From: Peter Todd <pete@petertodd.org>
To: Jeremy Spilman <jeremy@taplink.co>
Cc: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] Stealth Addresses
Date: Fri, 10 Jan 2014 05:20:37 -0500 [thread overview]
Message-ID: <20140110102037.GB25749@savin> (raw)
In-Reply-To: <op.w9c5o7vgyldrnw@laptop-air.hsd1.ca.comcast.net>
[-- Attachment #1: Type: text/plain, Size: 2331 bytes --]
On Wed, Jan 08, 2014 at 02:20:57AM -0800, Jeremy Spilman wrote:
> Thanks Peter for the paper!
>
> I'm just going to restate your 'simple explanation' to make sure I
> got it...
>
> The payee publishes a public key of theirs, which will be a
> long-standing identifier, public key = 'Q', corresponding private
> key = 'd'.
>
> To pay them, payee generate a keypair, private key = 'e' public key
> of 'P'. Publish 'P' in the transaction.
>
> The payer can calculate S = eQ, where S is a shared secret between
> payer/payee. The payee calculates the same S as S = dP. So the payee
> sees 'P' in a transaction, and multiplies by their private key, to
> get S.
>
> Now that we have the shared secret, either side can calculate an
> offset to Q which becomes the pay-to-address. When you say
> BIP32-style derivation, Q' = H(S) + Q, does this mean Q +
> SHA256(33-byte S)?
I think that's correct, but my ECC math is a bit shakey... In any case,
what's important is that you can derive a pubkey such that only the
recipient has the privkey, and without knowledge of the shared secret
you can't determine what the recipients master pubkey was.
> A payee has to check each transaction (or every transaction of a
> fixed prefix) with 'P', calculate Q' = Q + H(dP) and see if that
> transaction pays to Q'. If the address matches, then the payee can
> spend it with private key of d + H(dP).
Yup, you're understanding matches mine. (no guarantee if my
understanding is correct!)
> One downside is that you have to hold your private key in memory
> unencrypted in order to identify new payments coming in. So
> stealth-addresses may not be suitable for receiving eCommerce
> payments, since you can't implement a corresponding watch-only
> wallet, e.g. there's no way to "direct-deposit into cold storage."
Oh, sorry, I forgot to mention it in my first write-up but you can
easily make stealth addresses include a second pubkey for the purpose of
the communication that either isn't used in the scriptPubKey at all, or
is part of a n-of-m multisig. (n>=2) Interestingly that also means you
can give a third-party that key and out-source the effort of scanning
the blockchain for you.
--
'peter'[:-1]@petertodd.org
00000000000000028a5c9edabc9697fe96405f667be1d6d558d1db21d49b8857
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 685 bytes --]
next prev parent reply other threads:[~2014-01-10 10:20 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-06 12:03 [Bitcoin-development] Stealth Addresses Peter Todd
2014-01-08 10:20 ` Jeremy Spilman
2014-01-10 10:20 ` Peter Todd [this message]
2014-01-10 11:28 ` Drak
2014-01-10 12:00 ` Peter Todd
2014-01-12 10:33 ` Jeremy Spilman
2014-01-12 12:51 ` Mike Hearn
2014-01-12 18:20 ` Jeremy Spilman
2014-01-12 18:26 ` Mike Hearn
2014-01-13 9:13 ` Jeremy Spilman
2014-01-14 14:15 ` Peter Todd
