To: "Jeff Garzik" <jgarzik@bitpay.com>, "Adam Back" <adam@cypherspace.org>
Date: Wed, 15 Jan 2014 17:02:10 -0800
From: "Jeremy Spilman" <jeremy@taplink.co>
Organization: TapLink
Message-ID: <op.w9q85wkhyldrnw@laptop-air.hsd1.ca.comcast.net>
In-Reply-To: <20140115230901.GA25135@netbook.cypherspace.org>
Cc: "bitcoin-development@lists.sourceforge.net" <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] unlinakble static address? & spv-privacy (Re: Stealth Addresses)
On Wed, 15 Jan 2014 15:09:01 -0800, Adam Back <adam@cypherspace.org> wrote:
> I was meaning to comment on the SPV privacy properties.
>
> For full-node use these unlinkable static addresses have quite nice
> properties. It also nicely solves the problem of having to educate users
> and wallet authors to not reuse addresses. But for SPV nodes they have
> no direct way to find the payments. So then in Peter Todd's variant
> (maybe it was suggested by Greg Maxwell?) there is a second address so
> that the SPV client can delegate detection to a full node without giving
> it the private key allowing it to spend! (This is something analogous to
> bloom filtering).
The second pubKey is useful for delegating scanning, or even just being
able to scan for transactions yourself without keeping bitcoin-encumbered
private keys decrypted in memory. So even while running your own full node
there are good reasons to use a second pubKey to derive the shared secret.
> But I think it's moderately expensive for the full node because it has to
> do a DH calculation per transaction and it's not precomputable so there
> is IO per query. (In the P version in fact only payments which are thereby
> recognizable as unlinkable static need to be processed).
And of course, if you have multiple reusable addresses, then you're doing
this calculation separately to check each one.
So the load on a popular centralized service would be quite high, which
you may consider a feature.
>
> Then an artificial prefix is proposed to constrain the query to a subset,
> however that leaks to everyone so in some ways it's a worse privacy leak
> than bloom filtering. It can be used to rule out recipients and could be
> quite a powerful extra lever for statistical analysis.
Choosing how many bits to put in the prefix may be difficult, particularly
if transaction load changes dramatically over time. 0 or 1 bits may be
just fine for a single user running their own node, whereas a central
service might want 4 or 5 bits to keep their computation costs scalable.
But I think it's great people can choose how to trade privacy for
computation/bandwidth however they want, and services can compete to offer
monitoring for 0+ bit prefixes.
> (And also there is proposed a version of the prefix computed via
> brute-force to make it somewhat stealthy still).
I think in this case the hash grinding of the prefix would only be used
if that's how transactions are being indexed. I don't think it adds any
privacy, it's just added work we're forced to do in order for the prefix
to work as designed. Peter, please correct me if I'm wrong.
>
> Maybe in the payment address case the service should choose the
> derivation factor and communicate it and the client with the static
> address, as suggested by Alan Reiner because then it can also serve
> the function of allowing the service to tie the payment to the users
> account.
I think any change which requires more than a single published public
message (e.g. a posting in a forum, or in a README.me in Github) should be
seen as solving an entirely different problem.
If you have directed communication from payee->payer, I think there's
simply no reason to do it this way. (By "this way" I mean ECDH with
OP_RETURN P).
We could try to define a different reusable address type, for when you can
make a single directed message from payer->payee, and in that case there's
probably no need for ECDH or the prefix, like Alan's proposal.
But once you admit having that directed communication, then you are
swimming very close to the payment protocol.
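The two mechanisms the thread argues about, a second "scan" pubkey that lets a delegate detect payments without the spending key, and a k-bit prefix that lets the scanner skip the DH computation for most transactions, are easier to reason about with the arithmetic in front of you. The following is an added example written for this archive page; it is not code from the list, from Peter Todd's proposal or from any wallet project. It assumes a dual-key construction (ScanPub = a*G, SpendPub = b*G, ephemeral P = e*G carried in OP_RETURN, tweak c = SHA256(compress(e*ScanPub)) = SHA256(compress(a*P)), payment to SpendPub + c*G) and models the prefix as the top k bits of SHA256(compress(P)); both the tweak hash and that prefix definition are assumptions made for illustration, not the thread's exact encoding. The curve arithmetic is a minimal pure-Python secp256k1 so the block runs offline.

```python
"""Dual-key stealth-address walkthrough (added example; assumptions noted above)."""
import hashlib
import secrets

# secp256k1 domain parameters
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    k %= N_ORD
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def compress(point):
    """33-byte SEC compressed encoding."""
    return (b"\x02" if point[1] % 2 == 0 else b"\x03") + point[0].to_bytes(32, "big")


def tweak(scalar, point):
    """Assumed tweak: c = SHA256(compress(scalar*point)) mod n. Both sides of
    the DH get the same value because e*(a*G) == a*(e*G)."""
    shared = ec_mul(scalar, point)
    return int.from_bytes(hashlib.sha256(compress(shared)).digest(), "big") % N_ORD


def prefix_of(point, bits):
    """Assumed prefix definition: top `bits` bits of SHA256(compress(point))."""
    if bits == 0:
        return 0
    h = int.from_bytes(hashlib.sha256(compress(point)).digest(), "big")
    return h >> (256 - bits)


def make_payment(scan_pub, spend_pub, prefix, bits):
    """Payer side: grind ephemeral keys until P carries the advertised prefix
    (about 2**bits tries), then derive the one-time destination.
    Returns (P, destination, tries)."""
    tries = 0
    while True:
        tries += 1
        e = secrets.randbelow(N_ORD - 1) + 1
        ephemeral_pub = ec_mul(e, G)
        if prefix_of(ephemeral_pub, bits) == prefix:
            break
    c = tweak(e, scan_pub)
    return ephemeral_pub, ec_add(spend_pub, ec_mul(c, G)), tries


def scan_output(scan_priv, spend_pub, ephemeral_pub, destination, prefix, bits):
    """Scanner side (own full node or a delegate): needs only the scan private
    key a and the public SpendPub, never b. Returns (is_ours, c, did_dh); the
    prefix check is what lets it skip the DH work for 1 - 2**-bits of traffic."""
    if prefix_of(ephemeral_pub, bits) != prefix:
        return False, None, False
    c = tweak(scan_priv, ephemeral_pub)
    return ec_add(spend_pub, ec_mul(c, G)) == destination, c, True


def spend_priv_for(spend_priv, c):
    """Only the holder of b can form the key for SpendPub + c*G."""
    return (spend_priv + c) % N_ORD


def demo(bits=3):
    """End-to-end run with freshly drawn keys; returns the grinding count."""
    a = secrets.randbelow(N_ORD - 1) + 1   # scan key, may stay decrypted in memory
    b = secrets.randbelow(N_ORD - 1) + 1   # spend key, can stay cold
    scan_pub, spend_pub = ec_mul(a, G), ec_mul(b, G)
    prefix = secrets.randbelow(1 << bits) if bits else 0
    ephemeral_pub, dest, tries = make_payment(scan_pub, spend_pub, prefix, bits)
    ours, c, _ = scan_output(a, spend_pub, ephemeral_pub, dest, prefix, bits)
    assert ours and ec_mul(spend_priv_for(b, c), G) == dest
    return tries


if __name__ == "__main__":
    print("ephemeral keys ground before prefix matched:", demo(bits=3))
```

The separation of `scan_output` from `spend_priv_for` is the point Jeremy makes about keeping "bitcoin-encumbered" keys out of memory: a delegate given `a` and SpendPub can say which outputs are yours but cannot compute `b + c`. The `bits` argument is the knob the thread describes: at 0 bits every transaction costs a DH; at k bits the scanner only does DH on roughly 2^-k of them, but the same prefix is visible to everyone, so an observer can rule out any recipient whose advertised prefix differs. The grinding loop in `make_payment` is the added work Jeremy attributes to the prefix scheme; it buys indexability, not privacy.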