path: root/21/7036351af7e0afa2973f9f5675ef1544480a75

Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191]
	helo=mx.sourceforge.net)
	by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <mh.in.england@gmail.com>) id 1V7spj-0001JG-Ey
	for bitcoin-development@lists.sourceforge.net;
	Fri, 09 Aug 2013 19:58:47 +0000
Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of gmail.com
	designates 209.85.214.169 as permitted sender)
	client-ip=209.85.214.169; envelope-from=mh.in.england@gmail.com;
	helo=mail-ob0-f169.google.com; 
Received: from mail-ob0-f169.google.com ([209.85.214.169])
	by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
	(Exim 4.76) id 1V7sph-0001cg-5F
	for bitcoin-development@lists.sourceforge.net;
	Fri, 09 Aug 2013 19:58:47 +0000
Received: by mail-ob0-f169.google.com with SMTP id wc20so6959912obb.28
	for <bitcoin-development@lists.sourceforge.net>;
	Fri, 09 Aug 2013 12:58:39 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.182.242.11 with SMTP id wm11mr1759863obc.26.1376078319685;
	Fri, 09 Aug 2013 12:58:39 -0700 (PDT)
Sender: mh.in.england@gmail.com
Received: by 10.76.84.231 with HTTP; Fri, 9 Aug 2013 12:58:39 -0700 (PDT)
In-Reply-To: <52052D8F.90706@gmail.com>
References: <5AC3FA1D9B1F4FA0A2FE9A67333642B5@LAPTOPAIR>
	<51C21035.9080407@gmail.com>
	<53E406CF0D93498DAECAAE061555B7C9@LAPTOPAIR>
	<51C234FA.5030909@gmail.com>
	<9600E3D1DDC24D1391C1E4433F71684D@LAPTOPAIR>
	<CANEZrP3ZcQEPOPrO_O2-tdLZUSezj1nbhtVFt1e77KEwzhfZ-A@mail.gmail.com>
	<51CB08EE.1050403@gmail.com> <52052D8F.90706@gmail.com>
Date: Fri, 9 Aug 2013 21:58:39 +0200
X-Google-Sender-Auth: 5PXTD3ypLcDyAMCW7tAcN-2XeHY
Message-ID: <CANEZrP1r3XCLpfjZdO5AymdrYi2CndxHH9HcB+NDas1TpOfUhQ@mail.gmail.com>
From: Mike Hearn <mike@plan99.net>
To: Alan Reiner <etotheipi@gmail.com>
Content-Type: multipart/alternative; boundary=e89a8ff24ead6d986804e3893317
X-Spam-Score: -0.5 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
	(mh.in.england[at]gmail.com)
	-0.0 SPF_PASS               SPF: sender matches SPF record
	1.0 HTML_MESSAGE           BODY: HTML included in message
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1V7sph-0001cg-5F
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Optional "wallet-linkable" address format
	(Re-request)
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Fri, 09 Aug 2013 19:58:47 -0000

--e89a8ff24ead6d986804e3893317
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Payment protocol is locked down for v1 already. But did you read it? It
doesn't use addresses anywhere. Payments are specified in terms of a list
of outputs which can contain any script. Of course it could be a
pay-to-address script, but pay-to-address uses more bytes in the chain and
there isn't any typeability benefit.

The multiplication trick for deterministic keys is a nice one and worth
doing, but it has to be a v2 feature by this point. It's more important to
get v1 widely implemented and deployed first.


On Fri, Aug 9, 2013 at 7:57 PM, Alan Reiner <etotheipi@gmail.com> wrote:

>  Guys,
>
> I'd like to reiterate my previous request to support this alternate
> address serialization in the payment protocol.  We got caught up in the
> specifics of one use case, but didn't acknowledge that it's still a valid
> address representation that will provide value to those who wish to use i=
t
> and can be safely ignored by others.
>
> Current address format:   binary_to_base58( idbyte + hash160(pubkey) +
> checksum)
> Alternate format:         binary_to_base58( idbyte + parentpubkey +
> multiplier + checksum)
>
> The receiving party will multiply the pubkey by the multiplier, and then
> hash it to get the 20-byte address to send to.  The idea is that you use
> your BIP 32 parent public key, and then you generate whatever child you
> want, and only send them the multiplier used (not the chaincode).  This
> preserves privacy, but if the recipient has your parent public key alread=
y,
> they can identify that address being linked to you, but cannot determine
> any other addresses in your wallet.
