Pay-to-EndPoint (P2EP) is a cryptographic technique designed to improve financial privacy on transparent blockchains like Bitcoin. It operates as an extension of the CoinJoin concept, where multiple parties combine their funds into a single transaction to break the common-input-ownership heuristic used by blockchain analysts. In a standard P2EP transaction, a user and a cooperating service provider (the "endpoint") create a transaction with two inputs—one from each party—and two corresponding outputs. Crucially, the output belonging to the user is constructed using the provider's public key, and vice-versa, making it computationally difficult for external observers to determine which output belongs to which input owner.
LABS
Glossary
Pay-to-EndPoint (P2EP)
A privacy-enhancing transaction protocol where a single participant pays the network fees for all participants in a CoinJoin, obscuring the true source of fees to improve anonymity.
Chainscore © 2026
definition
BLOCKCHAIN PRIVACY PROTOCOL
What is Pay-to-EndPoint (P2EP)?
Pay-to-EndPoint (P2EP) is a privacy-enhancing protocol that obscures transaction details by mixing a user's coins with those of a trusted service provider within a single, collaborative Bitcoin transaction.
The core innovation of P2EP is its use of Elliptic Curve Diffie-Hellman (ECDH) key exchange. When constructing the transaction, the user and provider exchange public keys and use ECDH to derive a shared secret. This secret is then used to generate a one-time, stealth address for the recipient's output. This process ensures that only the intended recipient can calculate the private key needed to spend the output, while onlookers see only seemingly unrelated public keys. This method effectively breaks the transaction graph by severing the visible link between a user's input address and their new output address, providing stronger anonymity than basic CoinJoin.
A practical implementation of P2EP is found in the BIP 78 PayJoin specification, which standardizes the protocol for Bitcoin. In a PayJoin, a merchant and a customer collaborate: the customer pays for goods, and the merchant adds an input and receives change, creating a transaction that looks like a simple self-transfer or change output to chain analysis tools. This not only enhances privacy for both parties but also improves UTXO management by consolidating coins without creating a privacy leak. The protocol is non-custodial and trust-minimized, as the collaborative construction happens interactively without either party gaining control over the other's funds.
Compared to other privacy solutions, P2EP offers distinct advantages and trade-offs. Unlike Confidential Transactions or zk-SNARKs, it does not require a consensus change or introduce new cryptographic assumptions to Bitcoin; it works within the existing script system. However, it requires active participation from a cooperative counterparty (the endpoint), which can limit spontaneity. Its privacy guarantee is also probabilistic and strengthens with adoption—the more entities that use PayJoin, the harder it becomes for analysts to distinguish private transactions from regular economic activity on the blockchain.
The development and adoption of P2EP represent a significant step toward practical, incremental privacy on Bitcoin. By integrating seamlessly with existing wallets and payment processors, it provides a viable on-ramp for users seeking better financial opacity without relying on separate mixing services or sidechains. As blockchain surveillance becomes more sophisticated, protocols like Pay-to-EndPoint demonstrate how collaborative cryptography can be leveraged to reclaim transactional privacy at the protocol level, making it a foundational tool for a more fungible digital cash system.
how-it-works
BLOCKCHAIN PRIVACY MECHANISM
How Pay-to-EndPoint (P2EP) Works
An explanation of the Pay-to-EndPoint protocol, a privacy-enhancing technique for Bitcoin and other UTXO-based blockchains that obscures transaction links by involving a cooperative third party.
Pay-to-EndPoint (P2EP) is a collaborative transaction protocol designed to enhance privacy on UTXO-based blockchains like Bitcoin by breaking the common-input-ownership heuristic. It works by having two parties—a sender and a cooperative third-party endpoint—jointly create a single transaction where their inputs are mixed. Crucially, the transaction output structure is crafted so that an external observer cannot determine which input belongs to which participant, effectively obfuscating the link between the sender's coins and their ultimate destination. This method provides a form of coin mixing without requiring a dedicated mixing service or complex cryptographic constructs like Confidential Transactions.
