1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
|
Return-Path: <symphonicbtc@proton.me>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])
by lists.linuxfoundation.org (Postfix) with ESMTP id 8DE29C0032
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 11 Aug 2023 22:04:44 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp2.osuosl.org (Postfix) with ESMTP id 67275402D4
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 11 Aug 2023 22:04:44 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 67275402D4
Authentication-Results: smtp2.osuosl.org; dkim=pass (2048-bit key,
unprotected) header.d=proton.me header.i=@proton.me header.a=rsa-sha256
header.s=ngdhkcn6pfaq7fyoevuw52crhq.protonmail header.b=aThz0tom
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -0.067
X-Spam-Level:
X-Spam-Status: No, score=-0.067 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, LONGWORDS=2.035,
SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from smtp2.osuosl.org ([127.0.0.1])
by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id zNuGezDVLn3o
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 11 Aug 2023 22:04:41 +0000 (UTC)
Received: from mail-41104.protonmail.ch (mail-41104.protonmail.ch
[185.70.41.104])
by smtp2.osuosl.org (Postfix) with ESMTPS id 831FF40169
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 11 Aug 2023 22:04:39 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 831FF40169
Date: Fri, 11 Aug 2023 22:04:23 +0000
Authentication-Results: mail-41104.protonmail.ch;
dkim=pass (2048-bit key) header.d=proton.me header.i=@proton.me
header.b="aThz0tom"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proton.me;
s=ngdhkcn6pfaq7fyoevuw52crhq.protonmail; t=1691791466; x=1692050666;
bh=qOD4tNwZonpIfzv/Mt6nkKw7EvqSzVz65042harKvvo=;
h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References:
Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:
Message-ID:BIMI-Selector;
b=aThz0tomJ+Y2bNakk+TEKFMfsWgZ9YxQ0Wydbqc1VuPSTYm6sj1re0qMotSKGesjw
LJCi4zaTMA5YLjap+AoAUJ5vPl3d9KljGlWADQFo4dXrIY/K3kZjcXDaptU+2NyH5Y
gd1TqJ5P8AtqDYDGzMmdr1LM//B/Mfu8fo+ay+kU6vdD02afGgYWLmY41R8uWqYxJD
tjcEduqzmlclG323DaM1Vb526p3aqW35wIDFmKLhDKvZeV6/PVL/FT0ABz13iVp0qF
eseiz31kAHsdj8yCROcwB4Q2l0ez57br2/NHW0dTU7F9QGyClLs0vWYVA2AsZJKoBa
7Jg7wIWtujisQ==
To: Dan Gould <d@ngould.dev>
From: symphonicbtc <symphonicbtc@proton.me>
Message-ID: <P1bXSK5FgAsqtckOyZmQ4U6XyKJavBuDC92FgE_R4osiQJIIEDndFRPBFJsU6vO0fhioctnDV9MKp1sYoCfSwswUbFfkglxHEvYaNMo67fI=@proton.me>
In-Reply-To: <50A19B79-46A1-4F21-AA53-74356F4B0CBA@ngould.dev>
References: <mailman.130337.1691684480.956.bitcoin-dev@lists.linuxfoundation.org>
<50A19B79-46A1-4F21-AA53-74356F4B0CBA@ngould.dev>
Feedback-ID: 77757318:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Fri, 11 Aug 2023 22:28:51 +0000
Cc: bitcoin-dev@lists.linuxfoundation.org
Subject: Re: [bitcoin-dev] BIP for Serverless Payjoin (AdamISZ)
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Aug 2023 22:04:44 -0000
Hey Dan,
Very interested in such a protocol finally becoming standardized. Quick lit=
tle nit I noticed as well, are you sure base64 encoding is the best choice =
for the psk in the URI? You may find that having to urlencode the special c=
haracters in base64 it impacts readability and adds a layer of complexity i=
f a human wanted to extract the psk from the URI for some reason. I suggest=
using something like [base64url](https://datatracker.ietf.org/doc/html/rfc=
4648#section-5) which modifies base64 slightly to be more suited to this pu=
rpose.
Symphonic
------- Original Message -------
On Friday, August 11th, 2023 at 5:03 PM, Dan Gould via bitcoin-dev <bitcoin=
-dev@lists.linuxfoundation.org> wrote:
> Hi waxwing
>=20
> thanks for the detailed response. You've identified a number of flaws bot=
h in the protocol and the document that can be fixed. I sincerely appreciat=
e it. If more comes to mind, fire away.
>=20
> > I wanted to immediately "nit" a point I saw as I was reading:
> >=20
> > > Because BIP 78 messages are neither authenticated nor encrypted a mal=
icious unsecured payjoin server is able to modify the Payjoin PSBT in fligh=
t,
> >=20
> > Taken as is - i.e. out of context! - this is just wrong. The BIP explic=
itly states:
> >=20
> > "The sender must ensure that the url refers to a scheme or protocol usi=
ng authenticated encryption, for example TLS with certificate validation, o=
r a .onion link to a hidden service whose public key identifier has already=
been communicated via a TLS connection. Senders SHOULD NOT accept a url re=
presenting an unencrypted or unauthenticated connection. "
>=20
>=20
> Nice Catch. I've fixed it in the draft.
