From: Tier Nolan
Date: Thu, 11 Aug 2016 16:13:19 +0100
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] BIP Number Request: Addresses over Audio

On Thu, Aug 11, 2016 at 2:55 PM, Erik Aronesty via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> Sorry, I thought there was some BIP for a public seed such that someone can
> generate new random addresses, but cannot trivially verify whether an
> address was derived from the seed.

If you take a public key and multiply it by k, then the recipient can work out the private key by multiplying their master private key by k.

If k is random, then the recipient wouldn't be able to work it out, but if it is non-random, then everyone else can work it out. You need some way to get k to the recipient without others figuring it out.

This means either the system is interactive or you use a shared secret.

The info about the shared secret is included in the scriptPubKey (or the more socially conscientious option, an OP_RETURN).

The address would indicate the master public key.

master_public = master_private * G

The transaction contains k*G.

Both sides can compute the shared secret.

secret = k*master_private*G = master_private*k*G

<encode(k*G)> DROP DUP HASH160 <hash160(encode(secret + pub key))> EQUALVERIFY CHECKSIG

This adds 34 bytes to the scriptPubKey.

This is pretty heavy for scanning for transactions sent to you. You have to check every transaction output to see if it is the given template. Then you have to do an ECC multiply to compute the shared secret. Once you have the shared secret, you need to do an ECC addition and a hash to figure out if it matches the public key hash in the output.

This is approx one ECC multiply per output and is similar CPU load to what you would need to do to actually verify a block.