The core mechanism involves the endpoint providing one or more of its own UTXOs as inputs alongside the sender's. The transaction is then constructed with at least two outputs: one that pays the sender's intended recipient and another that returns the endpoint's funds, minus a fee, back to an address they control. Because all participants' inputs are spent together and the outputs are not clearly mapped to individual inputs, blockchain analysts cannot reliably determine which output is the true payment and which is the change. This breaks the fundamental chain analysis assumption that all inputs to a transaction are controlled by the same entity.
A practical example is BIP 78, which standardizes P2EP for PayJoin transactions. In a retail scenario, a customer (sender) pays a merchant (endpoint). Instead of a simple one-input, two-output payment, the merchant contributes an input. The resulting transaction has outputs to the merchant's new receiving address and back to the customer's change address. To an outsider, it appears as a multi-party transaction with no clear spending trail, increasing privacy for both parties. This is more efficient than traditional CoinJoin as it integrates mixing into a legitimate economic transaction.
Key advantages of P2EP include its trust-minimized design—the endpoint cannot steal funds as the transaction is collaboratively signed—and its positive impact on the UTXO set by not creating additional wasteful outputs. However, its privacy guarantees depend on the endpoint's cooperation and the inability of analysts to deanonymize participants through other metadata or timing analysis. It represents a significant step towards practical, incremental privacy for blockchain payments, making surveillance more costly and less reliable without altering the base protocol's security model.
key-features
PAY-TO-ENDPOINT (P2EP)
Key Features & Benefits
Pay-to-EndPoint (P2EP) is a blockchain transaction model where a user pays a service provider's node directly for access to a specific API endpoint, data feed, or computational result, rather than paying the network via gas fees.
01
Direct Service Provider Compensation
P2EP enables direct micropayments from a user's wallet to a service provider's address for a specific data or compute service. This bypasses the need for the provider to monetize via front-running, MEV extraction, or selling user data, creating a transparent and aligned business model.
- Example: Paying 0.001 ETH directly to an oracle node for a price feed.
- Contrasts with the traditional model where users pay the network (miners/validators) for block space, not the service itself.
02
Predictable & Controllable Costs
Users pay a fixed or auction-based fee for a guaranteed service outcome, decoupling cost from volatile network gas fees. This provides cost predictability for applications requiring frequent data queries or computations.
- Use Case: A DeFi protocol can budget for oracle updates without exposure to mainnet gas spikes.
- Mechanism: The fee is specified in the transaction calldata or via a separate payment channel, agreed upon before execution.
03
Enhanced Privacy & Censorship Resistance
By paying the endpoint directly, the transaction's purpose and data payload can be obfuscated from the public mempool, reducing front-running risk. The service provider acts as a shielded relay.
- Privacy Benefit: Sensitive computation inputs (e.g., a private bid) are sent directly to the provider's node.
- Censorship Aspect: Relies on the provider's willingness to include the transaction, but creates a competitive market for honest execution.
04
Modular Architecture & Specialization
P2EP promotes a modular stack where specialized service providers (oracles, verifiable compute, storage) compete on price and quality. This separates the roles of block production (handled by L1/L2) and service provision.
- Architecture: The blockchain secures settlement and payments, while off-chain or layer-2 providers deliver the service.
- Result: Encourages innovation and efficiency in specialized verticals beyond simple value transfer.
05
Protocol-Level Integration Examples
P2EP concepts are implemented in various forms across the ecosystem:
- EIP-4337 (Account Abstraction): UserOperations can include payment to a bundler or paymaster service.
- Oracles (e.g., Chainlink Functions): Users pay LINK directly to the oracle network for computation.
- The Graph: Indexers are paid in GRT for query services, separate from network gas.
- Flashbots SUAVE: Aims to be a decentralized block builder where searchers pay for inclusion.
06
Economic & Security Considerations
P2EP introduces new trust and incentive models that must be carefully designed.
- Provider Trust: Users must trust the provider to execute correctly after payment. This is often mitigated with cryptographic proofs or slashing conditions.
