From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192] helo=mx.sourceforge.net) by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from <pete@petertodd.org>) id 1W3AuM-0004kI-LN for bitcoin-development@lists.sourceforge.net; Tue, 14 Jan 2014 20:48:22 +0000 Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of petertodd.org designates 62.13.149.82 as permitted sender) client-ip=62.13.149.82; envelope-from=pete@petertodd.org; helo=outmail149082.authsmtp.co.uk; Received: from outmail149082.authsmtp.co.uk ([62.13.149.82]) by sog-mx-2.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1W3AuL-00038P-C5 for bitcoin-development@lists.sourceforge.net; Tue, 14 Jan 2014 20:48:22 +0000 Received: from mail-c235.authsmtp.com (mail-c235.authsmtp.com [62.13.128.235]) by punt14.authsmtp.com (8.14.2/8.14.2) with ESMTP id s0EKmEVP022726; Tue, 14 Jan 2014 20:48:14 GMT Received: from petertodd.org (petertodd.org [174.129.28.249]) (authenticated bits=128) by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id s0EKm6P5030400 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Tue, 14 Jan 2014 20:48:09 GMT Date: Tue, 14 Jan 2014 15:48:06 -0500 From: Peter Todd <pete@petertodd.org> To: Jeremy Spilman <jeremy@taplink.co> Message-ID: <20140114204806.GA20546@petertodd.org> References: <op.w9kkxcityldrnw@laptop-air.hsd1.ca.comcast.net> <CABsx9T2G=yqSUGr0+Ju5-z9P++uS20AwLC+c3DnFMHtcQjQK6w@mail.gmail.com> <CAAS2fgTz0TaGhym_35V3N2-vHVzU9BeuV8q+QJjwh5bg77FEZg@mail.gmail.com> <20140113194049.GJ38964@giles.gnomon.org.uk> <CANAnSg30V01B_3LCJ09sTwcsYa4_WOg3sKd-=p6COZS6w0b-uA@mail.gmail.com> <52D4458C.6010909@gmail.com> <CAAS2fgTzVWUF_B_-1jkRs3WZ8Um_CcHeH7uFU0eLncgEqQ01HQ@mail.gmail.com> <19AE1549-16E0-4119-8BE9-8F4DFD3381C1@taplink.co> <20140114141908.GB29950@savin> <op.w9oybextyldrnw@laptop-air.hsd1.ca.comcast.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="BOKacYhQ+x31HxR3" Content-Disposition: inline In-Reply-To: <op.w9oybextyldrnw@laptop-air.hsd1.ca.comcast.net> User-Agent: Mutt/1.5.21 (2010-09-15) X-Server-Quench: 2dc56bab-7d5d-11e3-b802-002590a15da7 X-AuthReport-Spam: If SPAM / abuse - report it at: http://www.authsmtp.com/abuse X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVKBZePFsRUQkR aQdMdwYUElQaAgsB AmIbWVReVFV7WGM7 ag1VcwRfa1RMVxto VEFWR1pVCwQmQhx0 fUMYMhxydAVCeH4+ ZEFgV3YVXhApcEAv ExxJEjkDMXphaTUc TRJQdwFJcANIexZF O1F6ACIKLwdSbGoL NQ4vNDcwO3BTJTpY RgYVKF8UXXNDJSIx ThQeHX0GEUEfSj4o IgdO X-Authentic-SMTP: 61633532353630.1023:706 X-AuthFastPath: 0 (Was 255) X-AuthSMTP-Origin: 174.129.28.249/587 X-AuthVirus-Status: No virus detected - but ensure you scan with your own anti-virus system. X-Spam-Score: -1.5 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1W3AuL-00038P-C5 Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net> Subject: Re: [Bitcoin-development] Stealth Addresses X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: <bitcoin-development.lists.sourceforge.net> List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>, <mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe> List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development> List-Post: <mailto:bitcoin-development@lists.sourceforge.net> List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help> List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>, <mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe> X-List-Received-Date: Tue, 14 Jan 2014 20:48:22 -0000 --BOKacYhQ+x31HxR3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jan 14, 2014 at 11:12:40AM -0800, Jeremy Spilman wrote: > Maybe you are saying: >=20 > byte[] S =3D EC.DH(e, Q2); > byte[] q1New =3D EC.PointAdd(Q1, Util.SingleSHA256(S)); > byte[] q2New =3D EC.PointAdd(Q2, Util.SingleSHA256(S)); >=20 > But the payment would have (q2New - q1New) =3D=3D (Q2 - Q1), so I think > not entirely stealth? OK, let's fix that by adding a counter to the > hash function... Good catch, yeah, use the master shared secret to derive per-pubkey secrets. > byte[] S =3D EC.DH(e, Q2); > byte[] q1New =3D EC.PointAdd(Q1, Util.SingleSHA256(S || 1)); > byte[] q2New =3D EC.PointAdd(Q2, Util.SingleSHA256(S || 2)); > stealthTx.Vout.Add(TxOut.PayToMultiSig(Util.Amount(".995"), 2, 2, > q1New, q2New)); > stealthTx.Vout.Add(TxOut.OpReturn(P)); >=20 > This is assuming we want to put q2New somewhere into the > transaction, which, is it even required? >=20 > byte[] S =3D EC.DH(e, Q2); > byte[] q1New =3D EC.PointAdd(Q1, Util.SingleSHA256(S)); > stealthTx.Vout.Add(TxOut.PayToPubKeyHash(Util.Amount(".995"), q1New); > stealthTx.Vout.Add(TxOut.OpReturn(P)); Well like I said, you shouldn't force the txout to be exactly a 2-of-2 multisig - the recipient might be using a multi-factor wallet for instance. So, if I understand your code, what you want is the following: byte[] Q =3D <payee root pubkeys>; byte[] Q_Scan =3D <may or may not be provided in Q> int m =3D <# of pubkeys required to redeem>; byte[] S =3D EC.DH(e, Q_Scan); byte[] qDerived[]; for (int =3D 0; i < len(Q); i++){ qDerived[i] =3D EC.PointAdd(Q[i], Util.SingleSHA256(S || i)); } // Best to have a single canonical order re: anonymity set. qDerived =3D sorted(qDerived); if (len(Q) > 1){ stealthTx.Vout.Add(TxOut.PayToMultiSig(amount, m, len(Q), qDerived)); } else { stealthTx.Vout.Add(TxOut.PayToPubKeyHash(amount, qDerived[0]); } stealthTx.Vout.Add(TxOut.OpReturn(P)); Finally, it would probably be better if the multisig output was wrapped in a P2SH output to better match the behavior of other wallets for the sake of a bigger anonymity set - seems that stuff that is implementing multifactor wallets and escrow is using P2SH to do it rather than bare multisig. Also there's quite a bit of support for making bare multisig not IsStandard() to discourage data-storage applications. --=20 'peter'[:-1]@petertodd.org 00000000000000010c474cd4e25913535ec1c166b6d43fbdd9a5f2726711ced7 --BOKacYhQ+x31HxR3 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQEcBAEBCAAGBQJS1aKGAAoJEBmcgzuo5/CFfegIAKS4AB6/alcIhc18ALsjCC5A QXjJeJ+GHAfhbS6sn+e0cRveAi7/UccS++N6rurZS7c7/gwW1sm17wpU9MEu4/q7 Bprd/ZWExqMGfpz8wW8qPk9dgd/lk+GzhFj65YW+raXggXWdAcEfpYjS6gGzjSZP a7HG3SrcRMj+dOSV/POfAZrVRCHIZ00Ch5CxJ8ULqA+RU8juhpJTCdv54Fo5xojl EAUNNa8lfx4JEmB4napqkYsgr4o39ayp+fd2oEVaH5IUQpKqw37EOFVB6tUd/9f1 o0cPQnT678fs6HB02A4CsxCvOGM2lIDmQUca2ExPgNVD+4KWN+rxt0aVfPA/FMM= =7VUT -----END PGP SIGNATURE----- --BOKacYhQ+x31HxR3--