Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192] helo=mx.sourceforge.net) by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1W3AuM-0004kI-LN for bitcoin-development@lists.sourceforge.net; Tue, 14 Jan 2014 20:48:22 +0000 Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of petertodd.org designates 62.13.149.82 as permitted sender) client-ip=62.13.149.82; envelope-from=pete@petertodd.org; helo=outmail149082.authsmtp.co.uk; Received: from outmail149082.authsmtp.co.uk ([62.13.149.82]) by sog-mx-2.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1W3AuL-00038P-C5 for bitcoin-development@lists.sourceforge.net; Tue, 14 Jan 2014 20:48:22 +0000 Received: from mail-c235.authsmtp.com (mail-c235.authsmtp.com [62.13.128.235]) by punt14.authsmtp.com (8.14.2/8.14.2) with ESMTP id s0EKmEVP022726; Tue, 14 Jan 2014 20:48:14 GMT Received: from petertodd.org (petertodd.org [174.129.28.249]) (authenticated bits=128) by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id s0EKm6P5030400 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Tue, 14 Jan 2014 20:48:09 GMT Date: Tue, 14 Jan 2014 15:48:06 -0500 From: Peter Todd To: Jeremy Spilman Message-ID: <20140114204806.GA20546@petertodd.org> References: <20140113194049.GJ38964@giles.gnomon.org.uk> <52D4458C.6010909@gmail.com> <19AE1549-16E0-4119-8BE9-8F4DFD3381C1@taplink.co> <20140114141908.GB29950@savin> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="BOKacYhQ+x31HxR3" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-Server-Quench: 2dc56bab-7d5d-11e3-b802-002590a15da7 X-AuthReport-Spam: If SPAM / abuse - report it at: http://www.authsmtp.com/abuse X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVKBZePFsRUQkR aQdMdwYUElQaAgsB AmIbWVReVFV7WGM7 ag1VcwRfa1RMVxto VEFWR1pVCwQmQhx0 fUMYMhxydAVCeH4+ ZEFgV3YVXhApcEAv ExxJEjkDMXphaTUc TRJQdwFJcANIexZF O1F6ACIKLwdSbGoL NQ4vNDcwO3BTJTpY RgYVKF8UXXNDJSIx ThQeHX0GEUEfSj4o IgdO X-Authentic-SMTP: 61633532353630.1023:706 X-AuthFastPath: 0 (Was 255) X-AuthSMTP-Origin: 174.129.28.249/587 X-AuthVirus-Status: No virus detected - but ensure you scan with your own anti-virus system. X-Spam-Score: -1.5 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1W3AuL-00038P-C5 Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] Stealth Addresses X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 20:48:22 -0000 --BOKacYhQ+x31HxR3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jan 14, 2014 at 11:12:40AM -0800, Jeremy Spilman wrote: > Maybe you are saying: >=20 > byte[] S =3D EC.DH(e, Q2); > byte[] q1New =3D EC.PointAdd(Q1, Util.SingleSHA256(S)); > byte[] q2New =3D EC.PointAdd(Q2, Util.SingleSHA256(S)); >=20 > But the payment would have (q2New - q1New) =3D=3D (Q2 - Q1), so I think > not entirely stealth? OK, let's fix that by adding a counter to the > hash function... Good catch, yeah, use the master shared secret to derive per-pubkey secrets. > byte[] S =3D EC.DH(e, Q2); > byte[] q1New =3D EC.PointAdd(Q1, Util.SingleSHA256(S || 1)); > byte[] q2New =3D EC.PointAdd(Q2, Util.SingleSHA256(S || 2)); > stealthTx.Vout.Add(TxOut.PayToMultiSig(Util.Amount(".995"), 2, 2, > q1New, q2New)); > stealthTx.Vout.Add(TxOut.OpReturn(P)); >=20 > This is assuming we want to put q2New somewhere into the > transaction, which, is it even required? >=20 > byte[] S =3D EC.DH(e, Q2); > byte[] q1New =3D EC.PointAdd(Q1, Util.SingleSHA256(S)); > stealthTx.Vout.Add(TxOut.PayToPubKeyHash(Util.Amount(".995"), q1New); > stealthTx.Vout.Add(TxOut.OpReturn(P)); Well like I said, you shouldn't force the txout to be exactly a 2-of-2 multisig - the recipient might be using a multi-factor wallet for instance. So, if I understand your code, what you want is the following: byte[] Q =3D ; byte[] Q_Scan =3D int m =3D <# of pubkeys required to redeem>; byte[] S =3D EC.DH(e, Q_Scan); byte[] qDerived[]; for (int =3D 0; i < len(Q); i++){ qDerived[i] =3D EC.PointAdd(Q[i], Util.SingleSHA256(S || i)); } // Best to have a single canonical order re: anonymity set. qDerived =3D sorted(qDerived); if (len(Q) > 1){ stealthTx.Vout.Add(TxOut.PayToMultiSig(amount, m, len(Q), qDerived)); } else { stealthTx.Vout.Add(TxOut.PayToPubKeyHash(amount, qDerived[0]); } stealthTx.Vout.Add(TxOut.OpReturn(P)); Finally, it would probably be better if the multisig output was wrapped in a P2SH output to better match the behavior of other wallets for the sake of a bigger anonymity set - seems that stuff that is implementing multifactor wallets and escrow is using P2SH to do it rather than bare multisig. Also there's quite a bit of support for making bare multisig not IsStandard() to discourage data-storage applications. --=20 'peter'[:-1]@petertodd.org 00000000000000010c474cd4e25913535ec1c166b6d43fbdd9a5f2726711ced7 --BOKacYhQ+x31HxR3 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQEcBAEBCAAGBQJS1aKGAAoJEBmcgzuo5/CFfegIAKS4AB6/alcIhc18ALsjCC5A QXjJeJ+GHAfhbS6sn+e0cRveAi7/UccS++N6rurZS7c7/gwW1sm17wpU9MEu4/q7 Bprd/ZWExqMGfpz8wW8qPk9dgd/lk+GzhFj65YW+raXggXWdAcEfpYjS6gGzjSZP a7HG3SrcRMj+dOSV/POfAZrVRCHIZ00Ch5CxJ8ULqA+RU8juhpJTCdv54Fo5xojl EAUNNa8lfx4JEmB4napqkYsgr4o39ayp+fd2oEVaH5IUQpKqw37EOFVB6tUd/9f1 o0cPQnT678fs6HB02A4CsxCvOGM2lIDmQUca2ExPgNVD+4KWN+rxt0aVfPA/FMM= =7VUT -----END PGP SIGNATURE----- --BOKacYhQ+x31HxR3--