extension of BIP-32,” said the wallet developer. “Later on, as BIP-47 gains traction, it could be seen as a replacement for BIP-32. One can easily imagine an SPV wallet that uses BIP-47 as the primary or even sole means of generating payment addresses.”
James MacWhyte, who is a co-author of the BIP-75 proposal and director of product management at Breadwallet, agrees with this assessment of BIP-32. “This is true,” he told CoinJournal. “BIP-32 is great for managing your addresses internally, or giving out a different chain of addresses to each party you do a lot of business with. But it doesn’t help at all if you want a static, public destination for payments.”
MacWhyte agreed that BIP-47 is a better option than BIP-32 for those who want a static, public address. “BIP-32 and BIP-47 were designed for different use cases, so it doesn’t make much sense to compare them,” he added. “It’s like comparing a hammer and a pipe wrench in terms of how well they can drive a nail. The wrench will work, but that’s not really what it’s designed for (BIP-32 addresses were not intended to be made public).”
BIP-75 Fixes BIP-32’s Problem
Although BIP-75 uses BIP-32, it also adds features that protect against the key privacy weakness pointed out by the Samourai Wallet developer. MacWhyte explained, “The argument between BIP-47 and BIP-75 makes more sense because BIP-75 basically adds the protocol support needed to set up a system to allow users to use BIP-32 addresses the same way BIP-47 can (e.g. with a static destination that doesn’t sacrifice privacy).”
When BIP-75 is used, counterparties do not receive each other’s xpub keys, which means they cannot track all of each other’s payments and addresses. Instead, a new Bitcoin address is generated from the xpub key locally whenever a new payment request is sent. According to Netki CEO and BIP-75 co-author Justin Newton, users have the option of requiring their permission for the generation of each new Bitcoin address or allowing their counterparty to generate an endless number of Bitcoin addresses at will.
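To make the xpub weakness, and the BIP-75 workaround, concrete, here is an added example written for this page (not code from Samourai Wallet, Breadwallet, Netki or either BIP's authors). It implements BIP-32 child key derivation in pure Python over secp256k1. The demo seed and the derivation path m/0'/0 are assumptions for illustration. The point it shows is that anyone holding a chain's extended public key (K, c) can call `ckd_pub` for index 0, 1, 2, ... and enumerate every address the wallet will ever hand out on that chain, whereas a BIP-75 counterparty receives only the single child key derived for its payment request and can go no further.

```python
"""Added example (not from the article or the BIPs' reference code): BIP-32 child
derivation over secp256k1, showing why an xpub is a "one to many" leak."""
import hashlib
import hmac

# secp256k1 domain parameters (standard constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000

def point_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result

def ser_p(point):
    """33-byte compressed SEC encoding of a public key."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def master_from_seed(seed):
    """BIP-32 master key: HMAC-SHA512 keyed with 'Bitcoin seed'."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]

def ckd_priv(k_par, c_par, index):
    """CKDpriv: (parent private key, chain code, index) -> child private key, chain code."""
    if index >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    else:
        data = ser_p(scalar_mul(k_par, G)) + index.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    if il >= N or (il + k_par) % N == 0:
        raise ValueError("invalid child; BIP-32 says skip this index")
    return (il + k_par) % N, i[32:]

def ckd_pub(K_par, c_par, index):
    """CKDpub: the same child computed from the xpub alone. Only non-hardened
    indices work, and that is the leak: the xpub holder can walk the whole chain."""
    if index >= HARDENED:
        raise ValueError("hardened children cannot be derived from an xpub")
    data = ser_p(K_par) + index.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    if il >= N:
        raise ValueError("invalid child; BIP-32 says skip this index")
    K_i = point_add(scalar_mul(il, G), K_par)
    if K_i is None:
        raise ValueError("invalid child; BIP-32 says skip this index")
    return K_i, i[32:]

def observer_enumerates(xpub, count):
    """What a third party holding only (K, c) learns: every receive key on the chain."""
    K, c = xpub
    return [ser_p(ckd_pub(K, c, i)[0]).hex() for i in range(count)]

def bip75_style_address(xpub, next_index):
    """BIP-75 flavour: the recipient derives ONE child locally and sends only that
    key to the counterparty, never (K, c). Returns (compressed key hex, next index)."""
    K, c = xpub
    return ser_p(ckd_pub(K, c, next_index)[0]).hex(), next_index + 1

# Constructed demo seed (the BIP-32 test-vector seed, not a real wallet seed).
DEMO_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
m_k, m_c = master_from_seed(DEMO_SEED)
# Assumed path m/0'/0: one hardened hop (unreachable from the master xpub),
# then the non-hardened external chain whose xpub a wallet might export.
acct_k, acct_c = ckd_priv(m_k, m_c, 0 | HARDENED)
ext_k, ext_c = ckd_priv(acct_k, acct_c, 0)
EXT_XPRV = (ext_k, ext_c)
EXT_XPUB = (scalar_mul(ext_k, G), ext_c)

if __name__ == "__main__":
    print("xpub holder sees:", *observer_enumerates(EXT_XPUB, 3), sep="\n  ")
    print("BIP-75 counterparty sees:", bip75_style_address(EXT_XPUB, 0)[0])
```

The hardened hop is the only thing that stops an xpub holder from going up the tree; below it, every non-hardened index is public knowledge to whoever has (K, c). This is why MacWhyte says BIP-32 addresses were never meant to be made public, and why BIP-75 moves the derivation to the recipient's side and ships a single address per request.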
The Benefits of BIP-47
According to BIP-47 author Justus Ranvier, the feature was designed primarily as a usability improvement for bitcoin wallets that also has the effect of improving privacy without requiring extra effort from the user.
In comments to CoinJournal, Ranvier described the design goals of BIP-47 as follows:
- Create an address that behaves in the way Bitcoin users wish Bitcoin addresses behaved.
- Specifically, BIP-47 payment codes are bidirectional and reusable.
- Like an email address, when someone sends you a BIP-47 payment you see a valid “from address” which you can safely use for sending refunds.
- Do no harm to privacy: Reusing a payment code does not result in the same harmful privacy effects as reusing legacy addresses
- Do not compromise wallet safety: One of the most important safety improvements of modern Bitcoin wallets compared to first generation wallets is the ability to recover from a seed that must only be backed up once. BIP-47 preserves this capability.
- Do not create dependence on third party servers. This was the major failing of Stealth Addresses as used in Dark Wallet. Dependence on third party servers can reduce or eliminate the privacy benefits as well as creating reliability and/or censorship issues.
- Be compatible with existing BIP-44 wallets. BIP-47 is designed as an extension to BIP-44. Any mechanism that a BIP-44 wallet uses to obtain its balance is compatible with BIP-47.
When designing BIP-47, Ranvier did not want to rely on any third-party services, which is a philosophy in line with Bitcoin’s original ethos. “BIP-47 does not depend on third party servers, meaning that users enjoy as much autonomy with payment codes as they do with existing legacy addresses,” he said.
“All interactions with BIP-47 happen through the blockchain, so they enjoy all the benefits that go with it,” added MacWhyte.
According to MacWhyte, privacy is not necessarily where BIP-47 beats BIP-75. Instead, redundancy and censorship resistance are the two key advantages of reusable payment codes.
“If you were to use BIP-75 with a server, although your communications are completely private, the server could go down or be blocked,” explained MacWhyte. “There’s also the possibility of people sending you insincere requests meant to waste your time (spam), which wouldn’t happen with BIP-47 since every transaction is already on the blockchain and paid for.”
“BIP-75 running on a server is also a single point of focus,” MacWhyte continued. “It would be possible to look at the IP addresses of two parties that are responding to the same message chain, whereas if you were to observe BIP-47 parties you would just see them download the whole blockchain.”
Having said that, MacWhyte added that services could be built to mitigate these risks. Decentralized store-and-forward servers could be used or someone could run a store-and-forward server as a Tor hidden service. But the key point is that these anonymity and anti-censorship features are not built directly into the protocol.
BIP-75’s Attempt at Usability and Efficiency Gains
According to MacWhyte, BIP-75 provides the same level of privacy and convenience as BIP-47 without forcing a payment protocol (Bitcoin) to do the work of a messaging protocol. With BIP-75, channels that are better suited for messaging can be used to communicate where payments should be sent. “This creates a much better user experience and makes it possible to build much more powerful applications on top of it,” he claimed.
BIP-47 also requires users to send two transactions for one-time payments. This is because a notification payment must first be made before a real payment can be made with BIP-47. With BIP-75, one-off payments are more practical.
“With BIP-47, the recipient has to receive the notification payment before any other payments, or their wallet won’t know what to look for,” explained MacWhyte. “If a notification payment and a follow-up payment are sent at the same time, race conditions could cause the recipient to not know about the follow-up payment until it confirms in a block. This makes BIP-47 very slow for first-time payments, unless connections are preemptively established–more on this below.”
MacWhyte also discussed the issues with notification payments further. As an example, he pointed out that 100 people wanting to transact with each other would require 9900 notification payments and nearly $1,000 in bitcoin transaction fees. Currently, Bitcoin blocks usually max out around 2500 transactions. Also, these are just notification payments, which means all of this takes place before any money has been sent.
On the other hand, payment connections could be established between an unlimited number of parties via BIP-75 at practically no cost when store-and-forward servers are used.
BIP-47 also becomes resource intensive at scale. “Each person that sends you a notification payment gets their own chain of addresses,” said MacWhyte. “That means your wallet has to constantly monitor a chain for every person you’ve ever connected with. This gets to be resource intensive, especially if you want to scan the first X addresses of each chain in case the sender makes a mistake and doesn’t send the transaction to the first address in the chain.”
“SPV and mobile wallets rely on bloom filters to receive incoming transactions, but bloom filters only work for a certain amount of data until they degrade,” MacWhyte continued. “Calculating hundreds of thousands of watch addresses and managing the bloom filters is too resource intensive for mobile devices, meaning they would most likely need to rely on a server to do it for them — which negates the privacy gained by using BIP-47.”
With BIP-75, it’s possible to receive payments from many people all on one chain of addresses. This means the resource requirements for mobile wallets are no more than they are now.
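MacWhyte's claim that bloom filters "only work for a certain amount of data until they degrade" can be measured. The following is an added example, not code from the article or from any wallet named in it. It builds a generic fixed-size bloom filter (SHA-256-based, not BIP-37's murmur3 construction) over a constructed watch set of one address chain per sender, then probes it with addresses that were never inserted and reports how often they falsely match. The filter size (8192 bits), hash count (4) and a 20-address lookahead per chain are assumed values chosen to make the saturation visible.

```python
"""Added example (not from the article): how a fixed-size bloom filter's false
positive rate degrades as the watch set grows, the effect described for SPV
wallets that must watch one address chain per BIP-47 sender."""
import hashlib
import math

class BloomFilter:
    """Generic bloom filter; positions come from SHA-256, not BIP-37's murmur3."""

    def __init__(self, m_bits, k_hashes):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray(m_bits // 8)

    def _positions(self, item):
        # One SHA-256 per hash index, domain-separated by a leading byte.
        for j in range(self.k):
            h = hashlib.sha256(bytes([j]) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

def watch_set(senders, lookahead):
    """Constructed stand-ins for the addresses a wallet must watch: a chain of
    `lookahead` not-yet-used addresses for each sender who has notified it."""
    return [f"sender{s}/addr{i}".encode() for s in range(senders) for i in range(lookahead)]

def measured_fp_rate(m_bits, k_hashes, senders, lookahead, probes=10_000):
    """Load the watch set into a filter, then probe with constructed unrelated
    addresses and return the fraction that falsely match."""
    bf = BloomFilter(m_bits, k_hashes)
    for item in watch_set(senders, lookahead):
        bf.add(item)
    hits = sum(1 for i in range(probes) if f"unrelated/addr{i}".encode() in bf)
    return hits / probes

def expected_fp_rate(m_bits, k_hashes, n_items):
    """Textbook estimate (1 - e^(-kn/m))^k, for comparison with the measurement."""
    return (1 - math.exp(-k_hashes * n_items / m_bits)) ** k_hashes

if __name__ == "__main__":
    M, K, LOOKAHEAD = 8192, 4, 20  # assumed filter parameters
    for senders in (1, 100, 1000):
        n = senders * LOOKAHEAD
        print(f"{senders:5d} senders, {n:6d} watched addresses: "
              f"measured {measured_fp_rate(M, K, senders, LOOKAHEAD):.3f}, "
              f"expected {expected_fp_rate(M, K, n):.3f}")
```

With these parameters one sender's chain produces essentially no false positives, 100 senders push the rate to roughly 15 percent, and 1000 senders saturate the filter so that nearly every transaction matches. At that point the peer is effectively streaming the wallet the whole block and the filter has stopped filtering; the wallet's options are a larger filter or, as MacWhyte says, outsourcing the scan to a server.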
BIP-47 vs BIP-75 Recovery
According to Ranvier, the recovery process is an area where BIP-47 shines over BIP-75. “The biggest advantage of blockchain-based notifications is the safety of ensuring that wallet balances can always be recovered from the wallet seed,” he said. “Requiring users to update their backups periodically (because the information needed to recover their incoming payments is not contained in their seed + the blockchain) is a major step backwards for user safety. It takes us back to the bad old days when loss of funds due to outdated backups was a frequent complaint.”
MacWhyte disagrees with this analysis. He points out that using the blockchain for the recovery process is simply not practical in some cases. “BIP-47 requires a full download of the blockchain to restore,” he said. “If you want to do that yourself, it requires 80 GB of hard drive space and can take 24 hours or more to download. The other option is to rely on a third-party server, which eliminates all of the privacy and anonymity [advantages] that BIP-47 is supposed to provide.”
MacWhyte also pointed out that the data stored on the blockchain is not of much use without the local data (the user’s address book) to go with it. Although transactions would be grouped by sender, the identity of each sender would be unknown without the user’s locally-stored address book data.
“Since the BIP-47 recovery process either takes significantly more time or sacrifices privacy, the trade off doesn’t seem worth it for that not-particularly-useful amount of information,” MacWhyte added. “At Breadwallet, we are currently working on a solution to store transaction metadata off-chain, in an encrypted and completely private way, so users can restore their entire transaction history including information on who sent them each payment with nothing more than a 15-minute SPV sync.”
When asked about these points on the recovery process, the anonymous former Samourai Wallet developer clarified that users only need a copy of the blockchain from the point at which their notification address was created to recover the data relevant to them. The developer also added that public directories (think PGP key servers) of payment codes are in the works, which would allow users to recover the missing piece of metadata associated with their payment history.
“Any proprietary backup scheme that is used with BIP-75 can be used for BIP-47,” added the former Samourai Wallet developer. “The main difference being that if all else fails BIP-47 can be recovered from the blockchain which, on the technical level, seems like ‘more’ to me, not ‘less.’ In that sense, BIP-47 is a true extension of BIP-32/44 in that the most important data of all, user funds, cannot be lost. The usual caveats as to tradeoffs (speed, performance, privacy) still apply. Personally, I’ll always attempt to err on the side of privacy.
“It appears that BIP-47 is anonymous ‘off the shelf,’” continued the anonymous developer. “Good. With BIP-47 contacts are uniquely identified by their payment code. It is up to the wallet owner to otherwise label each payment code or not, or for the payment code owner to register the code with a directory or lookup service. If done at all, these can be done pseudonymously.”
The former Samourai Wallet developer also disagreed with the points regarding the privacy and anonymity tradeoffs of using a third-party’s copy of the blockchain during the recovery process. “The same techniques that are commonly used by SPV wallets [or an off-chain system] can be applied here,” said the developer.
Wallet Developers Need to Choose a Protocol for Payments
So which BIP should wallets integrate for their users? At the very least, it would make sense for the vast majority of wallets to use the same standard. This would make it much easier for wallet providers to streamline bitcoin payments in their apps.
“Being an absolutist on these issues, I agree with the stand that BIP-75 does not merit implementation,” said the anonymous Samourai Wallet developer. “Personally, I would not use any wallet that implements it. Being an ‘opt-in’ solution doesn’t take the edge off. KYC and AML should not be held at arm’s length, but must be avoided outright.”
“Unfortunately, we are seeing a growing number of mobile wallets seeking partnerships with third-party services that require KYC and AML, so the fact that BIP-75 is even on the radar is not that surprising,” the former Samourai Wallet developer added. To this point, Breadwallet’s Aaron Lasher recently pointed out that brokered third-party services are one of the main ways the bitcoin wallet company intends to make money over the long term. Lasher noted that buying bitcoin would be the first brokered service, which almost always involves KYC and AML compliance.
“Ultimately, I believe that BIP-47 and BIP-75 are targeting different sets of users,” continued the former Samourai Wallet developer. “BIP-75 obviously is out there to promote merchant uptake, while BIP-47 prioritizes absolute privacy and anti-censorship before [point-of-sale] ease-of-use. However, by establishing a beachhead for KYC and AML to build upon, BIP-75 is undesirable.”
Ranvier also stands behind his solution for private and convenient bitcoin payment addresses. He stated:
“I think Bitcoin users will benefit greatly from having addresses that better meet their needs, and I think payment codes achieve this with the best set of available trade-offs. Wallet developers should carefully examine the features of any proposed standard [to] make sure the balance [of] features vs risk is the best fit for their users.”
Indeed, it is up to each bitcoin wallet developer to review both of these proposals (and any others) before deciding which one best fits the needs of their users. Breadwallet and Netki clearly feel they have struck the right balance between convenience and privacy, while others, such as Ranvier and the developers behind Samourai Wallet, disagree. Each wallet provider will have to decide whether the efficiency gains offered by BIP-75 are worth the tradeoffs in anonymity, censorship resistance, and privacy.
Although multiple wallet providers were initially intrigued by BIP-47, Samourai Wallet and Stash appear to be the only ones working on integrating reusable payment codes at the moment. Dark Wallet began work on an implementation of BIP-47, but development on that wallet has stagnated.
On the BIP-75 side, Netki has claimed there are implementations in the works at multiple bitcoin wallet providers. “There are a number of large-scale implementations currently underway, but the entities that are in the process have not given us permission to announce such on their behalf — we always prefer to let these companies do their own announcements,” Jeff Handler, who handles business development at Netki, told CoinJournal. “In addition, BIP-75 is a standalone, open-source BIP that is not owned in any way by Netki — meaning that we are ultimately unaware of exactly who has or is thinking about implementing the standard.”
It may make sense to look at who has implemented BIP-70 in the past to predict who may implement BIP-75 in the future. Bitcoin services and wallets that have implemented BIP-70 include Coinbase, Bitpay, Copay, Mycelium, Breadwallet, and Bitcoin Core, although implementing BIP-75 in Bitcoin Core is likely to be controversial.