Return-Path: Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 722FFC002D for ; Thu, 29 Sep 2022 23:03:49 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 39583611C4 for ; Thu, 29 Sep 2022 23:03:49 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 39583611C4 Authentication-Results: smtp3.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=pR1tiNTh X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -1.998 X-Spam-Level: X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1] autolearn=ham autolearn_force=no Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H3u_OhKM0Yt3 for ; Thu, 29 Sep 2022 23:03:47 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org E486160BA6 Received: from mail-oa1-x2f.google.com (mail-oa1-x2f.google.com [IPv6:2001:4860:4864:20::2f]) by smtp3.osuosl.org (Postfix) with ESMTPS id E486160BA6 for ; Thu, 29 Sep 2022 23:03:46 +0000 (UTC) Received: by mail-oa1-x2f.google.com with SMTP id 586e51a60fabf-131886d366cso3549429fac.10 for ; Thu, 29 Sep 2022 16:03:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date; bh=lMyIagdcnJqBVw9tXvOxK+3Q7JNSaPY10uJxZ9Ncb3w=; b=pR1tiNThvpI/BpnSEqojOU5+Zeh3QSFNc4uUovDeQG2ysPJtEP9GGw7z8rzbEVYL3y wqFDYrIg2cOkN7wWSZ4tT64wjSNuCqVnRgVtr6Viu1NWIl1uVEzrBKHUqQE0q6KBCRnp MHy4Y4r7puXKJWZ1VRPTv8f7S/NN8VUIlrufIXGDAJiQ9p80UNNZ5zB+tDiLNN5c2ioK l9TjG6pjcphM/+m5C4dY5MAFbwQbGGshx1H8Oznm05Nf4Yyhc6WMuGf2MFbp2/cZCUuA CYNPgc1e8WpI2HmaadRe9bPuqQ3E8LXOv1GfjTsznhQ3esLX9tRRvS/Fzm8TnV7TC34i 2m5w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date; bh=lMyIagdcnJqBVw9tXvOxK+3Q7JNSaPY10uJxZ9Ncb3w=; b=ZIda9YDXn3DZbRTV7Jbm6tTiYLsTVNPoG0r7pek+2NxhEhUdF3RMh3BMAzYntpqwcR EHL2Pdc2ycaumobm0+lHMRmE0ToFik89PnxoPWP5C4PnPaEhykAOSELU51ebVOkhz9B3 1Q6S7t5RCOpLWnxapzHQA9P+bjZKKFJmgTbRlzHY1MQNdnbjmbmNFNNyA/HvJ5wRETIN 1vtVYckiDogeMLerQPKIInxW62y4j1SWKe0jIY62JZD9XXHx/Fml38LUvG49n8lDcvpr LAIpahMQGqbIj5e5K/jNUDoV+BDLXcHe6WxMjP0qUyxAWYNAn17sTzjic06nxJJNpT9Z J4zw== X-Gm-Message-State: ACrzQf3HGOW9l6orXPPv2Qu+BQ+Yx0Io8mOfp/LtxuZ+j/MIRbgwy3l6 C3wgapMF7jllq/PpuJLyQ3Sh/z00lxLvvcXjTIc= X-Google-Smtp-Source: AMsMyM6cDo8ONti5HXkSuREN2QRNYiOQeTL6Mk8PlmkGVBIy0t83OKrTNhNa97nPjdKu+8AGTOIrftl3Z90nS5csEXU= X-Received: by 2002:a05:6870:c0c9:b0:127:c4df:5b50 with SMTP id e9-20020a056870c0c900b00127c4df5b50mr3258418oad.126.1664492625760; Thu, 29 Sep 2022 16:03:45 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Ruben Somsen Date: Fri, 30 Sep 2022 01:03:36 +0200 Message-ID: To: woltx , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="000000000000b096b105e9d8e313" X-Mailman-Approved-At: Thu, 29 Sep 2022 23:10:59 +0000 Subject: Re: [bitcoin-dev] Third version of Silent Payment implementation X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Sep 2022 23:03:49 -0000 --000000000000b096b105e9d8e313 Content-Type: text/plain; charset="UTF-8" Hi woltx, Excellent work. >Implements the new scheme suggested by Ruben Somsen that allows multiple silent addresses per wallet with minimal overhead To expand on this, the scheme basically allows the resulting address to be recognizably marked (only recognizable by the recipient of course), which enables you to distinguish between different payment purposes (e.g. some people donate to you for purpose A, others for purpose B). Here's my original comment describing it: "Naively, the issue is that two keys means twice the scanning, but an interesting alternative would be to simply use the same key (assuming you're OK with using the same identity) but add a public identifier f to it when tweaking. So instead of hash(i*X)*G + X you get hash(i*X)*G + X + f*G . This means every additional "address" only costs one additional ECC addition when scanning (relatively cheap compared to doing ECC multiplications). The main downside with this is that f becomes crucial for recovering from backup. If we set f as an index (0, 1, 2, 3...) then you'd only have to remember how many "addresses" you issued (and perhaps overshoot when unsure) to ensure recovery of funds, though of course you'd rather also remember which index is associated with what payment reason. Absolute worst case scenario you could even do something similar to the gap limit where you scan the full history (not just the UTXO set so you don't miss spent outputs) with a default max index of e.g. 100, and then if you find out most of them are in use, you scan the next 100, etc. Costly, but thorough, and only needed as a last resort." Original comment here: https://gist.github.com/RubenSomsen/c43b79517e7cb701ebf77eec6dbb46b8#xpub-sharing Also good to note that f needs to be communicated to the sender somehow, perhaps as part of the address format. Cheers, Ruben On Fri, Sep 30, 2022 at 12:35 AM woltx via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > > This new version addresses most (or all) requests made in PR: > > . Implements the new scheme suggested by Ruben Somsen that allows multiple > silent addresses per wallet with minimal overhead. > . Implements a new RPC to retrieve silent addresses, which allows users to > assign different labels to different addresses. That way, the user knows > which silent address the UTXO came from. > > Example: > > ./src/bitcoin-cli -signet -rpcwallet="receiver" getspaddress > tsp001pjgcwd9p6f2rcgf35dlgvj77h2afylg6lp5cdn0cztrk4k54w99kqxn48tq > > # This will return the same address as above (both have no label) > ./src/bitcoin-cli -signet -rpcwallet="receiver" getspaddress > tsp001pjgcwd9p6f2rcgf35dlgvj77h2afylg6lp5cdn0cztrk4k54w99kqxn48tq > > # New label, new address > ./src/bitcoin-cli -signet -rpcwallet="receiver" getspaddress 'donation' > tsp011pjgcwd9p6f2rcgf35dlgvj77h2afylg6lp5cdn0cztrk4k54w99kq80t7lt > > In this new scheme, the address has a new field called identifier, which > tells the receiver and sender how to set the address correctly. > > If the receiver, for whatever reason, doesn't know which identifiers have > been used, there is no problem. The wallet can scan all identifiers from 0 > to 99. Currently, only 100 different identifiers per wallet are allowed. > This limit, however, can be increased at any time in the future. > > Unlike address formats so far, sp addresses are not script-related and may > eventually include any additional information needed, such as an expiration > timestamp (or block height). That way, users don't have to track the > address indefinitely. > > As usual I wrote a step by step tutorial: > https://gist.github.com/w0xlt/c81277ae8677b6c0d3dd073893210875 > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --000000000000b096b105e9d8e313 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi=C2=A0woltx,

