public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
* [Bitcoin-development] Bait for reusable addresses
@ 2014-01-16  1:23 Gregory Maxwell
  2014-01-24  9:02 ` Peter Todd
  0 siblings, 1 reply; 14+ messages in thread
From: Gregory Maxwell @ 2014-01-16  1:23 UTC (permalink / raw)
  To: Bitcoin Development

One challenge with reusable addresses is that while they result in a
small constant overhead for full nodes in searching for their own
transactions they create large overheads for SPV nodes.

One way to address this is for the SPV nodes to hand their servers
their blinding private key so that the server may test addresses on
their behalf. The primary problem with this is that it is
non-reputable:  If I show you a blinding private key and say a set of
transactions are related you will be utterly convinced of it, the
transactions really are related. This makes the privacy brittle.

It also has a downside of not being indexable for the server, the
server must do O(clients * reusable-address-txn) work and the work
includes an ECC multiply.

An idea that Adam Back had originally proposed was including optional
"bloom bait", a small token— say 8 bits— that distinguished
transactions which allowed an anonymity set vs filtering trade off.
Such a bait would be indexable, enabling faster lookup too.

But bloom bait has privacy problems more severe than the current SPV
bloom filtering. While you leak information to your SPV servers today
if you use bloom filtering the leak usually goes no further. So a
compromise requires both a statistical attack _and_ using SPV servers
that log data against your interest.  With bloom bait the whole
network can see the relation. That is unfortunate.

I suggest instead that with optional bait is included in an address
that the sender compute H(nonce-pubkey) and then pick one byte at
random out of the first 16 and xor it with the specified bait and
store the result in the transaction.  An SPV server can now index the
bait as it comes in by extracting 16 8-bit keys from each transaction
(the 16 bytes xored with the bait in the transaction).  When the
client wants to search for transactions it can give the server a list
of keys its interested in— including their real key and number of
random number of cover keys.

ObTechnicalWank:  This is a specific simple instance of a general
class of solutions which are related to locally decodable error
correcting codes: E.g. the transaction data represents a codeword in a
vector-space and the degree of freedom provided by the adjustable
prefix is used to ensure that codeword is never more than a certain
distance from a specified point.  The point isn't made public in the
transaction and it's hidden from the server by providing several
points.   There is still an information leak here— as if someone
believes a set of transactions are related they can intersect their
radiuses and test if the intersection is empty, and if it's not assume
that they found the secret bait— but it is substantially lower an
information leak than the prefix case.

I didn't give any though into the parameters 8-bits and 16 dimensions.
Some reasoning should be done to fix the parameters in order to make
them the most useful: e.g.

Systems derived from more complex linear codes might give better
performance, e.g. two secret bloom baits, two prefixes in the
transaction bait0^random_char[0-8], bait1^random_char[0-8],  server
extracts 16 keys.. and returns to the client transactions which have
at least two key matches with their list.

Obviously whatever is used needs to be easy to implement, but schemes
loosely based on fountain codes should only require picking some
things and xoring... so they should be simple enough.



^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Bitcoin-development] Bait for reusable addresses
  2014-01-16  1:23 [Bitcoin-development] Bait for reusable addresses Gregory Maxwell
@ 2014-01-24  9:02 ` Peter Todd
  2014-01-24 12:26   ` Mike Hearn
  0 siblings, 1 reply; 14+ messages in thread
From: Peter Todd @ 2014-01-24  9:02 UTC (permalink / raw)
  To: Gregory Maxwell; +Cc: Bitcoin Development

[-- Attachment #1: Type: text/plain, Size: 4195 bytes --]

On Wed, Jan 15, 2014 at 05:23:04PM -0800, Gregory Maxwell wrote:
> It also has a downside of not being indexable for the server, the
> server must do O(clients * reusable-address-txn) work and the work
> includes an ECC multiply.
> 
> An idea that Adam Back had originally proposed was including optional
> "bloom bait", a small token— say 8 bits— that distinguished
> transactions which allowed an anonymity set vs filtering trade off.
> Such a bait would be indexable, enabling faster lookup too.
> 
> But bloom bait has privacy problems more severe than the current SPV
> bloom filtering. While you leak information to your SPV servers today
> if you use bloom filtering the leak usually goes no further. So a
> compromise requires both a statistical attack _and_ using SPV servers
> that log data against your interest.  With bloom bait the whole
> network can see the relation. That is unfortunate.

Yes, but remember I proposed prefixing in my blockchain data query paper
because it's a trade-off between theoretical good privacy and
brittleness. The real world experience is that users, or to be exact
wallet authors, turn down SPV privacy parameters until bloom filters
have almost no privacy in exchange for little bandwidth usage. (though
load on the server is unchanged of course)

The brittleness comes in because the moment you connect to a malicious,
data-collecting peer, the contents of your wallet are all revealed.
Frankly that'd be a disaster for CoinJoin too, and I think it'd be a
bigger disaster than the poor specificity patterns leaked by prefix
usage. If anyone wants to deanonymize CoinJoin there will be a lot of
incentives to do so, and you only need wallet content data to do that.

> I suggest instead that with optional bait is included in an address
> that the sender compute H(nonce-pubkey) and then pick one byte at
> random out of the first 16 and xor it with the specified bait and
> store the result in the transaction.  An SPV server can now index the
> bait as it comes in by extracting 16 8-bit keys from each transaction
> (the 16 bytes xored with the bait in the transaction).  When the
> client wants to search for transactions it can give the server a list
> of keys its interested in— including their real key and number of
> random number of cover keys.
> 
> I didn't give any though into the parameters 8-bits and 16 dimensions.
> Some reasoning should be done to fix the parameters in order to make
> them the most useful: e.g.
> 
> Systems derived from more complex linear codes might give better
> performance, e.g. two secret bloom baits, two prefixes in the
> transaction bait0^random_char[0-8], bait1^random_char[0-8],  server
> extracts 16 keys.. and returns to the client transactions which have
> at least two key matches with their list.
> 
> Obviously whatever is used needs to be easy to implement, but schemes
> loosely based on fountain codes should only require picking some
> things and xoring... so they should be simple enough.

Well, that's the big question: How much extra data do we need and what's
the chance that this will get turned into miner-committed indexes? Or
even just provided at all? We keep on saying that miner-commitments may
next happen at all because of performance issues, and adding n extra
indexes doesn't exactly help that situation. I really suspect that the
moment that gets implemented we'll see wallet software use that for
simple security reasons, so plan ahead for that.

In the short term without miner-commitments it's just a question of how
much extra load we subject servers to. Again, getting people to even
implement prefixes isn't a trivial argument to make, yet bloom has some
serious scalability problems. (though does do roughly what you're
proposing)

In any case, your "bait" proposal is stealth address specific - how
would you propose applying the same principle to all addresses? Again,
it's a tradeoff between brittleness - connecting to a malicious peer
reveals your wallet - and blockchain stats data.

-- 
'peter'[:-1]@petertodd.org
0000000000000001315c71472fdce344f85f794a7135e25554f2b51dfa6b83c4

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 685 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Bitcoin-development] Bait for reusable addresses
  2014-01-24  9:02 ` Peter Todd
@ 2014-01-24 12:26   ` Mike Hearn
  2014-01-24 15:26     ` Peter Todd
  2014-01-24 15:42     ` Adam Back
  0 siblings, 2 replies; 14+ messages in thread
From: Mike Hearn @ 2014-01-24 12:26 UTC (permalink / raw)
  To: Peter Todd; +Cc: Bitcoin Development

[-- Attachment #1: Type: text/plain, Size: 440 bytes --]

>
> brittleness. The real world experience is that users, or to be exact
> wallet authors, turn down SPV privacy parameters until bloom filters
> have almost no privacy in exchange for little bandwidth usage.


That's not fundamental though, it just reflects that the only
implementation of this is used on a wide range of devices and doesn't yet
have any notion of bandwidth modes or monitoring. It can and will be
resolved at some point.

[-- Attachment #2: Type: text/html, Size: 678 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Bitcoin-development] Bait for reusable addresses
  2014-01-24 12:26   ` Mike Hearn
@ 2014-01-24 15:26     ` Peter Todd
  2014-01-24 21:58       ` Jeremy Spilman
  2014-01-24 15:42     ` Adam Back
  1 sibling, 1 reply; 14+ messages in thread
From: Peter Todd @ 2014-01-24 15:26 UTC (permalink / raw)
  To: Mike Hearn; +Cc: Bitcoin Development

[-- Attachment #1: Type: text/plain, Size: 1055 bytes --]

On Fri, Jan 24, 2014 at 12:26:19PM +0000, Mike Hearn wrote:
> >
> > brittleness. The real world experience is that users, or to be exact
> > wallet authors, turn down SPV privacy parameters until bloom filters
> > have almost no privacy in exchange for little bandwidth usage.
> 
> 
> That's not fundamental though, it just reflects that the only
> implementation of this is used on a wide range of devices and doesn't yet
> have any notion of bandwidth modes or monitoring. It can and will be
> resolved at some point.

Resolved for some users, not for all. The underlying trade-off will
always be there; less bandwidth makes it harder, more addresses to check
makes it harder; an HD wallet used properly without re-using addresses
will quickly lead to a fairly full bloom filter unless addresses are
expired, and expiration leads to scenarios where funds can be lost.

I think we need to provide users with better options than that.

-- 
'peter'[:-1]@petertodd.org
000000000000000064ddd387d7548c97c4d42f4df1008d180f306c59e0440f4f

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Bitcoin-development] Bait for reusable addresses
  2014-01-24 12:26   ` Mike Hearn
  2014-01-24 15:26     ` Peter Todd
@ 2014-01-24 15:42     ` Adam Back
  2014-01-24 16:13       ` Peter Todd
  1 sibling, 1 reply; 14+ messages in thread
From: Adam Back @ 2014-01-24 15:42 UTC (permalink / raw)
  To: Mike Hearn; +Cc: Bitcoin Development

I think prefix has analysis side effects.  There are (at least) 4 things
that link payments: the graph of payment flows, timing, precise amounts, IP
addresses, but with prefix a 5th: the prefix allows public elmination of
candidates connections, I think that may make network flow analysis even
more effective than it has been.

So SPV can be tuned as Mike just said, and as Greg pointed out somewhere
bloom is more private than prefix because its a wallet to node connection,
not a node broadcast, and Mike mentioned embedded Tor in another post to
boost node-capture issues with hostile network.

So reusable addresses are cool for full node recipients (0-bit prefix) or
trusted server offload (your own desktop, VPS, or trusted service provider
node, and solve real problems for the use case of static and donation
addresses particularly with this second delegatable key for no-funds at risk
search (which is even good as Jeremey said for your own node, in a offline
wallet use case).

Now while it would be clearly a very nice win if reusable addresses could be
made SPV-like in network characteristics and privacy, but we dont have a
plausible mechanism yet IMO.  Close as we got was Greg's enhancement of
my/your "bloom bait"/"prefix" concept to make multiple candidate baits to
provide some ambiguity (still allows elimination, just slightly less of it).

If we can find some efficient crypto to solve that last one, we could even
adopt them generally if it was efficient enough without needing interactive
one-use address release.

Maybe we should ask some math/theoretical crypto people if there is anything
like public key watermarking or something that could solve this problem
efficiently.

For the related but different case of transaction level authenticity I like
Alan's server derived but communicated scalar & base to allow the client to
do at least TOFU.

Payment protocol may add another level of identity framework on top of TOFU
addresses (at a lower level than the payment messages defined now), and
without then needing a batch upload of offline signed secondary address
sigature that Mike described a while back, at least in person, maybe online
somewhere (an add on with similar purpose and effect to Alan's TOFU, but
then with revocation, identity and certification for merchants).

I have not talked about payment protocols main app level function I think we
all understand and agree on the purpose and use of the server and optional
client certs in that.  People may wish to add other cert types later (eg
PGP, SSH etc) but this version covers the common merchant tech, and allows
client-side certs to be experimented with for identity also (eg imagine as a
way to enrol with regulated entities like exchanges.)

Tell me if I am misunderstanding anything :)

Adam

On Fri, Jan 24, 2014 at 12:26:19PM +0000, Mike Hearn wrote:
>     brittleness. The real world experience is that users, or to be exact
>     wallet authors, turn down SPV privacy parameters until bloom filters
>     have almost no privacy in exchange for little bandwidth usage.
>
>   That's not fundamental though, it just reflects that the only
>   implementation of this is used on a wide range of devices and doesn't
>   yet have any notion of bandwidth modes or monitoring. It can and will
>   be resolved at some point.Â



^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Bitcoin-development] Bait for reusable addresses
  2014-01-24 15:42     ` Adam Back
@ 2014-01-24 16:13       ` Peter Todd
  2014-01-25 16:19         ` [Bitcoin-development] (space) efficient reusable addr via weil pairing IBE (Re: Bait for reusable addresses) Adam Back
  0 siblings, 1 reply; 14+ messages in thread
From: Peter Todd @ 2014-01-24 16:13 UTC (permalink / raw)
  To: Adam Back; +Cc: Bitcoin Development

[-- Attachment #1: Type: text/plain, Size: 5508 bytes --]

On Fri, Jan 24, 2014 at 04:42:35PM +0100, Adam Back wrote:
> I think prefix has analysis side effects.  There are (at least) 4 things
> that link payments: the graph of payment flows, timing, precise amounts, IP
> addresses, but with prefix a 5th: the prefix allows public elmination of
> candidates connections, I think that may make network flow analysis even
> more effective than it has been.

You know, we've made this discussion rather confusing because we're
using the term "prefix" for both prefix filters - which are equivalent
to bloom filters but with better scalability - and the act of forcing a
scriptPubKey to match some given prefix. I suggest we call the latter
concept 'wallet clustering' as it can just as easily be applied to bloom
filters, as well as Gregory Maxwell's candidate bait scheme, and for
that matter, prefix filters with a tweak option, e.g. H(scriptPubKey |
nTweak)

So yeah, clustering schemes make network flow analysis easier if the
attacker only has blockchain data to work from. But they can also make
network flow analysis significantly harder for attackers that have query
logs from attackers running nodes, and as we know sybiling the network
to get query logs is very easy. I'd rather develop systems that don't
fail catastrophically against sybil attack.

> So SPV can be tuned as Mike just said, and as Greg pointed out somewhere
> bloom is more private than prefix because its a wallet to node connection,
> not a node broadcast, and Mike mentioned embedded Tor in another post to
> boost node-capture issues with hostile network.

The hostile network is likely to have a significant percentage of
hostile, query-logging nodes. For one thing, running nodes is expensive
and would be even more so in a blocksize limit raising scenario, and a
easy way to pay those costs is by selling query data.

> So reusable addresses are cool for full node recipients (0-bit prefix) or
> trusted server offload (your own desktop, VPS, or trusted service provider
> node, and solve real problems for the use case of static and donation
> addresses particularly with this second delegatable key for no-funds at risk
> search (which is even good as Jeremey said for your own node, in a offline
> wallet use case).

Sure, in some cases you can use zero-length prefixes with trusted nodes;
not many users have access to such nodes.

> Now while it would be clearly a very nice win if reusable addresses could be
> made SPV-like in network characteristics and privacy, but we dont have a
> plausible mechanism yet IMO.  Close as we got was Greg's enhancement of
> my/your "bloom bait"/"prefix" concept to make multiple candidate baits to
> provide some ambiguity (still allows elimination, just slightly less of it).
> 
> If we can find some efficient crypto to solve that last one, we could even
> adopt them generally if it was efficient enough without needing interactive
> one-use address release.

Conversely, it'd be interesting if someone can dig up a proof showing
that doing much better than Gregory's ambiguity tradeoff is impossible.
My gut feeling is that it is, especially if you take into account the
desire for scalability - if we're to make the blocksize bigger assuming
all nodes have all data for every block just isn't going to happen.

> Maybe we should ask some math/theoretical crypto people if there is anything
> like public key watermarking or something that could solve this problem
> efficiently.

Yes, and I think such schemes should be pursued. But in the near-term
what can we offer users?

Remember that making stealth addresses and similar clustering-using
schemes capable of backward compatible upgrades isn't hard; if the
crypto is found later it can be adopted.

What is harder is that people want miners to commit to various types of
indexes - changing those indexes would require a soft-fork and there's
much pressure for those indexes to have very good performance
properties.

> For the related but different case of transaction level authenticity I like
> Alan's server derived but communicated scalar & base to allow the client to
> do at least TOFU.
> 
> Payment protocol may add another level of identity framework on top of TOFU
> addresses (at a lower level than the payment messages defined now), and
> without then needing a batch upload of offline signed secondary address
> sigature that Mike described a while back, at least in person, maybe online
> somewhere (an add on with similar purpose and effect to Alan's TOFU, but
> then with revocation, identity and certification for merchants).

Note how well the OpenPGP + bitcoin address UID ideas I and others have
been talking about meshes with TOFU: the logic for "Do I trust this
address to send money?" and "Do I trust this PGP key to send more
encrypted mail/verify signatures?" is just different questions about the
same human identity, so combining the two is synergistic. For instance I
might want to communicate securely with a friend via email and also send
funds to them securely.

An interesting nuance is ideally that UID can be used for more than just
a single address type, e.g. BIP32 derivation chains can the same root
pubkeys as stealth addresses. Though I don't know if the added
complexity is worthwhile vs. just adding another UID for the BIP32
derivation case.

-- 
'peter'[:-1]@petertodd.org
0000000000000001a2aeb2101283cb4e35d4a038b38a72a21af5092d8d8c9d2e

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Bitcoin-development] Bait for reusable addresses
  2014-01-24 15:26     ` Peter Todd
@ 2014-01-24 21:58       ` Jeremy Spilman
  2014-01-24 23:15         ` Mike Hearn
  0 siblings, 1 reply; 14+ messages in thread
From: Jeremy Spilman @ 2014-01-24 21:58 UTC (permalink / raw)
  To: Peter Todd; +Cc: Bitcoin Development

> 
> 
> 
> I think we need to provide users with better options than that.
> 

Perfect privacy without extraordinary computational overhead today means downloading everything. But we could provide better tools to *shift* bandwidth requirements rather than try to reduce them. 

I've been thinking about a setup where user runs a UTXO only, and maybe even outbound-connect only (like bitcoinj), full node at home. Then using Tor, mostly for tunneling, they host a hidden service they can connect back to from their smartphone to see balances, manage receive addresses, send funds, etc.

The smartphone is not doing SPV, it's like a web client for the wallet running at home. The initial connection between the smartphone and home wallet has the phone learn two codes, one is the hidden service name, another is an access token which is revocable. You may require further authentication from that point. 

With fast bootstrapping / checkpointing of the UTXO I think usability could be as good as SPV, and you would get push-notification of relevant transactions with zero privacy trade-off.

I wonder if people would want to run such an app, if they would run it on their desktop, a dedicated machine, or an old smartphone or other cheap ARM device.



^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Bitcoin-development] Bait for reusable addresses
  2014-01-24 21:58       ` Jeremy Spilman
@ 2014-01-24 23:15         ` Mike Hearn
  0 siblings, 0 replies; 14+ messages in thread
From: Mike Hearn @ 2014-01-24 23:15 UTC (permalink / raw)
  To: Jeremy Spilman; +Cc: Bitcoin Development

[-- Attachment #1: Type: text/plain, Size: 1861 bytes --]

I've thought about [ab]using Tor as a STUN replacement before, but the
issue is a lot of people don't have computers that are switched on all the
time anymore except for their smartphones, which are too weak to calculate
the UTXO set. The trend has been for a while towards laptops, phones and
tablets, all of which are relatively weak.

I think there might be a market for a one-click "bring up an amazon VPS,
sync a full node and make it accessible only to me" type service though!



On Fri, Jan 24, 2014 at 10:58 PM, Jeremy Spilman <jeremy@taplink.co> wrote:

> >
> >
> >
> > I think we need to provide users with better options than that.
> >
>
> Perfect privacy without extraordinary computational overhead today means
> downloading everything. But we could provide better tools to *shift*
> bandwidth requirements rather than try to reduce them.
>
> I've been thinking about a setup where user runs a UTXO only, and maybe
> even outbound-connect only (like bitcoinj), full node at home. Then using
> Tor, mostly for tunneling, they host a hidden service they can connect back
> to from their smartphone to see balances, manage receive addresses, send
> funds, etc.
>
> The smartphone is not doing SPV, it's like a web client for the wallet
> running at home. The initial connection between the smartphone and home
> wallet has the phone learn two codes, one is the hidden service name,
> another is an access token which is revocable. You may require further
> authentication from that point.
>
> With fast bootstrapping / checkpointing of the UTXO I think usability
> could be as good as SPV, and you would get push-notification of relevant
> transactions with zero privacy trade-off.
>
> I wonder if people would want to run such an app, if they would run it on
> their desktop, a dedicated machine, or an old smartphone or other cheap ARM
> device.
>

[-- Attachment #2: Type: text/html, Size: 2287 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* [Bitcoin-development] (space) efficient reusable addr via weil pairing IBE (Re: Bait for reusable addresses)
  2014-01-24 16:13       ` Peter Todd
@ 2014-01-25 16:19         ` Adam Back
  2014-02-02  2:36           ` Peter Todd
  0 siblings, 1 reply; 14+ messages in thread
From: Adam Back @ 2014-01-25 16:19 UTC (permalink / raw)
  To: Peter Todd; +Cc: Bitcoin Development

I think I figured out a proof of existance for a space efficient way to do
better than bloom filters/prefix/bloom-bait.  (Must have been dreaming on it
as I woke up with the idea following Peter's suggestion to try prove instead
if its possible or not:).

I wrote up the details here:

https://bitcointalk.org/index.php?topic=431756.new

In summary with a use of novel application of IBE (*) based on weil-pairing
so the recipient can send a delegation private key that is specific to the
block being queried.  It means the node that services the query has no
ability to correlate with queries in other blocks from the some user.  The
sender derives a pub=IBE-extract(master-pub, id=previous block hash).  The
above link has more explanation, links and costs/risks.

I think it maybe within possibility to do further than this because it is
not technically necessary to delegate decryption, only to delegate
filtering, which can be a simpler requirement so there remains perhaps
(speculatively) a possibility to do it without introducing weil pairing
hardness problem or using eg I mentioned public key steganography or
something like that if there is anything similarly efficient but with more
widely used hardness assumptions.

Adam

(*) analogous to the way IBE is used as a building block for Non-Interactive
Forward Secrecy (NIFS)

On Fri, Jan 24, 2014 at 11:13:30AM -0500, Peter Todd wrote:
>On Fri, Jan 24, 2014 at 04:42:35PM +0100, Adam Back wrote:
>> Now while it would be clearly a very nice win if reusable addresses could
>> be made SPV-like in network characteristics and privacy, but we dont have
>> a plausible mechanism yet IMO.  [...]
>>
>> If we can find some efficient crypto to solve that last one, we could even
>> adopt them generally if it was efficient enough without needing interactive
>> one-use address release.
>
>Conversely, it'd be interesting if someone can dig up a proof showing
>that doing much better than Gregory's ambiguity tradeoff is impossible.




^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Bitcoin-development] (space) efficient reusable addr via weil pairing IBE (Re: Bait for reusable addresses)
  2014-01-25 16:19         ` [Bitcoin-development] (space) efficient reusable addr via weil pairing IBE (Re: Bait for reusable addresses) Adam Back
@ 2014-02-02  2:36           ` Peter Todd
  2014-02-02  9:16             ` Jeremy Spilman
  2014-02-02 11:55             ` Peter Todd
  0 siblings, 2 replies; 14+ messages in thread
From: Peter Todd @ 2014-02-02  2:36 UTC (permalink / raw)
  To: Adam Back; +Cc: Bitcoin Development

[-- Attachment #1: Type: text/plain, Size: 9939 bytes --]

On Sat, Jan 25, 2014 at 05:19:01PM +0100, Adam Back wrote:
> I think I figured out a proof of existance for a space efficient way to do
> better than bloom filters/prefix/bloom-bait.  (Must have been dreaming on it
> as I woke up with the idea following Peter's suggestion to try prove instead
> if its possible or not:).
> 
> I wrote up the details here:
> 
> https://bitcointalk.org/index.php?topic=431756.new

One of the main reasons I post to the bitcoin-development mailing list
rather than the forum is because the mailing list is archived by many
different, independent, parties. The forum is not - as an example
archive.org didn't have that URL until I manually told it to archive it.

So I'm taking the liberty of reposting your two posts there below:

[quote author=adam3us link=topic=431756.msg4729682#msg4729682
date=1390660452]
So have been talking with Greg Maxwell, Peter Todd, Jeremy Spillman,
Mike Hearn, Bytecoin and others about reusable addresses.

There is a summary of the situation here
http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03792.html
and I had posed th question of whether it was possible to do better at
all with Peter Todd:

[quote author=adam3us on bitcoin-dev]
Now while it would be clearly a very nice win if reusable addresses
could be  made SPV-like in network characteristics and privacy, but we
dont have a plausible mechanism yet IMO.  Close as we got was Greg's
enhancement of my/your "bloom bait"/"prefix" concept to make multiple
candidate baits to provide some ambiguity (still allows elimination,
just slightly less of it).

If we can find some efficient crypto to solve that last one, we could
even adopt them generally if it was efficient enough without needing
interactive one-use address release
[/quote]

and Peter proposed also the related problem of proving something about
that existence or not of a solution to that problem.

I think I have a proof-of-concept solution that proves by example we can
do better in space efficiency, linkability defense and non-interactivity
than my bloom bait, Peter Todds related prefix; and Greg Maxwell's
extended bloom bait described
http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03705.html.

So the idea is to use an IBE scheme as a building block in analogous way
to my 1996 problem statement for NIFS and 1998 observation that a novel
use for an IBE scheme can provide a generic solution to NIFS, and the
arrival in 2001 of the first efficient / sensible trapdoor steepness (*)
IBE with the introduction of the Weil Pairing problem by Dan Boneh and
Matt Franklin described here
http://en.wikipedia.org/wiki/Boneh%E2%80%93Franklin_scheme.

Greg summarized IBE as follows on IRC:

[quote]
(for those who may) not be familar with IBE stuff: The idea is that the
user has a master private key, which results in a master public key.
Anyone can take a prior block hash and combine it with the master public
key to get a session pubkey which could be used to encrypt a chaincode
included in an OP_RETURN.   Using the master private key the user can
derrive the session private key, which can then be used to recognize
transactions using the same session key.

In IBE (identity based encryption) this is all used a bit differently:
the master keys are held by a CA, and the session ID is your email
address, and now anyone can make a public key for you— but you need the
CA's help to get your private key)
[/quote]

Basically as Greg said your public key is your address (an email
address, a block hash, whatever is convenient and unique) and from that
and the master public key of the IBE server, the server can compute a
private key corresponding to that.  The master public is usually
considered to be a system-wide domain parameter.   Naturally enough
because a side effect of this is that the IBE server can decrypt
everyones email people were never too excited about the prospect.

However my 1998 NIFS observation is by acting as your own IBE server
(each user creates their own master public server key) they can create a
sequence (NIFS) or set (bitcoin reusable address) of public keys with
interesting and publicly derivable properties!

It is my conclusion from 1996 that to solve this with DL directly at
least in the NIFS case appears to be not possible.


So basically the reusable address becomes an IBE public key, the
existing public derivation via DH or EC Elgamal/ECIES or whatever
variant (bytecoins, mine, Peter Todd/Amir Taaki's) arrives at a factor
that can be recovered.  So with my variant (random sender generated
multiplication factor encrypted with ECIES) you could encrypt the factor
with a pub=IBE-extract(master pub, id=previous block hash) using the
previous block hash as the "identity" and the users own self-owned IBE
"server".

For Bytecoin & Peter Todd/Amir Taaki EC DH version using input or
auxilliary addresses to save space its not even necessary to send the
factor, its already sent.  So then you send a separate message to do
with secure delegatable filtering, a more secure/more space efficient
bloom filter/prefix replacement, and this is a more flexible structure.

So the secure delegatable filter is you separately add an encrypted
bloom bait Greg suggested (eg 1byte prefix communicated with public
address.)  And you can even combine that with Greg's extended bloom bait
above to add anonymity set within the block.

Consequently you can now securely and very network/space efficiently
securely delegate searching a block by computing the private key for the
IBE pub key that any sender would use for that block, and sending it as
a query to a random (or node-capture defended random selected node).
The node can decrypt the encrypted bloom baits with it, but remains
powerless to correlate with bloom baits to other payments received by
the same user in bother blocks.

(In practice you might need an epoch not block or overlapping test
because the user does not have full assurance of their tx ending up in
the pending block).

About weil pairing, and new hardness crypto risk, this is also the
hardness assumption under some ZK-SNARKs as I think used in zerocash,
and while ZK-SNARK introduces its own complexity/crypto system risk on
top; in my view weil pairing is slightly lower assurance/review not so
widely used relative to EC DL problem.  Anyway the interesting thing to
say about that is in the event this scheme got broken in the future it
falls back to the scheme that is being proposed using prefix.  Ie its no
worse than that from linkability and likely would retain some cost even
if broken-- asymmetric crypto breaks are usually somewhat gradual.

This looks more expensive and non-indexable though I didnt look to see
if there is any ciphertext only or batch precomputation that could be
squeezed out of it.

Obviously its more CPU intensive and some eg fee mechanism to prevent
node DoS could be nice, but it seems to demonstrate a proof by existence
that it is possible to do better.


Finally I think it maybe within possibility to do further than this
because it is not technically necessary to delegate decryption, only to
delegate filtering, which can be a simpler requirement.

Adam

(*) There was an earlier scheme by Maurer et al if I recall, but to get
a 1024-bit security margin you had to perform a discrete log attack on a
512-bit prime, so the key generation cost was immense, hence "sensible
trapdoor steepness" thats very shallow in tems of work difference
between setup cost and crypto system strength.
[/quote]

------

[quote author=adam3us link=topic=431756.msg4732503#msg4732503
date=1390669542]
[quote author=Mike Hearn link=topic=431756.msg4730986#msg4730986
date=1390664867]
You would need epochs for another reason. Recall that with Bloom
filtering the remote node is asked for blocks in batches of 500 at a
time and the remote end handles updating the filter as transactions are
matched. This is to avoid the performance hit of a network round-trip
for every block.
[/quote]

I see I dont think I realized that aspect of how bloom query works.  So
you then with IBE-based filtering could send multiple keys, one for each
block; but you are implicitly linked by being in one query, so you'd
just as well mark your key with your preferred epoch size and sender
uses epoch number in the query.

I think Greg is pointing out on IRC that by having a fairly small epoch
you can choose later to go down to that epoch size or scale up by
sending multiple epoch keys in a batch, a privacy/network round-trip
trade off.

Re my other problem with epochs ("In practice you might need an epoch
not block or overlapping test because the user does not have full
assurance of their tx ending up in the pending block") I think that
maybe fixable, if the blocknumber is chosen by the sender, and
communicated in enough bits to be mostly unambiguous in the message.
Then the node can index them by sen block num and no ambiguity.

It could be that another way to partly obscure ownership of queries
would be to relay queries and responses and mix other peoples queries
with your own in a batch, however as we are considering the SPV client
case relaying other peoples queries seems hard to gather query traffic
on demand and to use more bandwidth than it saves relative just issuing
smaller batches.

You could have relaying in the network eg using the embedded Tor but
waiting for queries to mix with adds latency, and suffers flood attacks
on mix-nets (send fake encrypted query traffic to flush out a tx, that
has no-anon set vs the person doing the flooding who can distinguish
their own queries).

Adam

[/quote]

-- 
'peter'[:-1]@petertodd.org
000000000000000075829f6169c79d7d5aaa20bfa8da6e9edb2393c4f8662ba0

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 685 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Bitcoin-development] (space) efficient reusable addr via weil pairing IBE (Re: Bait for reusable addresses)
  2014-02-02  2:36           ` Peter Todd
@ 2014-02-02  9:16             ` Jeremy Spilman
  2014-02-02 12:26               ` Peter Todd
  2014-02-02 11:55             ` Peter Todd
  1 sibling, 1 reply; 14+ messages in thread
From: Jeremy Spilman @ 2014-02-02  9:16 UTC (permalink / raw)
  To: Adam Back, Peter Todd; +Cc: Bitcoin Development

>
> Consequently you can now securely and very network/space efficiently
> securely delegate searching a block by computing the private key for the
> IBE pub key that any sender would use for that block, and sending it as
> a query to a random (or node-capture defended random selected node).
> The node can decrypt the encrypted bloom baits with it, but remains
> powerless to correlate with bloom baits to other payments received by
> the same user in bother blocks.
>

I'm not sure I've fully wrapped my head around it.

   d/Q        - Identity key
   E          - Generate an epoch-pubkey: E = Q * H1(epoch)
   r/P        - Ephemeral privkey/pubkey, or discoverable from inputs
   S = r * K  - Shared secret (ECDE)

Payer derives an encryption key H(S), and encrypts M, which is a 1 byte  
bloom bait.

For each epoch, payee generates e = d * H1(epoch) and provides the key to  
a full node for monitoring. So you are providing a per-block or per-epoch  
private key, along with the block ID or epoch ID that the key corresponds  
to.

The full node then uses this privkey to decrypt the same byte in all the  
transactions in that epoch/block which match the expected layout/template,  
e.g. given a certain length OP_RETURN, pull the specific byte and decrypt.

This decrypted byte is then in turn used as bloom bait which may or may  
not cause the transaction to be sent back to the SPV client.

Am I right in saying the full node has no idea if decryption is  
'succeeding' it just feeds the resultant bait into the bloom filter and  
the transaction may match or not? So we do get some level of repudiation  
by the SPV client -- the server doesn't know exactly which transactions  
belong to the SPV client.

The bloom bait specified in the reusable address is still making the  
bandwidth/privacy trade-off, it just doesn't become public information,  
because it's protected by another factor?

What encryption scheme is being used here?

-=-=-=-==

Another approach (inspired by IBE) which narrows the discoverability of  
transactions to the nodes that your SPV client is actually communicating  
with, for the specific blocks/epochs that you specify, would be to use  
PEKS.

PEKS(Q, W) for a public key Q and a keyword W produces a searchable  
encryption of the word W.

The payee holding 'd' (privkey for Q) can create a trapdoor which allows a  
server to search for transactions with W, where the searching party only  
knows if a match is found or not.

Payer:

   d/Q   - Longstanding / identity privkey/pubkey
   r/P   - Ephemeral privkey/pubkey, or discoverable from inputs
   W     - Searchable Keyword
   H1    - Hash function, {0, 1} ∗ → G1
   H2    - Hash function, G2 → {0, 1}p

Secret, as usual per ECDH:

   S = r * Q

For payer to create the searchable encryption of W for Q, called 'Sw':

   Sw = H2(e(H1(W), S))
   OP_RETURN P, Sw

For payee to search for a given 'W', payee calculates a trapdoor 'Tw':

   Tw = d * H1(W)

For a searcher, given a Trapdoor (Tw), check each Transaction (P, Sw):

   H2(e(Tw, P)) ==? Sw
   If the values match, the keyword matches

Without getting into the concepts of e(g,g) and binomial pairing, I think  
of it this way:

   Sw = H2(r * Q * H1(W)), but recall: rQ == dP, so...
      = H2(d * P * H1(W)), which can be written
      = H2(d * H1(W) * P)

Severs finds all transactions with 'P' on relevant parts of the  
blockchain, multiplies by the provided trapdoor 'Tw', applies 'H2', and  
checks for a matching 'Sw' in the transaction;

   Tw = d * H1(W)
   Sw = H2(Tw * P)
        H2(d * H1(W) * P)

PEKS is vulnerable to an offline keyword guessing attack, where you can  
discover the value of the keyword being searched, if the keyword is low  
entropy. The server/attacker can figure out the value of W, but they can't  
generate their own trapdoors to search for other keywords.

But in this case, the 'keyword' can simply be the block ID / epoch ID  
itself, not a secret value at all. In other words, the server can only  
search for your transactions within the blocks/epochs that you specify.

Using blockID/epochID as W, this would allow a server to find all  
transactions belonging to the payer for that blockID / epochID. The SPV  
client would simply provide the trapdoor for each block/epoch to be  
searched.

There are extensions to PEKS which provide for 'fuzzy' matching but they  
are 'fuzzy' within the scope of Q, not across different Q, so that doesn't  
help provide any repudiation. So I see this as only slightly improving  
Peter's original proposal of providing 'Q' to the searcher, but if you  
want repudiation, not as good as Adam's solution.

Perfunctory disclaimer... Hopefully this is close to correct, but please  
don't anyone actually try to implement this!

Thanks,
Jeremy




^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Bitcoin-development] (space) efficient reusable addr via weil pairing IBE (Re: Bait for reusable addresses)
  2014-02-02  2:36           ` Peter Todd
  2014-02-02  9:16             ` Jeremy Spilman
@ 2014-02-02 11:55             ` Peter Todd
  1 sibling, 0 replies; 14+ messages in thread
From: Peter Todd @ 2014-02-02 11:55 UTC (permalink / raw)
  To: Adam Back; +Cc: Bitcoin Development

[-- Attachment #1: Type: text/plain, Size: 4296 bytes --]

> On Sat, Jan 25, 2014 at 05:19:01PM +0100, Adam Back wrote:
> [quote author=adam3us link=topic=431756.msg4729682#msg4729682
> date=1390660452]
> So have been talking with Greg Maxwell, Peter Todd, Jeremy Spillman,
> Mike Hearn, Bytecoin and others about reusable addresses.
> 
> There is a summary of the situation here
> http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03792.html
> and I had posed th question of whether it was possible to do better at
> all with Peter Todd:

You're explanation is a bit long-winded, so I'll start with a simplified
ECC-based version first and later explain how identity-based encryption
applies to the problem; I have a feeling not many non-crypt-experts
spent the time to figure out what you're talking about; do check if what
I've written below is correct:

So Alice wants to pay Bob, who is bandwidth constrained and frequently
offline. Meanwhile Ivan has a full node, but can't really be trusted.
Meanwhile Eve is busy trying to piece together everyones' financial
details.

Bob publicly publishes three pubkeys, Filter, Recover, and Spend, along
with a short n-bit prefix p. When Alice needs to pay Bob she creates a
ephemeral keypair and uses ECDH *two* shared secrets, n_f and n_r, from
Bob's Filter and Recover pubkeys respectively. She makes a transaction
that pays Bob by deriving pubkey Spend_{n_f} from the Spend and n_r
nonce.  She also uses the Filter nonce and the prefix to derive a
encrypted prefix p'=n_f^p and puts that prefix and the cleartext
ephemeral pubkey in the transaction as data.

When Bob wants to find that transaction he gives the prefix and Filter
secret key to Ivan, who then scans the blockchain. For every transaction
he computes n_f=ECDH(Filter_sec, Ephm_pub), extracts the encrypted
prefix p' from the transaction, and checks if p'=n_f^p If so he gives
that transaction to Bob who can then use his Recover secret key to check
if the transaction was in fact for him. (note how the prefix can
actually always be simply a given length of zeros)

Because Bob's prefix is short Ivan only learns probabalistic information
about what transactions might be Bob's. Eve doesn't know the Filter
secret key, and thus learns nothing at all from the blockchain data. On
the other hand after getting the key once Ivan can forever after get
that probability information about what transactions might be Bob's.

What we'd really like is for there to be some way for Alice to derive a
time-limited Filter pubkey from some public random beacon with value
R_i, such as the Bitcoin blockchain, such that each defined time
interval uses a different key. Bob would then only give Ivan the secret
key(s) for the time interval(s) in question.

Unfortunately ECDSA doesn't have a way to do this. The closest thing
available is BIP32-style key derivation, however it has the property
that given a derived secret key and known master pubkey the master
secret key can be derived. Thus Ivan can simply try every public Filter
key/epoch tweak he knows about until he finds Q,d' st. (d+d')G=Q+d'G
From that he can recover d, reducing the security to where we started.
(or put another way, Ivan can store every (d+d') secret key he is asked
to search with, and test it against every public key he learns about
later)

Identity-based cryptograhy however can do that. Bob publishes a (single)
master public key, and anyone can derive public keys based on that
master key and the random beacon value R_i. Bob can then derive the
corresponding secret key, but unlike with ECDSA, that secret key *can't*
be used to derive the master private key. Having said that, it can of
course be linked to that key, so every query that Bob makes gives Ivan
some knowledge about what transactions might be in Bob's wallet.

Problem is, who the hell has a production-ready Weil pairing library
kicking around? (is this read? http://crypto.stanford.edu/pbc/) Also,
Weil pairing is not yet trustworthy:

    < gmaxwell> (IMO thats how we should be using pairing in
    cryptosystems: for lower value applications, and solving things that
    can't be solved any other way)

-- 
'peter'[:-1]@petertodd.org
000000000000000075829f6169c79d7d5aaa20bfa8da6e9edb2393c4f8662ba0

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 685 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Bitcoin-development] (space) efficient reusable addr via weil pairing IBE (Re: Bait for reusable addresses)
  2014-02-02  9:16             ` Jeremy Spilman
@ 2014-02-02 12:26               ` Peter Todd
  2014-02-02 15:26                 ` Adam Back
  0 siblings, 1 reply; 14+ messages in thread
From: Peter Todd @ 2014-02-02 12:26 UTC (permalink / raw)
  To: Jeremy Spilman; +Cc: Bitcoin Development

[-- Attachment #1: Type: text/plain, Size: 3255 bytes --]

On Sun, Feb 02, 2014 at 01:16:20AM -0800, Jeremy Spilman wrote:
> >
> >Consequently you can now securely and very network/space efficiently
> >securely delegate searching a block by computing the private key for the
> >IBE pub key that any sender would use for that block, and sending it as
> >a query to a random (or node-capture defended random selected node).
> >The node can decrypt the encrypted bloom baits with it, but remains
> >powerless to correlate with bloom baits to other payments received by
> >the same user in bother blocks.
> >
> 
> I'm not sure I've fully wrapped my head around it.
> 
>   d/Q        - Identity key
>   E          - Generate an epoch-pubkey: E = Q * H1(epoch)
>   r/P        - Ephemeral privkey/pubkey, or discoverable from inputs
>   S = r * K  - Shared secret (ECDE)

There needs to be two separate payor pubkeys, which I called elsewhere
the "Filter" and "Recover" pubkeys - the latter I think corresponds to
what you meant by identity key. From those two pubkeys two separate
shared secrets are derived.

The key idea is that you can encrypt a short string of zeros with the
"Filter" pubkey using ECDH and place the resulting "filter bait" in the
transaction. This lets the payor give the secret key corresponding to
that pubkey to a semi-trusted third party. That third party can then
trial decrypt all filter bait seen in transactions in the blockchain,
and every time the decrypted string has a sufficient number of zeros
it's considered a filter pass and the transaction is given to the payor.
For n zero bits one in 2^n transactions will match at random, which sets
your false positive rate.

Basically think of it as a way to outsource the work required for
zero-prefix stealth addresses, but with (less) of a sacrifice of
anonymity compared to just giving the third-party your recovery pubkey.
Identity-based encryption only comes into it because it's nice to be
able to further limit what transactions the server knows about to
specific time intervals rather than forver into the future.

Interestingly both schemes can be used at once - a short public prefix
combined with a second private filter. What's interesting there is that
the public prefix can do a first-pass filtering, with the second private
filter relatively long but still providing plausible deniability - you
can always claim 100% of the matching transactions were false positives
because you didn't receive any funds!

> The full node then uses this privkey to decrypt the same byte in all
> the transactions in that epoch/block which match the expected
> layout/template, e.g. given a certain length OP_RETURN, pull the
> specific byte and decrypt.
> 
> This decrypted byte is then in turn used as bloom bait which may or
> may not cause the transaction to be sent back to the SPV client.

There's no bloom filters involved; as I said before "bloom bait" is a
misleading name. "Filter bait" is a better term given it's a generic
concept.

> What encryption scheme is being used here?

XOR with the ECDH-calculated nonce is fine. (run the nonce though a hash
function first)

-- 
'peter'[:-1]@petertodd.org
000000000000000075829f6169c79d7d5aaa20bfa8da6e9edb2393c4f8662ba0

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 685 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Bitcoin-development] (space) efficient reusable addr via weil pairing IBE (Re: Bait for reusable addresses)
  2014-02-02 12:26               ` Peter Todd
@ 2014-02-02 15:26                 ` Adam Back
  0 siblings, 0 replies; 14+ messages in thread
From: Adam Back @ 2014-02-02 15:26 UTC (permalink / raw)
  To: Peter Todd; +Cc: Bitcoin Development

I think you Peter & Jeremy figured it out - dont disagree with the
explanation details.

And it seems better explained between the two posts than I did.  I think
Peter is right that you do not need an explicit prefix, the prefix after
decryption can be a chosen number of leading 0s and this gives a tunable
amount of false positives.  You already have privacy becaue the query is
only revealed to the semi-trusted full node, and its query scope is limited
to one or a chosen batch of blocks.  But you can if desired add additional
ambiguity as Peter described by reducing the number of bits of 0 in the
decrypted block.  There is no need for matching a specific prefix as its
already a recipient specific calculation.  (It means the actual encrypted
value where it is chosen would have to mimic false positives: random with
n-bits of trailing 0s and expected probability distribution).

It should be compatible for combining with sharding or public prefixes, as
Peter mentioned but for short public prefixes those still has some (reduced)
blockchain ledger logged possibility to reduce anonymity set when combined
with flow analysis.

Maybe you could vary a public prefix per block.  Eg the public prefix for a
given user is the LSBits of the per block IBE derived pubic key for a given
user.  I am not sure if that helps or hinders.  Maybe it hurts anonymity set
because the analyst (Eve) is given multiple chances over time to exclude an
analysed flow candidate.

It would desirable to find a non-IBE way to do this.  (And more
computationally efficient / precomputable / indexable)

Or you could use different address types depending on the circumstance:
one-use, stealth, or IBE.  Kind of difficult to automate that (to know what
the user is planning to do with it) and avoid user confusion.  Clearly users
are quite confused and the convenient and understandable thing is to have a
(safely) reusable address.

Adam

On Sun, Feb 02, 2014 at 07:26:10AM -0500, Peter Todd wrote:
>On Sun, Feb 02, 2014 at 01:16:20AM -0800, Jeremy Spilman wrote:
>> >
>> >Consequently you can now securely and very network/space efficiently
>> >securely delegate searching a block by computing the private key for the
>> >IBE pub key that any sender would use for that block, and sending it as
>> >a query to a random (or node-capture defended random selected node).
>> >The node can decrypt the encrypted bloom baits with it, but remains
>> >powerless to correlate with bloom baits to other payments received by
>> >the same user in bother blocks.
>> >
>>
>> I'm not sure I've fully wrapped my head around it.
>>
>>   d/Q        - Identity key
>>   E          - Generate an epoch-pubkey: E = Q * H1(epoch)
>>   r/P        - Ephemeral privkey/pubkey, or discoverable from inputs
>>   S = r * K  - Shared secret (ECDE)
>
>There needs to be two separate payor pubkeys, which I called elsewhere
>the "Filter" and "Recover" pubkeys - the latter I think corresponds to
>what you meant by identity key. From those two pubkeys two separate
>shared secrets are derived.
>
>The key idea is that you can encrypt a short string of zeros with the
>"Filter" pubkey using ECDH and place the resulting "filter bait" in the
>transaction. This lets the payor give the secret key corresponding to
>that pubkey to a semi-trusted third party. That third party can then
>trial decrypt all filter bait seen in transactions in the blockchain,
>and every time the decrypted string has a sufficient number of zeros
>it's considered a filter pass and the transaction is given to the payor.
>For n zero bits one in 2^n transactions will match at random, which sets
>your false positive rate.
>
>Basically think of it as a way to outsource the work required for
>zero-prefix stealth addresses, but with (less) of a sacrifice of
>anonymity compared to just giving the third-party your recovery pubkey.
>Identity-based encryption only comes into it because it's nice to be
>able to further limit what transactions the server knows about to
>specific time intervals rather than forver into the future.
>
>Interestingly both schemes can be used at once - a short public prefix
>combined with a second private filter. What's interesting there is that
>the public prefix can do a first-pass filtering, with the second private
>filter relatively long but still providing plausible deniability - you
>can always claim 100% of the matching transactions were false positives
>because you didn't receive any funds!
>
>> The full node then uses this privkey to decrypt the same byte in all
>> the transactions in that epoch/block which match the expected
>> layout/template, e.g. given a certain length OP_RETURN, pull the
>> specific byte and decrypt.
>>
>> This decrypted byte is then in turn used as bloom bait which may or
>> may not cause the transaction to be sent back to the SPV client.
>
>There's no bloom filters involved; as I said before "bloom bait" is a
>misleading name. "Filter bait" is a better term given it's a generic
>concept.
>
>> What encryption scheme is being used here?
>
>XOR with the ECDH-calculated nonce is fine. (run the nonce though a hash
>function first)
>
>-- 
>'peter'[:-1]@petertodd.org
>000000000000000075829f6169c79d7d5aaa20bfa8da6e9edb2393c4f8662ba0





^ permalink raw reply	[flat|nested] 14+ messages in thread

end of thread, other threads:[~2014-02-02 15:27 UTC | newest]

Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-01-16  1:23 [Bitcoin-development] Bait for reusable addresses Gregory Maxwell
2014-01-24  9:02 ` Peter Todd
2014-01-24 12:26   ` Mike Hearn
2014-01-24 15:26     ` Peter Todd
2014-01-24 21:58       ` Jeremy Spilman
2014-01-24 23:15         ` Mike Hearn
2014-01-24 15:42     ` Adam Back
2014-01-24 16:13       ` Peter Todd
2014-01-25 16:19         ` [Bitcoin-development] (space) efficient reusable addr via weil pairing IBE (Re: Bait for reusable addresses) Adam Back
2014-02-02  2:36           ` Peter Todd
2014-02-02  9:16             ` Jeremy Spilman
2014-02-02 12:26               ` Peter Todd
2014-02-02 15:26                 ` Adam Back
2014-02-02 11:55             ` Peter Todd

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox