Payment Code (BIP47)

A payment code is the static identifier at the heart of BIP47, "Reusable Payment Codes for Hierarchical Deterministic Wallets." Technically it is an extended public key with associated metadata bound to a particular identity or account. Unlike a raw Bitcoin address, a payment code can be published once, printed on a card, or tipped on a profile, yet every party who pays it derives a brand-new, unlinkable address for each transaction. The shareable code never appears on-chain in the clear, so a public observer cannot scrape an address book or tally a balance from it.

How a payment code stays private

The first time Alice pays Bob, her wallet performs elliptic-curve Diffie-Hellman (ECDH) between her code and his, producing a shared secret. From that secret both wallets deterministically generate the same sequence of one-time addresses: the recipient's public key B is tweaked as B' = B + sG, where s = SHA256(Sx) derives from the shared ECDH point. Bob recovers the matching private key as b' = b + s. Neither the code nor the shared secret is ever broadcast, so the link between payer and payee remains off-chain.

Why it matters for self-defense

Address reuse silently merges a Bitcoiner's history into one fingerprint that chain-analysis firms exploit. A payment code restores the donation-button or recurring-payment convenience of a fixed address while preserving the unlinkability that protects fungibility. It is the foundation for PayNyms and a conceptual cousin of silent payments.

Bootstrapping a payment-code channel requires a one-time notification transaction, and the friendly identifiers built on top are explained under PayNym.