Excellent wor= k.

>Implements the new scheme suggested by Ruben Somsen that allows multi= ple silent addresses per wallet with minimal overhead
=
To expand on this, the sche= me basically allows the resulting address to be recognizably marked (only r= ecognizable by the recipient of course), which enables you to distinguish b= etween different payment purposes (e.g. some people donate to you for purpo= se=C2=A0A, others for purpose B). Here's my original comment describing= =C2=A0it:=

"Naively, the issue is that two keys means= twice the scanning, but an interesting alternative would be to simply use = the same key (assuming you're OK with using the same identity) but add = a public identifier f to it when tweaking. So instead of hash(i*X)*G + X yo= u get hash(i*X)*G + X + f*G . This means every additional "address&quo= t; only costs one additional ECC addition when scanning (relatively cheap c= ompared to doing ECC multiplications).

The main downside with this i= s that f becomes crucial for recovering from backup. If we set f as an inde= x (0, 1, 2, 3...) then you'd only have to remember how many "addre= sses" you issued (and perhaps overshoot when unsure) to ensure recover= y of funds, though of course you'd rather also remember which index is = associated with what payment reason.

Absolute worst case scenario yo= u could even do something similar to the gap limit where you scan the full = history (not just the UTXO set so you don't miss spent outputs) with a = default max index of e.g. 100, and then if you find out most of them are in= use, you scan the next 100, etc. Costly, but thorough, and only needed as = a last resort."

Original comment here:
ht= tps://gist.github.com/RubenSomsen/c43b79517e7cb701ebf77eec6dbb46b8#xpub-sha= ring

Also good to note that f needs to be communicated to the se= nder somehow, perhaps as part of the address format.

Cheers,
Rube= n

On Fri, Sep 30, 2022 at 12:35 AM woltx via bitcoin-dev <bitcoin-dev@lists.linuxfoundation= .org> wrote:

This new version addresses most (o= r all) requests made in PR:

. Implements th= e new scheme suggested by Ruben Somsen that allows multiple silent addresse= s per wallet with minimal overhead.
. Implements a n= ew RPC to retrieve silent addresses, which allows users to assign different= labels to different addresses. That way, the user knows which silent addre= ss the UTXO came from.

Example:

./src/bitcoin-cli -signet -rpcwallet=3D&qu= ot;receiver" getspaddress
tsp001pjgcwd9p6f2rcgf= 35dlgvj77h2afylg6lp5cdn0cztrk4k54w99kqxn48tq

# This will return the same address as above (both have no label)
./src/bitcoin-cli -signet -rpcwallet=3D"receiver= " getspaddress
tsp001pjgcwd9p6f2rcgf35dlgvj77h2= afylg6lp5cdn0cztrk4k54w99kqxn48tq

# N= ew label, new address
./src/bitcoin-cli -signet -rpc= wallet=3D"receiver" getspaddress 'donation'
<= div>tsp011pjgcwd9p6f2rcgf35dlgvj77h2afylg6lp5cdn0cztrk4k54w99kq80t7lt=

In this new scheme, the address has= a new field called identifier, which tells the receiver and sender how to = set the address correctly.

If the rec= eiver, for whatever reason, doesn't know which identifiers have been us= ed, there is no problem. The wallet can scan all identifiers from 0 to 99. = Currently, only 100 different identifiers per wallet are allowed. This limi= t, however, can be increased at any time in the future.
Unlike address formats so far, sp addresses are not scri= pt-related and may eventually include any additional information needed, su= ch as an expiration timestamp (or block height). That way, users don't = have to track the address indefinitely.

As usual I wrote a step by step tutorial:

_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--000000000000b096b105e9d8e313--