1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
|
Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193]
helo=mx.sourceforge.net)
by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <melvincarvalho@gmail.com>) id 1UpHMb-0000po-7g
for bitcoin-development@lists.sourceforge.net;
Wed, 19 Jun 2013 12:19:49 +0000
Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of gmail.com
designates 209.85.215.44 as permitted sender)
client-ip=209.85.215.44; envelope-from=melvincarvalho@gmail.com;
helo=mail-la0-f44.google.com;
Received: from mail-la0-f44.google.com ([209.85.215.44])
by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1UpHMZ-0006ZO-NP
for bitcoin-development@lists.sourceforge.net;
Wed, 19 Jun 2013 12:19:49 +0000
Received: by mail-la0-f44.google.com with SMTP id er20so4609483lab.17
for <bitcoin-development@lists.sourceforge.net>;
Wed, 19 Jun 2013 05:19:41 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.152.29.227 with SMTP id n3mr1232780lah.43.1371644380941;
Wed, 19 Jun 2013 05:19:40 -0700 (PDT)
Received: by 10.112.2.8 with HTTP; Wed, 19 Jun 2013 05:19:40 -0700 (PDT)
In-Reply-To: <51BFD886.8000701@gmail.com>
References: <51BFD886.8000701@gmail.com>
Date: Wed, 19 Jun 2013 14:19:40 +0200
Message-ID: <CAKaEYhJh4ArCqxf+wFobNzMbyd8TDPWEDw_n7_mm78d_41oFbA@mail.gmail.com>
From: Melvin Carvalho <melvincarvalho@gmail.com>
To: Alan Reiner <etotheipi@gmail.com>
Content-Type: multipart/alternative; boundary=089e0158c76c15965504df80d8df
X-Spam-Score: -0.6 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(melvincarvalho[at]gmail.com)
-0.0 SPF_PASS SPF: sender matches SPF record
1.0 HTML_MESSAGE BODY: HTML included in message
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1UpHMZ-0006ZO-NP
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Optional "wallet-linkable" address format
- Payment Protocol
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Wed, 19 Jun 2013 12:19:49 -0000
--089e0158c76c15965504df80d8df
Content-Type: text/plain; charset=ISO-8859-1
On 18 June 2013 05:48, Alan Reiner <etotheipi@gmail.com> wrote:
> *Goal*: An alternative address format made possible by BIP 32, which
> allows one to specify a "Wallet ID" and "One-time payment" code, instead of
> the standard one-use Base58-Hash160 addresses. This allows parties with a
> persistent relationship to be able to prove that payment addresses they
> provide each other are linked to a particular wallet, reducing exposure to
> MitM attacks without the need for SSL or a web of trust, and without
> compromising the privacy of either party. For instance, this could be
> used between businesses that frequently do business, by exchanging and
> verifying public keys beforehand, or could be used by an exchange to
> identify if a customer withdrawal address is related to their last deposit
> address, and if not enforce extra authentication measures.
>
> *Background**:*
> I haven't been following the payment protocol discussions/development
> much, so I apologize if this has already been addressed. I'm calling it
> "wallet-linkable" addresses, which would be an optional second form for
> sending someone your address. With BIP 32, the address is computed by the
> payee (the person sending the address to receive money):
>
> Standard Address ~ Base58(0x00 || hash160(PubKeyParent * Multiplier[i])
> || checksum)
>
> What I'd like to do is have the option, when specifying an address through
> the payment protocol, to send *just* the {PublicKeyParent, Multiplier[i]}
> and let the receiver of that address compute the address on their own.
> This is no significant burden on the receiver, but it does provide the
> useful property that they can recognize when addresses specified in this
> way come from the same wallet -- because the PubKeyParent will be the
> same. Remember, this is *optional* for the person providing the address.
>
> One nice, accidental feature of BIP 32 is that the Multiplier[i] used
> above does not actually reveal the "chaincode" (I think Pieter started
> calling it the "tweak"). It is derived from the chaincode but doesn't
> reveal it. Therefore, the payer sees the parent public key, but that's not
> useful to derive any of the other addresses unless they also have the
> chaincode. But they can verify that the PublicKeyParent is identical
> between transactions, and thus is accessible only to that wallet. It
> allows them validate a specific address provided by the payee, but not
> generate or identify any other addresses.
