Bitcoin’s Privacy Problem
Bitcoin is often positioned as freedom tech because it is permissionless, borderless and resilient to censorship. Bitcoin is a powerful tool that people around the world are using to achieve financial freedom. However, one challenge that Bitcoin has is a lack of privacy.
It’s hard to achieve financial freedom if you don’t have financial privacy. Financial privacy is part of a larger conversation; it is not limited to Bitcoin or crypto.
Imagine trying to buy a house and the seller knows exactly how much money you have in your bank account. Imagine negotiating for your salary at a new job, and your potential employer has access to all of your past compensation history. Imagine losing access to your bank account because of a political association or personal ideology. These are all reasons why any financial system needs to have privacy in order to give people the freedom to transact fairly.
But Bitcoin is not private—Bitcoin is public by default.
Bitcoin is a public ledger. This means that all Bitcoin transactions are public, including the sender, the receiver and the transaction amount. Silent payments are one approach to making it easier for people to transact with Bitcoin without compromising their privacy.
Bringing better privacy to Bitcoin was a huge motivation for Josie, a Bitcoin Core dev and co-author of the Silent Payment BIP (BIP 352). In his words:
“It’s important to remind people that Bitcoin is less private than your bank. You can post your routing number publicly and people can send you money but nobody else can see your transactions, just the bank and whoever they decided to share or sell that information to.
“Privacy work in Bitcoin, to me, is about bringing the SAME level of privacy to this new system that people currently enjoy in Tradfi systems.”
Understanding Onchain Linkability
To understand Bitcoin’s privacy limitations and the potential of silent payments, it’s worth taking a step back to understand what type of information is stored onchain and how it’s stored.
Bitcoin is a UTXO-based system, where UTXO stands for “Unspent Transaction Output”. At a high level, this means that the public Bitcoin ledger is a history of transactions, and an individual user’s balance is the sum of the satoshis associated with all of the outputs held by a particular address.
If an individual uses the same address for all their transactions, those transactions can be linked to one another and easily tracked and monitored onchain, hence onchain linkability. The practice of using the same address is called “address recycling” or using a “static address.”
For account-based systems like Ethereum and Stacks, domain names like .eth or .btc treat the primary address like a username.
This practice offers a familiar UX to users (you use the same information to transact each time), but that comes at the cost of privacy. Conversely, breaking onchain linkability is good for privacy, but it brings a cumbersome UX.
The simplest approach to breaking onchain linkability is using a fresh address every time you want to receive Bitcoin. While this is good for privacy, it’s not very practical. It adds an additional layer of complexity for transacting: the sender either needs to ask you for a fresh address or you need to provide one proactively.
Just like you don’t change your credit card number every time you make a purchase or change your physical address every time you receive mail, why should you have to change your Bitcoin address every time you want to transact onchain? There must be a better way.
Enter Silent Payments
Bitcoin silent payments are a wallet standard that enables people to use static, reusable addresses for transactions on Bitcoin without compromising their privacy. These payments don't require any changes to Bitcoin’s consensus rules in order to work and are made possible by math and modern cryptography. Here's a high-level overview of how it works.
To understand silent payments, you first need some background knowledge on Bitcoin addresses. Generally, most Bitcoin addresses have a corresponding public/private key pair.
- Public keys are used to generate static Bitcoin addresses. They give you the ability to receive Bitcoin, but they cannot be used to spend Bitcoin.
- Private keys are your access code. Private keys give you the authority to send Bitcoin and should never be shared.
To frame public/private key pairs in a metaphor, you can think of a public key as your home mailing address, where you can receive mail but people don’t have access to your house. You can think of your private key like the physical key you’d use to unlock your front door.
Following this metaphor, silent payments are like a P.O. box: a way to create a static address for people to send you bitcoin, without revealing your home address.
Silent payment addresses are generated using a clever combination of the public/private key pairs of both the transaction sender and receiver. More specifically, this standard uses the ECDH (elliptic-curve Diffie-Hellman) protocol to create a shared secret between the sender and receiver.
Static silent payment addresses are only known to the sender and the receiver—they are never shared or posted publicly onchain. To understand this concept a little better, we first have to clarify the term “address.”
The term “address” as it is generally understood (and how we’ve been using it in this blog) can be a bit misleading. Technically, there are no addresses in the Bitcoin blockchain. Instead, there are scriptPubKeys, which are the public keys we referred to earlier. What most people mean by “address” is the encoding of the actual scriptPubKey, which is the data that shows up onchain.
Currently, if you want to receive Bitcoin, you might post your Bitcoin address publicly—that is to say, the encoding of your scriptPubKey. This would enable anyone to decode that address, access your scriptPubKey, and send you Bitcoin. But that also allows anyone watching the chain to monitor your past and future transactions using that address.
That’s where the innovation with silent payments comes in. The silent payment protocol is a set of instructions for the sender on how to create a scriptPubKey just for the recipient. This scriptPubKey is unique, and only known to the sender and recipient. In other words, the scriptPubKey encodings don’t need to be shared publicly in order for a sender and receiver to successfully transact.
Anyone watching the chain can still decode a silent payment address and get two public keys. The difference is that those two public keys cannot then be linked back to any other onchain scriptPubKeys that derive from it. That information is only knowable with the private keys of either the sender or the receiver.
If you’re interested in the underlying cryptography, BitBox has a great explainer.
Anonymity onchain
To any outside third-party observer, a silent payment transaction looks just like any other Taproot transaction. The technical term for this is steganographic, where the onchain footprint is indistinguishable from other Taproot transactions. Take that fun factoid to your next crypto-trivia night!
Since silent payments hide in the crowd, how does the receiver know when they’ve gotten a transaction?
In addition to a public key and a private key, silent payments use something called a scan key. The scan key helps the receiver find incoming transactions. Just as is the case with regular Bitcoin transactions, the way you find out if you’ve received BTC to an address you own is by scanning the mempool and confirmed blocks for a UTXO that matches one of yours.
For regular Bitcoin transactions, most wallets will keep track of a database of pre-generated addresses tied to a user, which is called a derivation path. These types of scans take a lot of storage since you have to pre-generate large batches of addresses to monitor (though not so large that scanning becomes infeasible).
With silent payments, wallet applications or users don’t need to check a database of pre-generated addresses. Instead, they can simply check transactions in the mempool or recent blocks against a single scan key. This can be done by the individual user or scanning can be outsourced to the wallet or application they use.
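The derivation and the scan-key check described above can be seen in a few lines of Python. This is an added example, not code from BIP 352 or from any wallet: it is a simplified sketch that assumes a single sender key and plain SHA-256, and it leaves out the BIP's input hash, tagged hashes, labels and address encoding. All keys are small constructed values.

```python
# Simplified silent-payment sketch (added example, not full BIP 352).
# Arithmetic is not constant-time; all keys below are constructed.
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Add two curve points; None is the point at infinity."""
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        m = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        m = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (m * m - p[0] - q[0]) % P
    return (x, (m * (p[0] - x) - p[1]) % P)

def mul(k, p):
    """Scalar multiplication by double-and-add."""
    r = None
    while k:
        if k & 1:
            r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def tweak(shared, k):
    """Hash the ECDH point and output index k into a scalar."""
    data = shared[0].to_bytes(32, "big") + shared[1].to_bytes(32, "big") + k.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sender_output(a, B_scan, B_spend, k=0):
    """Sender side: own private key a plus the receiver's two public keys."""
    return add(B_spend, mul(tweak(mul(a, B_scan), k), G))

def receiver_scan(b_scan, B_spend, A, outputs, k=0):
    """Receiver side: scan key plus sender public key A taken from the tx."""
    candidate = add(B_spend, mul(tweak(mul(b_scan, A), k), G))
    return candidate if candidate in outputs else None

# Constructed keys: receiver scan/spend keys and two unrelated senders.
b_scan, b_spend, a1, a2 = 0x1111, 0x2222, 0x3333, 0x4444
B_scan, B_spend = mul(b_scan, G), mul(b_spend, G)
out1, out2 = sender_output(a1, B_scan, B_spend), sender_output(a2, B_scan, B_spend)
```

Both senders paid the same static key pair, yet `out1` and `out2` are different points that an observer cannot tie to `B_spend`; the receiver spends each one with the private key `b_spend` plus the same tweak.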
Silent payments are detailed in BIP 352. While the status of the BIP is “pending,” it does not require a consensus change and is already in use today, supported by a handful of Bitcoin wallets such as Cake Wallet and BitBox. Adoption for silent payments depends on wallets adopting this new address format and implementing logic for sending to this new address format.
Future Work to Improve Silent Payments
Like any shiny new advancement on Bitcoin, there’s still plenty of work to be done to improve the standard. For example, the silent payment standard still needs support in popular Bitcoin libraries like libsecp and BDK.
Many Bitcoin wallets today are built around the Electrum server protocol, which doesn’t currently support silent payments. This means that devs either need to add silent payment support to Electrum or completely rethink their backend and move to another standard, such as BIP 158, a structure that uses compact block filters for light clients.
To progress these workstreams, you can find a list of open-source bounties on the silent payments website.
More Privacy Is Good for Bitcoin
Bitcoin builders continue to ship innovation that pushes what’s possible on Bitcoin. Silent payments are a way to bring greater financial privacy to Bitcoin, a critical improvement for bringing more users onchain.
If you’re building on Bitcoin, you’re in good company. Curious to learn more about silent payments? Check out these resources below: