1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
Return-Path: <pappjm@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id F4052DA8
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 10 Feb 2016 16:39:27 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-yk0-f175.google.com (mail-yk0-f175.google.com
[209.85.160.175])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 74878194
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 10 Feb 2016 16:39:27 +0000 (UTC)
Received: by mail-yk0-f175.google.com with SMTP id z13so9891599ykd.0
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 10 Feb 2016 08:39:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=subject:to:references:cc:from:message-id:date:user-agent
:mime-version:in-reply-to:content-type:content-transfer-encoding;
bh=Q64jQ3KJa3K5zhUyxQMGZO503slatuRc0Z/XBAlCIN0=;
b=TY1fN6HuGZyFzymGiJtJUlzUoGbPNNLGkSNYAxkhKNxSRAigN90PqmVWBcRAYsTPMo
yh7cviCuMcA0Enr7xUdmBxrFmWYwG51mUgj/pfd2Mcmu6OsGcNaOd2yJdEabRHfAKQXZ
tXPAMI5xi0MehZIYlE6/LNuec75JN8J/gemioQNyx2kwIpraZ447xahwJDmNSy5n9ugm
V0DHNVtRfkRX8tYs8rziHnwEvG48JrD1ArHcE0m2MheGCL9SwiXdQnRi9OGELo/00tB+
LGnRkvcBy7t+7uQewSNxZPA8COCMTexgmKFpub0eU6o3Mn4c7dwczmbWCaHbbWtMKK+4
jXQw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:subject:to:references:cc:from:message-id:date
:user-agent:mime-version:in-reply-to:content-type
:content-transfer-encoding;
bh=Q64jQ3KJa3K5zhUyxQMGZO503slatuRc0Z/XBAlCIN0=;
b=hzGJf6oPQxaDp/KU7WfDlWL2mzZUqnHiqxgQB37yaenInG88kHCaIVbva8XwQZXE4t
XUmBuEOeObCJ95bRvW7dX+ChJt2Gtxn5K/KDEF2/nVZKdqYV290QWX6v1RHx4LdyHWO4
ar55WpfKqmCufjq3UBHZMxbeLdxmqWFp7qvE/3aX88AM5ic8lG+eqdKP+aC+lYKjZAR/
eMUmjlba0CfxCuK6DF3tL/x2HBXxRWvURLHrhJ/8E2KMw6IKbdC0mpv73wX4I2m1oh5w
JesqzkbSTYxaBHMJdXwhRvcckBzLugvfXmDjRls0chhASu9VeCqIq3BjqmtgkS0Gkt+e
7PpQ==
X-Gm-Message-State: AG10YOQtOB9MuGU3rTL55cCr+Nb2ZnmNniZuOgL8RS3N7U/+ym9TB+yeGooEZ26yiB4joA==
X-Received: by 10.37.50.15 with SMTP id y15mr21972955yby.7.1455122366706;
Wed, 10 Feb 2016 08:39:26 -0800 (PST)
Received: from ?IPv6:2602:304:cfd3:380:d132:4228:3346:3b85?
([2602:304:cfd3:380:d132:4228:3346:3b85])
by smtp.gmail.com with ESMTPSA id
g64sm3090275ywa.27.2016.02.10.08.39.24
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Wed, 10 Feb 2016 08:39:25 -0800 (PST)
To: Henning Kopp <henning.kopp@uni-ulm.de>
References: <20160209131215.GE2329@banane.informatik.uni-ulm.de>
<56BA6455.9030803@gmail.com>
<20160210115345.GD2336@banane.informatik.uni-ulm.de>
From: Jeremy Papp <pappjm@gmail.com>
Message-ID: <56BB67BD.1060901@gmail.com>
Date: Wed, 10 Feb 2016 10:39:25 -0600
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101
Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <20160210115345.GD2336@banane.informatik.uni-ulm.de>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM,
RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Wed, 10 Feb 2016 16:51:06 +0000
Cc: bitcoin-dev@lists.linuxfoundation.org
Subject: Re: [bitcoin-dev] Question regarding Confidential Transactions
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Development Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Feb 2016 16:39:28 -0000
On 2/10/2016 5:53 AM, Henning Kopp wrote:
> Hi Jeremy,
>
>> My understanding of the paper is that the blinding factor would be included
>> in the extra data which is incorporated into the ring signatures used in the
>> range proof.
> Yep, that is a possibility. The blinding factor could be encrypted
> with the public key of the receiver. Thus it is only visible for the
> receiver who can then check that the correct amount has been sent.
ECC doesn't work like RSA; you can't encrypt directly with a public
key. That's why you generate a shared secret between sender and
receiver. See also, ECDH. (Basically, if (m, M = m*G) is your
private/public key pair, and (n, N = n*G) is your recipient's private
public key pair, you can both generate shared secret S = m*N = n*M =
m*n*G without revealing your private keys to each other, and without
revealing the secret to anyone else as long as they don't know either
private key. You then use S as the basis for the key to some symmetric
algorithm.)
>> you'd transmit it then, though in any case, since using it will pretty much
>> require segwit, adding extraneous data isn't much of a problem. In both
>> cases, I imagine the blinding factor would be protected from outside
>> examination via some form of shared secret generation... Although that would
>> require the sender to know the recipient's unhashed public key; I don't know
>> of any shared secret schemes that will work on hashed keys.
> Here you lost me.
> Why do we need to create a shared secret? Is this shared secret used
> as the blinding factor?
> Also I think the sender knows the unhashed public key of the receiver.
> The only reason not to include it in the transaction script is that an
> external observer is unable to see the receiver directly in the
> blockchain.
Normal Bitcoin transactions are made to the hash of a public key because
once the public key is known, it becomes easier to break it if we ever
develop quantum computers. That's why it's recommended that you only
spend from a particular address once (if possible) since its only in
spending that you are required to reveal your public key. Since you
can't do a shared secret with a public key hash, AFAIK, you'd have to
know the public key of your recipient to be able to do ECDH.
Jeremy Papp
|