>
> *Use Cases:*
> (1) So, just like with PGP/GPG, when two parties decide they will start a
> relationship, they can start by exchanging the public keys of their wallet
> and verify them in a reliable manner. After that, when one party requests
> a payment address from the other, they can optionally send {PubKey,
> Multiplier}, and the payer's software will identify the owner of that
> address, or let you select who you think the address belongs to and it will
> verify it. If the payee's system is compromised and address is replaced,
> the address received by the payer won't validate. This doesn't help if the
> side sending the money is compromised.
>
> (2) When a customer first provides a deposit to an exchange, it will send
> money from an address in their wallet and the software will provide the
> exchange the {PubKey,Mult}. When the customer later provides a withdrawal
> address, the site can automatically trust the address as long it is
> provided in the alternate form and the public keys match. If they don't,
> it might be the same customer just requesting a withdrawal to a different
> wallet, which is fine, but they'll have to go through an extra verification
> step to do so.
>
>
> *Downsides:*
> Multi-sig/P2SH - The only way this works with P2SH, violates one of the
> goals of P2SH slightly, but may not matter much if it's all done under the
> hood by the software. Instead of providing a 20-byte hash of a script, you
> provide all the public keys and multipliers for the individual addresses.
> The payer's software automatically verifies all addresses and creates the
> P2SH script itself (after a divine decree that public keys will always be
> sorted lexicographically in the multi-sig script). The blockchain still
> benefits from the "compression" of moving the bulky scripts to the TxIn,
> but it does require revealing more information than is necessary for the
> payer to pay the payee. But it may not *really* be a problem, given the
> benefits. It might just be slightly longer strings to exchange during
> initialization and for each transaction.
>
> I have various reasons I'd like to use this, and it'd be nice to have some
> community backing, so I don't have to twist anyone's arm to trust me that
> it's legit.
>
Generally in favour of hierarchical deterministic wallets.
Will this new style of address make it into the block chain? I'd be less
keen on that.
I'm finding BIP0032 quite hard to read right now, but perhaps that's
because I'm less familiar with the material than some. However, there's
little things like it never actually defines a deterministic wallet in the
Abstract. But, I'll keep trying to understand and see if I can use the
test vectors.
>
> -Alan
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
>
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>
--089e0158c76c15965504df80d8df
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On 18 June 2013 05:48, Alan Reiner <span dir=3D"ltr"><<a href=3D=
"mailto:etotheipi@gmail.com" target=3D"_blank">etotheipi@gmail.com</a>><=
/span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">
=20
=20
=20
<div text=3D"#000000" bgcolor=3D"#FFFFFF">
<u><b>Goal</b></u>:=A0 An alternative address format made possible by
BIP 32, which allows one to specify a "Wallet ID" and "O=
ne-time
payment" code, instead of the standard one-use Base58-Hash160
addresses.=A0=A0 This allows parties with a persistent relationship to
be able to prove that payment addresses they provide each other are
linked to a particular wallet, reducing exposure to MitM attacks
without the need for SSL or a web of trust, and without compromising
the privacy of either party.=A0=A0=A0 For instance, this could be used
between businesses that frequently do business, by exchanging and
verifying public keys beforehand, or could be used by an exchange to
identify if a customer withdrawal address is related to their last
deposit address, and if not enforce extra authentication measures.<br>
<br>
<u><b>Background</b></u><u>:</u><br>
I haven't been following the payment protocol
discussions/development much, so I apologize if this has already
been addressed.=A0=A0 I'm calling it "wallet-linkable" ad=
dresses, which
would be an optional second form for sending someone your address.=A0=
=A0
With BIP 32, the address is computed by the payee (the person
sending the address to receive money):<br>
<br>
=A0=A0 Standard Address ~ Base58(0x00 || hash160(<font color=3D"#3333ff=
">PubKeyParent
* Multiplier[i]</font>) || checksum)<br>
<br>
What I'd like to do is have the option, when specifying an address
through the payment protocol, to send *just* the {<font color=3D"#3333f=
f">PublicKeyParent, Multiplier[i]</font>} and let the
receiver of that address compute the address on their own.=A0 This is