>=20
> > Out of band, the receiver of the payment, shares a bitcoin URI with the=
sender including a <code>pj=3D</code> query parameter describing the relay=
subdirectory endpoint and <code>psk=3D</code> parameter with base64 encode=
d 256-bit secret key.
>=20
> > You're sending the symmetric secret key out of band; but isn't this obs=
curing the question of securely sharing the secret key? Did you consider DH=
-ing this as other protocols do? At the very least I would claim that it's =
likely that implementers might be sloppy here; at the most I would claim th=
is is just insecure full stop.
>=20
>=20
> At first I thought this would be secure because the relay itself would ne=
ed to discover the key only to uncover privacy, but because of output subst=
itution it would actually open the protocol to a loss of funds attack: If t=
he ask-containing bip21 were discovered by the relay, then the relay would =
have enough information to both find the buffer and forge a Payjoin PSBT pa=
ying itself rather than the receiver, and the sender would send it because =
output substitution is allowed. Even though I handle bip21s and addresses a=
s secret, I know many people post them in unencrypted channels and so they =
should not be assumed secure to pass secrets.
>=20
> I have certainly considered the security trade offs of using a symmetric =
key vs DH. The main reason I chose to use the symmetric psk over DH is beca=
use I thought DH would require another round of communication to establish =
receiver authentication, which is a huge inconvenience in an asynchronous s=
etting. The attack I=E2=80=99ve described can be mitigated inside the same =
message pattern by having receiver share a public key of a per-request keyp=
air Instead, approximately following the NKpsk0 pattern, the sender may pas=
s an ephemeral secret session key under which the Payjoin PSBT response wou=
ld be encrypted and authenticated so no malicious adversary with knowledge =
of the bip21 would be unable to read or forge. Stowaway uses BIP 47 codes f=
or this purpose, but I see no reason to tie buffer identity to the underlyi=
ng wallet. Using ephemeral keys also allows a single receiver to enroll mul=
tiple buffers at a relay simultaneously.
>=20
> > About attack vectors:
> >=20
> > Since relays store arbitrary encrypted payloads to the tragedy of the c=
ommons and denial of service attacks. Relay operators may impose an authent=
ication requirement before they provide relay service to receivers to mitig=
ate such attacks.
> >=20
> > Isn't the most obvious concern with this architecture, that the relays =
have metadata - most obviously, they can time correlate messages, with bitc=
oin network events, so at the least they could tie transactions to clients.=
If both parties use anonymised network connections then this is ameliorate=
d (though not removed) as a vector, but then we'd need to be clear that we =
require those (e.g. Tor). Not sure if it's palatable to do this if otherwis=
e, i.e. if we think the relays can tie network addresses to transactions? W=
ell, not sure, but I'd expect it to be mentioned?
>=20
>=20
> The most obvious concern with this architecture is indeed that the relays=
would have metadata that could be used for timing attacks correlating to a=
Payjoin PSBT buffer being cleared from the relay and a potential payjoin t=
ransaction being broadcast. If a sufficient number of steganographic transa=
ctions are broadcast per quantum, then requiring a sender to broadcast only=
after a random delay based on a poisson distribution could mitigate this p=
roblem somewhat. According to S. Ghesmati 2020 research, between 27% and 42=
% of all transactions conform to the type of unnecessary input heuristic th=
at payjoins conform to (UIH2). So it wouldn=E2=80=99t take long for multipl=
e steganographic candidates to enter the Mempool at any given time.
>=20
> I'm extremely reluctant to require Tor because it severely limits the num=
ber of environments where this proposal could be deployed. If we were to re=
quire Tor, we should then just ignore this proposal and focus on deploying =
hidden service based v1 receivers as in JoinMarket. I'm more inclined to re=
quire Oblivious HTTP but even that seems overkill when the threat would be =
for the relay to correlate steganographic transactions, which don't have a =
single clear sender/receiver interpretation, to two ip addresses.
>=20
> > It just occurred to me that while timing correlation itself might not b=
e much (in usual circumstances, there are tons of other transactions), it's=
, as usual with metadata, the intersection of more than one thing that coul=
d hurt: I know when the tx happens (say within a time window of 10 seconds)=
, but also I might know the size of the message. Perhaps consider random pa=
dding of the Payjoin PSBT message size (iirc chacha is a stream cipher so l=
engths are arbitrary).
>=20
>=20
> The biggest intersection attack is timing correlation of two linked poten=
tial payjoin transactions related to one IP address. Again, a specified del=
ay may help mitigate this concern.
>=20
> I agree that padding ought to be a requirement. 4M block size limit with =
base64 encoding overhead seems like a resonable buffer size, but PSBTs have=
significant overhead compared to consensus transactions, so the exact size=
of a buffer needs more attention.
>=20
> Thanks for the feedback,
> Dan
>=20
> > On Aug 10, 2023, at 12:21 PM, bitcoin-dev-request@lists.linuxfoundation=
.org bitcoin-dev-request@lists.linuxfoundation.org wrote:
> >=20
> > Send bitcoin-dev mailing list submissions to
> > bitcoin-dev@lists.linuxfoundation.org
> >=20
> > To subscribe or unsubscribe via the World Wide Web, visit
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > or, via email, send a message with subject or body 'help' to
> > bitcoin-dev-request@lists.linuxfoundation.org
> >=20
> > You can reach the person managing the list at
> > bitcoin-dev-owner@lists.linuxfoundation.org
> >=20
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of bitcoin-dev digest..."
> >=20
> > Today's Topics:
> >=20
> > 1. Re: BIP for Serverless Payjoin (AdamISZ)
> >=20
> > ----------------------------------------------------------------------
> >=20
> > Message: 1
> > Date: Thu, 10 Aug 2023 15:46:18 +0000
> > From: AdamISZ AdamISZ@protonmail.com
> > To: Dan Gould d@ngould.dev, Bitcoin Protocol Discussion
> > bitcoin-dev@lists.linuxfoundation.org
> > Subject: Re: [bitcoin-dev] BIP for Serverless Payjoin
> > Message-ID:
> > qLcrxFA7z6NkweC9HhZS7g9dcchQfVpjClR-nrMvjYmBobfYzbRrF37QztsuAVdM6HSZJ8U=
Hl27QKYAWq0zYQMmYnBmg0YE-7HO9S6A1Rxs=3D@protonmail.com
> >=20
> > Content-Type: text/plain; charset=3Dutf-8
> >=20
> > Sorry for yet another message but:
> >=20
> > It just occurred to me that while timing correlation itself might not b=
e much (in usual circumstances, there are tons of other transactions), it's=
, as usual with metadata, the intersection of more than one thing that coul=
d hurt: I know when the tx happens (say within a time window of 10 seconds)=
, but also I might know the size of the message. Perhaps consider random pa=
dding of the Payjoin PSBT message size (iirc chacha is a stream cipher so l=
engths are arbitrary).
> >=20
> > Cheers,
> > AdamISZ/waxwing
> >=20
> > > Isn't the most obvious concern with this architecture, that the relay=
s have metadata - most obviously, they can time correlate messages, with bi=
tcoin network events, so at the least they could tie transactions to client=
s. If both parties use anonymised network connections then this is ameliora=
ted (though not removed) as a vector, but then we'd need to be clear that w=
e require those (e.g. Tor). Not sure if it's palatable to do this if otherw=
ise, i.e. if we think the relays can tie network addresses to transactions?=
Well, not sure, but I'd expect it to be mentioned?
> > >=20
> > > Cheers,
> > > AdamISZ/waxwing
> > >=20
> > > Sent with Proton Mail secure email.
> > >=20
> > > ------- Original Message -------
> > > On Wednesday, August 9th, 2023 at 11:32, Dan Gould via bitcoin-dev bi=
tcoin-dev@lists.linuxfoundation.org wrote:
> > >=20
> > > > Hi all,
> > > >=20
> > > > The Serverless Payjoin idea has come a long way toward formal speci=
fication of a Payjoin version 2. In the spirit of BIP 2, I?m sharing an int=
ermediate draft of the BIP here before opening a draft on GitHub for the BI=
P editors, and before this exact specification has a complete reference imp=
lementation. The draft does reference two proof of concept payjoin implemen=
tations, one demonstrating use of symmetric cryptography, and the other asy=
nchronous messaging and backwards compatibility.
> > > >=20
> > > > I?ve updated the Serverless Payjoin gist to reflect this draft spec=
ification https://gist.github.com/DanGould/243e418752fff760c9f6b23bba8a32f9=
in order to preserve the edit history before opening a bips PR.
> > > >=20
> > > > The specifics have changed significantly compared to the first mail=
ing list post to reflect feedback. Looking forward to hear your thoughts.
> > > >=20
> > > > Dan
> > > >=20
> > > > <pre>
> > > >=20
> > > > BIP: ???
> > > > Layer: Applications
> > > > Title: Payjoin Version 2: Serverless Payjoin
> > > > Author: Dan Gould d@ngould.dev
> > > >=20
> > > > Status: Draft
> > > > Replaces: 78
> > > > Type: Standards Track
> > > > Created: 2023-08-08
> > > > License: BSD-2-Clause
> > > > </pre>
> > > >=20
> > > > =3D=3DAbstract=3D=3D
> > > >=20
> > > > This document proposes a backwards-compatible second version of the=
payjoin protocol described in [[bip-0078.mediawiki|BIP 78]], allowing comp=
lete payjoin receiver functionality including payment output substitution w=
ithout requiring them to host a secure public endpoint. This requirement is=
replaced with an untrusted third-party relay and streaming clients which c=
ommunicate using an asynchronous protocol and authenticated encrypted paylo=
ads.
> > > >=20
> > > > =3D=3DCopyright=3D=3D
> > > >=20
> > > > This BIP is licensed under the 2-clause BSD license.
> > > >=20
> > > > =3D=3DMotivation=3D=3D
> > > >=20
> > > > Payjoin solves the sole privacy problem left open in the bitcoin pa=
per, that transactions with multiple inputs "necessarily reveal that their =
inputs were owned by the same owner." Breaking that common-input ownership =
assumption and others requires input from multiple owners. Cooperative tran=
saction construction also increases transaction throughput by providing new=
opportunity for payment batching and transaction cut-through.
