* [Bitcoin-development] Merge avoidance and P2P connection encryption @ 2013-12-12 16:03 Mike Hearn 2013-12-12 17:28 ` Paul Rabahy 0 siblings, 1 reply; 9+ messages in thread From: Mike Hearn @ 2013-12-12 16:03 UTC (permalink / raw) To: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 713 bytes --] I wrote an article intended for a broad/non-developer audience on a few Bitcoin privacy topics: - P2P connection encryption - Address re-use/payment protocol - CoinJoin and merge avoidance I don't think there's anything much new here for people who were involved with the BIP70 design discussions, but it may prove a useful resource when talking about privacy features in the payment protocol. Specifically the ability to request multiple outputs and submit multiple transactions that satisfy them. The article elaborates on how to use that feature to achieve some useful privacy outcomes. I also analyze what using SSL for P2P connections would buy us and what it wouldn't. https://medium.com/p/7f95a386692f [-- Attachment #2: Type: text/html, Size: 921 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bitcoin-development] Merge avoidance and P2P connection encryption 2013-12-12 16:03 [Bitcoin-development] Merge avoidance and P2P connection encryption Mike Hearn @ 2013-12-12 17:28 ` Paul Rabahy 2013-12-12 18:24 ` Mike Hearn 0 siblings, 1 reply; 9+ messages in thread From: Paul Rabahy @ 2013-12-12 17:28 UTC (permalink / raw) To: Mike Hearn; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 2706 bytes --] First off, nice article. Very clear and informative. I don't know if this is the best place to post this, but it seems related to me. As more wallets implement BIP32, I believe that bitcoin wallets should begin to encourage people to use https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#recurrent-business-to-business-transactions-mi0style address instead of traditional addresses. In the end, this would improve privacy because users never need to merge coin if they had one of these "super addresses". In addition, "super addresses" would fit nicely into BIP70. Right now, the PaymentDetails message allows the merchant to provide multiple outputs. If instead the PaymentDetails provide 1 traditional output (for reverse compatibility) and 1 "super address", the payment could be broken into as many pieces as is needed to match unspent outputs already in the customers wallet. Finally, the refund_to address in Payment could also be upgraded to a "super address" to enhance privacy there. I am not sure if there is a large memory requirement for "super addresses", but to me, it seems that a lot of these privacy enhancing possibilities will be simple to implement once BIP32 is widely deployed. On Thu, Dec 12, 2013 at 11:03 AM, Mike Hearn <mike@plan99.net> wrote: > I wrote an article intended for a broad/non-developer audience on a few > Bitcoin privacy topics: > > - P2P connection encryption > - Address re-use/payment protocol > - CoinJoin and merge avoidance > > I don't think there's anything much new here for people who were involved > with the BIP70 design discussions, but it may prove a useful resource when > talking about privacy features in the payment protocol. Specifically the > ability to request multiple outputs and submit multiple transactions that > satisfy them. The article elaborates on how to use that feature to achieve > some useful privacy outcomes. > > I also analyze what using SSL for P2P connections would buy us and what it > wouldn't. > > https://medium.com/p/7f95a386692f > > > ------------------------------------------------------------------------------ > Rapidly troubleshoot problems before they affect your business. Most IT > organizations don't have a clear picture of how application performance > affects their revenue. With AppDynamics, you get 100% visibility into your > Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics > Pro! > http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > > [-- Attachment #2: Type: text/html, Size: 3748 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bitcoin-development] Merge avoidance and P2P connection encryption 2013-12-12 17:28 ` Paul Rabahy @ 2013-12-12 18:24 ` Mike Hearn 2013-12-13 0:20 ` Gavin Andresen 0 siblings, 1 reply; 9+ messages in thread From: Mike Hearn @ 2013-12-12 18:24 UTC (permalink / raw) To: Paul Rabahy; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 3677 bytes --] I think the right way to integrate BIP32 and BIP70 would be to specify output scripts as normal for backwards compatibility, and then allow