- Payment Security: Payments must be atomic with service delivery, often requiring cryptographic conditional payments or escrow.
- Sybil Resistance: Providers may need to stake or have reputation to prevent spam and ensure service quality.
privacy-improvements
PAY-TO-ENDPOINT (P2EP)
Specific Privacy Improvements
Pay-to-EndPoint (P2EP) is a privacy-enhancing protocol that obscures transaction links by having a sender and receiver collaboratively construct a single, indistinguishable CoinJoin-style transaction.
01
Core Mechanism
P2EP transforms a simple payment into a collaborative CoinJoin. Instead of a direct A→B payment, both parties (sender A and receiver B) contribute inputs to a single transaction with multiple outputs. This creates a uniform transaction graph where the true payment path is hidden among decoy participants.
- Sender's Role: Contributes the payment amount plus a change output.
- Receiver's Role: Contributes a small, sacrificial input (e.g., dust) to receive the payment.
- Result: The on-chain record shows a multi-party transaction, breaking the direct link between sender and receiver addresses.
02
Breaking Common-Input-Ownership Heuristic
The primary privacy gain of P2EP is defeating the common-input-ownership heuristic, a fundamental assumption in blockchain analysis. This heuristic states that all inputs to a transaction are controlled by the same entity.
By having two independent parties (sender and receiver) provide inputs to the same transaction, P2EP creates a counterexample that invalidates this assumption for observers. This adds plausible deniability and forces chain analysis to treat such transactions as having multiple possible interpretations, significantly increasing the anonymity set.
03
Comparison to Standard & CoinJoin
P2EP sits between a standard transaction and a full CoinJoin in terms of complexity and privacy.
- Standard Payment (A→B): Clear, on-chain link between sender (A) and receiver (B). Low privacy.
- Pay-to-EndPoint (A+B→?): Sender A and Receiver B co-create a transaction. The link A→B is obscured among the transaction's participants.
- Full CoinJoin (A+B+C+...): Multiple independent parties coordinate. Highest privacy, but requires more complex coordination and a larger anonymity set.
P2EP offers a significant privacy boost over standard payments with simpler two-party coordination.
05
Privacy vs. Fee & UX Considerations
Adopting P2EP involves trade-offs between privacy, cost, and user experience.
- Increased Fees: The transaction has more inputs and outputs than a simple payment, leading to a higher virtual size (vbytes) and thus a higher fee.
- Receiver Participation: Requires the receiving wallet/service to be online and configured with a PayJoin endpoint, adding complexity.
- UTXO Management: Creates Unspent Transaction Outputs (UTXOs) for both parties that are now linked in a non-obvious way, which must be managed carefully in future transactions to avoid privacy leaks.
- Network Benefit: Despite individual cost, P2EP transactions improve overall network privacy by poisoning common heuristics.
06
Real-World Adoption & Wallets
P2EP is implemented in several Bitcoin wallets and services, moving from concept to practical use.
- Wallet Support: Wallets like Wasabi Wallet, BTCPay Server, and Samourai Wallet have implemented sender and/or receiver support for PayJoin (BIP 78).
- Merchant Integration: Payment processors can use P2EP to automatically receive payments with enhanced privacy for both the customer and the business.
- Address Reuse Mitigation: It is particularly effective at mitigating the privacy loss from address reuse, as the receiver's address appears in a multi-party context rather than a simple payment.
visual-explainer
MECHANISM
Visualizing a P2EP Transaction
A step-by-step breakdown of the Pay-to-EndPoint (P2EP) protocol, which enhances Bitcoin privacy by combining a sender's and receiver's inputs in a collaborative transaction.
A Pay-to-EndPoint (P2EP) transaction is a collaborative Bitcoin transaction where the payment sender and receiver each contribute at least one input, blending their coins in a way that obscures the true payment path from external blockchain observers. This technique, a form of coinjoin, was first proposed by developers Gregory Maxwell and Tadge Dryja as a practical privacy enhancement for everyday payments. Unlike a standard transaction where only the payer's inputs are visible, P2EP creates a single transaction with inputs from both parties, making it computationally difficult for chain analysis firms to determine which output constitutes the actual payment.
