I would like to discuss the possibility of implementing a feature similar to a stealth identity for wallets, where payments can be received using the same QR code, address, or URIs. For this proposal, we could refer to this feature as the “Silent RPA” mode that’s compatible with CashFusion for Bitcoin Cash wallets that:
-
Receives all payments on one-time addresses derived via ECDH from a static SRPA public key (stealth-address logic similar to BIP352, but using BCH’s existing P2PKH/P2PKT scripts rather than Taproot).
-
Feeds those UTXOs into CashFusion, with all fusion outputs (including change) sent to fresh SRPA-derived addresses.
-
Sends to third parties using the same ECDH derivation against the recipient’s SRPA public key.
The result is a wallet living entirely in “SRPA space” infinite receive → fuse → send cycles, with full compatibility with existing CashFusion rounds and HD-wallet participants.
Motivation
-
Maintain CashFusion interoperability: fusion transactions byte-for-byte identical, regardless of participant type.
-
Silent Payments enhance stealth addresses by eliminating all on-chain hints or metadata linking sender and receiver upfront, preventing the creation of identifiable trails to begin with.
-
Bring Monero-style privacy to BCH without adding confidential-amount layers where our chain arithmetic calculation of the supply remains fully auditable.
Specification
- SRPA Keypair
- Wallet holds a static keypair (sk, PK = sk·G).
- Backup: sk plus last-scanned block height.
- One-Time Address Derivation (BIP352-style)
For any chosen input UTXO with ephemeral pubkey P_in:
shared = ECDH(P_in, sk) # = P_in · sk
addr_bytes = HASH(shared ∥ “srpa”) # domain separation
one_time_script = standard_P2PKH(addr_bytes)
- Receive Flow
- Sender uses the above derivation (analogous to BIP352) to compute your one-time address.
- Wallet scans every new block’s inputs, computes shared for each P_in, and detects UTXOs to its one-time scripts.
- CashFusion Integration
- Fusion rounds include SRPA and HD participants interchangeably.
- All fusion outputs (including change) are generated via the ECDH derivation above.
- On-chain txs remain standard CashFusion format (identical scripts and values).
- Send Flow
- To pay another SRPA user, pick any fused UTXO’s input P_in, derive the recipient’s one-time address via the same function, and build the tx.
Backward Compatibility
- No protocol changes: CashFusion tx format and script templates unchanged.
- Standard wallets ignore SRPA outputs.
- SRPA wallets track both SRPA and HD outputs, mixing seamlessly with non-SRPA users.
Deployment
- Opt-in “Full Silent RPA Mode” in Electron Cash (or other wallets).
- No consensus upgrade required wallet-level only.
- Testnet rollout first; use compact Neutrino-style filters for faster input scanning. Scanning performance via Bloom or Golomb filters (e.g., Neutrino).
Disadvantages
- Wallet recovery: if you lose sk, re-scan from the genesis block.
Mitigation and improvement for better UX
- Optional Prefix & Suffix Filtering for light client as defined in the RPA spec by im_imaginaryusername, wallets may optionally support the prefix_size field (0, 4, 8, 12, or 16 bits) encoded in the paycode: string to embed that many bits of the shared-secret hash in each output allowing receivers to scan only 2^prefix_size × fewer inputs (e.g. ~256× fewer with an 8-bit prefix) at the cost of a proportionally smaller anonymity set. Wallets should also parse any URI suffix parameters to configure off-chain relay methods. Implementations must ignore unknown or reserved fields for forward compatibility. Both features should be exposed as advanced, opt-in toggles in the UI (e.g. “Fast Scan (prefix filter)” and “Off-chain Relay Settings”) with clear disclosure of the privacy vs usability trade-offs.
Reference