Definition
A notification transaction is the handshake that bootstraps a BIP47 payment-code relationship. Before a sender can derive private one-time addresses for a recipient, the recipient's wallet must learn the sender's payment code. The notification transaction conveys that code exactly once, after which the two parties transact indefinitely without any further on-chain signalling.
How the blinding works
The sender directs a small output to the recipient's notification address, which is derived from the 0th public key of the recipient's payment code. To stop a public observer from reading the payment code, the sender computes an ECDH shared secret with the recipient and uses it to derive a 64-byte blinding factor via HMAC-SHA512. The sender XORs both the x-value and the chain code of their payment code with that factor and embeds the blinded result in an OP_RETURN output. Only the intended recipient, who can compute the same ECDH shared secret with their notification private key, can unblind and validate the code.
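An added example, not part of the original entry or of any wallet's code: the blinding and unblinding described above in Python, using BIP47's 80-byte payment-code layout. It assumes the ECDH pairs the private key of the sender's first input with the recipient's notification public key, and that the HMAC is keyed with that input's outpoint (the key/data order follows common wallet practice and is an assumption). All keys and the outpoint are constructed.

```python
import hashlib, hmac
# secp256k1 field prime and generator. Teaching arithmetic only: not constant-time.
P = 2**256 - 2**32 - 977
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None:
        return p or q
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        m = 3 * p[0] * p[0] * pow(2 * p[1], -1, P)
    else:
        m = (q[1] - p[1]) * pow((q[0] - p[0]) % P, -1, P)
    x = (m * m - p[0] - q[0]) % P
    return x, (m * (p[0] - x) - p[1]) % P

def mul(k, p):  # double-and-add scalar multiplication
    r = None
    while k:
        r = add(r, p) if k & 1 else r
        p, k = add(p, p), k >> 1
    return r

def blinding_factor(priv, pub, outpoint):
    """64-byte factor s: HMAC-SHA512 over the ECDH x-coordinate and the outpoint."""
    secret_x = mul(priv, pub)[0].to_bytes(32, "big")
    return hmac.new(outpoint, secret_x, hashlib.sha512).digest()  # key order: assumption

def blind(code, s):
    """XOR x value (bytes 3-34) and chain code (bytes 35-66) with s; self-inverse."""
    return code[:3] + bytes(u ^ v for u, v in zip(code[3:67], s)) + code[67:]

def unblind_and_validate(payload, s):
    """Recipient side: unblind, accept only if the x value lies on secp256k1."""
    code = blind(payload, s)
    x = int.from_bytes(code[3:35], "big")
    on_curve = 0 < x < P and pow((x**3 + 7) % P, (P - 1) // 2, P) == 1
    return code if len(code) == 80 and code[0] == 1 and on_curve else None

# Constructed demo values, not real keys or outpoints.
a, b = 0x1111, 0x2222  # sender's input key, recipient's notification key
A, B = mul(a, G), mul(b, G)
OUTPOINT = bytes.fromhex("ab" * 32) + (0).to_bytes(4, "little")  # txid || vout
cx, cy = mul(0x3333, G)  # public key carried in the sender's payment code
CODE = bytes([1, 0, 2 + (cy & 1)]) + cx.to_bytes(32, "big") + hashlib.sha256(b"cc").digest() + bytes(13)
PAYLOAD = blind(CODE, blinding_factor(a, B, OUTPOINT))  # 80 bytes for OP_RETURN
RECOVERED = unblind_and_validate(PAYLOAD, blinding_factor(b, A, OUTPOINT))
```

The version, features and sign bytes pass through unblinded; only the x value and chain code are hidden from an observer.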
Privacy hygiene
Because the notification output is the one place a sender and recipient appear together in plain sight, BIP47 mandates that funds received at a notification address MUST NOT be spent as inputs in later transactions. Reusing them would re-link the two identities that the rest of the scheme works to keep separate. Newer designs such as silent payments avoid the notification step entirely, trading a one-time setup cost for continuous chain scanning.
The reusable identifier this transaction unlocks is the payment code (BIP47), and the broader goal of keeping outputs unlinkable is covered under output linking resistance.
