Return-Path: Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 26D4DC002D for ; Mon, 3 Oct 2022 23:41:24 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id EEF444013B for ; Mon, 3 Oct 2022 23:41:23 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org EEF444013B Authentication-Results: smtp2.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=d3aK9hpl X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -1.998 X-Spam-Level: X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1] autolearn=ham autolearn_force=no Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id npF1jOh8H8oo for ; Mon, 3 Oct 2022 23:41:22 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org D8B10400C8 Received: from mail-oa1-x2e.google.com (mail-oa1-x2e.google.com [IPv6:2001:4860:4864:20::2e]) by smtp2.osuosl.org (Postfix) with ESMTPS id D8B10400C8 for ; Mon, 3 Oct 2022 23:41:21 +0000 (UTC) Received: by mail-oa1-x2e.google.com with SMTP id 586e51a60fabf-1322fa1cf6fso7492594fac.6 for ; Mon, 03 Oct 2022 16:41:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=cSnD9loJfSpmX5MWFcvxaVjJyQzM3EELzZ1Ic/K00mM=; b=d3aK9hplahAX04jRCSZ4JM5GySBibhV1Elg/N/L7CQtQf2tO2yYuI/ZnkNZDmO7Hwl +rkLTIvjJUz7i1YgLRDUoIFP9Zk3JiM1SRfvQCI5SWAJB8maglxKgE/VwlZdfeStewwV bVKzD51qZ9kRo6hU497KP+JJnOuwbQKBF87No9720+LUozIFDMS5RDh+xJ3uqh5IcK8o mns4lrPL3BxdyeH+iEq8OEDO8D4Svz6O2/bANCrSNhylg1HSQktS6gMB9gF4YkKwS6NL xwrRQ+ozj+EwnpgvV5mVFa4IsI0113B6/qYcRmGrldcnaBz/3KIwKEFzvO9hLv6l92yU 1npw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=cSnD9loJfSpmX5MWFcvxaVjJyQzM3EELzZ1Ic/K00mM=; b=4of4EeDWPJKRCuXYgUXEuEoJnML4Cw4vcK+QBd7MARPiUw53EveIHL3Jy6uE5npSov 9jC8JHmUvx+c7wJwCTJNndhYckV0eFRoRiuquZQ6rKZtjEpMR9c5Mb4fXCOqYdAuSoJX DASngQUJiQyuDS0JhkScyr5+5EWq2GeyyiNPp7xwNxakky8g+Ks5qBh+EUs8nR8AKgvn LDPWs92enJr+1QHTT1/RJ0xyVmGZYGFnUeEFA0wIE63ejLLj/GWeTKMXOt5nKrARUZcY hzm34TPPTfuMzQ3FnSpkfOP2k287951csIAeI7CrLBv5VaXAYVJ05s4bhlnxNyjrTCst 6czg== X-Gm-Message-State: ACrzQf2FSopUcRCQUADD+BUJvnF2+j+RAY+kuoykooew5BeFEaV3bZ7D nZWR8Zw9UENM/KX7wGH+/1IpgGACiZ+PCIilOu59mly8BNI= X-Google-Smtp-Source: AMsMyM7YtO8kWlDEqXFqR1e7wzvUxmULPzO6vn7R0Hua9j6iV73v7/lfbYeT1oSZ+RqW6+sWfP00kfrtQHBHp8TOfZI= X-Received: by 2002:a05:6870:c0c9:b0:127:c4df:5b50 with SMTP id e9-20020a056870c0c900b00127c4df5b50mr6561870oad.126.1664840480726; Mon, 03 Oct 2022 16:41:20 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Ruben Somsen Date: Tue, 4 Oct 2022 01:41:10 +0200 Message-ID: To: Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="00000000000076231f05ea29e1af" X-Mailman-Approved-At: Mon, 03 Oct 2022 23:42:13 +0000 Subject: Re: [bitcoin-dev] Third version of Silent Payment implementation X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Oct 2022 23:41:24 -0000 --00000000000076231f05ea29e1af Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi, Apologies, the link I sent in my previous post was incorrect and should have been: https://github.com/bitcoin/bitcoin/pull/24897#issuecomment-1218641521 Let me also use this opportunity to share another clarifying comment: "There seems to be some confusion about the function of the identifier. Its function is not to create more than one identity, but to be able to distinguish why someone paid you. For example, when the same entity is raising money on behalf of two different charities and wants to know for which of the two charities the sender intended their donation. To be absolutely clear, the payments that appear on-chain are still absolutely unlinkable by a third party observer, nor are they able to tell which identifier was used. In cases where you don't want people to know that you're the same entity, the identifier is insufficient =E2=80=93 you'll need a completely separate = Silent Payment address which (roughly) doubles your scanning efforts, so it's much more costly in terms of performance." This comment can be found here: https://github.com/bitcoin/bitcoin/pull/24897#issuecomment-1266193417 Cheers, Ruben On Fri, Sep 30, 2022 at 1:03 AM Ruben Somsen wrote: > Hi woltx, > > Excellent work. > > >Implements the new scheme suggested by Ruben Somsen that allows multiple > silent addresses per wallet with minimal overhead > > To expand on this, the scheme basically allows the resulting address to b= e > recognizably marked (only recognizable by the recipient of course), which > enables you to distinguish between different payment purposes (e.g. some > people donate to you for purpose A, others for purpose B). Here's my > original comment describing it: > > "Naively, the issue is that two keys means twice the scanning, but an > interesting alternative would be to simply use the same key (assuming > you're OK with using the same identity) but add a public identifier f to = it > when tweaking. So instead of hash(i*X)*G + X you get hash(i*X)*G + X + f*= G > . This means every additional "address" only costs one additional ECC > addition when scanning (relatively cheap compared to doing ECC > multiplications). > > The main downside with this is that f becomes crucial for recovering from > backup. If we set f as an index (0, 1, 2, 3...) then you'd only have to > remember how many "addresses" you issued (and perhaps overshoot when > unsure) to ensure recovery of funds, though of course you'd rather also > remember which index is associated with what payment reason. > > Absolute worst case scenario you could even do something similar to the > gap limit where you scan the full history (not just the UTXO set so you > don't miss spent outputs) with a default max index of e.g. 100, and then = if > you find out most of them are in use, you scan the next 100, etc. Costly, > but thorough, and only needed as a last resort." > > Original comment here: > > https://gist.github.com/RubenSomsen/c43b79517e7cb701ebf77eec6dbb46b8#xpub= -sharing > > Also good to note that f needs to be communicated to the sender somehow, > perhaps as part of the address format. > > Cheers, > Ruben > > On Fri, Sep 30, 2022 at 12:35 AM woltx via bitcoin-dev < > bitcoin-dev@lists.linuxfoundation.org> wrote: > >> >> This new version addresses most (or all) requests made in PR: >> >> . Implements the new scheme suggested by Ruben Somsen that allows >> multiple silent addresses per wallet with minimal overhead. >> . Implements a new RPC to retrieve silent addresses, which allows users >> to assign different labels to different addresses. That way, the user kn= ows >> which silent address the UTXO came from. >> >> Example: >> >> ./src/bitcoin-cli -signet -rpcwallet=3D"receiver" getspaddress >> tsp001pjgcwd9p6f2rcgf35dlgvj77h2afylg6lp5cdn0cztrk4k54w99kqxn48tq >> >> # This will return the same address as above (both have no label) >> ./src/bitcoin-cli -signet -rpcwallet=3D"receiver" getspaddress >> tsp001pjgcwd9p6f2rcgf35dlgvj77h2afylg6lp5cdn0cztrk4k54w99kqxn48tq >> >> # New label, new address >> ./src/bitcoin-cli -signet -rpcwallet=3D"receiver" getspaddress 'donation= ' >> tsp011pjgcwd9p6f2rcgf35dlgvj77h2afylg6lp5cdn0cztrk4k54w99kq80t7lt >> >> In this new scheme, the address has a new field called identifier, which >> tells the receiver and sender how to set the address correctly. >> >> If the receiver, for whatever reason, doesn't know which identifiers hav= e >> been used, there is no problem. The wallet can scan all identifiers from= 0 >> to 99. Currently, only 100 different identifiers per wallet are allowed. >> This limit, however, can be increased at any time in the future. >> >> Unlike address formats so far, sp addresses are not script-related and >> may eventually include any additional information needed, such as an >> expiration timestamp (or block height). That way, users don't have to tr= ack >> the address indefinitely. >> >> As usual I wrote a step by step tutorial: >> https://gist.github.com/w0xlt/c81277ae8677b6c0d3dd073893210875 >> >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists.linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> > --00000000000076231f05ea29e1af Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi,

