From the bitcoin whitepaper:
“The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party. The necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades, the “tape”, is made public, but without telling who the parties were.”
“As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner. Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.”
So what is Bip 78 Payjoin Protocol?
- Introduced in 2019 by Nicolas Dorier
- Solves the privacy problem originally outlined in the bitcoin whitepaper
- Samourai introduced a similar feature in 2021 called Stowaway
- Gained traction with implementation in BTCPayServer hot wallets in 2022
- More recently included in a project by Dan Gould called Payjoin Development Kit (PDK)
So What Exactly is a PayJoin?
From River Financial:
“PayJoin, also known as Pay-to-Endpoint (P2EP), is a special type of Bitcoin transaction where both the sender and receiver contribute inputs in order to break the common input ownership heuristic, an assumption used to strip privacy from bitcoin users.”
What does a PayJoin look like?
From the BIP-78 Specification:
In a payjoin payment, the following steps happen:
– The receiver of the payment, presents a BIP 21 URI to the sender with a parameter pj= describing a payjoin endpoint.
– The sender creates a signed, finalized PSBT with witness UTXO or previous transactions of the inputs. We call this PSBT (Partially Signed Bitcoin Transaction) the original.
– The receiver replies back with a signed PSBT containing his own signed inputs/outputs and those of the sender. We call this PSBT Payjoin proposal.
– The sender verifies the proposal, re-signs his inputs and broadcasts the transaction to the Bitcoin network. We call this transaction Payjoin transaction
Further Information on PayJoin
- Payjoin.org
- BIP-78 Proposal
- PayJoin Adoption
- Dan Gould | Bitcoin Privacy and the Payjoin Dev Kit
- PDK: A Payjoin SDK
- UX Research call #23: Payjoin Case study & User Experience