each output to have an additional xpubkey and iteration count field. The iteration counts could be unsigned. Unfortunately to add data that isn't signed requires a backwards incompatible change to the protocol :( There isn't currently any area that isn't covered by the signature. We would have to add one, and then have a matching array of iteration counts for each xpubkey that was specified in the output. I wonder if we should make a last minute change to BIP70 before wallets have shipped and merchant support starts, something like message PaymentRequest { optional byte unsigned_data = 6; } that would be deleted like the signature is before reserialization. On Thu, Dec 12, 2013 at 9:28 AM, Paul Rabahy <prabahy@gmail.com> wrote: > First off, nice article. Very clear and informative. > > I don't know if this is the best place to post this, but it seems related > to me. > > As more wallets implement BIP32, I believe that bitcoin wallets should > begin to encourage people to use > https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#recurrent-business-to-business-transactions-mi0style address instead of traditional addresses. In the end, this would > improve privacy because users never need to merge coin if they had one of > these "super addresses". > > In addition, "super addresses" would fit nicely into BIP70. Right now, the > PaymentDetails message allows the merchant to provide multiple outputs. If > instead the PaymentDetails provide 1 traditional output (for reverse > compatibility) and 1 "super address", the payment could be broken into as > many pieces as is needed to match unspent outputs already in the customers > wallet. Finally, the refund_to address in Payment could also be upgraded to > a "super address" to enhance privacy there. > > I am not sure if there is a large memory requirement for "super > addresses", but to me, it seems that a lot of these privacy enhancing > possibilities will be simple to implement once BIP32 is widely deployed. > > > On Thu, Dec 12, 2013 at 11:03 AM, Mike Hearn <mike@plan99.net> wrote: > >> I wrote an article intended for a broad/non-developer audience on a few >> Bitcoin privacy topics: >> >> - P2P connection encryption >> - Address re-use/payment protocol >> - CoinJoin and merge avoidance >> >> I don't think there's anything much new here for people who were involved >> with the BIP70 design discussions, but it may prove a useful resource when >> talking about privacy features in the payment protocol. Specifically the >> ability to request multiple outputs and submit multiple transactions that >> satisfy them. The article elaborates on how to use that feature to achieve >> some useful privacy outcomes. >> >> I also analyze what using SSL for P2P connections would buy us and what >> it wouldn't. >> >> https://medium.com/p/7f95a386692f >> >> >> ------------------------------------------------------------------------------ >> Rapidly troubleshoot problems before they affect your business. Most IT >> organizations don't have a clear picture of how application performance >> affects their revenue. With AppDynamics, you get 100% visibility into your >> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics >> Pro! >> >> http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk >> _______________________________________________ >> Bitcoin-development mailing list >> Bitcoin-development@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/bitcoin-development >> >> > [-- Attachment #2: Type: text/html, Size: 5198 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bitcoin-development] Merge avoidance and P2P connection encryption 2013-12-12 18:24 ` Mike Hearn @ 2013-12-13 0:20 ` Gavin Andresen 2013-12-13 0:26 ` Jeff Garzik 2013-12-13 17:26 ` Mike Hearn 0 siblings, 2 replies; 9+ messages in thread From: Gavin Andresen @ 2013-12-13 0:20 UTC (permalink / raw) To: Mike Hearn; +Cc: Bitcoin Dev, Paul Rabahy [-- Attachment #1: Type: text/plain, Size: 892 bytes --] On Fri, Dec 13, 2013 at 4:24 AM, Mike Hearn <mike@plan99.net> wrote: > I think the right way to integrate BIP32 and BIP70 would be to specify > output scripts as normal for backwards compatibility, and then allow each > output to have an additional xpubkey and iteration count field. The > iteration counts could be unsigned. > Why would there be an iteration count? The payer would handle that, wouldn't they? If the use case is: I give the Foundation a "here's where to pay my salary" PaymentRequest, maybe with several Outputs each having a different xpubkey, then it seems to me the Foundation's wallet software should take care of iterating. (either saving state, so it knows it used xpubkey+10 last month and should use xpubkey+11 this month, or maybe it knows I'm paid monthly and just uses xpubkey+(number_of_months_from_date_in_original_payment_request). -- -- Gavin Andresen [-- Attachment #2: Type: text/html, Size: 1318 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bitcoin-development] Merge avoidance and P2P connection encryption 2013-12-13 0:20 ` Gavin Andresen @ 2013-12-13 0:26 ` Jeff Garzik 2013-12-13 14:43 ` Peter Todd 2013-12-13 17:26 ` Mike Hearn 1 sibling, 1 reply; 9+ messages in thread From: Jeff Garzik @ 2013-12-13 0:26 UTC (permalink / raw) To: Gavin Andresen; +Cc: Bitcoin Dev, Paul Rabahy On Thu, Dec 12, 2013 at 7:20 PM, Gavin Andresen <gavinandresen@gmail.com> wrote: > If the use case is: I give the Foundation a "here's where to pay my salary" > PaymentRequest, maybe with several Outputs each having a different xpubkey, > then it seems to me the Foundation's wallet software should take care of > iterating. Absolutely. This is a key address-non-reuse case we really need to solve. Miner payouts, BitPay salary payouts, etc. all use a statically provided, manually changed address. Rotating through multiple outputs is a stopgap -- but IMO a useful one. HD wallets will solve this in a better way, but existing randkey systems will be around for a long time. -- Jeff Garzik Bitcoin core developer and open source evangelist BitPay, Inc. https://bitpay.com/ ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bitcoin-development] Merge avoidance and P2P connection encryption 2013-12-13 0:26 ` Jeff Garzik @ 2013-12-13 14:43 ` Peter Todd 0 siblings, 0 replies; 9+ messages in thread From: Peter Todd @ 2013-12-13 14:43 UTC (permalink / raw) To: Jeff Garzik, Gavin Andresen; +Cc: Bitcoin Dev, Paul Rabahy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 So, vendors hat on, what would it take for, say, BitPay to implement merge avoidance and coinjoin together? At the dark wallet hackathon when we were talking usability we decided that the main way to get coinjoin working well is to take advantage of non-time-critical payments to act as counterparties to time-critical payments. For instance BitPay could schedule a vendor payment to happen in full by some time in the future, say 1 day, and send the funds in one or more joins. The actual amounts sent in each tx are then picked to match the amounts desired by the counterparty who needs funds sent right now. We expect this to be first implemented just as a "anonymize my coins" button for wallet software on always on machines; getting vendors on board would be gravy. We may even allow joins to happen when one party pays less fees than the other, although this is tricky: the main Sybil resistance of coinjoin is fees so you don't want to overdo it. OTOH the idea of the NSA and Chinese equivalent wasting money completing each others joins is hilarious... Jeff Garzik <jgarzik@bitpay.com> wrote: >On Thu, Dec 12, 2013 at 7:20 PM, Gavin Andresen ><gavinandresen@gmail.com> wrote: >> If the use case is: I give the Foundation a "here's where to pay my >salary" >> PaymentRequest, maybe with several Outputs each having a different >xpubkey, >> then it seems to me the Foundation's wallet software should take care >of >> iterating. > >Absolutely. This is a key address-non-reuse case we really need to >solve. Miner payouts, BitPay salary payouts, etc. all use a >statically provided, manually changed address. > >Rotating through multiple outputs is a stopgap -- but IMO a useful >one. HD wallets will solve this in a better way, but existing randkey >systems will be around for a long time. -----BEGIN PGP SIGNATURE----- Version: APG v1.0.9 iQFQBAEBCAA6BQJSqxz9MxxQZXRlciBUb2RkIChsb3cgc2VjdXJpdHkga2V5KSA8 cGV0ZUBwZXRlcnRvZGQub3JnPgAKCRAZnIM7qOfwhTMBB/9L8h5NuSHxsC6W5ptm gucxg2AbCwReuWQzRzqW42TYKQ7MnAhpfLLbSQrewNoXRP4H/j6aG8uWOt+z7fZf pJZ9K8kxmSltHm8SJcmPLTb62yazEKQXF5TDsdpgBdH14M/pFsjUR4H2hypW8k4T gcEAIhymZvlXev1NXDMh6rbuw0LtRTBE4NgE2buCuFzp0sEwTNTLxMU1WenMXfRQ PooSBn8UoAVNw7Vztnag0T0f5D45VFNJBvQ8m42ee0u3gvMCa4JNRTBM49N2U9qc Gk6WAvDakOf7FwaJiNMYoDpGyWphx6g697j28NnfB2q2hdjUVnZF+UVuBzkjnNwD Y40/ =4dxZ -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bitcoin-development] Merge avoidance and P2P connection encryption 2013-12-13 0:20 ` Gavin Andresen 2013-12-13 0:26 ` Jeff Garzik @ 2013-12-13 17:26 ` Mike Hearn 2013-12-13 19:19 ` Mark Friedenbach 1 sibling, 1 reply; 9+ messages in thread From: Mike Hearn @ 2013-12-13 17:26 UTC (permalink / raw) To: Gavin Andresen; +Cc: Bitcoin Dev, Paul Rabahy [-- Attachment #1: Type: text/plain, Size: 942 bytes --] > > Why would there be an iteration count? The payer would handle that, > wouldn't they? > I'm thinking about a use case I hope will become common next year - pastebin style hosting sites for payment requests. Like, if I as a regular end user wish to use the payment protocol, I could just upload a (possibly signed) payment request to: payr.com/a62gahZ or whatever, and then payr.com can take care of incrementing the iteration count on each download of my file. That's why it's useful for it to be unsigned. > If the use case is: I give the Foundation a "here's where to pay my > salary" PaymentRequest, maybe with several Outputs each having a different > xpubkey, then it seems to me the Foundation's wallet software should take > care of iterating. > Absolutely. The two use cases can both be supported. You could give iteration ranges, for instance, if you want to specify expiry in terms of number of payments rather than time. [-- Attachment #2: Type: text/html, Size: 1749 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bitcoin-development] Merge avoidance and P2P connection encryption 2013-12-13 17:26 ` Mike Hearn @ 2013-12-13 19:19 ` Mark Friedenbach 2013-12-13 21:49 ` Mike Hearn 0 siblings, 1 reply; 9+ messages in thread From: Mark Friedenbach @ 2013-12-13 19:19 UTC (permalink / raw) To: bitcoin-development -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/13/2013 09:26 AM, Mike Hearn wrote: > I'm thinking about a use case I hope will become common next year > - pastebin style hosting sites for payment requests. Like, if I as > a regular end user wish to use the payment protocol, I could just > upload a (possibly signed) payment request to: > > payr.com/a62gahZ <http://payr.com/a62gahZ> > > or whatever, and then payr.com <http://payr.com> can take care of > incrementing the iteration count on each download of my file. > That's why it's useful for it to be unsigned. Or alternatively, the user-signed payment request without iteration count is enclosed within a payr.com-signed envelope that contains the iteration count. Having fields completely unsigned by anybody leaves me a little nervous. Mark -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJSq12pAAoJEAdzVfsmodw4MC4QAI9cjmQXz8AVawwr1htFc6b+ DVAAs1Y4hzbChPeeJCmy13m8a/BuXqc6G0WEWGSzIIa1or3IXCd01JQ2a5waD0IC uOjlIMD0tTT7yxwxRjxPc2df82s82traGJC2caOMYjrN4T5VPtj7erB2poNyvOF+ p0lmj+duxUZ8IoyDaih5mgNKzIVujfX7o3lPoOMDdIi6Q1LF9SZ9XbUAxHCpCLfw ieqVIm8zqtH0NprZ7/JLbqstl1iq5jCPKbORc+9qQWESZH1hFAeS29/ptjnRR8y6 HqrpDP236vSlrLDW4dLcW9UiQP42tSTwrLCgud08VqeKapSlMX8fjukLyNlTD7h5 GtPHEo1/j+LmpMfwsXA2OotUIVQBeFfEoi7PwV/Jd+SRVqC6zCTPky1lfg0P7JXA 7qD9m3u/Ey0+nk888zzff8N7AfBe7GaqFuUByXIyHh6dkcr0xUHBU4afiadFpNhg 8dTvmP4yqY0g05uz/Cq/ZqrSb5y/yPqsysuruAjWG2GT0M8rFM9oYepVHpUJr01K QOHY6qSoqyX/KDCkZgpTMZFDq9gvyPyMFuCQbdecNcCeMPV5kiwPyqqH4rHliJ8I gsXW44re5GfdL90nCOTboYFf2CFEn+66zyJ5vBskKSyDRDcU3t5YyCtrDzXdtJMu MjVeMFRluY700zLBajw0 =+MjP -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Bitcoin-development] Merge avoidance and P2P connection encryption 2013-12-13 19:19 ` Mark Friedenbach @ 2013-12-13 21:49 ` Mike Hearn 0 siblings, 0 replies; 9+ messages in thread From: Mike Hearn @ 2013-12-13 21:49 UTC (permalink / raw) To: Mark Friedenbach; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 603 bytes --] > > Or alternatively, the user-signed payment request without iteration > count is enclosed within a payr.com-signed envelope that contains the > iteration count. But how does that show up in the user interface? I don't know how you would explain what the signature means or implies, or what you do if the signature is broken/missing. The only thing that a maliciously modified iteration count can do is cause money to be sent to an address that's beyond the recipients gap limit, meaning they won't receive it (unless they reconfigure their software and rescan). But you can't steal money that way. [-- Attachment #2: Type: text/html, Size: 873 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2013-12-13 21:49 UTC | newest] Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2013-12-12 16:03 [Bitcoin-development] Merge avoidance and P2P connection encryption Mike Hearn 2013-12-12 17:28 ` Paul Rabahy 2013-12-12 18:24 ` Mike Hearn 2013-12-13 0:20 ` Gavin Andresen 2013-12-13 0:26 ` Jeff Garzik 2013-12-13 14:43 ` Peter Todd 2013-12-13 17:26 ` Mike Hearn 2013-12-13 19:19 ` Mark Friedenbach 2013-12-13 21:49 ` Mike Hearn
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox