PayJoin and PayNym

40 minutes Advanced Privacy

Introduction: Beyond Basic Privacy

In Stage 2, you learned the fundamentals of Bitcoin privacy: UTXO management, avoiding address reuse, and running your own node. Those techniques reduce information leakage, but they don't actively break blockchain analysis heuristics.

This module covers two powerful advanced privacy tools: PayJoin (BIP78) and PayNym (BIP47). These techniques actively confuse blockchain analysts and provide privacy that's "built into" regular transactions.

Active vs. Passive Privacy

Passive privacy (what we learned before):

  • Don't reuse addresses
  • Don't consolidate UTXOs from different sources
  • Run your own node
  • Reduces what you reveal, but doesn't actively obscure

Active privacy (this module):

  • PayJoin: Makes your transactions look like something they're not
  • PayNym: Lets people pay you without revealing your addresses
  • Actively breaks analyst assumptions and heuristics

PayJoin (BIP78): Breaking the Common Input Heuristic

PayJoin (also called P2EP, Pay-to-Endpoint) is a protocol where the receiver contributes inputs to the transaction. This breaks the fundamental assumption that blockchain analysts rely on.

The Common Input Ownership Heuristic

Recall from Stage 2: analysts assume that all inputs in a transaction belong to the same entity. This is how they cluster addresses and track funds.

Normal transaction:

Input 1 (Address A): 0.5 BTC ─┐

Input 2 (Address B): 0.3 BTC ─┼─→ All inputs = same owner (ASSUMED)

Analyst conclusion: Addresses A and B belong to the sender.

How PayJoin Breaks This

In a PayJoin transaction, BOTH the sender AND the receiver contribute inputs:

PayJoin transaction:

Input 1 (Sender's Address): 0.5 BTC ─┐

Input 2 (Receiver's Address): 0.2 BTC ─┼─→ Inputs from DIFFERENT owners!

Output 1 (Receiver): 0.6 BTC

Output 2 (Sender change): 0.1 BTC

Analyst sees: Standard-looking transaction. Assumes all inputs = one owner. WRONG!

The transaction looks completely normal—analysts can't tell it's a PayJoin just by looking at it. But their clustering heuristic is now broken. They'll incorrectly link the sender's and receiver's addresses.

The Privacy Benefit is Mutual

PayJoin benefits BOTH parties:

  • Sender: Their address is now mixed with the receiver's, breaking their cluster
  • Receiver: Their UTXO history is now entangled with the sender's
  • Everyone: Every PayJoin makes analysts less confident about ALL transactions

How PayJoin Works (Technically)

  1. Sender creates a normal transaction (called the "Original PSBT")
  2. Sender sends it to receiver's PayJoin endpoint (a URL, usually via BIP21 URI)
  3. Receiver adds their own input(s) and modifies outputs
  4. Receiver sends back the modified PSBT
  5. Sender verifies it's correct (their payment is still included, no funny business)
  6. Sender signs and broadcasts

PayJoin in Practice

BTCPay Server

BTCPay Server has built-in PayJoin support. When a merchant runs BTCPay with PayJoin enabled, customers paying with a PayJoin-compatible wallet automatically get PayJoin transactions.

  • Merchant enables PayJoin in BTCPay settings
  • Payment invoices include PayJoin endpoint
  • Compatible wallets (Sparrow, Wasabi) use it automatically
  • No extra action needed from either party

Sparrow Wallet

Sparrow supports PayJoin for both sending and receiving:

  • Sending: If a payment URI includes a PayJoin endpoint, Sparrow uses it
  • Receiving: You can run a PayJoin receiver (requires technical setup)

Wasabi Wallet

Wasabi also supports PayJoin for payments to compatible endpoints.

Limitations of PayJoin

  • Requires cooperation: Receiver must run a PayJoin server
  • Receiver must be online: Can't do PayJoin to a static address
  • Limited adoption: Not many merchants/receivers support it yet
  • Detectable if repeated: If a receiver always adds the same UTXO, patterns emerge

PayJoin's Network Effect

Even if PayJoin isn't widely used, its existence creates uncertainty. Analysts can't be sure that ANY transaction isn't a PayJoin. This "plausible deniability" benefits everyone, even those who never use PayJoin.

PayNym (BIP47): Reusable Payment Codes

The second privacy tool in this module is PayNym, based on BIP47 (Reusable Payment Codes). It solves a different problem: how to receive payments repeatedly without reusing addresses or requiring interactive communication.

The Problem: Static Addresses vs. Privacy

Consider a freelancer who wants to put a Bitcoin address on their website for tips:

  • Option 1: Single address — Address reuse destroys privacy. Everyone sees all payments.
  • Option 2: Generate fresh address each time — Requires interaction ("email me for payment address")
  • Option 3: Lightning invoice — Also requires interaction, expires quickly

PayNym provides a fourth option: a public payment code that can generate unlimited unique addresses, without the sender needing to contact you.

How PayNym Works

A PayNym is a public payment code that looks like this:

PM8TJS2JxQ5ztXUpBBRnpTbcUXbUHy2T1abfrb3KkAAtMEGNbey4oumH7Hc578WgQJhPjBxteQ5GHHToTYHE3A1w6p7tU6KSoFmWBVbFGjKPisZDbP97

But humans don't use these directly. Instead, PayNym creates a friendly "Nym" identity:

  • +silentpanda
  • +mellowhawk
  • +brightmoon

These human-readable names map to the full payment code and can be looked up via the PayNym directory.

