Re: [Bitcoin-development] Stealth Addresses
Oh, sorry, I forgot to mention it in my first write-up but you can easily make stealth addresses include a second pubkey for the purpose of the communication that either isn't used in the scriptPubKey at all, or is part of a n-of-m multisig. (n=2) Interestingly that also means you can give a third-party that key and out-source the effort of scanning the blockchain for you. Great point. Even if it's not a 3rd party, I think it's really important to be able to scan for transactions with a key which can't actually spend the funds. The first approach is just one-pass ECDH. I think you're saying the second approach is two rounds of ECDH but re-using the same e/P (usually referred to as r/R in ECIES). I think this is safe, unlike reusing an ephemeral key for signing operations. Payee: Publish Q, Q2 [d, d2 are privkeys, Q, Q2 are pubkeys] Payer: 1) Generate ephemeral key: e / P [e is privkey, P is pubkey] 2) S = e * Q [first shared secret] 3) S2 = e * Q2[second shared secret, reusing 'e'] 4) Q' = Q + H(S) [pay-to stealth address] 5) Q2' = Q2 + H(S2) [stealth 'marker'] Watch: 1) Look for TxOut with OP_RETURN P 2) Q2' = Q2 + H(d2 * P) 3) Check for Q2' elsewhere in the Tx S/MIME for example, allows reuse of the ephemeral keypair. When reusing an ephemeral keypair where A reuses (x, X) to encrypt different messages to more than one user, A should verify the static public keys to prevent small-subgroup attacks.[1][2] Let's say you pay-to Q' and then Q2' value has to be somewhere else in the transaction. You could put it next to the shared P in OP_RETURN. OP_RETURN P Q2' would be 66 bytes. But then Mallory could generate transactions with the right Q2' but with his own pubkey in Step 2 instead of Q. So your scanner would detect a payment, but you wouldn't be able to spend it, and Mallory could. That's a good argument for putting Q2' in a 2-of-2 multisig so that pulling this trick would at least make the transaction unspendable for both parties, which may be good enough deterrent, but you're still going to want to check it against your 'd' before fulfilling a large order. Your online watch process could queue the matching transactions, which you could move to your offline machine, decrypt your key, and verify the transactions are spendable. Now, you would need to get two pubkeys to the payer, throw in a prefix to help standardize it, and end up with addresses that could look like (for example): xSTLxsn59oaupR6ZKt2yddQ4dp5hcFinnTWkvsDiXtHgAEDg5ajNVzTY8MMQsmqnEn3ZMKxQzrfC3pDimfTWMkiUb7x3jX3J26JSX tSTLcpwzupCFL3maVZkSiB9ib3BXsCAfkhMLgckQEyoj8Tk83ANzofeuDdbX6bSPqNRfACLLFYK8EwVo1jdjxNDFNDWxhnQiAy4ba Those addresses are 74 bytes: PrefixCompressedPubKey1CompressedPubKey2Checksum xSTL Prefix = 0xC0CB9270 tSTL Prefix = 0xB2E27D50 NOTE: I do NOT have the corresponding privkeys for these four pubkeys! Those just happened to be the first matching prefixes I found for 74 byte addresses. I could try to find ones which start with a specific byte if that's somehow better, like 0x04 to match BIP32. Unfortunately, I don't think you can just derive a second public key from the first to keep the address shorter, and still keep the first private key secure, even if the second private key is stolen. You only get equivalent security as BIP32 public derivation, where you can't lose a child private key. Do we also want xSTL (or whatever user friendly string) prefixes for single pubkey (41 byte) stealth addresses? I'll wait a couple days for feedback, then I'll try to implement the following prototypes: 1) Pay to STL addresses 2) Watcher process to detect and queue STL payments for a given d2/Q2 3) Offline verifier to take output from Watcher and verify spendable given encrypted d/d2 Obviously extending QT directly for #1 would be ideal, I may even be able to do that since supporting a new address type should be fairly contained. But if not I'll punt to writing a node.js or python script which connects to bitcoind via RPC. Thanks, Jeremy [1] - On Reusing Ephemeral Keys in Diffie-Hellman Key Agreement Protocols http://www.math.uwaterloo.ca/~ajmeneze/publications/ephemeral.pdf [2] - Validation of Elliptic Curve Public Keys http://www.iacr.org/archive/pkc2003/25670211/25670211.pdf -- CenturyLink Cloud: The Leader in Enterprise Cloud Services. Learn Why More Businesses Are Choosing CenturyLink Cloud For Critical Workloads, Development Environments Everything In Between. Get a Quote or Start a Free Trial Today. http://pubads.g.doubleclick.net/gampad/clk?id=119420431iu=/4140/ostg.clktrk ___ Bitcoin-development mailing list
Re: [Bitcoin-development] Stealth Addresses
