From: Chris Pacia
Date: Thu, 4 May 2017 12:23:27 -0400
To: Henning Kopp
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Combining SPV and Stealth addresses
In-Reply-To: <20170504125138.GA2027@banane.informatik.uni-ulm.de>

Yes I've had it working using two pushes in op_return.

op_return op_pushdata <flag> op_pushdata <ephem_pubkey>

Flag goes in your filter. Your anonymity set is all other transactions using that same flag.

This is fairly decent privacy but the problem is you still need filter matches on outgoing transactions to build a functioning wallet. So it might not be an improvement over standard bloom filters but at least you can do stealth if you want.

On May 4, 2017 9:00 AM, "Henning Kopp via bitcoin-dev" <bitcoin-dev@lists.linuxfoundation.org> wrote:
> Hi all,
>
> Recently I think a lot about combining Stealth addresses with SPV but
> I did not come to a satisfying conclusion, so I post this as a
> challenge to the wider community. Maybe you have an idea.
>
> ## Explanation of SPV
> In SPV a thin client puts his public keys in a bloom filter
> and asks a full node to give him Merkle proofs of all transactions
> whose pubkeys are in the bloom filter. Since a bloom filter has a lot
> of false positives depending on the parameters, this gives privacy to
> the thin client, since the full node cannot detect if a specific
> transaction belongs to the thin client. This is cool if you want to
> use Bitcoin on your smartphone.
>
> ## Explanation of Stealth Addresses
> Stealth addresses on the other hand enable receiver privacy. The
> sender of a transaction derives a one-time pubkey to which he sends the
> money. The receiver can check if the money was sent to him and recover
> the one-time private key. This is cool, since an observer cannot
> decide if two payments belong to the same recipient. Further the
> recipient needs only to have one pubkey.
> For a more formal explanation see https://github.com/genjix/bips/blob/master/bip-stealth.mediawiki#Reuse_ScanPubkey
> I will use their notation in the following.
>
> ## The Problem
> My line of thought was to combine stealth addresses with SPV, so that
> I can use stealth addresses on my smartphone without losing privacy.
>
> Basically to check if a payment belongs to a pubkey (Q,R), the full
> node needs to check if R' = R + H(dP)*G for each transaction. For this
> it needs the private scanning key d.
> This sucks, since when I give my d to a full node, he can link all my
> transactions. For an online-wallet this may be okay, but not for thin
> client synchronisation.
>
> ## Ideas
> In the following I detail some ideas of mine which did not work.
>
> It does not suffice to have a Bloom filter and check if d is
> contained since there is no way to recompute d from the equation. If
> there were a way to recompute d, the scheme would offer no privacy,
> since anyone could compute the private scanning key d and scan for
> payments.
> So, if we modify the scheme we need to be sure that d is kept private.
>
> Multiparty computation may be possible in theory. The full node and
> the thin client could collaboratively check R' = R + H(dP)*G, where d
> is the private input of the thin client and R, R', P are provided by the
> full node. But this is costly and they need to do it for each
> transaction. It may be more costly than simply setting up a full node.
>
> I do not think that some kind of search functionality without leaking
> the search pattern (PIR?) would work, since the full node needs to compute
> on the data it has found. And further it needs to retrieve the whole Merkle
> proofs.
>
> Any better ideas?
>
> Best,
> Henning
>
> --
> Henning Kopp
> Institute of Distributed Systems
> Ulm University, Germany
>
> Office: O27 - 3402
> Phone: +49 731 50-24138
> Web: http://www.uni-ulm.de/in/vs/~kopp
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
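The receiver-side check R' = R + H(dP)*G from Henning's message, placed next to the flag-only matching Chris describes, as an added example that is not code from the thread or from bip-stealth. It uses a minimal pure-Python secp256k1; the keys, the flag value and the three transactions are constructed for the demo, and H() as SHA-256 of the raw shared point is an assumption of this example rather than the BIP's exact hashing.

```python
import hashlib
# secp256k1 curve constants (public parameters, not page-specific values)
P_MOD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P_MOD == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P_MOD) % P_MOD
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P_MOD) % P_MOD
    x = (lam * lam - a[0] - b[0]) % P_MOD
    return (x, (lam * (a[0] - x) - a[1]) % P_MOD)
def mul(k, pt):
    """Double-and-add scalar multiplication (written for clarity, not constant time)."""
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r
def H(pt):
    """Hash a shared point to a scalar: the H() in R' = R + H(dP)*G (assumed SHA-256 of x||y)."""
    return int.from_bytes(hashlib.sha256(pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")).digest(), "big") % N
def sender_pay(Q, R, p):
    """Sender: ephemeral key p, shared secret c = H(pQ), one-time output key R' = R + cG. Returns (P, R')."""
    c = H(mul(p, Q))
    return mul(p, G), add(R, mul(c, G))
def receiver_check(d, e, P, Rp):
    """Receiver: c = H(dP) from the ephemeral pubkey; if R' == R + cG, return the one-time private key e + c."""
    c = H(mul(d, P))
    if add(mul(e, G), mul(c, G)) != Rp: return None
    return (e + c) % N
def full_node_filter(txs, flag):
    """All a full node can do without d: return every tx whose OP_RETURN carries the flag (the anonymity set)."""
    return [tx for tx in txs if tx["flag"] == flag]
def client_scan(d, e, candidates):
    """Client side, where d stays: keep only the candidates that really pay (Q, R)."""
    return [(tx, k) for tx in candidates if (k := receiver_check(d, e, tx["P"], tx["Rp"])) is not None]

# Constructed demo: our wallet (d, e), a stranger using the same flag, and an unrelated flag.
d, e = 12345, 67890
Q, R = mul(d, G), mul(e, G)
FLAG = b"stealth-v0"  # hypothetical flag value pushed in OP_RETURN
P1, Rp1 = sender_pay(Q, R, 424242)                      # pays us
P2, Rp2 = sender_pay(mul(111, G), mul(222, G), 535353)  # pays someone else, same flag
TXS = [{"flag": FLAG, "P": P1, "Rp": Rp1}, {"flag": FLAG, "P": P2, "Rp": Rp2},
       {"flag": b"other", "P": P1, "Rp": Rp1}]
```

The full node returns both same-flag transactions (it cannot tell them apart without d), and only the client, running the stealth check locally, narrows that to the one that pays it and recovers its spending key.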