>
> This form has no drawbacks to the existing address format except for bein=
g
> longer and requiring an extra EC multiplication by the person sending to
> that address.  But the advantage is that it optionally allows the sender =
to
> provide more information than currently contained in the 25-byte hash160
> form.  The discussion about this got side-tracked with the use case I
> presented, but I believe there are plenty of other uses for this.
>
> The particular use case I had in mind was that certain services could be
> setup (pre-arranged), say between wallet software and a business/exchange=
.
> The exchange would like to be able to reliably send addresses to the user
> for deposit, without risk of MITM, or even if their own public server is
> compromised.  The author of wallet software pre-verifies the public key
> portion of the service, and either hardcodes it into the software, or
> hardcodes their own public key into the software and makes the service's
> signed public key available through query server (allowing the software
> author to offline-sign replacement keys, or add keys for new service
> providers, as needed).
>
> When the user's software receives a payment address, the software can
> verify it belongs to that service.  You can't use dedicated chain
> technique, because it would either have to be exchanged with the user on
> first transaction which half defeats the purpose, or they give them the
> full public key and chaincode which allows the user to see *all *addresse=
s
> ever used by the service.  Neither one is a reasonable solution.
>
> This use case doesn't necessarily scale, but it doesn't have to.  It
> simply allows service providers to skip the SSL and go right to public ke=
y
> exchange/verification for a few of the important services they provide
> access to, and will provide better security than relying on SSL/PKI.  Thi=
s
> would simply be one, coexisting option for providing payment details in t=
he
> absence (or in addition to) SSL/PKI infrastructure.
>
> I'm sure there's other use cases, but it seems simple enough and
> non-disruptive enough that it could be supported easily for no other reas=
on
> than to support that use case (which I intend to implement in Armory to
> help verify high-volume services).
>
> -Alan
>
>
>
>
>
> On 06/26/2013 11:29 AM, Alan Reiner wrote:
>
> Although I'd still prefer my original request, I get much of what I want
> from your guys' recommendation.  It complicates the wallet design, becaus=
e
> it requires tracking and associating a matrix of addresses for each walle=
t,
> instead of a single linear list.  But if this is what it's going to take
> then I will go along.
>
> Right now BIP 32 defines, m/i'/j/k, where j=3D0 is the "external" chain u=
sed
> for distributing addresses, and j=3D1 is the "internal" chain for sending
> change.  The CONOPs (concept of operations) for the extended wallet would
> be like Jeremy described:
>
> - Chains with j>=3D2 would be independent address chains carved out for
> individuals relationships
> - Add wallet code to individually associate each j-value with a particula=
r
> identity
> - Update the wallet code to pool all the addresses in all j-chains when
> calculating the balance of the wallet and/or creating transactions
> - When choosing to generically "Receive Bitcoins", will pick the next
> address from the j=3D0 chain
> - Will have to add extra function to "Receive Bitcoins" button to allow
> creation of new contacts/identities.
> - Change will always go to the next address in j=3D1, no matter which cha=
ins
> are used to provide inputs.
> - Add code to figure out lookaheads for each alternate chain.  Not just
> each chain, but looking ahead a couple chains, too.  Luckily, the lookahe=
ad
> doesn't have to be very big for chains j>=3D1
> - Add an interface to display and choose the different chains in your
> wallet, and export the pubkey&chaincode in some soon-to-be-standardized
> format.
> - Add code and interface to receive and track alternate j-chains from
> other clients/users, and maintain those.  Should we try associating
> incoming and outgoing chains?  What happens if they do it wrong?  Meh...
>
> Just as one final swipe at this idea, you can see that I gotta do quite a
> bit of work to support the multi-chain idea, and adds a little extra burd=
en
> on the user to maintain the organization of the wallet.  This would all b=
e
> totally unnecessary with a simple alternate encoding.  Granted, I think t=
he
> multi-chain idea is good, and one that I will probably implement anyway,
> but it seems like overkill in terms of developer complexity, and interfac=
e
> complexity to achieve something much simpler.  Developers of much
> simpler/lightweight clients would probably find this prohibitive.
