* bytes <code>[0..2]</code>: address type flags (2 bytes)
83
-
* bytes <code>[2..36]</code>: compressed public key P (33 bytes)
83
+
* bytes <code>[2..35]</code>: compressed public key P (33 bytes)
84
84
85
85
Payment codes are encoded in bech32m and the human readable part is "pay" for mainnet and "payt" for testnet (all types), resulting in payment codes that look like "pay1cqqq8d29g0a7m8ghmycqk5yv24mfh3xg8ptzqcn8xz6d2tjl8ccdnfkpjl7p84".
86
86
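Review bot: the corrected range <code>[2..35]</code> only yields the stated 33 bytes if the notation is half-open (end exclusive), which is also what <code>[0..2]</code> for a 2-byte field implies; read inclusively it would be 34 bytes, and the old <code>[2..36]</code> suggests at least one author was already reading it the other way. Add a single sentence defining the range convention (e.g. "<code>[a..b]</code> denotes bytes a up to but not including b") where the byte layout is introduced, and consider stating the total payment code payload length (2 + 33 = 35 bytes) explicitly so implementers can validate decoded bech32m data against a fixed length before parsing.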
@@ -104,6 +104,8 @@ The remaining flags are reserved for future address types.
104
104
105
105
While payment codes use 2-byte bitflag arrays, notifications use ordinal values in the form of a single byte.
106
106
107
+
All keys are compressed. Using uncompressed keys at any point is illegal.
108
+
107
109
===Notifications===
108
110
109
111
Notifications are performed by publishing transactions that contain a 40-byte <code>OP_RETURN</code> output. The value of the <code>OP_RETURN</code> is constructed using the following formula:
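Review bot: "Using uncompressed keys at any point is illegal" states a rule without a consequence; a spec sentence like this should say what a compliant implementation does when it encounters an uncompressed key (reject the payment code, treat the notification as invalid) rather than leave "illegal" to interpretation. Suggest normative wording, e.g. "All public keys MUST be compressed (33 bytes). Implementations MUST reject any payment code or notification containing an uncompressed key." This also ties the rule back to the 33-byte field size given in the byte layout above.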
@@ -134,6 +136,8 @@ When Bob notices a 40-byte <code>OP_RETURN</code> starting with ''search key'',
134
136
135
137
Since changing ''x'' yields a completely different sender identity, Alice can always re-notify Bob from a different index when she does not want to be associated with her previous identity. Alice can also re-notify Bob when she wants to start sending to a different address type. Bob must be able to update his watchlist in that case and he can stop watching addresses associated with the old address type.
136
138
139
+
Out-of-band notifications between Alice and Bob are legal (in fact, they may not be prevented), but in that case Bob loses the ability to restore his wallet from <code>OP_RETURN</code> outputs embedded in the blockchain. In that case, Bob has the burden of keeping a valid backup of any out-of-band notifications.
140
+
137
141
===Allowing Notification Collisions===
138
142
139
143
Since ''notification_code'' is a 4-byte truncation of the full value, Bob has a 1 in ~4.3 billion chance of detecting a spurious notification. This is considered acceptable because the cost of doing so is adding a few more addresses to Bob's watchlist. The benefit of this approach is that is saves 28 bytes per notification.
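Review bot: "in fact, they may not be prevented" is ambiguous between "cannot be prevented" and "are not permitted", and the two readings are opposites; the surrounding sentence says out-of-band notifications are legal, so "cannot be prevented" is presumably intended and should be written that way. The backup sentence would also benefit from saying what exactly Bob must retain for an out-of-band notification so that the same restore procedure used for on-chain <code>OP_RETURN</code> data works, e.g. "Bob must retain the same notification payload he would otherwise have recovered from the blockchain."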
@@ -170,6 +174,12 @@ When Bob wants to spend from such addresses, he calculates his private keys in t
170
174
171
175
''p<sub>c</sub> = p + s''
172
176
177
+
==Backward Compatibility==
178
+
179
+
Private Payments is a new standard which is not compatible with any previous standard based on static payment codes, such as BIP47.
180
+
181
+
While the standard does not support versioning, it reserves unused bits in the address type bitflag array which can be allocated to new address types once they are deemed ubiquitous. Older payment codes (i.e. those generated when fewer address types were available) are readable by software supporting new address types. The reverse is also supported since older software will ignore newer address type flags that are not understood.
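Review bot: the forward-compatibility claim in the last paragraph ("older software will ignore newer address type flags that are not understood") only holds if the normative section on the address type bitflag array actually requires implementations to ignore, rather than reject, unknown flag bits; the hunk at line 104 says the remaining flags "are reserved for future address types" but the visible text does not state a MUST-ignore rule. Add that requirement where the flags are defined (e.g. "Implementations MUST ignore address type flags they do not recognise and MUST NOT reject a payment code solely because unknown flags are set") and have this section reference it, otherwise the "reverse is also supported" statement is an assumption about implementer behaviour rather than a property of the standard. The first sentence also says the standard "does not support versioning" while the reserved bits are in effect its versioning mechanism; rephrasing to "does not carry an explicit version field" would avoid the apparent contradiction.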