You can always just extend the payment protocol with the new fields as well, vs making very long addresses. If this technique can be made to work well, it would have applicability in both fixed textual address context, and for a fixed/upload-once payment protocol file. That has the advantage of backwards compatibility as well - the new addresses would not be clickable or acceptable by old wallets, but with the payment protocol you can always craft a bitcoin URI that contains a regular current style address, and a link to a fixed payment protocol file (uploaded to a pastebin type site), and modern wallets would ignore the address and use the ECDH based system instead. On Sun, Jan 12, 2014 at 11:33 AM, Jeremy Spilman jer...@taplink.co wrote: Oh, sorry, I forgot to mention it in my first write-up but you can easily make stealth addresses include a second pubkey for the purpose of the communication that either isn't used in the scriptPubKey at all, or is part of a n-of-m multisig. (n=2) Interestingly that also means you can give a third-party that key and out-source the effort of scanning the blockchain for you. Great point. Even if it's not a 3rd party, I think it's really important to be able to scan for transactions with a key which can't actually spend the funds. The first approach is just one-pass ECDH. I think you're saying the second approach is two rounds of ECDH but re-using the same e/P (usually referred to as r/R in ECIES). I think this is safe, unlike reusing an ephemeral key for signing operations. Payee: Publish Q, Q2 [d, d2 are privkeys, Q, Q2 are pubkeys] Payer: 1) Generate ephemeral key: e / P [e is privkey, P is pubkey] 2) S = e * Q [first shared secret] 3) S2 = e * Q2[second shared secret, reusing 'e'] 4) Q' = Q + H(S) [pay-to stealth address] 5) Q2' = Q2 + H(S2) [stealth 'marker'] Watch: 1) Look for TxOut with OP_RETURN P 2) Q2' = Q2 + H(d2 * P) 3) Check for Q2' elsewhere in the Tx S/MIME for example, allows reuse of the ephemeral keypair. When reusing an ephemeral keypair where A reuses (x, X) to encrypt different messages to more than one user, A should verify the static public keys to prevent small-subgroup attacks.[1][2] Let's say you pay-to Q' and then Q2' value has to be somewhere else in the transaction. You could put it next to the shared P in OP_RETURN. OP_RETURN P Q2' would be 66 bytes. But then Mallory could generate transactions with the right Q2' but with his own pubkey in Step 2 instead of Q. So your scanner would detect a payment, but you wouldn't be able to spend it, and Mallory could. That's a good argument for putting Q2' in a 2-of-2 multisig so that pulling this trick would at least make the transaction unspendable for both parties, which may be good enough deterrent, but you're still going to want to check it against your 'd' before fulfilling a large order. Your online watch process could queue the matching transactions, which you could move to your offline machine, decrypt your key, and verify the transactions are spendable. Now, you would need to get two pubkeys to the payer, throw in a prefix to help standardize it, and end up with addresses that could look like (for example): xSTLxsn59oaupR6ZKt2yddQ4dp5hcFinnTWkvsDiXtHgAEDg5ajNVzTY8MMQsmqnEn3ZMKxQzrfC3pDimfTWMkiUb7x3jX3J26JSX tSTLcpwzupCFL3maVZkSiB9ib3BXsCAfkhMLgckQEyoj8Tk83ANzofeuDdbX6bSPqNRfACLLFYK8EwVo1jdjxNDFNDWxhnQiAy4ba Those addresses are 74 bytes: PrefixCompressedPubKey1CompressedPubKey2Checksum xSTL Prefix = 0xC0CB9270 tSTL Prefix = 0xB2E27D50 NOTE: I do NOT have the corresponding privkeys for these four pubkeys! Those just happened to be the first matching prefixes I found for 74 byte addresses. I could try to find ones which start with a specific byte if that's somehow better, like 0x04 to match BIP32. Unfortunately, I don't think you can just derive a second public key from the first to keep the address shorter, and still keep the first private key secure, even if the second private key is stolen. You only get equivalent security as BIP32 public derivation, where you can't lose a child private key. Do we also want xSTL (or whatever user friendly string) prefixes for single pubkey (41 byte) stealth addresses? I'll wait a couple days for feedback, then I'll try to implement the following prototypes: 1) Pay to STL addresses 2) Watcher process to detect and queue STL payments for a given d2/Q2 3) Offline verifier to take output from Watcher and verify spendable given encrypted d/d2 Obviously extending QT directly for #1 would be ideal, I may even be able to do that since supporting a new address type should be fairly contained. But if not I'll punt to writing a node.js or python script which connects to bitcoind via RPC. Thanks, Jeremy
Re: [Bitcoin-development] Stealth Addresses
On Sun, Jan 12, 2014 at 5:33 AM, Jeremy Spilman jer...@taplink.co wrote: ... Now, you would need to get two pubkeys to the payer, throw in a prefix to help standardize it, and end up with addresses that could look like (for example): xSTLxsn59oaupR6ZKt2yddQ4dp5hcFinnTWkvsDiXtHgAEDg5ajNVzTY8MMQsmqnEn3ZMKxQzrfC3pDimfTWMkiUb7x3jX3J26JSX tSTLcpwzupCFL3maVZkSiB9ib3BXsCAfkhMLgckQEyoj8Tk83ANzofeuDdbX6bSPqNRfACLLFYK8EwVo1jdjxNDFNDWxhnQiAy4ba No, please. Make it easy for non-geeks, extend the payment protocol, or we'll spend the next two years writing code that tries to ignore linebreaks and spaces and changing input elements in HTML forms to textarea -- -- Gavin Andrese -- CenturyLink Cloud: The Leader in Enterprise Cloud Services. Learn Why More Businesses Are Choosing CenturyLink Cloud For Critical Workloads, Development Environments Everything In Between. Get a Quote or Start a Free Trial Today. http://pubads.g.doubleclick.net/gampad/clk?id=119420431iu=/4140/ostg.clktrk___ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
