Bitcoin is genuinely made of cryptographic primitives, and every cryptographer can quickly achieve a state of mindfulness by practicing meditation on numbers represented in a popular among software engineers base sixteen numeral system.

Phil Zimmermann and Hal Finney meditate on numbers represented in hexadecimal numeral system

Yet it was always a goal for many Bitcoin enthusiasts to hide these sacral numbers in such a way that they will not scare folks who are just entering the brave new world of cryptoeconomy.

One such improvement was standardization of a way of generating Bitcoin keys from a mnemonic code known as BIP39. It was clear to everyone — even to engineers and computer scientists who are humans as well, by the way — that operating with long base58check encoded strings every time one needs to back-up another key is an awful experience. The industry switched to mnemonic codes rather quickly[1]. Instead of backing-up large random numbers every time a new bulk of Bitcoin address is generated, one should only keep safe a sequence of quite meaningful and human-readable words.

The original Bitcoin wallet backup file consisted of hundreds of private keys. With a mnemonic sentence, it is much easier to back-up a wallet.

On the other side of private keys, there are Bitcoin addresses that are as well no more pleasant to an eye than a long sequence of random characters. The ritual of exchanging an address by means of QR-code showing/scanning or address copying/pasting every-time a transaction needs to occur persist to this days. For Bitcoin and other cryptocurrencies to go mainstream, there must be an alternative that eases this ritual to a decent level. Reusable Payment Codes provide one of a few key pieces to this new setup. Let’s look into how they work and what benefits they offer without touching low-level cryptographic mechanics.


A Payment Code itself looks very similar to an average cryptocurrency address. That said, it is just a rather long sequence of hexadecimal digits as well:

The main difference here is that in contrast to a classic address that needs to be exchanged prior to every transaction, a user needs to get a payment code of a counter-party only once. After that, the wallet software automatically generates a new address during each payment. No address reused, no need to scan or copy or paste anything — just choose a recipient, enter an amount, and you are ready to pay. More to that, in contrast to classic addresses, payment codes can be freely published everywhere online or offline: no prying eyes would be able to guess what the actual addresses were used to pay to this particular payment code.

Justus Ranvier, author of BIP47 Reusable Payment Codes. Donations accepted to a paycode published on Twitter (https://twitter.com/BlockInTheChain) PM8TJfFccT8JNYN6fWypnkHuWUeH1kyoZzri9qi8gtPajiJmP8TKJvfTzXVry9WWFU6bVuXyhjKJWurFdsZaHN294inAJ1JaSFzP9eEtfS1MQd1BDFda

These two properties of payment codes are essential considering the fully transparent nature of Bitcoin’s blockchain.

The first property eliminates the problem of address reuse. Two people or organizations that have frequent economic activities can establish a long-lasting connection and exchange coins more conveniently without sacrificing privacy. Many wallets provide a feature of ‘labeling’ certain addresses and reusing them as needed; some exchanges give a single address to deposit coins; mining pools make payouts to the same address every time… with payment codes, these practices are a thing of the past.

The second one increases the privacy of users of transparent blockchains. Let’s look at this address: 1HB5XMLmzFVj8ALj6mfBsbifRoD4miY36v. We can learn that during the first three weeks of January 2018 this address received more than 180 mBTC. This Litecoin address: LQ3B36Yv2rBTxdgAdYpU2UcEZsaNwXeATk received more than 12 LTC during the same timeframe. On the other hand, no one is able to determine how many coins were sent to this Monero Stealth Address: 47BnvD18P456f4KJUBKPS3Rqa97LrTaeqJ5NFYmjQM6nVoz6TBv4rJ24GZk883BNo22fAKbr8BSuTjhQC6K7DsSJFa8SHDs.

That said, Payment Codes serve the same purpose as Stealth Addresses. In fact, the idea of Stealth Addresses was finalized in a paper by Peter Todd in early 2014[2].

Credit goes to ByteCoin for the original idea. Gregory Maxwell, Adam
Back, and others on #bitcoin-wizards contributed valuable input on the
implementation. Finally thanks goes to Amir Taaki for input on the
general idea of stealth addresses and use-cases.

Moreover, they later became widely used thanks to CryptoNote based cryptocurrencies such as Monero. Other people are familiar with Stealth Payments functionality in Bitcoin Dark Wallet. Payment Codes are like a more flexible incarnation of Stealth Addresses that was developed by Justus Ranvier in 2015[3]:

Payment codes are a technique for creating permanent Bitcoin addresses that can be reused and publicly associated with a real-life identity without creating a loss of financial privacy.
They are similar to stealth addresses, but involve a different set of trade-offs and features that may make them more practical.

There is even more to tell about them. A single payment code can be safely used across different cryptocurrencies[4]. Imagine that Carol and Dave both use two different wallets that support Bitcoin and Litecoin cryptocurrencies and BIP47 Payment Codes. In a proper setup, once Dave received Carol’s payment code his crypto-wallet recognized that Carol uses Bitcoin and Litecoin, and can generate addresses for these currencies alltogether — with no single public key reused across blockchains![5]

Payment Codes unite many different blockchains into a single-address-space, and this is a super cool feature that none of other stealth-like addresses can provide. One can easily envision a future where WikiLeaks and other vital organizations or individuals who heavily rely on donations no longer provide different addresses for different cryptocoins but a single payment code that can be used for as many cryptocurrencies as needed giving additional privacy to all of them. The more currencies they accept, the more users from distinct communities can support them.

Transactions to and from a transparent address can easily be monitored. If a user has a few favorite coins, he needs to operate with separate addresses for each of them. Bitcoin Stealth Addresses did not get wide support, likely because they were hardly compatible with mobile wallets. A single payment code can be used with many cryptocurrencies, it can be published online or offline, and the set up is friendly to mobile wallets. It is worth noting that in a current implementation not all currencies can be supported but only those that use the same elliptic curve and as Bitcoin and a similar blockchain architecture, for example: it is impossible to use a payment codes with Ethereum, or to generate Monero addresses.

The mechanics of Payment Codes require a user to make a so-called Notification Transaction before further payments, and it costs a regular blockchain fee. With that information in mind let’s think about the use cases for payment codes. The best way to do that is to think in terms of a smartphone address book — once it is clear that further contacts with a particular person are likely to occur sometime in the foreseeable future, an address book entity is created. For as long as the contact is one-time, e.g., a clarification email or a spontaneous phone call, no one bothers performing any additional actions.

It is just the same with payment codes: if a company offers salaries in Bitcoin, once it recruited a new employee the ‘payment tunnel’[6] is established, and biweekly payments go through a blockchain without any additional information from the employee. The ‘payment tunnel’ in this example is unidirectional, and only the company needs to pay the fee.

Nakamoto Industries pays salaries in Bitcoin using transaction batching technique and BIP47 to ease the process to accountants. Payment Codes allow wallet developers to make interfaces that are much easier to use to non-tech-savvy users.

Payment Codes simplify business transactions as well. Once they are exchanged, all payments that are made through the tunnel are automatically identified as belonging to a particular organization and can be processed accordingly. If a refund needs to occur, it is as easy as replying to an email.

Payments are easily identifiable by a counter-party, refundable and can be made at any time without the need of contact prior to each payment.

The payment-identification feature is somewhat important as it opens the doors for pseudo-recurring payments. A tenant can pay for accommodation monthly, and a landlord can always see the payments as made by a particular person. A user can set up a wallet software in such a way that a pre-configured transaction utilizing a newly-generated address will pop-up according to the specified schedule.

With Payment Codes wallets can create transactions according to a specified schedule mimicking recurring payments. A user only needs to approve and broadcast a transaction. This technique can be adopted by organizations that heavily rely on outsize support to encurage recurrent donations.

It is out of the scope of this article to speculate whether everything is Bitcoin-based in the future or other cryptocurrencies can find their place on the market. It is clear though that reusable payment codes give an almost ultimate solution to make on-chain transactions as user-friendly as possible: “Hey Siri, send Jane 120,000¥ in bitcoins using Billion”[7]. So Jane can see a notification on her Android that Mary just paid the rent — cryptoeconomy is over the walled gardens of closed systems. Reusable Payment Codes form an open standard that breaks the walls of operating systems and unites different cryptocurrencies and wallets into a single family.

Payment Codes simplify day-to-day transactions within a family and a circle of friends and colleagues. No need to scan a QR prior to each payment: just choose a recipient from a list of contacts, enter an amount and you are ready to pay. Participants can use an operating system and a wallet of their choice!

Last but not least, it is necessary to get sight of different ways of exchanging Payment Codes in the first place. If users still need to operate with those hex strings at least once, it is not that much of an improvement after all. Back in 2010, there was a project aimed to extend Bitcoin with a decentralized DNS functionality with a proposed name BitDNS. It was Satoshi Nakamoto who directed this project to be a separate blockchain with a famous quote that, like many others, reveals his genius[8]:

Piling every proof-of-work quorum system in the world into one dataset doesn’t scale. Bitcoin and BitDNS can be used separately. Users shouldn’t have to download all of both to use one or the other. BitDNS users may not want to download everything the next several unrelated networks decide to pile in either. The networks need to have separate fates. BitDNS users might be completely liberal about adding any large data features since relatively few domain registrars are needed, while Bitcoin users might get increasingly tyrannical about limiting the size of the chain so it’s easy for lots of users and small devices. Fears about securely buying domains with Bitcoins are a red herring. It’s easy to trade Bitcoins for other non-repudiable commodities. If you’re still worried about it, it’s cryptographically possible to make a risk free trade. The two parties would set up transactions on both sides such that when they both sign the transactions, the second signer’s signature triggers the release of both. The second signer can’t release one without releasing the other.

A few months later[9] the world’s second blockchain was born and was given a name Namecoin: technically — an altcoin, but practically, with cross-chain atomic swaps in mind, an extension of Bitcoin. Considering its neutrality and low cost of transactions, Namecoin is an ideal candidate to host identities with corresponding payment codes and additional meta-information, such as user’s cryptocurrencies of choice, SegWit support, URL to an avatar and a signature. Wallets from across the industry running on any operating system can fetch this information from Namecoin through Simple Name Verification, or utilize a trusted or local full-node. Finding a payment information trustlessly can be as easy as typing id/eliza.

However, as long as this set-up is yet to be developed, users can enjoy a public repository operated by Samurai Wallet developers. PayNym.is assigns a nice, unique and memorable avatar to each registered code. With open API this is the first major step in a process of breaking the wall and opening the doors for users of different wallets to establish private tunnels!

Each PayNym Bot is unique. The service is the next major step in bringing Payment Codes to masses.

Alternatively, Air Connectivity can be used among Billion Wallet users for server-less near field contact exchange:

We hope to make this cross-platform in the future, in a manner similar to FireChat but as an open implementation.

As of the beginning 2018, there are 3 wallets with BIP47 support: Samurai and Stash for Android and Billion for iOS. We encourage you to give them a try!



[1] BIP39 is not an industry-wide ‘standard’, and some wel-known wallets use different implementations of the same idea. Moreover, among those who support BIP39 there is divergence based on key-derivation paths, such as BIP32 or BIP44. BIP47 further adds to this divergence. Despite the fact that mnemonic sentences look very similar, they are incompatible among different wallet families.

[2] [Bitcoin-development] Stealth Addresses https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03613.html

[3] BIP-47: Reusable payment codes https://bitcointalk.org/index.php?topic=1095800.0; https://www.reddit.com/r/Bitcoin/comments/3alzga/bip47_reusable_payment_codes/

[4] Bip47: define version 3 payment codes https://github.com/OpenBitcoinPrivacyProject/bips/pull/8

[5] It is possible to generate addresses for different cryptocurrencies from a single public key. However, once this public key was used to spend coins, the user becomes more vulnerable to a blockchain analysis. This is why BIP44 specifies ‘coin_type’ parameter. A Payment Code can be used to generate addresses for all cryptocurrencies that use secp256k1 elliptic curve. Sender only needs to know what coins his counter-party is willing to accept.

[6] There is no a well-established term to describe a private connection between two Payment Code users. They used to call it ‘a channel’, yet it is confusing considering Lighting Network has the same terminology. A private payment ‘tunnel’ is a nice alternative: a tunnel is not visible to others and is created somewhere under the surface of a blockchain.

A private tunnel for on-chain payments.

[7] Billion Wallet does not support payments through Siri yet.

[8] BitDNS and Generalizing Bitcoin; #246 https://bitcointalk.org/index.php?topic=1790.msg28917#msg28917

[9] Namecoin — a distributed naming system based on Bitcoin https://bitcointalk.org/?topic=6017


Revision Notes

February 8, 2018. Correction added to reflect that it is impossible to use Payment Codes with Ethereum-like blockchains.

Like what you read? Give Billion a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.