>
> On another note:  I thought we weren't encouraging automatic payments
> without requesting from the other party...?  It makes me uneasy, but it
> sounds like group thought has converged on that being acceptable.  I brin=
g
> it up, because there are situations where it makes sense, but it sounds
> unsafe for general users.   Alice will give Bob his own chain for sending
> Alice money, then a year later Bob will send money automatically to Alice
> not realizing that the wallet was lost, retired or compromised.  It's not
> that Bob can't ask for a new address, it's that if the interface says "Se=
nd
> Money to Alice", that looks legit enough that Bob may not feel it necessa=
ry
> to check with Alice first.   That's more of an interface issue though.  W=
e
> can add a warning to "check with the recipient that they still have acces=
s
> to wallet 3cQ398x", etc.   But I just know someone is going to lose money
> anyway...
>
> -Alan
>
>
>
>
>
> On 06/20/2013 03:32 AM, Mike Hearn wrote:
>
> Agree with Jeremy and once the payment protocol work is further along I'd
> like to see us define an extension that lets you send payment requests
> containing public keys+chain codes, so further payments can be made
> push-style with no recipient interaction (e.g. for repeated billing). How
> apps choose to arrange their chains internally seems like an area for
> experimentation. I definitely want to implement HD wallets in bitcoinj to
> allow this and if that means not using the same tree structure as in the
> BIP then so be it.
>
>
> On Thu, Jun 20, 2013 at 5:54 AM, Jeremy Spilman <jeremy@taplink.co> wrote=
:
>
>> > BIP 32 already specifies how to use the first three tree levels:
>>  M/i/j/k,
>> > i~wallet, j~Internal/External, k~address.  The first level is actually
>> > type-1 derived, and thus we cannot create an arbitrary number of them
>> > without pre-computing them from the offline wallet.  So it's not "free=
"
>> to
>> > create new wallets unless we redefine how the levels work.
>>
>>  Initially I was thinking that you would share the public key and chain
>> code
>> from [m/i'/0] so that you can receive payments at [m/i'/0/k], for a uniq=
ue
>> value of 'i' for each receive chain.
>>
>> For the case of generating new receive chains from a *watch-only* wallet=
,
>> as
>> you say, the options are to either keep a cache of PubKey/ChainCode for
>> unused [m/i'] or simply increment 'j' past 1 for an existing [m/i'/j] --
>> the
>> concept of 'internal/'external' and change addresses at Depth=3D2 don't =
make
>> sense for handing out receive chains to lots of people anyway, and
>> certainly
>> BIP32 doesn't *require* 0 <=3D j <=3D 1.  So I think incrementing 'j' is=
 the
>> way
>> to go here...
>>
>> The "default" layout of BIP32 does NOT mean that implementations should
>> not
>> check for transactions with j > 1. That would be a useless constraint an=
d
>> obviously self-limiting. It might be helpful to add to the 'Compatibilit=
y'
>> section some minimum expectations about how a wallet should be 'probed'
>> when
>> imported. If you don't feel completely free to monotonically increment '=
j'
>> to your hearts content to achieve major usability benefits, then I say
>> BIP32
>> could use some clarifying.
>>
>> BTW - the spec calls for addition not multiplication now, so we should
>> call
>> it the 'Addend' not the 'Multiplier' :-)
>>
>> > Do these extra wallet chains behave as different wallets, or
>> sub-wallets?
>>
>>  They could, but they certainly don't need to!  A single-wallet
>> implementation treats this merely as an address-generation algorithm, an=
d
>> does not expose any hierarchy to the user interface.  The user just
>> =E2=80=9Cmagically=E2=80=9D gets the ability to send multiple payments t=
o their contacts
>> without immediately sacrificing their privacy
>> (http://www.wired.com/wiredenterprise/2013/06/bitcoin_retai/). Everythin=
g
>> goes into the same ledger, balance, coin pool, etc. Most of the code bas=
e
>> is
>> unaware BIP32 is even in use.