no significant burden on the receiver, but it does provide the
useful property that they can recognize when addresses specified in
this way come from the same wallet -- because the PubKeyParent will
be the same.=A0 Remember, this is <u>optional</u> for the person
providing the address.<br>
<br>
One nice, accidental feature of BIP 32 is that the Multiplier[i]
used above does not actually reveal the "chaincode" (I think =
Pieter
started calling it the "tweak").=A0=A0 It is derived from the=
chaincode
but doesn't reveal it.=A0 Therefore, the payer sees the parent publ=
ic
key, but that's not useful to derive any of the other addresses
unless they also have the chaincode.=A0 But they can verify that the
PublicKeyParent is identical between transactions, and thus is
accessible only to that wallet.=A0 It allows them validate a specific
address provided by the payee, but not generate or identify any
other addresses.<br>
<br>
<b><u>Use Cases:</u></b><br>
(1)=A0 So, just like with PGP/GPG, when two parties decide they will
start a relationship, they can start by exchanging the public keys
of their wallet and verify them in a reliable manner.=A0 After that,
when one party requests a payment address from the other, they can
optionally send {PubKey, Multiplier}, and the payer's software will
identify the owner of that address, or let you select who you think
the address belongs to and it will verify it.=A0 If the payee's sys=
tem
is compromised and address is replaced, the address received by the
payer won't validate.=A0 This doesn't help if the side sending =
the
money is compromised.<br>
<br>
(2)=A0 When a customer first provides a deposit to an exchange, it
will send money from an address in their wallet and the software
will provide the exchange the {PubKey,Mult}.=A0 When the customer
later provides a withdrawal address, the site can automatically
trust the address as long it is provided in the alternate form and
the public keys match.=A0 If they don't, it might be the same custo=
mer
just requesting a withdrawal to a different wallet, which is fine,
but they'll have to go through an extra verification step to do so.=
=A0
<br>
<br>
<br>
<u><b>Downsides:</b></u>=A0 <br>
Multi-sig/P2SH=A0 - The only way this works with P2SH, violates one of
the goals of P2SH slightly, but may not matter much if it's all don=
e
under the hood by the software.=A0 Instead of providing a 20-byte hash
of a script, you provide all the public keys and multipliers for the
individual addresses.=A0 The payer's software automatically verifie=
s
all addresses and creates the P2SH script itself (after a divine
decree that public keys will always be sorted lexicographically in
the multi-sig script).=A0 The blockchain still benefits from the
"compression" of moving the bulky scripts to the TxIn, but it=
does
require revealing more information than is necessary for the payer
to pay the payee.=A0 But it may not <i>really</i> be a problem, given
the benefits.=A0 It might just be slightly longer strings to exchange
during initialization and for each transaction.<br>
<br>
I have various reasons I'd like to use this, and it'd be nice t=
o
have some community backing, so I don't have to twist anyone's =
arm
to trust me that it's legit.<span class=3D"HOEnZb"><font color=3D"#=
888888"><br></font></span></div></blockquote><div><br></div><div>Generally =
in favour of hierarchical deterministic wallets.<br><br></div><div>Will thi=
s new style of address make it into the block chain?=A0 I'd be less kee=
n on that.<br>
<br></div><div>I'm finding BIP0032 quite hard to read right now, but pe=
rhaps that's because I'm less familiar with the material than some.=
=A0 However, there's little things like it never actually defines a det=
erministic wallet in the Abstract.=A0 But, I'll keep trying to understa=
nd and see if I can use the test vectors.<br>
</div><div>=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0=
.8ex;border-left:1px #ccc solid;padding-left:1ex"><div text=3D"#000000" bg=
color=3D"#FFFFFF"><span class=3D"HOEnZb"><font color=3D"#888888">
<br>
-Alan<br>
<br>
<br>
<br>
<br>
</font></span></div>
<br>-----------------------------------------------------------------------=
-------<br>
This SF.net email is sponsored by Windows:<br>
<br>
Build for Windows Store.<br>
<br>
<a href=3D"http://p.sf.net/sfu/windows-dev2dev" target=3D"_blank">http://p.=
sf.net/sfu/windows-dev2dev</a><br>_________________________________________=
______<br>
Bitcoin-development mailing list<br>
<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo=
pment@lists.sourceforge.net</a><br>
<a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development=
" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de=
velopment</a><br>
<br></blockquote></div><br></div></div>
--089e0158c76c15965504df80d8df--
|
