Combined summary - Serverless Payjoin Protocol Design

Combined summary - Serverless Payjoin Protocol Design

The discussion in focus addresses the intricacies of implementing payjoin parameters within bitcoin URI schemes, emphasizing the need for an optimal URI encoding method.

The primary challenge lies in ensuring that the resulting QR codes, generated from these URIs, remain efficient and easily scannable. Initially, base64url encoding was employed for its compactness and compatibility with existing payjoin components involved in PSBT encoding. However, concerns have been raised regarding its effect on QR Alphanumeric Encoding's efficiency, as research from Blockchain Commons suggests this approach leads to denser QR codes that are more challenging to scan. Alternatives like bech32m have been put forward as preferable options due to their widespread support in bitcoin software for segregated witness (segwit) addresses, offering benefits such as a prefix and checksum without imposing significant drawbacks. Although base45 was considered for its byte-saving potential, it introduces an extra dependency, which could be seen unfavorably.

The conversation also delves into strategies for mitigating timing attacks in Oblivious HTTP Relay scenarios, particularly when both sender and receiver utilize the same OHTTP proxy, potentially allowing for correlation of IP addresses through traffic analysis. The proposed mitigation strategies include encouraging the adoption of payjoin v2, employing regular HTTP polling instead of long-polling, introducing random delays, and shifting towards larger third-party OHTTP proxies to disperse traffic sufficiently. These measures aim to reduce the feasibility of timing attacks by obfuscating the temporal patterns of payjoin transactions.

A draft BIP has been submitted (BIP draft), marking a significant step towards designing a more adoptable payjoin protocol. This includes discussions around metadata security, where the use of Oblivious HTTP (OHTTP) is highlighted as a means to separate IP addresses from requests, enhancing privacy. The proposal underscores the necessity of authenticated encryption for payjoin transactions, suggesting the sharing of ephemeral public keys between clients for peer-to-peer request authentication and encryption. This approach seeks to circumvent the limitations of relying on third-party public key infrastructures and supports using secp256k1 for Hybrid Public Key Encryption (HPKE), despite standard HPKE not supporting this curve natively.

Furthermore, the importance of choosing an appropriate network transport mechanism that ensures broad client support while securing IP metadata is discussed. Various transport mechanisms were explored, with simple HTTP polling being identified as the preferred option due to its compatibility and ease of implementation. This selection also facilitates seamless backward compatibility with older versions of payjoin relays and senders.

In summary, the ongoing development and discussion around the payjoin protocol aim to enhance its adoption and effectiveness, focusing on encoding methods, mitigation of timing attacks, security enhancements, and network transport choices. The community is encouraged to participate in these discussions, contributing to the evolution of payjoin standards for improved privacy and usability in bitcoin transactions. For further involvement, interested parties can follow community links provided at

Discussion History

bitgouldOriginal Post
September 20, 2023 18:31 UTC
September 21, 2023 04:07 UTC
September 24, 2023 17:21 UTC
April 1, 2024 19:17 UTC