Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WjyuB-0004Ll-1t for bitcoin-development@lists.sourceforge.net; Mon, 12 May 2014 22:41:07 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.216.173 as permitted sender) client-ip=209.85.216.173; envelope-from=ctpacia@gmail.com; helo=mail-qc0-f173.google.com; Received: from mail-qc0-f173.google.com ([209.85.216.173]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1WjyuA-0001Cq-1V for bitcoin-development@lists.sourceforge.net; Mon, 12 May 2014 22:41:07 +0000 Received: by mail-qc0-f173.google.com with SMTP id i8so8515897qcq.4 for ; Mon, 12 May 2014 15:41:00 -0700 (PDT) X-Received: by 10.224.166.9 with SMTP id k9mr43126380qay.25.1399934460586; Mon, 12 May 2014 15:41:00 -0700 (PDT) Received: from [192.168.1.4] (pool-72-73-200-73.cmdnnj.east.verizon.net. [72.73.200.73]) by mx.google.com with ESMTPSA id l10sm23637214qaa.19.2014.05.12.15.40.59 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 12 May 2014 15:41:00 -0700 (PDT) Message-ID: <53714DCE.7020803@gmail.com> Date: Mon, 12 May 2014 18:40:14 -0400 From: Chris Pacia User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0 MIME-Version: 1.0 To: bitcoin-development@lists.sourceforge.net References: <20140509150325.GA30436@savin> <20140509152715.GA12421@savin> <20140509181353.GB27819@savin> In-Reply-To: X-Enigmail-Version: 1.6 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Spam-Score: -1.6 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (ctpacia[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1WjyuA-0001Cq-1V Subject: Re: [Bitcoin-development] ECDH in the payment protocol X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 May 2014 22:41:07 -0000 Just a thought. Using the payment protocol for stealth would mean we would likely have to return to backing up wallets all the time would it not? The nonces cannot be derived from your wallet seed and, since they aren't in the blockchain, would have to be stored in your wallet. I suppose they could be stored on the server, but you would probably want a backup for that anyway. So we would end up having to back up all the time, something we're trying to get away from. Am I correct about this? On 05/09/2014 02:38 PM, Pieter Wuille wrote: > On Fri, May 9, 2014 at 8:13 PM, Peter Todd wrote: >> I don't think we're going to find that's practical unfortunately due to >> change. Every payment I make ties up txouts, so if we try to base the >> atomicity of payments on whether or not the payee decides to broadcast >> the transaction the payor is stuck with txouts that they can't use until >> the payee makes up their mind. That leads to lots and lots of nasty edge >> cases. > I haven't talked much about it except for on IRC, but my idea was this: > * PaymentACK messages become signed (with the same key as the payment > request, or using some delegation mechanism, so that the same key > doesn't need to remain online). > * Instead of a full Bitcoin transaction, a Payment message contains a > scriptSig-less Bitcoin transaction + a limit on its byte size (and > perhaps a limit on its sigop count). > * The sender sends such a Payment to the receiver before actually > signing the transaction (or at least, before revealing the signed > form). > * The receiver only ACKs if the transaction satisfies the request, is > within time limits, isn't unlikely to confirm. > * If the sender likes the ACK (the refund and memo fields are intact, > the transaction isn't changed, the signature key is valid, ...), he > either sends the full transaction (with receiver taking responsibility > for broadcasting) or broadcasts it himself. > > Together, this means that a paymentACK + a confirmed matching Bitcoin > transaction can count as proof of payment. Both parties have a chance > to disagree with the transaction, and are certain all communicated > data (apart from transaction signatures) in both directions happened > correctly before committing. It would completely remove the chance > that the Bitcoin transaction gets broadcast without the receiver > liking it (for legitimate or illegitimate reasons), or without the > backchannel functioning correctly. > > It's also compatible with doing multiple payments in one Bitcoin > transaction - you can ask for ACKs from multiple parties before > signing the transaction. > > Of course, the sender can still withhold the signed transaction (in > which case nothing happened, but we probably need a second timeout), > or the receiver can always claim to have never received the > transaction. The sender can broadcast the transaction himself in order > to prevent that, after obtaining an ACK. >