The protocol works by having the payment receiver generate a special, partially-signed transaction template. This template includes a placeholder for the sender's input and specifies the receiver's change output. The sender receives this template, adds their own input and output for the payment amount, signs their portion, and broadcasts the completed transaction. Crucially, from the perspective of the blockchain, all inputs and outputs appear equally valid, breaking the common-input-ownership heuristic—a fundamental assumption used by surveillance tools to cluster addresses belonging to the same entity.
A key innovation of P2EP is its use of BIP 78, the Pay-to-EndPoint Receiver Protocol, which standardizes the communication between wallets. The receiver's wallet generates a Payjoin URI (similar to a BIP21 Bitcoin URI) that contains the necessary transaction data. When the sender's wallet scans this URI, it initiates the collaborative construction process. This standardization ensures interoperability between different wallet implementations, moving P2EP from a theoretical concept to a deployable feature.
Visualizing the transaction on a block explorer reveals its defining characteristic: multiple inputs from seemingly unrelated parties funding multiple outputs. For example, a transaction might show two inputs (one from Alice, one from Bob's store) and two outputs (one for the payment to Bob, one for Alice's change). Without P2EP, the transaction would clearly show Alice paying Bob. With P2EP, an analyst cannot definitively say if Alice paid Bob, or if Bob paid Alice, or if it was a simple coin swap between peers, thereby providing probabilistic privacy.
While powerful, P2EP has limitations. It requires active cooperation from the receiving wallet/service, which must be online and configured to support the protocol. It also slightly increases transaction size and fees due to the extra input. Despite this, P2EP represents a significant step toward fungibility in Bitcoin, offering improved privacy without requiring changes to the network's consensus rules and making surveillance economically less viable for small-value transactions.
examples
PAYMENT PROTOCOL
Protocols & Implementations
Pay-to-EndPoint (P2EP) is a Bitcoin transaction protocol that combines a standard on-chain payment with an off-chain data transfer, enabling enhanced privacy and functionality.
01
Core Mechanism
P2EP modifies a standard Pay-to-Public-Key-Hash (P2PKH) transaction by having the sender and receiver collaboratively create a single transaction. The receiver contributes one or more inputs, making them a co-signer. This creates a CoinJoin-like structure where multiple parties' funds are mixed in a single, indistinguishable on-chain output.
02
Privacy Enhancement (Dandelion++)
A primary application of P2EP is to bootstrap network-level privacy. By embedding a transaction in an ephemeral message to the receiver's node before broadcast, it can be routed through the Dandelion++ anonymity network. This obfuscates the transaction's origin IP address, breaking the link between the transaction's first peer and the spender's physical location.
03
Data Carrier & OP_RETURN
P2EP can be used to transmit arbitrary data off-chain. The sender creates a transaction that pays to the receiver but includes an OP_RETURN output with encrypted data. Because the receiver is a co-signer, they can see this data in their mempool before the transaction is mined, enabling secure, trustless data exchange without polluting the blockchain if the transaction is canceled.
05
Contrast with PayJoin
Pay-to-EndPoint (P2EP) is often used interchangeably with PayJoin, but they emphasize different aspects. P2EP focuses on the protocol's ability to send data to an endpoint (a node). PayJoin emphasizes the economic outcome: a transaction that looks like a simple payment but actually combines inputs from sender and receiver, improving privacy by breaking common-input-ownership heuristic analysis.
security-considerations
PAY-TO-ENDPOINT (P2EP)
Security & Trust Considerations
Pay-to-EndPoint (P2EP) is a Bitcoin transaction protocol that enhances privacy by obfuscating the link between the payer and the recipient. It achieves this by using a collaborative, multi-party construction that mixes payment data.