>>
>> While it is *possible* to support separate ledgers, balances, etc. it is
>> certainly not required, and you get all the benefits either way.
>>
>> I think, since your proposal generates and receives payments into
>> BIP32-style addresses, we both need similar underlying wallet code. The
>> only
>> difference is that you are passing the Kpar for [m/i'/0/k] and the
>> *result*
>> of CKD'((Kpar, cpar), k), and instead I proposed passing Kpar and cpar,
>> and
>> leaving 'k' out of it, letting the receive choose 'k'.
>>
>> > For instance, maybe there's a benefit to using the same parent pubkey
>>  > across multiple services, as a form of identity.   If I don't want
>> that, I
>> > use your method.  If I do want that, I use my method.
>>
>>  I think it's a interesting idea using static public keys as a means for
>> persistent identity and hence security from MitM. If you want a shared
>> public key across multiple services we could just combine both ideas and
>> get
>> all the benefits, by making the data structure { ParentPubKey, Addend,
>> ChainCode }:
>>
>>    ParentPubKey: Public key of m/i' -- 33 bytes
>>    Addend: I[L]*G from CDK'(m/i', j) -- 33 bytes
>>    ChainCode: I[R] from CDK'(m/i', j) -- 32 bytes
>>
>> All that remains secret is the ChainCode from [m/i'] -- and of course th=
e
>> private keys.  The ParentPubKey is a common value across multiple
>> services,
>> corresponding to user's identity rooted in [m/i'].  Each service gets
>> their
>> own 'j'.  ParentPubKey + Addend gives you the PubKey of [m/i'/j].  With
>> the
>> ChainCode, the receiver then can generate [m/i'/j/k] for monotonically
>> increasing 'k'. Again, from the user perspective all transactions under
>> [m/i'] can be presented in a single ledger, or not.
>>
>> Anyway, fundamentally my feedback is if you are designing for persistent
>> long-term relationships, you could build in a mechanism for generating
>> address chains so you don't need any further communication after the
>> initial
>> exchange, and it need not complicate the wallet.
>>
>> Thanks,
>> --Jeremy
>>
>>
>>
>>
>> ------------------------------------------------------------------------=
------
>> This SF.net email is sponsored by Windows:
>>
>> Build for Windows Store.
>>
>> http://p.sf.net/sfu/windows-dev2dev
>> _______________________________________________
>> Bitcoin-development mailing list
>> Bitcoin-development@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>>
>
>
>
> -------------------------------------------------------------------------=
-----
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
> http://p.sf.net/sfu/windows-dev2dev
>
>
>
> _______________________________________________
> Bitcoin-development mailing listBitcoin-development@lists.sourceforge.net=
https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>
>
>
>
> -------------------------------------------------------------------------=
-----
> Get 100% visibility into Java/.NET code with AppDynamics Lite!
> It's a free troubleshooting tool designed for production.
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
> http://pubads.g.doubleclick.net/gampad/clk?id=3D48897031&iu=3D/4140/ostg.=
clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>

--e89a8ff24ead6d986804e3893317
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Payment protocol is locked down for v1 already. But did yo=
u read it? It doesn&#39;t use addresses anywhere. Payments are specified in=
 terms of a list of outputs which can contain any script. Of course it coul=
d be a pay-to-address script, but pay-to-address uses more bytes in the cha=
in and there isn&#39;t any typeability benefit.<div>
<br></div><div>The multiplication trick for deterministic keys is a nice on=
e and worth doing, but it has to be a v2 feature by this point. It&#39;s mo=
re important to get v1 widely implemented and deployed first.</div></div>
<div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Fri, Aug 9=
, 2013 at 7:57 PM, Alan Reiner <span dir=3D"ltr">&lt;<a href=3D"mailto:etot=
heipi@gmail.com" target=3D"_blank">etotheipi@gmail.com</a>&gt;</span> wrote=
:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-le=
ft:1px #ccc solid;padding-left:1ex">

 =20
   =20
 =20
  <div text=3D"#000000" bgcolor=3D"#FFFFFF">
    Guys, <br>
    <br>
    I&#39;d like to reiterate my previous request to support this alternate
    address serialization in the payment protocol.=C2=A0 We got caught up i=
n
    the specifics of one use case, but didn&#39;t acknowledge that it&#39;s
    still a valid address representation that will provide value to
    those who wish to use it and can be safely ignored by others.<br>
    <br>
    <tt>Current address format:=C2=A0=C2=A0 binary_to_base58( idbyte +
      hash160(pubkey) + checksum)</tt><tt><br>
    </tt><tt>Alternate format:=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0 binary_to_base58( idbyte +
      parentpubkey + multiplier + checksum)</tt><br>
    <br>
    The receiving party will multiply the pubkey by the multiplier, and
    then hash it to get the 20-byte address to send to.=C2=A0 The idea is
    that you use your BIP 32 parent public key, and then you generate
    whatever child you want, and only send them the multiplier used (not
    the chaincode).=C2=A0 This preserves privacy, but if the recipient has
    your parent public key already, they can identify that address being
    linked to you, but cannot determine any other addresses in your
    wallet.<br>
    <br>
    This form has no drawbacks to the existing address format except for
    being longer and requiring an extra EC multiplication by the person
    sending to that address.=C2=A0 But the advantage is that it optionally
    allows the sender to provide more information than currently
    contained in the 25-byte hash160 form.=C2=A0 The discussion about this
    got side-tracked with the use case I presented, but I believe there
    are plenty of other uses for this.<br>
    <br>
    The particular use case I had in mind was that certain services
    could be setup (pre-arranged), say between wallet software and a
    business/exchange.=C2=A0 The exchange would like to be able to reliably
    send addresses to the user for deposit, without risk of MITM, or
    even if their own public server is compromised.=C2=A0 The author of
    wallet software pre-verifies the public key portion of the service,
    and either hardcodes it into the software, or hardcodes their own
    public key into the software and makes the service&#39;s signed public
    key available through query server (allowing the software author to
    offline-sign replacement keys, or add keys for new service
    providers, as needed).=C2=A0 <br>
    <br>
    When the user&#39;s software receives a payment address, the software
    can verify it belongs to that service.=C2=A0 You can&#39;t use dedicate=
d
    chain technique, because it would either have to be exchanged with
    the user on first transaction which half defeats the purpose, or
    they give them the full public key and chaincode which allows the
    user to see <i>all </i>addresses ever used by the service.=C2=A0
    Neither one is a reasonable solution.<br>
    <br>
    This use case doesn&#39;t necessarily scale, but it doesn&#39;t have to=
.=C2=A0 It
    simply allows service providers to skip the SSL and go right to
    public key exchange/verification for a few of the important services
    they provide access to, and will provide better security than
    relying on SSL/PKI.=C2=A0 This would simply be one, coexisting option f=
or
    providing payment details in the absence (or in addition to) SSL/PKI
    infrastructure.<br>
    <br>
    I&#39;m sure there&#39;s other use cases, but it seems simple enough an=
d
    non-disruptive enough that it could be supported easily for no other
    reason than to support that use case (which I intend to implement in
    Armory to help verify high-volume services).<br>
    <br>
    -Alan<br>
    <br>
    <br>
    <br>
    <br>
    <br>
    <div>On 06/26/2013 11:29 AM, Alan Reiner
      wrote:<br>
    </div>
    <blockquote type=3D"cite">
     =20
      Although I&#39;d still prefer my original request, I get much of what
      I want from your guys&#39; recommendation.=C2=A0 It complicates the w=
allet
      design, because it requires tracking and associating a matrix of
      addresses for each wallet, instead of a single linear list.=C2=A0 But
      if this is what it&#39;s going to take then I will go along.=C2=A0 <b=
r>
      <br>
      Right now BIP 32 defines, m/i&#39;/j/k, where j=3D0 is the &quot;exte=
rnal&quot;
      chain used for distributing addresses, and j=3D1 is the &quot;interna=
l&quot;
      chain for sending change.=C2=A0 The CONOPs (concept of operations) fo=
r
      the extended wallet would be like Jeremy described:<br>
      <br>
      - Chains with j&gt;=3D2 would be independent address chains carved
      out for individuals relationships<br>
      - Add wallet code to individually associate each j-value with a
      particular identity<br>
      - Update the wallet code to pool all the addresses in all j-chains
      when calculating the balance of the wallet and/or creating
      transactions<br>
      - When choosing to generically &quot;Receive Bitcoins&quot;, will pic=
k the
      next address from the j=3D0 chain<br>
      - Will have to add extra function to &quot;Receive Bitcoins&quot; but=
ton to
      allow creation of new contacts/identities.<br>
      - Change will always go to the next address in j=3D1, no matter
      which chains are used to provide inputs.<br>
      - Add code to figure out lookaheads for each alternate chain.=C2=A0 N=
ot
      just each chain, but looking ahead a couple chains, too.=C2=A0 Luckil=
y,
      the lookahead doesn&#39;t have to be very big for chains j&gt;=3D1=C2=
=A0 <br>
      - Add an interface to display and choose the different chains in
      your wallet, and export the pubkey&amp;chaincode in some
      soon-to-be-standardized format.=C2=A0 <br>
      - Add code and interface to receive and track alternate j-chains
      from other clients/users, and maintain those.=C2=A0 Should we try
      associating incoming and outgoing chains?=C2=A0 What happens if they =
do
      it wrong?=C2=A0 Meh...<br>
      <br>
      Just as one final swipe at this idea, you can see that I gotta do
      quite a bit of work to support the multi-chain idea, and adds a
      little extra burden on the user to maintain the organization of
      the wallet.=C2=A0 This would all be totally unnecessary with a simple
      alternate encoding.=C2=A0 Granted, I think the multi-chain idea is
      good, and one that I will probably implement anyway, but it seems
      like overkill in terms of developer complexity, and interface
      complexity to achieve something much simpler.=C2=A0 Developers of muc=
h
      simpler/lightweight clients would probably find this prohibitive.<br>
      <br>
      On another note:=C2=A0 I thought we weren&#39;t encouraging automatic
      payments without requesting from the other party...?=C2=A0 It makes m=
e
      uneasy, but it sounds like group thought has converged on that
      being acceptable.=C2=A0 I bring it up, because there are situations
      where it makes sense, but it sounds unsafe for general users. =C2=A0
      Alice will give Bob his own chain for sending Alice money, then a
      year later Bob will send money automatically to Alice not
      realizing that the wallet was lost, retired or compromised.=C2=A0 It&=
#39;s
      not that Bob can&#39;t ask for a new address, it&#39;s that if the
      interface says &quot;Send Money to Alice&quot;, that looks legit enou=
gh that
      Bob may not feel it necessary to check with Alice first.=C2=A0=C2=A0 =
That&#39;s
      more of an interface issue though.=C2=A0 We can add a warning to &quo=
t;check
      with the recipient that they still have access to wallet 3cQ398x&quot=
;,
      etc.=C2=A0=C2=A0 But I just know someone is going to lose money anywa=
y...<br>
      <br>
      -Alan<br>
      <br>
      <br>
      <br>
      <br>
      <br>
      <div>On 06/20/2013 03:32 AM, Mike Hearn
        wrote:<br>
      </div>
      <blockquote type=3D"cite">
        <div dir=3D"ltr">Agree with Jeremy and once the payment protocol
          work is further along I&#39;d like to see us define an extension
          that lets you send payment requests containing public
          keys+chain codes, so further payments can be made push-style
          with no recipient interaction (e.g. for repeated billing). How
          apps choose to arrange their chains internally seems like an
          area for experimentation. I definitely want to implement HD
          wallets in bitcoinj to allow this and if that means not using
          the same tree structure as in the BIP then so be it.</div>
        <div class=3D"gmail_extra"><br>
          <br>
          <div class=3D"gmail_quote">On Thu, Jun 20, 2013 at 5:54 AM,
            Jeremy Spilman <span dir=3D"ltr">&lt;<a href=3D"mailto:jeremy@t=
aplink.co" target=3D"_blank">jeremy@taplink.co</a>&gt;</span> wrote:<br>
            <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;bo=
rder-left:1px #ccc solid;padding-left:1ex">
              <div>&gt; BIP 32 already specifies how to use
                the first three tree levels: =C2=A0M/i/j/k,<br>
                &gt; i~wallet, j~Internal/External, k~address. =C2=A0The
                first level is actually<br>
                &gt; type-1 derived, and thus we cannot create an
                arbitrary number of them<br>
                &gt; without pre-computing them from the offline wallet.
                =C2=A0So it&#39;s not &quot;free&quot; to<br>
                &gt; create new wallets unless we redefine how the
                levels work.<br>
                <br>
              </div>
              Initially I was thinking that you would share the public
              key and chain code<br>
              from [m/i&#39;/0] so that you can receive payments at
              [m/i&#39;/0/k], for a unique<br>
              value of &#39;i&#39; for each receive chain.<br>
              <br>
              For the case of generating new receive chains from a
              *watch-only* wallet, as<br>
              you say, the options are to either keep a cache of
              PubKey/ChainCode for<br>
              unused [m/i&#39;] or simply increment &#39;j&#39; past 1 for =
an
              existing [m/i&#39;/j] -- the<br>
              concept of &#39;internal/&#39;external&#39; and change addres=
ses at
              Depth=3D2 don&#39;t make<br>
              sense for handing out receive chains to lots of people
              anyway, and certainly<br>
              BIP32 doesn&#39;t *require* 0 &lt;=3D j &lt;=3D 1. =C2=A0So I=
 think
              incrementing &#39;j&#39; is the way<br>
              to go here...<br>
              <br>
              The &quot;default&quot; layout of BIP32 does NOT mean that
              implementations should not<br>
              check for transactions with j &gt; 1. That would be a
              useless constraint and<br>
              obviously self-limiting. It might be helpful to add to the
              &#39;Compatibility&#39;<br>
              section some minimum expectations about how a wallet
              should be &#39;probed&#39; when<br>
              imported. If you don&#39;t feel completely free to
              monotonically increment &#39;j&#39;<br>
              to your hearts content to achieve major usability
              benefits, then I say BIP32<br>
              could use some clarifying.<br>
              <br>
              BTW - the spec calls for addition not multiplication now,
              so we should call<br>
              it the &#39;Addend&#39; not the &#39;Multiplier&#39; :-)<br>
              <div><br>
                &gt; Do these extra wallet chains behave as different
                wallets, or sub-wallets?<br>
                <br>
              </div>
              They could, but they certainly don&#39;t need to! =C2=A0A
              single-wallet<br>
              implementation treats this merely as an address-generation
              algorithm, and<br>
              does not expose any hierarchy to the user interface. =C2=A0Th=
e
              user just<br>
              =E2=80=9Cmagically=E2=80=9D gets the ability to send multiple=
 payments to
              their contacts<br>
              without immediately sacrificing their privacy<br>
              (<a href=3D"http://www.wired.com/wiredenterprise/2013/06/bitc=
oin_retai/" target=3D"_blank">http://www.wired.com/wiredenterprise/2013/06/=
bitcoin_retai/</a>).

              Everything<br>
              goes into the same ledger, balance, coin pool, etc. Most
              of the code base is<br>
              unaware BIP32 is even in use.<br>
              <br>
              While it is *possible* to support separate ledgers,
              balances, etc. it is<br>
              certainly not required, and you get all the benefits
              either way.<br>
              <br>
              I think, since your proposal generates and receives
              payments into<br>
              BIP32-style addresses, we both need similar underlying
              wallet code. The only<br>
              difference is that you are passing the Kpar for [m/i&#39;/0/k=
]
              and the *result*<br>
              of CKD&#39;((Kpar, cpar), k), and instead I proposed passing
              Kpar and cpar, and<br>
              leaving &#39;k&#39; out of it, letting the receive choose &#3=
9;k&#39;.<br>
              <div><br>
                &gt; For instance, maybe there&#39;s a benefit to using the
                same parent pubkey<br>
              </div>
              &gt; across multiple services, as a form of identity. =C2=A0 =
If
              I don&#39;t want that, I<br>
              <div>&gt; use your method. =C2=A0If I do want that,
                I use my method.<br>
                <br>
              </div>
              I think it&#39;s a interesting idea using static public keys
              as a means for<br>
              persistent identity and hence security from MitM. If you