2014-01-14 17:54 ` Odinn Cyberguerrilla
2014-01-12 21:18 ` Gavin Andresen
2014-01-13 9:52 ` Gregory Maxwell
2014-01-13 10:39 ` Mike Hearn
2014-01-13 13:37 ` Roy Badami
2014-01-13 15:58 ` Mike Hearn
2014-01-13 20:11 ` Roy Badami
2014-01-14 22:53 ` Roy Badami
2014-01-15 0:19 ` Drak
2014-01-15 20:22 ` Ben Davenport
2014-01-15 20:38 ` Gregory Maxwell
2014-01-15 20:44 ` Jeff Garzik
2014-01-15 22:38 ` [Bitcoin-development] Static addresses on chains encouraging address *RE* use Troy Benjegerdes
2014-01-15 23:01 ` [Bitcoin-development] Stealth Addresses Mike Hearn
2014-01-15 23:04 ` Roy Badami
2014-01-15 23:07 ` Jeff Garzik
2014-01-15 23:17 ` Roy Badami
2014-01-15 23:19 ` Roy Badami
2014-01-15 23:09 ` [Bitcoin-development] unlinakble static address? & spv-privacy (Re: Stealth Addresses) Adam Back
2014-01-16 1:02 ` Jeremy Spilman
2014-01-16 1:32 ` Gregory Maxwell
2014-01-18 17:44 ` Troy Benjegerdes
2014-01-18 20:25 ` Christophe Biocca
2014-01-20 11:11 ` Peter Todd
2014-01-21 4:00 ` Jeremy Spilman
2014-01-24 9:17 ` Peter Todd
2014-01-16 11:42 ` Adam Back
2014-01-16 18:19 ` Troy Benjegerdes
2014-01-16 0:05 ` [Bitcoin-development] Stealth Addresses Jeremy Spilman
2014-01-16 0:10 ` Gregory Maxwell
2014-01-16 0:24 ` Mark Friedenbach
2014-01-16 0:44 ` Eric Martindale
2014-01-16 6:26 ` Gary Rowe
2014-01-16 9:48 ` Wladimir
2014-01-16 1:16 ` Odinn Cyberguerrilla
2014-01-16 10:14 ` Drak
2014-01-16 10:19 ` Mike Hearn
2014-01-16 11:12 ` [Bitcoin-development] reusable address privacy problems & fuzzy bait limitations (Re: Stealth Addresses) Adam Back
2014-01-16 21:28 ` [Bitcoin-development] Stealth Addresses Peter Todd
2014-01-17 2:30 ` Johnathan Corgan
2014-01-17 3:13 ` Jeremy Spilman
2014-01-17 7:49 ` Drak
2014-01-17 9:15 ` Mike Hearn
2014-01-17 9:19 ` Mark Friedenbach
2014-01-17 9:23 ` Natanael
2014-01-17 9:59 ` Drak
2014-01-17 20:16 ` Cameron Garnham
2014-01-17 14:46 ` Peter Todd
2014-01-17 19:21 ` Ben Davenport
2014-01-18 4:55 ` Alan Reiner
2014-01-18 5:09 ` Gregory Maxwell
2014-01-18 23:12 ` Jeremy Spilman
2014-01-18 23:50 ` Gregory Maxwell
2014-01-20 11:08 ` Peter Todd
2014-01-13 19:53 ` Roy Badami
2014-01-13 19:57 ` Mike Hearn
2014-01-13 20:01 ` Roy Badami
2014-01-13 19:40 ` Roy Badami
2014-01-13 19:44 ` Drak
2014-01-13 19:59 ` Alan Reiner
2014-01-13 20:10 ` Gregory Maxwell
2014-01-13 20:15 ` Peter Todd
2014-01-13 22:02 ` Jeremy Spilman
2014-01-14 14:19 ` Peter Todd
2014-01-14 19:12 ` Jeremy Spilman
2014-01-14 20:48 ` Peter Todd
2014-01-14 21:51 ` Adam Back
2014-01-14 22:34 ` Jeremy Spilman
2014-01-13 20:14 ` Peter Todd
2014-01-13 20:41 ` Alan Reiner
2014-01-13 20:47 ` Gregory Maxwell
2014-01-13 21:02 ` Roy Badami
2014-01-13 21:15 ` Alan Reiner
2014-01-13 21:27 ` Peter Todd
[not found] ` <op.w9ne31oqyldrnw@laptop-air.hsd1.ca.comcast.net>
2014-01-14 12:10 ` Peter Todd
2014-03-06 12:23 ` Dan Carter
[not found] <mailman.417890.1389952750.21953.bitcoin-development@lists.sourceforge.net>
2014-01-17 12:16 ` joseph
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140110102037.GB25749@savin \
--to=pete@petertodd.org \
--cc=bitcoin-development@lists.sourceforge.net \
--cc=jeremy@taplink.co \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox