BIP47

What is the opinion of BIP47 here? I keep finding myself circling around the concept but I dislike the complexity and the onchain footprint for initial handshake. However, the onchain handshake feels important as a ddos prevention mechanism so that malicious users do not "handshake" with you infinite times and you end up following x amount of xpubs.

Lucas Ontivero Apr 5th at 6:13 PM
We have discussed it a million times and there is not unanimous decision.
IMO it allows the best UX at a quite high technical cost. From the privacy point of view there are many things that bother me too. The cost is also something to have in mind once onchain fees are high forever. Finally if we are right and in the near future all devices will be on and connected all the time then there will be no need for things like bip47 because my wallet will ask your wallet for an address in a very similar way as p2ip was working in bitcoin nodes (edited)

48 replies
Also sent to the channel

Kukks 5 days ago
Ah sorry for bringing it up then, slack is the destroyer of useful history

Lucas Ontivero 5 days ago
no no, we have discussed it during meetings.

Lucas Ontivero 5 days ago
that are not recorded

Kukks 5 days ago
I am also on the same boat, but find that a 1:1 handshaked identity could also be useful beyond a simple address sharing

Lucas Ontivero 5 days ago
yes, of course. Samourai use it for creating shared keys and encrypt the communication with their "soroban" server

Kukks 5 days ago
I've been looking at some much simpler online-based alternatives, which wcould probably be extended to provide a similar functionality to bip47 without the footprint, but the ddos vector is my biggest issue since blockchain scanning is also expensive in its own way

Lucas Ontivero 5 days ago
You don't really need bip47 for having a DH shared secret with other, you only need pubkeys

Lucas Ontivero 5 days ago
with taproot script the pubkeys will be in the scriptpubkey so you will be able to do DH with anyone

Kukks 5 days ago
I've been very interested in the simplicity behind a project called Paystring (paystring.org) but it was spearheaded by Ripple and all their initial ideas complete go against all privacy practices so I have a few proposals that I need to flesh out on that

Kukks 5 days ago
Ah i'm not particularly worried about the crypto, just the UX for the end users, which is what appeals to most users of the curren BIP47 userbase

Lucas Ontivero 5 days ago
if you don't need to be compatible with other then you can implement very cool things

Kukks 5 days ago
for example, it would let users running a btcpay to just publish a public identity as kukks$btcpay.org and then you can resolve addresses, handshake with public keys, p2ep, etc

Lucas Ontivero 5 days ago
you could generate an ouputdescriptor ancoded as a qr code and import that in your wallet and then you have the same

Kukks 5 days ago
yeah exactly, though you need to generate an output descriptor per user, and make sure there is some good form of dos protection as you'll end up tracking a thousand xpubs (edited)

Kukks 5 days ago
which is what cricles me back to bip47, because the handshake serves as a good dos protection, albeit very wasteful..

Lucas Ontivero 5 days ago
anyway, we discuss this same thing so many times that nopara is starting to hate me. @nothingmuch is on the side of those who thinks bip47 is good

Lucas Ontivero 5 days ago
perhaps he can provide more useful comments than me

Kukks 5 days ago
Thanks for the input

Kukks 5 days ago
Constant discussion means there is something that needs to be built, so I think there's no reason for any hate

nothingmuch 5 days ago
i don't think bip 47 is good actually

nothingmuch 5 days ago
i think it works in a very constrained set of use cases, but one of them is important - being able to receive donations while offline without address reuse

nothingmuch 5 days ago
i think the biggest problem is there's no clear way to revoke these codes

nothingmuch 5 days ago
and that for most payment use cases p2ep is strictly better in many regards

nothingmuch 5 days ago
and the notification transaction thing is a big problem even for the use case it's good for… with wabisabi we might be able to make it less painful but i don't know

nothingmuch 5 days ago
i think the right building block is strong, PKI less authentication in two scenarios: point of sale or customer merchant case, where customer authenticates client (once or repeatedly), or mutual authentication case where two parties verify each other (i.e. adding a contact)
in physical space QR codes allow ~256 bits of entropy to be exchanged, enough to give a strongly authenticated hidden service address
when humans are part of the channel, i think PAKE gives the nicest UX - use a one time code (~3 seed words), the clients rendezvous with a centralized server, do PAKE and exchange hidden service addresses
once the wallets have that they can communicate over tor in a variety of settings and do P2EP or exchange single use addresses, i think that would be better than BIP 47 in almost every scenario

nothingmuch 5 days ago
another approach that is interesting is something like Gnunet's GNS

nothingmuch 5 days ago
especially more recently, now that gnunet supports user IDs and messaging (i need to look into that)

nothingmuch 5 days ago
also i think paystrings are analogous to this kind of authentication, but ultimately they delegate authentication to CAs/DNS since they are just fancy URLs

Lucas Ontivero 4 days ago
with Tor, cjdns and i2p the authentication problem is solved and then these paystrings are just the p2ep that we have in mind

nothingmuch 4 days ago
i think they are a bit overly complex personally

nothingmuch 4 days ago
i.e. the discovery protocol to get that syntax working assumes a lot of infrastructure

nothingmuch 4 days ago
there's lots of hidden trust

nothingmuch 4 days ago
but yeah once at least one party has a cryptographic identify of the other side that should be enough to do any p2ep protocol

nothingmuch 4 days ago
so i think that's really the fundamental problem - how to make a smooth UX that (mutually) authenticates ~32 bytes of data used to establish that

Kukks 4 days ago
Yeah and one thing i would love to focus on is making it dead easy for interopability. BIP47 never took off because it is arguably complex to integrate. I especially like the DNS option since any noob web dev can get it running most likely

Kukks 4 days ago
at least for the simplest option of wanting to send X to user Y

nothingmuch 4 days ago
that makes sense both for public, human meaningful identifiers, as well as for authenticated contacts

nothingmuch 4 days ago
UX wise I think that should flow very similarly for both

Kukks 4 days ago
then we can do user X "pairs" with user Y and creates a bond – where both share an output descriptor to one another for the offline payment capability of a bip47

Kukks 4 days ago
and then p2ep of course is natural

Kukks 4 days ago
and then we can start creating trade agreements with DLCs but that's for when we're at a bar during a bitcoin conference ad we're drunk

nothingmuch 4 days ago
isn't it a single p2ep to establish a blockspace-cost-free alternative to bip47 notofications?

Kukks 4 days ago
sure, yeah, i was thinking thinking of a from-to dual thing where you establish a pair between identities

Kukks 4 days ago
but yes, 1 p2ep would be enough as well

Kukks 4 days ago
it depends on what capabiltiies you aim for i guess

nothingmuch 4 days ago
if it's p2ep it needs no special tagging for discovery since it includes a spend by the receiver, that's very nice

nothingmuch 4 days ago
if payjoin p2ep

transisto 2 days ago
I'd like to add that Samourai paynym has always been buggy AF for me, I don't think that many people use it. (edited)