The Connection Process

Before someone can pay your PayNym, they must "connect" to you. This is a one-time process:

  1. Sender looks up your PayNym (+yourname)
  2. Sender sends a "notification transaction" to establish the connection
  3. Both wallets now share a secret (derived from ECDH key exchange)
  4. Sender can generate unlimited unique addresses for you
  5. Only you can spend from those addresses (your keys)

Why the Notification Transaction?

The notification transaction (sometimes called "opening the channel") is an on-chain transaction that establishes the cryptographic connection. It costs a small amount in fees but only needs to happen once per sender-receiver pair.

After connection, all future payments use regular transactions to unique addresses—no special protocol or extra fees.

Privacy Benefits of PayNym

  • No address reuse: Each payment goes to a unique address
  • No public address leak: Your PayNym is public, but the actual addresses are not
  • Non-interactive: After connection, sender doesn't need your cooperation
  • Stealth addresses: Only you and the sender know which addresses belong to your PayNym

PayNym in Practice

Sparrow Wallet

Sparrow has excellent BIP47 support:

  • Create your own PayNym identity
  • Connect to other PayNyms
  • Send and receive with full BIP47 support
  • Works with your own node

To use: Tools → PayNym → Retrieve PayNym (creates yours) or Add Contact (to connect to someone)

Samourai Wallet (Android)

Samourai pioneered PayNym and has deep integration:

  • PayNym is a core feature
  • One-tap connection to other PayNyms
  • Integrates with other Samourai privacy features

Use Cases for PayNym

  • Receiving donations: Put your PayNym on your website/profile instead of an address
  • Paying friends regularly: Connect once, pay forever with fresh addresses
  • Business payments: Clients connect to your PayNym, pay invoices privately
  • Any recurring payment: Rent, subscriptions, allowances, etc.

Limitations of PayNym

  • Notification transaction cost: First connection requires an on-chain transaction
  • Not widely adopted: Both parties need BIP47-compatible wallets
  • PayNym directory is centralized: The name lookup service (paynym.is) is a central point
  • Notification transaction is visible: Creates an on-chain link (though obfuscated)

Silent Payments: The Future

BIP352 (Silent Payments) is an upcoming improvement that provides similar benefits to PayNym without the notification transaction. It's not yet widely implemented, but it's worth watching. For now, PayNym is the best option for reusable payment codes.

Combining Privacy Techniques

The most powerful privacy comes from combining multiple techniques. Here's how the tools you've learned work together:

Maximum Privacy Stack

  1. Acquire non-KYC: Start with Bitcoin not linked to your identity (Bisq, mining, earning)
  2. CoinJoin: Break the on-chain link to any acquisition history (Wasabi, Samourai, JoinMarket)
  3. PayJoin payments: When spending, use PayJoin to confuse clustering
  4. PayNym for receiving: Give people your PayNym instead of addresses
  5. Lightning for small payments: Off-chain payments leave no on-chain trace
  6. Own node + Tor: No IP address leakage, no third-party address queries

Practical Privacy Levels

Level 1: Basic (Better than average)

  • Never reuse addresses (automatic in modern wallets)
  • Run your own node (from Stage 2)
  • Use coin control for spending (from Stage 2)

Level 2: Enhanced (Significant privacy)

  • Everything in Level 1
  • Use PayNym for receiving
  • Use PayJoin when available
  • Use Lightning for routine payments

Level 3: Maximum (Near-complete privacy)

  • Everything in Levels 1 and 2
  • Acquire non-KYC
  • CoinJoin all incoming funds
  • Tor for all Bitcoin activity
  • Separate identities for different purposes

Interactive: UTXO Visualizer

Visualize how different transaction types affect your privacy. See how PayJoin transactions differ from regular transactions and understand why combining techniques creates stronger privacy.

Launch UTXO Visualizer →

See how transaction graph analysis works and how privacy techniques break tracking heuristics!

Key Takeaways: PayJoin and PayNym

  • PayJoin breaks the common input heuristic. By having the receiver contribute inputs, transactions look normal but fool blockchain analysts.
  • PayJoin benefits both parties. Sender and receiver both gain privacy from the mixed transaction.
  • PayNym provides reusable payment codes. Share your PayNym publicly; senders generate unique addresses for you without interaction.
  • PayNym requires a one-time connection. The notification transaction establishes the cryptographic relationship.
  • Sparrow supports both PayJoin and PayNym. A great all-in-one wallet for privacy-conscious users.
  • Combine techniques for maximum privacy. Non-KYC acquisition + CoinJoin + PayJoin + PayNym + Lightning + own node = strong privacy.
  • Even partial use helps everyone. The existence of these techniques creates plausible deniability for all Bitcoin users.

Next: Emergency Recovery Plans

You've learned to secure your Bitcoin, protect your privacy, and use advanced techniques. But what happens if disaster strikes? The next module covers emergency recovery: backup verification, disaster scenarios, dead man's switches, and ensuring your Bitcoin survives anything life throws at you.

⚡ Apply This Knowledge

Practice on a real Bitcoin test network — free coins, zero risk.

🔐
⚡ Try It Now

Create a Passphrase-Protected Wallet

Use the same 12 seed words with and without a BIP39 passphrase. Confirm that each passphrase produces a completely different wallet — same seed, different keys.

Signet (free) Sparrow / Blue Wallet 20 min
👁️
⚡ Try It Now

Set Up a Watch-Only Wallet

Import your hardware wallet xpub into Sparrow to monitor balances and verify addresses — without ever connecting your private key to the internet.

Mainnet Sparrow + Hardware Wallet 20 min