> > > >=20
> > > > Version 1 coordinates payjoins over a public server endpoint secure=
d by either TLS or Tor onion hidden service hosted by the receiver. Version=
1 is synchronous, so both sender and reciever must be online simultaneousl=
y to payjoin. Both requirements present significant barriers for all but so=
phisticated server operators or those wallets with complex Tor integration.=
These barriers are [[https://lists.linuxfoundation.org/pipermail/bitcoin-d=
ev/2021-January/018358.html|regarded]] as limits to payjoin adoption.
> > > >=20
> > > > The primary goal of this proposal is to provide a practical coordin=
ation mechanism to be adopted in a vast majority of wallet environments. Th=
is is realized as a simple protocol built on bitcoin URI requests, web stan=
dards, common crypto, and minimal dependencies.
> > > >=20
> > > > =3D=3D=3DRelation to BIP 78 (Payjoin version 1)=3D=3D=3D
> > > >=20
> > > > The message payloads in this version parrallel those used in BIP 78=
while being encapsulated in authenticated encryption, forgoing HTTP messag=
ing for WebTransport streaming of asynchronus interactions, and leveraging =
PSBT version 2.
> > > >=20
> > > > The BIP 78 standard allows for an [[https://github.com/bitcoin/bips=
/blob/master/bip-0078.mediawiki#unsecured-payjoin-server|unsecured payjoin =
server|]] to operate separately from the so-called "payment server" respons=
ible for generating [[https://github.com/bitcoin/bips/blob/master/bip-0021.=
mediawiki|BIP 21]] request URIs. Because BIP 78 messages are neither authen=
ticated nor encrypted a malicious unsecured payjoin server is able to modif=
y the Payjoin PSBT in flight, thus requiring [[payment output substitition]=
] to be disabled. Output substitition is useful for a number of block space=
optimizations, including payment batching and transaction cut-through. Thi=
s proposal introduces authentication and encryption to secure output substi=
tion while using a relay without compromising sender or receiver privacy.
> > > >=20
> > > > Although unsecured payjoin server separation is mentioned in BIP 78=
, no known specification or implementation of one exists. This document spe=
cifies one to be backwards compatible with version 1 senders. Receivers res=
ponding to version 1 senders must disable output substitution their payload=
s are plaintext so they may payjoin without the risk of the relay stealing =
funds.
> > > >=20
> > > > The protocols in this document reuse BIP 78's BIP 21 URI parameters=
. A Fallback PSBT timeout parameter is introduced which may also help coord=
inate the synchronous version 1 protocol.
> > > >=20
> > > > =3D=3D=3DRelation to Stowaway=3D=3D=3D
> > > >=20
> > > > [[https://code.samourai.io/wallet/ExtLibJ/-/blob/develop/doc/cahoot=
s/STOWAWAY.md|Stowaway]] is a payjoin coordination mechanism which depends =
on Tor, a third-party relay, and the [[https://samouraiwallet.com/paynym|Pa=
yNym]] [[https://github.com/bitcoin/bips/blob/master/bip-0047.mediawiki|BIP=
47]] Payment codes directory for subdirectory identification and encryptio=
n. The payjoin version 2 protocol uses one-time symmetric keys for relay su=
bdirectory identification, authentication, and encryption instead of BIP 47=
public keys derived from the wallet. Payjoin version 2 also supports async=
hronous messaging, in contrast to online Stowaway's synchronous HTTP-based =
messaging. Offline stowaway may depends on manual message passing rather th=
an an asynchronous network protocol. Successful Stowaway execution results =
in 2-output transactions, while BIP 79, 78, and this work may produce batch=
ed transactions with many outputs.
> > > >=20
> > > > =3D=3DSpecification=3D=3D
> > > >=20
> > > > =3D=3D=3DOverview=3D=3D=3D
> > > >=20
> > > > Payjoin requests are made using familiar BIP 21 URIs. Instead of a =
public HTTP endpoint, this scheme allows a WebTransport client to enroll wi=
th a relay server to receive payjoin. Relays may optionally require an auth=
orization credential before allocating resources in order to prevent DoS at=
tacks. Sender and receiver payloads are buffered at the relay to support as=
ynchronous interaction. Symmetric authenticated encryption (ChaCha20-Poly13=
05 AEAD) prevents the relay from snooping on message contents or forging me=
ssages. Aside from a pre-shared secret and relayed asynchronus networking, =
the version 2 messaging takes much the same form as the existing BIP 78 spe=
cification.
> > > >=20
> > > > =3D=3D=3DBasic scheme=3D=3D=3D
> > > >=20
> > > > The recipient first generates a 256-bit key <code>psk</code>. This =
pre-shared key will be the basis of end-to-end authenticated encryption and=
identification of a particular payjoin over the relay.
> > > >=20
> > > > Rather than hosting a public server, they start a streaming session=
to receive messages and allocate a subdirectory from which to relay messag=
es. The first message must include the first 4 bytes of the Sha256 hash of =
their <code>psk</code> to be enrolled as a subdirectory identifier. The nex=
t message streamed from the relay to sender includes the enrolled subdirect=
ory payjoin endpoint. After enrollment, they await a payjoin request on a s=
ession identified by the subdirectory. Out of band, the receiver shares a [=
[https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP 21]] pa=
yjoin uri including the relay endpoint in the <code>pj=3D</code> query para=
meter and the pre-shared key in a new <code>psk=3D</code> query parameter.
> > > >=20
> > > > The sender constructs an encrypted and authenticated payload contai=
ning a PSBT and optional parameters similar to BIP 78. The resulting cipher=
text ensures message secrecy and integrity when streamed to the recipient b=
y the relay-hosted subdirectory <code>pj=3D</code> endpoint.
> > > >=20
> > > > The sender's request is relayed to the receiver over a streaming se=
ssion at the subdirectory identified by the hash of <code>psk</code>. Messa=
ges are secured by symmetric cipher rather than TLS or Onion routing sessio=
n key. Sender and receiver may experience network interruption and proceed =
with the protocol since their request and response are buffered at the Payj=
oin relay subdirectory.
> > > >=20
> > > > =3D=3D=3DPayjoin version 2 messaging=3D=3D=3D
> > > >=20
> > > > Payjoin v2 messages use [[https://github.com/bitcoin/bips/blob/mast=
er/bip-0370.mediawiki|BIP 370 PSBT v2]] format to fascilitate PSBT mutation=
.
> > > >=20
> > > > The payjoin version 2 protocol takes the following steps:
> > > >=20
> > > > * The recipient sends the first 4 bytes of <code>H(psk)</code> and =
optional authentication credential according to [[#receiver-relay-enrollmen=
t|receiver relay enrollment]] protocol. It may go offline and replay enroll=
ment to come back online.
> > > >=20
> > > > * Out of band, the receiver of the payment, shares a bitcoin URI wi=
th the sender including a <code>pj=3D</code> query parameter describing the=
relay subdirectory endpoint and <code>psk=3D</code> parameter with base64 =
encoded 256-bit secret key. To support version 1 senders the relay acts as =
an unsecured payjoin server so <code>pjos=3D0</code> must be specified in t=
he URI. Version 2 senders may safely allow output substitution regardless.
> > > >=20
> > > > * The sender creates a valid PSBT according to [[https://github.com=
/bitcoin/bips/blob/master/bip-0078#receivers-original-psbt-checklist|the re=
ceiver checklist]] formatted as PSBTv2. We call this the <code>Fallback PSB=
T</code>. This Fallback PSBT and optional sender parameters are encrypted a=
nd authenticated with the <code>psk</code> using ChaCha20Poly1305 and strea=
med to the relay subdirectory endpoint.
> > > >=20
> > > > * The sender awaits a response from the relay stream containing an =
encrypted <code>Payjoin PSBT</code>. It can replay the <code>Fallback PSBT<=
/code> to request a response if it goes offline.
> > > >=20
> > > > * The request is stored in the receiver's subdirectory buffer.
> > > > * Once the receiver is online, it awaits a stream of request update=
s from the relay. The receiver decrypts aund authenticates the payload then=
checks it according to [[https://github.com/bitcoin/bips/blob/master/bip-0=
078#receivers-original-psbt-checklist|the receiver checklist]]. It updates =
it to include new signed inputs and outputs invalidating sender signatures,=
and may adjust the fee. We call this the <code>Payjoin PSBT</code>.
> > > >=20
> > > > * It responds with the <code>Payjoin PSBT</code> encrypted then aut=
henticated under <code>psk</code> using ChaCha20Poly1305.
> > > >=20
> > > > * The relay awaits a connection from the sender if it goes offline.=
Upon connection, it relays the encrypted <code>Payjoin PSBT</code> to the =
sender.
> > > >=20
> > > > * The sender validates the <code>Payjoin PSBT</code> according to [=
[#senders-payjoin-psbt-checklist|the sender checklist]], signs its inputs a=
nd broadcasts the transaction to the Bitcoin network.
> > > >=20
> > > > The encrypted Fallback PSBT and Payjoin PSBT payloads are sent as b=
ytes.
> > > >=20
> > > > The Fallback PSBT MUST:
> > > >=20
> > > > * Include complete UTXO data.
> > > > * Be signed.
> > > > * Exclude unnecessary fields such as global xpubs or keypath inform=
ation. <!-- I believe PSBTv2 obviates this requirement -->
> > > >=20
> > > > * Set input and output Transaction Modifiable Flags to 1
> > > > * Be broadcastable.
> > > >=20
> > > > The Fallback PSBT MAY:
> > > >=20
> > > > * Include outputs unrelated to the sender-receiver transfer for bat=
ching purposes.
> > > > * Set SIGHASH_SINGLE Transaction Modifiable Flags flags to 1
> > > >=20
> > > > The Payjoin PSBT MUST:
> > > >=20
> > > > * Include all inputs from the Fallback PSBT.
> > > > * Include all outputs which do not belong to the receiver from the =
Fallback PSBT.
> > > > * Include complete UTXO data.
> > > >=20
> > > > The Payjoin PSBT sender MAY:
> > > >=20
> > > > * Add, remove or modify Fallback PSBT outputs under the control of =
the receiver (i.e. not sender change).
> > > >=20
> > > > The Payjoin PSBT MUST NOT:
> > > >=20
> > > > * Shuffle the order of inputs or outputs; the additional outputs or=
additional inputs must be inserted at a random index.