01
Core Privacy Mechanism
P2EP improves upon standard CoinJoin by having the payment receiver actively participate in constructing the transaction. Instead of a simple payment, the receiver provides one or more of their own UTXOs to be mixed with the payer's input. This creates a single, collaborative transaction where the true payer among the multiple inputs is cryptographically ambiguous, breaking the common-input-ownership heuristic used by blockchain analysts.
02
Trust Model & Coordinator Role
The protocol requires a semi-trusted coordinator (often the merchant's server) to facilitate the transaction build. This entity learns the association between payer and receiver during the setup phase but does not see the final, signed transaction before broadcast. Trust is minimized as the coordinator cannot steal funds, but its potential to log payment associations is a known trade-off for the usability of the protocol.
03
Security Assumptions & Limitations
P2EP's privacy guarantees depend on specific assumptions:
- Network-Level Privacy: IP addresses must be hidden (e.g., via Tor) to prevent the coordinator from linking transactions to network identity.
- Coordinator Honesty: The coordinator is assumed not to be actively malicious in censoring transactions or permanently storing linkage data.
- UTXO Selection: The receiver's contributed UTXO must not itself be tainted or easily identifiable, or it can weaken the privacy for both parties.
04
Comparison to Other Privacy Tech
P2EP sits between simpler and more complex privacy solutions:
- Vs. Plain Bitcoin: Vastly superior, as it breaks the direct on-chain link.
- Vs. Standard CoinJoin: More private for one-off payments, as the payer isn't just joining with strangers but with the intended recipient.
- Vs. Chaumian CoinJoin (e.g., Wasabi): Less private, as it relies on a single coordinator per transaction rather than a decentralized mixing round with many participants.
06
Adoption & Practical Use
P2EP is primarily used in Bitcoin merchant payment processing. Services like BTCPay Server have implemented BIP 78, allowing merchants to receive more private payments. Adoption challenges include:
- Requiring wallet support from both payer and payee.
- The slight complexity added to the payment flow.
- The privacy benefit is most clear in a one-to-one payment, not for repeated payments to the same endpoint.
PRIVACY PROTOCOL COMPARISON
P2EP vs. Standard CoinJoin vs. Basic Transaction
A technical comparison of privacy-enhancing transaction coordination mechanisms based on their core properties and trade-offs.
| Feature / Metric | Pay-to-EndPoint (P2EP) | Standard CoinJoin | Basic On-Chain Transaction |
|---|---|---|---|
Primary Privacy Goal | Sender-receiver unlinkability | Input-output unlinkability | No inherent privacy |
Coordination Required | Direct peer-to-peer | Central coordinator or peer-to-peer | None |
Minimum Participants | 2 (sender + receiver) | Typically 5-100+ | 1 |
On-Chain Footprint | Single transaction | Single transaction | Single transaction |
Trust Model | Trusted counterparty (receiver) | Trusted coordinator or cryptographic | None |
Deniability | High (appears as standard payment) | Medium (identifiable as CoinJoin) | None |
Network Overhead | Low (direct communication) | High (coordination rounds) | None |
Typical Fee Premium | 0% (sender pays standard fees) | 2-5% coordinator fee | 0% |
PAY-TO-ENDPOINT (P2EP)
Frequently Asked Questions (FAQ)
Pay-to-EndPoint (P2EP) is a privacy-enhancing Bitcoin transaction protocol that obfuscates the link between sender and receiver by using a collaborative, multi-party payment structure. These questions address its core mechanics, benefits, and implementation.
Pay-to-EndPoint (P2EP) is a privacy protocol for Bitcoin that breaks the direct on-chain link between a transaction's sender and receiver by involving a third-party service, called an Endpoint. It works by having the sender and the Endpoint collaboratively create a single transaction where:
- The sender contributes inputs for the intended payment amount.
- The Endpoint contributes a dummy input of equal value to the sender's.
- The transaction creates two outputs: one paying the receiver and one returning the Endpoint's funds.
To an external observer, the transaction appears as a standard 2-input, 2-output payment, making it impossible to determine which output belongs to the actual payer and which is the change address, thereby enhancing transaction graph privacy.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall