From: Richard Moore
Date: Sat, 12 Sep 2015 01:38:53 -0400
To: bitcoin-dev@lists.linuxfoundation.org
Subject: [bitcoin-dev] Stealth Address Idea (special-less)
Message-Id: <71A8E490-14C5-49F1-8E08-75C0A754B5BB@ricmoo.com>

Hey all,

I am throwing out an idea I’ve been toying with, for feedback and if it seems like an idea worth pursuing, possibly a BIP number.

The goal is to make straightforward stealth addresses that are SPV friendly and easy to support in software without too much special goop.

I’ve got working code at https://github.com/ricmoo/sandbox/tree/master/stealth, and here are some example transactions on the block chain:

Target Public Key: 029ed06e396761c24416cf7323ed4f1cb29763ee9e2b0fccae347d6a2a3eaecbf5
Target Public Key [tentative] Encoding (this is what you would give away): 59KkSZsVE7vErdqo8m5gtNoez44CbdwJQ5cSM1AAARzN19vkJ6NU

Revocable Payment made: b4ad20cad4cc2fcbbec09bc071dfe8c4a4b1e8e57d1e56bf51947445cfc6c7af
Irrevocable Payment made: f600643a1d32152117be0d9c652a86dc6182d2dab3be53340739395f524cd95c
Cleared out all funds from stealth address: 58eb0fdab108c7add74835466251ffe5c51c7f4cec149f06daf0435d43d9ce55


Idea overview:

There are 2 modes of operation, revocable and irrevocable payments. Revocable payments result in both parties knowing the private key, allowing for a certain level of plausible deniability when the funds are swept, as to whether the funds were actually sent or were revoked… You could imagine WikiLeaks stating they will not claim donations for 1-3 months after receiving them; if the funds are claimed after 1.5 months, did the sender actually send funds? The other option is irrevocable, where only the receiver can claim the funds (allowing them to leave them in that address until they need to be spent).

The basic idea is (the code above gets into the nitty gritty), to send to targetPublicKey:
  • Given the UTXO set of inputs into a transaction, choose one at random, senderUtxo
  • Use ECDH(targetPublicKey, senderUtxo.privateKey) as sharedSecret
  • For revocable payments, you are done; use sharedSecret as your privateKey, compute the address
  • For irrevocable payments, create a sharedPrivateKey from the bytes of sharedSecret, use ECC addition (or would multiplication make more sense? advantages?) on the public key of sharedPrivateKey and the targetPublicKey. The receiver can then use ECC addition (or multiplication) on the sharedPrivateKey and the targetPrivateKey to generate the corresponding privateKey.

The SPV-able part is lightly discussed in the top of stealth.js, but I haven’t played with bloom filters enough and the idea is still all too fresh in my head; the general idea is to make a 1-of-2 multisig where the first is the resulting stealth address, and the second is something (anything) that looks like a valid public key, but will match a bloom filter (given a tweak that is generated deterministically from the targetPublicKey) and matches the targetPublicKey. Again, I need much more feedback on this.

Thanks,
RicMoo

.·´¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸><(((º>

Richard Moore ~ Founder
Genetic Mistakes Software inc.
phone: (778) 882-6125
email: ricmoo@geneticmistakes.com
www: http://GeneticMistakes.com
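
The key derivation described in the message, worked through as an added example (not part of the original post and not the code in the linked repository). It assumes sharedSecret is the x-coordinate of the ECDH point reduced modulo the curve order, uses ECC addition for the irrevocable mode, and compares public keys instead of computing addresses; the function names and sample keys are constructed for illustration.

```javascript
// Educational secp256k1 arithmetic on BigInt: not constant-time, never use with real keys.
const P = 2n ** 256n - 2n ** 32n - 977n; // field prime
const N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n; // group order
const G = [0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798n,
           0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8n];
const mod = (a, m) => ((a % m) + m) % m;
function inv(a, m) { // modular inverse via extended Euclid
  let [r0, r1, s0, s1] = [mod(a, m), m, 1n, 0n];
  while (r1 !== 0n) [r0, r1, s0, s1] = [r1, r0 % r1, s1, s0 - (r0 / r1) * s1];
  return mod(s0, m);
}
function add(A, B) { // point addition; null is the point at infinity
  if (A === null) return B;
  if (B === null) return A;
  const [x1, y1] = A, [x2, y2] = B;
  if (x1 === x2 && mod(y1 + y2, P) === 0n) return null;
  const lam = x1 === x2 ? 3n * x1 * x1 * inv(2n * y1, P) : (y2 - y1) * inv(x2 - x1, P);
  const x3 = mod(lam * lam - x1 - x2, P);
  return [x3, mod(lam * (x1 - x3) - y1, P)];
}
function mul(k, A) { // double-and-add scalar multiplication
  let R = null;
  for (k = mod(k, N); k > 0n; k >>= 1n, A = add(A, A)) if (k & 1n) R = add(R, A);
  return R;
}
// Assumption: sharedSecret is the x-coordinate of the ECDH point, reduced mod N.
const ecdh = (priv, pub) => mod(mul(priv, pub)[0], N);
// Sender: the public key the payment is locked to.
function senderPayToKey(senderPriv, targetPub, irrevocable) {
  const sharedPub = mul(ecdh(senderPriv, targetPub), G);
  return irrevocable ? add(sharedPub, targetPub) : sharedPub;
}
// Receiver: the private key that spends it.
function receiverSpendKey(targetPriv, senderPub, irrevocable) {
  const shared = ecdh(targetPriv, senderPub);
  return irrevocable ? mod(shared + targetPriv, N) : shared;
}
// Constructed sample keys, not the keys from the post.
const senderPriv = 0x1f2e3d4c5b6a79881f2e3d4c5b6a7988n, targetPriv = 0x0a1b2c3d4e5f60710a1b2c3d4e5f6071n;
const senderPub = mul(senderPriv, G), targetPub = mul(targetPriv, G);
const same = (A, B) => A[0] === B[0] && A[1] === B[1];
function demo(irrevocable) {
  const payTo = senderPayToKey(senderPriv, targetPub, irrevocable);
  const senderScalar = ecdh(senderPriv, targetPub); // the only scalar the sender can compute
  return { receiverCanSpend: same(mul(receiverSpendKey(targetPriv, senderPub, irrevocable), G), payTo),
           senderCanSpend: same(mul(senderScalar, G), payTo) };
}
console.log({ revocable: demo(false), irrevocable: demo(true) });
```

In revocable mode both parties can derive the spending key; in irrevocable mode only the receiver can, because the sender lacks targetPrivateKey.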