Apologies, the link I sent in m= y previous post was incorrect and should have been:
https:= //github.com/bitcoin/bitcoin/pull/24897#issuecomment-1218641521

Let me also use this opportunity to share another cla= rifying comment:

"There seems to be some conf= usion about the function of the identifier. Its function is not to create m= ore than one identity, but to be able to distinguish why someone paid you. = For example, when the same entity is raising money on behalf of two differe= nt charities and wants to know for which of the two charities the sender in= tended their donation.

To be absolutely clear, the payments that a= ppear on-chain are still absolutely unlinkable by a third party observer, n= or are they able to tell which identifier was used.

In cases where y= ou don't want people to know that you're the same entity, the ident= ifier is insufficient =E2=80=93 you'll need a completely separate Silen= t Payment address which (roughly) doubles your scanning efforts, so it'= s much more costly in terms of performance."

This c= omment can be found here:

Chee= rs,
Ruben

On Fri, Sep 30, 2022 at 1:03 AM Ruben Somsen <<= a href=3D"mailto:rsomsen@gmail.com">rsomsen@gmail.com> wrote:
= Hi=C2=A0woltx,

Excellent work.

>Implements the n= ew scheme suggested by Ruben Somsen that allows multiple silent addresses p= er wallet with minimal overhead

To expand on this, the scheme basically allows th= e resulting address to be recognizably marked (only recognizable by the rec= ipient of course), which enables you to distinguish between different payme= nt purposes (e.g. some people donate to you for purpose=C2=A0A, others for = purpose B). Here's my original comment describing=C2=A0it= :

"Naively, the issue is that two keys means twice the scanning, b= ut an interesting alternative would be to simply use the same key (assuming= you're OK with using the same identity) but add a public identifier f = to it when tweaking. So instead of hash(i*X)*G + X you get hash(i*X)*G + X = + f*G . This means every additional "address" only costs one addi= tional ECC addition when scanning (relatively cheap compared to doing ECC m= ultiplications).

The main downside with this is that f becomes cruci= al for recovering from backup. If we set f as an index (0, 1, 2, 3...) then= you'd only have to remember how many "addresses" you issued = (and perhaps overshoot when unsure) to ensure recovery of funds, though of = course you'd rather also remember which index is associated with what p= ayment reason.

Absolute worst case scenario you could even do someth= ing similar to the gap limit where you scan the full history (not just the = UTXO set so you don't miss spent outputs) with a default max index of e= .g. 100, and then if you find out most of them are in use, you scan the nex= t 100, etc. Costly, but thorough, and only needed as a last resort."
Original comment here:
https:= //gist.github.com/RubenSomsen/c43b79517e7cb701ebf77eec6dbb46b8#xpub-sharing=

Also good to note that f needs to be communicated to the sender= somehow, perhaps as part of the address format.

Cheers,
Ruben
On = Fri, Sep 30, 2022 at 12:35 AM woltx via bitcoin-dev <bitcoin-dev@lists.l= inuxfoundation.org> wrote:

This new version add= resses most (or all) requests made in PR:

.= Implements the new scheme suggested by Ruben Somsen that allows multiple s= ilent addresses per wallet with minimal overhead.
. = Implements a new RPC to retrieve silent addresses, which allows users to as= sign different labels to different addresses. That way, the user knows whic= h silent address the UTXO came from.

= Example:

./src/bitcoin-cli -signet -r= pcwallet=3D"receiver" getspaddress
tsp001p= jgcwd9p6f2rcgf35dlgvj77h2afylg6lp5cdn0cztrk4k54w99kqxn48tq

# This will return the same address as above (both ha= ve no label)
./src/bitcoin-cli -signet -rpcwallet=3D= "receiver" getspaddress
tsp001pjgcwd9p6f2r= cgf35dlgvj77h2afylg6lp5cdn0cztrk4k54w99kqxn48tq

=
# New label, new address
./src/bitcoin-cl= i -signet -rpcwallet=3D"receiver" getspaddress 'donation'=
tsp011pjgcwd9p6f2rcgf35dlgvj77h2afylg6lp5cdn0cztrk4= k54w99kq80t7lt

In this new scheme, t= he address has a new field called identifier, which tells the receiver and = sender how to set the address correctly.

If the receiver, for whatever reason, doesn't know which identifier= s have been used, there is no problem. The wallet can scan all identifiers = from 0 to 99. Currently, only 100 different identifiers per wallet are allo= wed. This limit, however, can be increased at any time in the future.

Unlike address formats so far, sp addresse= s are not script-related and may eventually include any additional informat= ion needed, such as an expiration timestamp (or block height). That way, us= ers don't have to track the address indefinitely.

=
As usual I wrote a step by step tutorial:
https://gist.= github.com/w0xlt/c81277ae8677b6c0d3dd073893210875

_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--00000000000076231f05ea29e1af--