public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Peter Todd <pete@petertodd.org>
To: Jeremy Spilman <jeremy@taplink.co>
Cc: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] Stealth Addresses
Date: Fri, 10 Jan 2014 05:20:37 -0500	[thread overview]
Message-ID: <20140110102037.GB25749@savin> (raw)
In-Reply-To: <op.w9c5o7vgyldrnw@laptop-air.hsd1.ca.comcast.net>

[-- Attachment #1: Type: text/plain, Size: 2331 bytes --]

On Wed, Jan 08, 2014 at 02:20:57AM -0800, Jeremy Spilman wrote:
> Thanks Peter for the paper!
> 
> I'm just going to restate your 'simple explanation' to make sure I
> got it...
> 
> The payee publishes a public key of theirs, which will be a
> long-standing identifier, public key = 'Q', corresponding private
> key = 'd'.
> 
> To pay them, payee generate a keypair, private key = 'e' public key
> of 'P'. Publish 'P' in the transaction.
> 
> The payer can calculate S = eQ, where S is a shared secret between
> payer/payee. The payee calculates the same S as S = dP. So the payee
> sees 'P' in a transaction, and multiplies by their private key, to
> get S.
> 
> Now that we have the shared secret, either side can calculate an
> offset to Q which becomes the pay-to-address. When you say
> BIP32-style derivation, Q' = H(S) + Q, does this mean Q +
> SHA256(33-byte S)?

I think that's correct, but my ECC math is a bit shakey... In any case,
what's important is that you can derive a pubkey such that only the
recipient has the privkey, and without knowledge of the shared secret
you can't determine what the recipients master pubkey was.

> A payee has to check each transaction (or every transaction of a
> fixed prefix) with 'P', calculate Q' = Q + H(dP) and see if that
> transaction pays to Q'. If the address matches, then the payee can
> spend it with private key of d + H(dP).

Yup, you're understanding matches mine. (no guarantee if my
understanding is correct!)

> One downside is that you have to hold your private key in memory
> unencrypted in order to identify new payments coming in. So
> stealth-addresses may not be suitable for receiving eCommerce
> payments, since you can't implement a corresponding watch-only
> wallet, e.g. there's no way to "direct-deposit into cold storage."

Oh, sorry, I forgot to mention it in my first write-up but you can
easily make stealth addresses include a second pubkey for the purpose of
the communication that either isn't used in the scriptPubKey at all, or
is part of a n-of-m multisig. (n>=2) Interestingly that also means you
can give a third-party that key and out-source the effort of scanning
the blockchain for you.

-- 
'peter'[:-1]@petertodd.org
00000000000000028a5c9edabc9697fe96405f667be1d6d558d1db21d49b8857

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 685 bytes --]

  reply	other threads:[~2014-01-10 10:20 UTC|newest]

