BIP47: Reusable Payment Codes for Hierarchical Deterministic Wallets

Matt ฿
Mar 27, 2019

Bitcoin privacy isn’t something guaranteed at the protocol level. How an individual stores, transacts or otherwise uses Bitcoin is the difference between remaining virtually anonymous and providing motivated onlookers with permanent access to their transaction history.

Unfortunately, achieving greater privacy oftentimes comes at the cost of convenience. Address reuse is a no-no, but to the lazy/non-tech-savvy, generating a new address and sharing it with counterparties isn’t always simple.

Enter BIP47 wallets.

BIP47, Reusable Payment Codes for Hierarchical Deterministic Wallets, was submitted by Justus Ranvier in 2015. As the title may indicate, it adds functionality to the existing hierarchical deterministic (or HD) wallet structures – notably, by outlining a system that facilitates recurring payments between parties (all while protecting their privacy).

HD wallets make privacy more attainable to the user, by deriving public keys without giving away the 'master' one (or xpub, which should be kept secret). A virtually limitless number of these public keys can be created and handed out to counterparties, who would only be able to glean the amount held by a particular key (and not the entirety of the wallet).

So far, so good. You avoid the classic 'XYZ learned how much you hold and now your life is in danger' scenario, and you can more effectively partition your activities without constantly rotating through different wallet apps.

A net improvement, to be sure, but still far from optimal when it comes to frequent transactions. Good practice dictates that a new address is used for every payment, so constantly reissuing them can fast become inconvenient.

The Workaround

BIP47 implementations enhance HD wallet functionality for those seeking to establish recurring payment channels with peers, by providing them with reusable payment codes. If you’d care for a horrifically oversimplified analogy, a payment code is a bit like one of those Handcash cashtags that your friends can pay to.

I’ll elaborate shortly. There are a few things to clarify first – you’re not relying on a trusted third party, you’re not technically sending coins to the payment code, and it’s still just a long string of alphanumeric characters (but you should be used to that by now. If you’re not, welcome to Bitcoin!).

The key thing to remember is that these payment codes can be reused for every transaction without harming privacy, as the coins are sent to a new on-chain address every time. As Ranvier put it in a 2015 BitcoinTalk thread, a single payment code would be capable of channelling funds to 4 billion different addresses.

They differ somewhat from alternative stealth address implementations (Kyle Torpey does an excellent comparison here) – one way in which this is manifested is through the use of an on-chain ‘notification transaction’ to establish a payment channel with a peer.

Before funds can be transmitted back and forth, the sender broadcasts a special transaction (using OP_RETURN) to the receiver’s listening address, which kick-starts the channel. By virtue of all of this rolling out on-chain, a user can recover their channels, in case of disaster, provided they keep a backup (again, something you’re undoubtedly used to).

In the Wild

There are surprisingly few implementations out currently – Samourai Wallet and Billion are the ones that spring to mind (Stash Wallet also boasts support, but I couldn’t get it working). On top of regular functionality, the latter further enables private messaging using BIP47, whilst the former builds on the standard with PayNyms for better UI/UX.

BIP47 is a boon to wallet software, introducing privacy in what is perhaps the best manner for mass adoption – that is, Trojan Horse-ing it towards users under the guise of convenience.

Cover art modified from Pixabay.