> > > > * Decrease the absolute fee of the original transaction.
> > > >=20
> > > > =3D=3D=3DReceiver's Payjoin PSBT checklist=3D=3D=3D
> > > >=20
> > > > Other than requiring PSBTv2 the receiver checklist is the same as t=
he [[https://github.com/bitcoin/bips/blob/master/bip-0078.mediawiki#receive=
rs-original-psbt-checklist|the BIP 78 receiver checklist]]
> > > >=20
> > > > =3D=3D=3DSender's Payjoin PSBT checklist=3D=3D=3D
> > > >=20
> > > > The version 2 sender's checklist is largely the same as the [[https=
://github.com/bitcoin/bips/blob/master/bip-0078#senders-payjoin-proposal-ch=
ecklist|the BIP 78 checklist]] with the exception that it expects ALL utxo =
data to be filled in. BIP 78 required sender inputs UTXO data to be exclude=
d from the PSBT which has caused many headaches since it required the sende=
r to add them back to the Payjoin proposal PSBT. Version 2 has no such requ=
irement.
> > > >=20
> > > > =3D=3D=3DRelay interactions=3D=3D=3D
> > > >=20
> > > > The Payjoin Relay provides a rendezvous point for sender and receiv=
er to meet. It stores Payjoin payloads to support asynchronous communicatio=
n. It is available on the open internet over HTTPS to accept both WebTransp=
ort for Payjoin version 2, accepting encrypted payloads, and optionally HTT=
P/1.1 to support backwards compatible Payjoin version 1 requests.
> > > >=20
> > > > =3D=3D=3DReceiver interactions=3D=3D=3D
> > > >=20
> > > > =3D=3D=3D=3DRelay enrollment=3D=3D=3D=3D
> > > >=20
> > > > Receivers must enroll to have resources allocated on a relay. Sessi=
ons may begin by having a receiver send the first 4 bytes of the Sha256 has=
h of their <code>psk</code> to the relay. The receiver returns the subdirec=
tory endpoint url. Enrollment may be replayed in case the receiver goes off=
line.
> > > >=20
> > > > Optionally, before returning the uri the receiver may request an au=
thentication token by presenting a message containing only the word <code>A=
uthenticate: <description></code> after which the receiver is required to s=
ubmit an <code>Authenticate: <token></code> including the token from the Re=
lay out of band. If authentication fails an error is returned.
> > > >=20
> > > > In the case a relay is operated by an exchange, it may give out aut=
hentication tokens for users of its app, or may require some proof of work =
out of band. Tokens should be anonymous credentials from the relay describi=
ng the parameters of their authorization. Specific credentialing is out of =
the scope of this proposal.
> > > >=20
> > > > =3D=3D=3D=3DReceiver Payjoin PSBT response=3D=3D=3D=3D
> > > >=20
> > > > The receiver streams the base64 Payjoin PSBT as encrypted bytes fro=
m ChaCha20Poly1305 under <code>psk</code>.
> > > >=20
> > > > =3D=3D=3DSender interactions=3D=3D=3D
> > > >=20
> > > > The sender starts a WebTransport session with the relay at the Payj=
oin endpoint URI provided by the receiver. It sends the following payload a=
nd awaits a relayed response payload from the receiver.
> > > >=20
> > > > =3D=3D=3D=3DVersion 2 Fallback PSBT request=3D=3D=3D=3D
> > > >=20
> > > > The version 2 Fallback PSBT Payload is constructed in JSON before b=
eing encrypted as follows.
> > > >=20
> > > > <pre>
> > > >=20
> > > > {
> > > > "psbt": "<fallback_psbt_data_base64>",
> > > >=20
> > > > "params": {
> > > > "param1": "<value1>",
> > > >=20
> > > > "param2": "<value1>",
> > > >=20
> > > > ...
> > > > }
> > > > }
> > > > </pre>
> > > >=20
> > > > The payload must be encrypted using ChaCha20Poly1305 by the sender =
using the <code>psk</code>.
> > > >=20
> > > > =3D=3D=3D=3DVersion 1 Fallback PSBT request=3D=3D=3D=3D
> > > >=20
> > > > The message should be the same as version 2 but unencrypted, as ver=
sion 1 is unaware of encryption when using an unsecured payjoin server. The=
Relay should convert the PSBT to PSBTv2 and construct the JSON payload fro=
m the HTTP request body and optional query parameters. Upon receiving an un=
encrypted PSBTv2 response from a receiver, it should convert it to PSBTv0 f=
or compatibility with BIP 78.
> > > >=20
> > > > =3D=3D=3DAsynchronous relay buffers=3D=3D=3D
> > > >=20
> > > > Each receiver subdirectory on the relay server has a buffer for req=
uests and one for responses. Each buffer updates listeners through awaitabl=
e events so that updates are immediately apparent to relevant client sessio=
ns.
> > > >=20
> > > > =3D=3D=3DBIP 21 receiver parameters=3D=3D=3D
> > > >=20
> > > > A major benefit of BIP 78 payjoin over other coordination mechanism=
s is its compatibility with the universal BIP 21 bitcoin URI standard.
> > > >=20
> > > > This proposal defines the following new [[https://github.com/bitcoi=
n/bips/blob/master/bip-0021.mediawiki|BIP 21 URI]] parameters:
> > > >=20
> > > > * <code>psk</code>: the pre-shared symmetric key for encryption and=
authentication with ChaCha20-Poly1305
> > > >=20
> > > > * <code>exp</code>: represents a request expiration after which the=
receiver reserves the right to broadcast the Fallback and ignore requests.
> > > >=20
> > > > BIP 78's BIP 21 payjoin parameters are also valid for version 2.
> > > >=20
> > > > =3D=3D=3DOptional sender parameters=3D=3D=3D
> > > >=20
> > > > When the payjoin sender posts the original PSBT to the receiver, it=
can optionally specify the following HTTP query string parameters:
> > > >=20
> > > > * <code>v</code>: represents the version number of the payjoin prot=
ocol that the sender is using. This version is <code>2</code>.
> > > >=20
> > > > BIP 78's optional query parameters are also valid as version 2 para=
meters.
> > > >=20
> > > > =3D=3DRationale=3D=3D
> > > >=20
> > > > =3D=3D=3DRequest expiration & fallback=3D=3D=3D
> > > >=20
> > > > The relay may hold a request for an offline payjoin peer until that=
peer comes online. However, the BIP 78 spec recommends broadcasting reques=
t PSBTs in the case of an offline counterparty. Doing so exposes a na?ve, s=
urveillance-vulnerable transaction which payjoin intends to avoid.
> > > >=20
> > > > The existing BIP 78 protocol has to be synchronous only for automat=
ed endpoints which may be vulnerable to probing attacks. It can cover this =
tradeoff by demanding a fallback transaction that would not preserve privac=
y the same way as a payjoin. BIP 21 URI can communicate a request expiratio=
n to alleviate both of these problems. Receivers may specify a deadline aft=
er which they will broadcast this fallback with a new expiration parameter =
<code>exp=3D</code>. <!-- I also like to for timeout, but it's hard to coor=
dinate in an asynchronous way -->
> > > >=20
> > > > =3D=3D=3DWebTransport=3D=3D=3D
> > > >=20
> > > > Many transport protocols are good candidates for Serverless Payjoin=
functionality, but WebTransport stands out in its ability to stream and ta=
ke advantage of QUIC's performance in mobile environments. In developing th=
is BIP, serverless payjoin proofs of concept using TURN, HTTP/1.1 long poll=
ing, WebSockets, Magic Wormhole, and Nostr have been made. Streaming allows=
the relay to have more granular and asynchronous understanding of the stat=
e of the peers, and this protcol is designed specifically to address the sh=
ortcomings of an HTTP protocol's requirement to receive from a reliable, al=
ways-online connection.
> > > >=20
> > > > While WebTransport and HTTP/3 it is built on are relatively new, wi=
despread support across browsers assures me that it is being accepted as a =
standard and even has a fallback to HTTP/2 environments. Being built on top=
of QUIC allows it to multiplex connections from a relay to multiple peers =
which may prove advantageous for later payjoin protocols between more than =
two participants contributing inputs, such as those used to fund a lightnin=
g node with channels from multiple sources in one transaction, or those wit=
h threat models more similar to ZeroLink CoinJoin.
> > > >=20
> > > > While Nostr is fascinating from the perspective of censorship resis=
tance, the backwards compatibility with Payjoin v1 would mean only custom N=
ostr Payjoin relays exposing an https endpoint would be suitable. Nostr tra=
nsport is also limited by the performance of WebSockets, being an abstracti=
on on top of that protocol. If Nostr authentication were used instead of a =
symmetric <code>psk</code> then those keys would also need to be communicat=
ed out of band and complicate the protocol. There is nothing stopping a new=
version of this protocol or a NIP making Payjoin version 2 possible over N=
ostr should Payjoin censorship become a bottleneck in the way of adoption.
> > > >=20
> > > > WebTransport is already shipped in both Firefox, Chrome, h3 in Rust=
, Go, and all popular languages. There is also [[https://w3c.github.io/p2p-=
webtransport/|a working draft for full P2P WebTransport]] without any relay=
, which a future payjoin protocol may make use of.
> > > >=20
> > > > =3D=3D=3DChaCha20Poly1305 AEAD=3D=3D=3D
> > > >=20
> > > > This authenticated encryption with additional data [[https://en.wik=
ipedia.org/wiki/ChaCha20-Poly1305|algorithm]] is standardized in RFC 8439 a=
nd has high performance. ChaCha20Poly1305 AEAD seems to be making its way i=
nto bitcoin by way of [[https://github.com/bitcoin/bips/blob/master/bip-032=
4.mediawiki|BIP 324]] as well. The protocol has widespread support in brows=
ers, OpenSSL and libsodium. AES-GCM is more widespread but is both older, s=
lower, and not a dependency in bitcoin software.
> > > >=20
> > > > secp256k1 asymmetric cryptography could be used, but symmetric encr=
yption allows for many fewer messages to be sent, a single ephemeral key, a=
nd seems suitable given the one time use of BIP 21 URIs for Payjoin. Payjoi=
n already requires base64 encoding for PSBTs, so we have it available to en=
code the 256-bit <code>psk</code> in the BIP 21 parameter.
> > > >=20
> > > > =3D=3D=3DPSBT Version 2=3D=3D=3D
> > > >=20
> > > > The PSBT version 1 protocol was replaced because it was not designe=
d to have inputs and outputs be mutated. Payjoin mutates the PSBT, so BIP 7=
8 uses a hack where a new PSBT is created by the receiver instead of mutati=
ng it. This can cause some strange behaviors from signers who don't know wh=
ere to look to find the scripts that they are accountable for. PSBT version=
2 makes mutating a PSBT's inputs and outputs trivial. It also eliminates t=
he transaction finalization step. Receivers who do not understand PSBT vers=
ion 1 may choose to reject Payjoin version 1 requests and only support PSBT=
version 2.
> > > >=20
> > > > =3D=3D=3DAttack vectors=3D=3D=3D
> > > >=20
> > > > Since relays store arbitrary encrypted payloads to the tragedy of t=
he commons and denial of service attacks. Relay operators may impose an aut=
hentication requirement before they provide relay service to receivers to m=
itigate such attacks.
> > > >=20
> > > > Since <code>psk</code> is a symmetric key, the first message contai=
ning the sender's original PSBT does not have forward secrecy. Since relay =
buffers are associated with a single ephemeral relay directory, to support =
request-response simplicity of version 1, this seems appropriate.
> > > >=20
> > > > Since the Fallback PSBT is valid, even where <code>exp=3D</code> is=
specified, the receiver may broadcast it and lose out on ambiguous privacy=
protection from payjoin at any time. Though unfortunate, this is the typic=
al bitcoin transaction flow today anyhow.
> > > >=20
> > > > =3D=3D=3DNetwork privacy=3D=3D=3D
> > > >=20
> > > > Unlike BIP 78 implementations, sender and receiver peers will only =
see the IP address of the relay, not their peer's. Relays may be made avail=
able via Tor hidden service or Oblivious HTTP in addition to IP / DNS to al=
low either of the peers to protect their IP from the relay with without req=
uiring both peers to use additional network security dependencies.
> > > >=20
> > > > =3D=3DBackwards compatibility=3D=3D
> > > >=20
> > > > The receivers advertise payjoin capabilities through [[https://gith=
ub.com/bitcoin/bips/blob/master/bip-0021.mediawiki|BIP21's URI Scheme]].
> > > >=20
> > > > Senders not supporting payjoin will just ignore the <code>pj=3D</co=
de> parameter and proceed to typical address-based transaction flows. <code=
>req-pj=3D</code> may be used to compel payjoin.
> > > >=20
> > > > Receivers may choose to support version 1 payloads. Version 2 payjo=
in URIs should enable <code>pjos=3D0</code> so that these v1 senders disabl=
e output substitution since the v1 messages are neither encrypted nor authe=
nticated, putting them at risk for man-in-the-middle attacks otherwise. The=
relay protocol should carry on as normal, validating based on HTTP headers=
and constructing an unencrypted Version 2 payload from optional query para=
meters, and PSBT in the body.
> > > >=20
> > > > The BIP 78 error messages are already JSON formatted, so it made se=
nse to rely on the same dependency for these payloads and error messages.
> > > >=20
> > > > =3D=3DReference implementation=3D=3D
> > > >=20
> > > > An early proof of concept draft reference implementation can be fou=
nd at https://github.com/payjoin/rust-payjoin/pull/78. It implements an asy=
nchronous payment flow using WebSockets using PSBTv1 without encryption. An=
other reference can be found at https://github.com/payjoin/rust-payjoin/pul=
l/21 which uses HTTP long polling for transport and Noise NNpsk0 for crypto=
. Recently, I've come to realize the rationale for WebTransport, PSBTv2, an=
d ChaCha20-Poly1305 AEAD substitutions and am working on an implementation =
including this exact specification, but wanted to get early feedback on thi=
s design in the spirit of BIP 2.
> > > >=20
> > > > =3D=3DAcknowledgements=3D=3D
> > > >=20
> > > > Thank you to OpenSats for funding this pursuit, to Human Rights Fou=
ndation for putting a bounty on it and funding invaluable BOB Space space s=
upport, who I owe a thank you to as well. Thank you to Ethan Heilman, Nicol=
as Dorier, Kukks, nopara73, Kristaps Kaupe, Kixunil, /dev/fd0/, Craig Raw, =
Mike Schmidt, Murch, D?vid Moln?r, Lucas Ontiviero, and uncountable twitter=
plebs for feedback that has turned this idea from concept into draft, to M=
ike Jarmuz for suggesting that I write a BIP, and to Satsie for writing the=
"All About BIPS" zine which I've referenced a number of times in the draft=
ing process. Thanks to Armin Sabouri, Ron Stoner, and Johns Beharry for hac=
king on the first iOS Payjoin receiver and uncovering the problem that this=
solves in the first place.
> > > > _______________________________________________
> > > > bitcoin-dev mailing list
> > > > bitcoin-dev@lists.linuxfoundation.org
> > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >=20
> > ------------------------------
> >=20
> > Subject: Digest Footer
> >=20
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >=20
> > ------------------------------
> >=20
> > End of bitcoin-dev Digest, Vol 99, Issue 25
> > *******************************************
>=20
>=20
>=20
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
|