Thread overview: 88+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-01-06 12:03 [Bitcoin-development] Stealth Addresses Peter Todd
2014-01-08 10:20 ` Jeremy Spilman
2014-01-10 10:20   ` Peter Todd [this message]
2014-01-10 11:28     ` Drak
2014-01-10 12:00       ` Peter Todd
2014-01-12 10:33     ` Jeremy Spilman
2014-01-12 12:51       ` Mike Hearn
2014-01-12 18:20         ` Jeremy Spilman
2014-01-12 18:26           ` Mike Hearn
2014-01-13  9:13             ` Jeremy Spilman
2014-01-14 14:15               ` Peter Todd
2014-01-14 17:54                 ` Odinn Cyberguerrilla
2014-01-12 21:18       ` Gavin Andresen
2014-01-13  9:52         ` Gregory Maxwell
2014-01-13 10:39           ` Mike Hearn
2014-01-13 13:37             ` Roy Badami
2014-01-13 15:58               ` Mike Hearn
2014-01-13 20:11                 ` Roy Badami
2014-01-14 22:53                 ` Roy Badami
2014-01-15  0:19                   ` Drak
2014-01-15 20:22                     ` Ben Davenport
2014-01-15 20:38                       ` Gregory Maxwell
2014-01-15 20:44                         ` Jeff Garzik
2014-01-15 22:38                           ` [Bitcoin-development] Static addresses on chains encouraging address *RE* use Troy Benjegerdes
2014-01-15 23:01                           ` [Bitcoin-development] Stealth Addresses Mike Hearn
2014-01-15 23:04                           ` Roy Badami
2014-01-15 23:07                             ` Jeff Garzik
2014-01-15 23:17                               ` Roy Badami
2014-01-15 23:19                                 ` Roy Badami
2014-01-15 23:09                           ` [Bitcoin-development] unlinakble static address? & spv-privacy (Re: Stealth Addresses) Adam Back
2014-01-16  1:02                             ` Jeremy Spilman
2014-01-16  1:32                               ` Gregory Maxwell
2014-01-18 17:44                                 ` Troy Benjegerdes
2014-01-18 20:25                                   ` Christophe Biocca
2014-01-20 11:11                                   ` Peter Todd
2014-01-21  4:00                                 ` Jeremy Spilman
2014-01-24  9:17                                   ` Peter Todd
2014-01-16 11:42                               ` Adam Back
2014-01-16 18:19                                 ` Troy Benjegerdes
2014-01-16  0:05                           ` [Bitcoin-development] Stealth Addresses Jeremy Spilman
2014-01-16  0:10                             ` Gregory Maxwell
2014-01-16  0:24                             ` Mark Friedenbach
2014-01-16  0:44                             ` Eric Martindale
2014-01-16  6:26                               ` Gary Rowe
2014-01-16  9:48                                 ` Wladimir
2014-01-16  1:16                             ` Odinn Cyberguerrilla
2014-01-16 10:14                             ` Drak
2014-01-16 10:19                               ` Mike Hearn
2014-01-16 11:12                               ` [Bitcoin-development] reusable address privacy problems & fuzzy bait limitations (Re: Stealth Addresses) Adam Back
2014-01-16 21:28                             ` [Bitcoin-development] Stealth Addresses Peter Todd
2014-01-17  2:30                               ` Johnathan Corgan
2014-01-17  3:13                               ` Jeremy Spilman
2014-01-17  7:49                               ` Drak
2014-01-17  9:15                                 ` Mike Hearn
2014-01-17  9:19                                   ` Mark Friedenbach
2014-01-17  9:23                                   ` Natanael
2014-01-17  9:59                                   ` Drak
2014-01-17 20:16                                     ` Cameron Garnham
2014-01-17 14:46                                   ` Peter Todd
2014-01-17 19:21                                     ` Ben Davenport
2014-01-18  4:55                                       ` Alan Reiner
2014-01-18  5:09                                         ` Gregory Maxwell
2014-01-18 23:12                                           ` Jeremy Spilman
2014-01-18 23:50                                             ` Gregory Maxwell
2014-01-20 11:08                                             ` Peter Todd
2014-01-13 19:53               ` Roy Badami
2014-01-13 19:57                 ` Mike Hearn
2014-01-13 20:01                   ` Roy Badami
2014-01-13 19:40           ` Roy Badami
2014-01-13 19:44             ` Drak
2014-01-13 19:59               ` Alan Reiner
2014-01-13 20:10                 ` Gregory Maxwell
2014-01-13 20:15                   ` Peter Todd
2014-01-13 22:02                   ` Jeremy Spilman
2014-01-14 14:19                     ` Peter Todd
2014-01-14 19:12                       ` Jeremy Spilman
2014-01-14 20:48                         ` Peter Todd
2014-01-14 21:51                         ` Adam Back
2014-01-14 22:34                           ` Jeremy Spilman
2014-01-13 20:14                 ` Peter Todd
2014-01-13 20:41                   ` Alan Reiner
2014-01-13 20:47                     ` Gregory Maxwell
2014-01-13 21:02                     ` Roy Badami
2014-01-13 21:15                       ` Alan Reiner
2014-01-13 21:27                         ` Peter Todd
     [not found]                           ` <op.w9ne31oqyldrnw@laptop-air.hsd1.ca.comcast.net>
2014-01-14 12:10                             ` Peter Todd
2014-03-06 12:23 ` Dan Carter
     [not found] <mailman.417890.1389952750.21953.bitcoin-development@lists.sourceforge.net>
2014-01-17 12:16 ` joseph

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140110102037.GB25749@savin \
    --to=pete@petertodd.org \
    --cc=bitcoin-development@lists.sourceforge.net \
    --cc=jeremy@taplink.co \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox