From: Dan Carter <carterd@gmail.com>
To: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] Stealth Addresses
Date: Thu, 06 Mar 2014 04:23:40 -0800 [thread overview]
Message-ID: <531868CC.807@gmail.com> (raw)
In-Reply-To: <20140106120338.GA14918@savin>
I think stealth addresses combined with zk-snarks would obviate the need
for CoinJoin. zk-snarks could be used to hide the coin's value and
stealth addresses could be used to hide the recipient for payments and
even mined coins. More info on zero-knowledge snarks:
http://cs.tau.ac.il/~tromer/papers/vnsnark-20131230.pdf
http://cs.tau.ac.il/~tromer/papers/csnark-20131007.pdf
Start with a mined coin: generate a coin secret, create a coinbase
transaction with an output to your stealth address and send
hash(coin-secret + reward-value) + encrypt(coin-secret + reward-value)
where only the recipient (you) can decrypt. (The reward value is known
publicly but just assume it isn't here for generality). You also embed
the 0.2KB zk-snark proof + 3KB verifying key that the hash result is in
fact SHA256(coin-secret + reward-value), where your private witnesses
are (coin-secret, reward-value).
Now you could split a coin into as many pieces as you want in a single
transaction and send to multiple recipients, some pieces go to yourself
(change) and others to the payee, every piece would have a different
recipient address thanks to stealth addresses, and all values hidden
thanks to zk-snarks.
So lets say you want to split the mined coin into two new ones. You
create a transaction where the input redeems the mined coin using mined
tx out + your stealth address, and there are two new coins as outputs to
your own stealth address each having: hash(new-coin-secret +
new-hidden-value) + encrypt(new-coin-secret + new-hidden-value). You
also embed the zk-snark proof that the two new hidden values add up to
the original hidden value, and that the two new hash results are in fact
SHA256(new-coin-secret + new-hidden-value), where your private witnesses
are (original-coin-secret, original-hidden-value, new-coin-secrets,
new-hidden-values).
If you want to merge two coins into one it's just a split backwards, two
inputs one output, zk-snark proof that two original hidden values add up
to the new hidden value and that the new hash result is
SHA256(new-coin-secret + new-hidden-value).
If you want to transfer ownership of a coin then just redeem at input,
and output same as mined coin except using recipient stealth address
(which is a public key) to encrypt(coin-secret + hidden-value).
- Dan
On 2014-01-06 4:03 AM, Peter Todd wrote:
> * Abstract
>
> A Stealth Address is a new type of Bitcoin address and related
> scriptPubKey/transaction generation scheme that allowers payees to
> publish a single, fixed, address that payors can send funds efficiently,
> privately, reliably and non-interactively. Payors do not learn what
> other payments have been made to the stealth address, and third-parties
> learn nothing at all. (both subject to an adjustable anonymity set)
next prev parent reply other threads:[~2014-03-06 12:24 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-06 12:03 [Bitcoin-development] Stealth Addresses Peter Todd
2014-01-08 10:20 ` Jeremy Spilman
2014-01-10 10:20 ` Peter Todd
2014-01-10 11:28 ` Drak
2014-01-10 12:00 ` Peter Todd
