justusranvier
commented
3 years ago The issue with scripts are that 20 bytes hashes aren't as secure as we would like them to be in the specific situation of derived keys.
If your script type includes a 20 byte hash (P2PKH, P2WPKH, P2SH, P2WSH) then the sender can generate a colliding hash with only 80 bits of work on average and reclaim the payment.
80 bits of work is still a lot and it's probably not worth giving up on 20 byte hash scripts entirely, but original though was that end users never see raw scripts anyway so it shouldn't matter if the script is swapped out for P2PK behind the scenes for added security. It's interesting that your wallet does display those details by default, but I'm hesitant to change a wallet-agnostic protocol based on a particular ui design decision that is not common to multiple implementation.
The point about server side burden only applies to wallets that use a server backend, which is again not common to all implementations. Payment codes can be implemented with BIP-157 client-side filters which eliminates the server backend load issue.
I am open to revising the list of scripts though.
On chains with excessive fees, then P2WPKH is probably the best choice since if the user is concerned about the security of high-value payments they can sweep receive funds to non-derived keys.
If we're going to modify the list entirely then I can see dropping P2WSH since it's kinda pointless and was only listed for the sake of consistency. P2PK has to stay since it would be the preferred, most secure, script type. P2PKH is also kinda pointless because in situations where you don't want to use P2PK then you should use P2WPKH.
P2SH-P2WPKH is also pointless because if a sender wallet has to be taught the payment protocol anyway they it can just be taught to send native P2WPKH, and what receiving wallet that would be implementing v3 payment codes doesn't already support native segwit by now?
Regarding adding a byte - we can't. The improvements to the notification protocol are only possible if a payment code is 33 bytes payload + 1 byte version.
We can define more than one version though.
If there is a wallet that absolutely can't support receiving to P2PK for some reason that could be defined as version 4, whereas version 3 is implied to accept either P2PK or P2WPKH.
craigraw
Hi,
I'm lead maintainer of Sparrow Wallet. I'm interesting in supporting the reusable payment codes specification, but I've run into an issue (that might be a misunderstanding on my part) regarding payment output scripts:
The BIP47 specification (payment code versions 1 & 2) supports receiving at P2PKH addresses only. This is simple enough, but by now this legacy script is discouraged by most wallet software as being fee inefficient.
For version 3, a much wider range of script types is allowed, including P2WPKH and P2WSH (Off-topic: I'm not sure what the P2WSH script would look like here given multisig is not supported. Additionally, P2PK is recommended which seems anachronistic? What about P2SH-P2WPKH?)
The issue however is this: Some wallet software, like Samourai, supports multiple script types behind the scenes based off a seed. Others, like Sparrow, configure a user's wallet with a specific script type. While it's technically possible for Sparrow to listen for payments to other script types based off the ephemeral public key, it has no place in the UI to display payments to these script types. It just doesn't fit the UI model, which aims to provide visibility into the Bitcoin protocol rather than abstracting these details from the user.
A related problem is that the receiving wallet must support listening to a wide and loosely defined variety of script types, which increases the server-side burden considerably given that a reasonable lookahead must be supported for all of the 'payment channels' that have been established.
As a remedy, I propose that the v3 payment code includes information on the script type it supports receiving on, from the following list:
This could be encoded into the v3 payment code at the cost of an extra byte, making it much safer to support receiving BIP47 style payments across a wide variety of wallet software, and in addition reducing the risk of losing access to funds when moving from one to another.