Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id F4052DA8 for ; Wed, 10 Feb 2016 16:39:27 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-yk0-f175.google.com (mail-yk0-f175.google.com [209.85.160.175]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 74878194 for ; Wed, 10 Feb 2016 16:39:27 +0000 (UTC) Received: by mail-yk0-f175.google.com with SMTP id z13so9891599ykd.0 for ; Wed, 10 Feb 2016 08:39:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-type:content-transfer-encoding; bh=Q64jQ3KJa3K5zhUyxQMGZO503slatuRc0Z/XBAlCIN0=; b=TY1fN6HuGZyFzymGiJtJUlzUoGbPNNLGkSNYAxkhKNxSRAigN90PqmVWBcRAYsTPMo yh7cviCuMcA0Enr7xUdmBxrFmWYwG51mUgj/pfd2Mcmu6OsGcNaOd2yJdEabRHfAKQXZ tXPAMI5xi0MehZIYlE6/LNuec75JN8J/gemioQNyx2kwIpraZ447xahwJDmNSy5n9ugm V0DHNVtRfkRX8tYs8rziHnwEvG48JrD1ArHcE0m2MheGCL9SwiXdQnRi9OGELo/00tB+ LGnRkvcBy7t+7uQewSNxZPA8COCMTexgmKFpub0eU6o3Mn4c7dwczmbWCaHbbWtMKK+4 jXQw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-type :content-transfer-encoding; bh=Q64jQ3KJa3K5zhUyxQMGZO503slatuRc0Z/XBAlCIN0=; b=hzGJf6oPQxaDp/KU7WfDlWL2mzZUqnHiqxgQB37yaenInG88kHCaIVbva8XwQZXE4t XUmBuEOeObCJ95bRvW7dX+ChJt2Gtxn5K/KDEF2/nVZKdqYV290QWX6v1RHx4LdyHWO4 ar55WpfKqmCufjq3UBHZMxbeLdxmqWFp7qvE/3aX88AM5ic8lG+eqdKP+aC+lYKjZAR/ eMUmjlba0CfxCuK6DF3tL/x2HBXxRWvURLHrhJ/8E2KMw6IKbdC0mpv73wX4I2m1oh5w JesqzkbSTYxaBHMJdXwhRvcckBzLugvfXmDjRls0chhASu9VeCqIq3BjqmtgkS0Gkt+e 7PpQ== X-Gm-Message-State: AG10YOQtOB9MuGU3rTL55cCr+Nb2ZnmNniZuOgL8RS3N7U/+ym9TB+yeGooEZ26yiB4joA== X-Received: by 10.37.50.15 with SMTP id y15mr21972955yby.7.1455122366706; Wed, 10 Feb 2016 08:39:26 -0800 (PST) Received: from ?IPv6:2602:304:cfd3:380:d132:4228:3346:3b85? ([2602:304:cfd3:380:d132:4228:3346:3b85]) by smtp.gmail.com with ESMTPSA id g64sm3090275ywa.27.2016.02.10.08.39.24 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Feb 2016 08:39:25 -0800 (PST) To: Henning Kopp References: <20160209131215.GE2329@banane.informatik.uni-ulm.de> <56BA6455.9030803@gmail.com> <20160210115345.GD2336@banane.informatik.uni-ulm.de> From: Jeremy Papp Message-ID: <56BB67BD.1060901@gmail.com> Date: Wed, 10 Feb 2016 10:39:25 -0600 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0 MIME-Version: 1.0 In-Reply-To: <20160210115345.GD2336@banane.informatik.uni-ulm.de> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Wed, 10 Feb 2016 16:51:06 +0000 Cc: bitcoin-dev@lists.linuxfoundation.org Subject: Re: [bitcoin-dev] Question regarding Confidential Transactions X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Development Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Feb 2016 16:39:28 -0000 On 2/10/2016 5:53 AM, Henning Kopp wrote: > Hi Jeremy, > >> My understanding of the paper is that the blinding factor would be included >> in the extra data which is incorporated into the ring signatures used in the >> range proof. > Yep, that is a possibility. The blinding factor could be encrypted > with the public key of the receiver. Thus it is only visible for the > receiver who can then check that the correct amount has been sent. ECC doesn't work like RSA; you can't encrypt directly with a public key. That's why you generate a shared secret between sender and receiver. See also, ECDH. (Basically, if (m, M = m*G) is your private/public key pair, and (n, N = n*G) is your recipient's private public key pair, you can both generate shared secret S = m*N = n*M = m*n*G without revealing your private keys to each other, and without revealing the secret to anyone else as long as they don't know either private key. You then use S as the basis for the key to some symmetric algorithm.) >> you'd transmit it then, though in any case, since using it will pretty much >> require segwit, adding extraneous data isn't much of a problem. In both >> cases, I imagine the blinding factor would be protected from outside >> examination via some form of shared secret generation... Although that would >> require the sender to know the recipient's unhashed public key; I don't know >> of any shared secret schemes that will work on hashed keys. > Here you lost me. > Why do we need to create a shared secret? Is this shared secret used > as the blinding factor? > Also I think the sender knows the unhashed public key of the receiver. > The only reason not to include it in the transaction script is that an > external observer is unable to see the receiver directly in the > blockchain. Normal Bitcoin transactions are made to the hash of a public key because once the public key is known, it becomes easier to break it if we ever develop quantum computers. That's why it's recommended that you only spend from a particular address once (if possible) since its only in spending that you are required to reveal your public key. Since you can't do a shared secret with a public key hash, AFAIK, you'd have to know the public key of your recipient to be able to do ECDH. Jeremy Papp