              want a shared<br>
              public key across multiple services we could just combine
              both ideas and get<br>
              all the benefits, by making the data structure {
              ParentPubKey, Addend,<br>
              ChainCode }:<br>
              <br>
              =C2=A0 =C2=A0ParentPubKey: Public key of m/i&#39; -- 33 bytes=
<br>
              =C2=A0 =C2=A0Addend: I[L]*G from CDK&#39;(m/i&#39;, j) -- 33 =
bytes<br>
              =C2=A0 =C2=A0ChainCode: I[R] from CDK&#39;(m/i&#39;, j) -- 32=
 bytes<br>
              <br>
              All that remains secret is the ChainCode from [m/i&#39;] --
              and of course the<br>
              private keys. =C2=A0The ParentPubKey is a common value across
              multiple services,<br>
              corresponding to user&#39;s identity rooted in [m/i&#39;]. =
=C2=A0Each
              service gets their<br>
              own &#39;j&#39;. =C2=A0ParentPubKey + Addend gives you the Pu=
bKey of
              [m/i&#39;/j]. =C2=A0With the<br>
              ChainCode, the receiver then can generate [m/i&#39;/j/k] for
              monotonically<br>
              increasing &#39;k&#39;. Again, from the user perspective all
              transactions under<br>
              [m/i&#39;] can be presented in a single ledger, or not.<br>
              <br>
              Anyway, fundamentally my feedback is if you are designing
              for persistent<br>
              long-term relationships, you could build in a mechanism
              for generating<br>
              address chains so you don&#39;t need any further communicatio=
n
              after the initial<br>
              exchange, and it need not complicate the wallet.<br>
              <div>
                <div><br>
                  Thanks,<br>
                  --Jeremy<br>
                  <br>
                  <br>
                  <br>
---------------------------------------------------------------------------=
---<br>
                  This SF.net email is sponsored by Windows:<br>
                  <br>
                  Build for Windows Store.<br>
                  <br>
                  <a href=3D"http://p.sf.net/sfu/windows-dev2dev" target=3D=
"_blank">http://p.sf.net/sfu/windows-dev2dev</a><br>
                  _______________________________________________<br>
                  Bitcoin-development mailing list<br>
                  <a href=3D"mailto:Bitcoin-development@lists.sourceforge.n=
et" target=3D"_blank">Bitcoin-development@lists.sourceforge.net</a><br>
                  <a href=3D"https://lists.sourceforge.net/lists/listinfo/b=
itcoin-development" target=3D"_blank">https://lists.sourceforge.net/lists/l=
istinfo/bitcoin-development</a><br>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
        <br>
        <fieldset></fieldset>
        <br>
        <pre>--------------------------------------------------------------=
----------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

<a href=3D"http://p.sf.net/sfu/windows-dev2dev" target=3D"_blank">http://p.=
sf.net/sfu/windows-dev2dev</a></pre>
        <br>
        <fieldset></fieldset>
        <br>
        <pre>_______________________________________________
Bitcoin-development mailing list
<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net" target=3D"_bla=
nk">Bitcoin-development@lists.sourceforge.net</a>
<a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development=
" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de=
velopment</a>
</pre>
      </blockquote>
      <br>
    </blockquote>
    <br>
  </div>

<br>-----------------------------------------------------------------------=
-------<br>
Get 100% visibility into Java/.NET code with AppDynamics Lite!<br>
It&#39;s a free troubleshooting tool designed for production.<br>
Get down to code-level detail for bottlenecks, with &lt;2% overhead.<br>
Download for free and get started troubleshooting in minutes.<br>
<a href=3D"http://pubads.g.doubleclick.net/gampad/clk?id=3D48897031&amp;iu=
=3D/4140/ostg.clktrk" target=3D"_blank">http://pubads.g.doubleclick.net/gam=
pad/clk?id=3D48897031&amp;iu=3D/4140/ostg.clktrk</a><br>___________________=
____________________________<br>

Bitcoin-development mailing list<br>
<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo=
pment@lists.sourceforge.net</a><br>
<a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development=
" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de=
velopment</a><br>
<br></blockquote></div><br></div>

--e89a8ff24ead6d986804e3893317--