2014-01-12 10:33 ` Jeremy Spilman
2014-01-12 12:51 ` Mike Hearn
2014-01-12 18:20 ` Jeremy Spilman
2014-01-12 18:26 ` Mike Hearn
2014-01-13 9:13 ` Jeremy Spilman
2014-01-14 14:15 ` Peter Todd
2014-01-14 17:54 ` Odinn Cyberguerrilla
2014-01-12 21:18 ` Gavin Andresen
2014-01-13 9:52 ` Gregory Maxwell
2014-01-13 10:39 ` Mike Hearn
2014-01-13 13:37 ` Roy Badami
2014-01-13 15:58 ` Mike Hearn
2014-01-13 20:11 ` Roy Badami
2014-01-14 22:53 ` Roy Badami
2014-01-15 0:19 ` Drak
2014-01-15 20:22 ` Ben Davenport
2014-01-15 20:38 ` Gregory Maxwell
2014-01-15 20:44 ` Jeff Garzik
2014-01-15 22:38 ` [Bitcoin-development] Static addresses on chains encouraging address *RE* use Troy Benjegerdes
2014-01-15 23:01 ` [Bitcoin-development] Stealth Addresses Mike Hearn
2014-01-15 23:04 ` Roy Badami
2014-01-15 23:07 ` Jeff Garzik
2014-01-15 23:17 ` Roy Badami
2014-01-15 23:19 ` Roy Badami
2014-01-15 23:09 ` [Bitcoin-development] unlinakble static address? & spv-privacy (Re: Stealth Addresses) Adam Back
2014-01-16 1:02 ` Jeremy Spilman
2014-01-16 1:32 ` Gregory Maxwell
2014-01-18 17:44 ` Troy Benjegerdes
2014-01-18 20:25 ` Christophe Biocca
2014-01-20 11:11 ` Peter Todd
2014-01-21 4:00 ` Jeremy Spilman
2014-01-24 9:17 ` Peter Todd
2014-01-16 11:42 ` Adam Back
2014-01-16 18:19 ` Troy Benjegerdes
2014-01-16 0:05 ` [Bitcoin-development] Stealth Addresses Jeremy Spilman
2014-01-16 0:10 ` Gregory Maxwell
2014-01-16 0:24 ` Mark Friedenbach
2014-01-16 0:44 ` Eric Martindale
2014-01-16 6:26 ` Gary Rowe
2014-01-16 9:48 ` Wladimir
2014-01-16 1:16 ` Odinn Cyberguerrilla
2014-01-16 10:14 ` Drak
2014-01-16 10:19 ` Mike Hearn
2014-01-16 11:12 ` [Bitcoin-development] reusable address privacy problems & fuzzy bait limitations (Re: Stealth Addresses) Adam Back
2014-01-16 21:28 ` [Bitcoin-development] Stealth Addresses Peter Todd
2014-01-17 2:30 ` Johnathan Corgan
2014-01-17 3:13 ` Jeremy Spilman
2014-01-17 7:49 ` Drak
2014-01-17 9:15 ` Mike Hearn
2014-01-17 9:19 ` Mark Friedenbach
2014-01-17 9:23 ` Natanael
2014-01-17 9:59 ` Drak
2014-01-17 20:16 ` Cameron Garnham
2014-01-17 14:46 ` Peter Todd
2014-01-17 19:21 ` Ben Davenport
2014-01-18 4:55 ` Alan Reiner
2014-01-18 5:09 ` Gregory Maxwell
2014-01-18 23:12 ` Jeremy Spilman
2014-01-18 23:50 ` Gregory Maxwell
2014-01-20 11:08 ` Peter Todd
2014-01-13 19:53 ` Roy Badami
2014-01-13 19:57 ` Mike Hearn
2014-01-13 20:01 ` Roy Badami
2014-01-13 19:40 ` Roy Badami
2014-01-13 19:44 ` Drak
2014-01-13 19:59 ` Alan Reiner
2014-01-13 20:10 ` Gregory Maxwell
2014-01-13 20:15 ` Peter Todd
2014-01-13 22:02 ` Jeremy Spilman
2014-01-14 14:19 ` Peter Todd
2014-01-14 19:12 ` Jeremy Spilman
2014-01-14 20:48 ` Peter Todd
2014-01-14 21:51 ` Adam Back
2014-01-14 22:34 ` Jeremy Spilman
2014-01-13 20:14 ` Peter Todd
2014-01-13 20:41 ` Alan Reiner
2014-01-13 20:47 ` Gregory Maxwell
2014-01-13 21:02 ` Roy Badami
2014-01-13 21:15 ` Alan Reiner
2014-01-13 21:27 ` Peter Todd
[not found] ` <op.w9ne31oqyldrnw@laptop-air.hsd1.ca.comcast.net>
2014-01-14 12:10 ` Peter Todd
2014-03-06 12:23 ` Dan Carter [this message]
[not found] <mailman.417890.1389952750.21953.bitcoin-development@lists.sourceforge.net>
2014-01-17 12:16 ` joseph
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=531868CC.807@gmail.com \
--to=carterd@gmail.com \
--cc=bitcoin-development@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox