public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: "Jeremy Spilman" <jeremy@taplink.co>
To: "Jeff Garzik" <jgarzik@bitpay.com>, "Adam Back" <adam@cypherspace.org>
Cc: "bitcoin-development@lists.sourceforge.net"
	<bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] unlinakble static address? & spv-privacy (Re: Stealth Addresses)
Date: Wed, 15 Jan 2014 17:02:10 -0800	[thread overview]
Message-ID: <op.w9q85wkhyldrnw@laptop-air.hsd1.ca.comcast.net> (raw)
In-Reply-To: <20140115230901.GA25135@netbook.cypherspace.org>

On Wed, 15 Jan 2014 15:09:01 -0800, Adam Back <adam@cypherspace.org> wrote:
> I was meaning to comment on the SPV privacy properties.
>
> For full-node use these unlinkable static addresses have quite nice
> properties.  It also nicely solves the problem of having to educate users
> and wallet authors to not reuse addresses.  But for SPV nodes they have  
> no direct-way to find the payments.  So then in Peter Todd's variant  
> (maybe it was suggested by Greg Maxwell?) there is a second address so  
> that the SPV
> client can delegate detection to a full node without giving it the  
> private key allowing it to spend!  (This is something analogous to bloom  
> filtering).

The second pubKey is useful for delegating scanning, or even just being  
able to scan for transactions yourself without keeping bitcoin-encumbered  
private keys decrypted in memory. So even while running your own full node  
there are good reasons to use a second pubKey to derive the shared secret.

> But I think its moderately expensive for the full node because it has to  
> do a DH calculation per transaction and its not precomputable so there  
> is IO
> per query.  (In the P version in fact only payments which are thereby
> reconizable as unlinkable static need to be processed).

And of course, if you have multiple reuseable addresses, then you're doing  
this calculation separately to check each one.

So the load on a popular centralized service would be quite high, which  
you may consider a feature.

>
> Then an artificial prefix is proposed to constrain the query to a subset,
> however that leaks to everyone so in some ways its a worse privacy leak
> than bloom filtering.  It can be used to rule out recipients and could be
> quite a powerful extra lever for statistical analysis.

Choosing how many bits to put in the prefix may be difficult, particularly  
if transaction load changes dramatically over time. 0 or 1 bits may be  
just fine for a single user running their own node, whereas a central  
service might want 4 or 5 bits to keep their computation costs scalable.

But I think it's great people can choose how to trade privacy for  
computation/bandwidth however they want, and services can compete to offer  
monitoring for 0+ bit prefixes.

> (And also there is proposed a version of the prefix computed via
> brute-force to make it somewhat stealthy still).

I think in this case the hash grinding of the prefix would only being used  
if thats how transactions are being indexed. I don't think it adds any  
privacy, it's just added work we're forced to do in order for the prefix  
to work as designed. Peter, please correct me if I'm wrong.


>
> Maybe in the payment address case the service should choose the  
> derivation factor and communicate it and the client with the static
> address, as suggested by Alan Reiner because then it can also serve
> the function of allowing the service to tie the payment to the users
> account.

I think any change which requires more than a single published public  
message (e.g. a posting in a forum, or in a README.me in Github) should be  
seen as solving an entirely different problem.

If you have directed communication from payee->payer, I think there's  
simply no reason to do it this way. (By "this way" I mean ECDH with  
OP_RETURN P).

We could try to define a different reusable address type, for when you can  
make a single directed message from payer->payee, and in that case there's  
probably no need for ECDH or the prefix, like Alan's proposal.

But once you admit having that directed communication, then you are  
swimming very close to the payment protocol.




  reply	other threads:[~2014-01-16  1:02 UTC|newest]

Thread overview: 87+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-01-06 12:03 [Bitcoin-development] Stealth Addresses Peter Todd
2014-01-08 10:20 ` Jeremy Spilman
2014-01-10 10:20   ` Peter Todd
2014-01-10 11:28     ` Drak
2014-01-10 12:00       ` Peter Todd
2014-01-12 10:33     ` Jeremy Spilman
2014-01-12 12:51       ` Mike Hearn
2014-01-12 18:20         ` Jeremy Spilman
2014-01-12 18:26           ` Mike Hearn
2014-01-13  9:13             ` Jeremy Spilman
2014-01-14 14:15               ` Peter Todd
2014-01-14 17:54                 ` Odinn Cyberguerrilla
2014-01-12 21:18       ` Gavin Andresen
2014-01-13  9:52         ` Gregory Maxwell
2014-01-13 10:39           ` Mike Hearn
2014-01-13 13:37             ` Roy Badami
2014-01-13 15:58               ` Mike Hearn
2014-01-13 20:11                 ` Roy Badami
2014-01-14 22:53                 ` Roy Badami
2014-01-15  0:19                   ` Drak
2014-01-15 20:22                     ` Ben Davenport
2014-01-15 20:38                       ` Gregory Maxwell
2014-01-15 20:44                         ` Jeff Garzik
2014-01-15 22:38                           ` [Bitcoin-development] Static addresses on chains encouraging address *RE* use Troy Benjegerdes
2014-01-15 23:01                           ` [Bitcoin-development] Stealth Addresses Mike Hearn
2014-01-15 23:04                           ` Roy Badami
2014-01-15 23:07                             ` Jeff Garzik
2014-01-15 23:17                               ` Roy Badami
2014-01-15 23:19                                 ` Roy Badami
2014-01-15 23:09                           ` [Bitcoin-development] unlinakble static address? & spv-privacy (Re: Stealth Addresses) Adam Back
2014-01-16  1:02                             ` Jeremy Spilman [this message]
2014-01-16  1:32                               ` Gregory Maxwell
2014-01-18 17:44                                 ` Troy Benjegerdes
2014-01-18 20:25                                   ` Christophe Biocca
2014-01-20 11:11                                   ` Peter Todd
2014-01-21  4:00                                 ` Jeremy Spilman
2014-01-24  9:17                                   ` Peter Todd
2014-01-16 11:42                               ` Adam Back
2014-01-16 18:19                                 ` Troy Benjegerdes
2014-01-16  0:05                           ` [Bitcoin-development] Stealth Addresses Jeremy Spilman
2014-01-16  0:10                             ` Gregory Maxwell
2014-01-16  0:24                             ` Mark Friedenbach
2014-01-16  0:44                             ` Eric Martindale
2014-01-16  6:26                               ` Gary Rowe
2014-01-16  9:48                                 ` Wladimir
2014-01-16  1:16                             ` Odinn Cyberguerrilla
2014-01-16 10:14                             ` Drak
2014-01-16 10:19                               ` Mike Hearn
2014-01-16 11:12                               ` [Bitcoin-development] reusable address privacy problems & fuzzy bait limitations (Re: Stealth Addresses) Adam Back
2014-01-16 21:28                             ` [Bitcoin-development] Stealth Addresses Peter Todd
2014-01-17  2:30                               ` Johnathan Corgan
2014-01-17  3:13                               ` Jeremy Spilman
2014-01-17  7:49                               ` Drak
2014-01-17  9:15                                 ` Mike Hearn
2014-01-17  9:19                                   ` Mark Friedenbach
2014-01-17  9:23                                   ` Natanael
2014-01-17  9:59                                   ` Drak
2014-01-17 20:16                                     ` Cameron Garnham
2014-01-17 14:46                                   ` Peter Todd
2014-01-17 19:21                                     ` Ben Davenport
2014-01-18  4:55                                       ` Alan Reiner
2014-01-18  5:09                                         ` Gregory Maxwell
2014-01-18 23:12                                           ` Jeremy Spilman
2014-01-18 23:50                                             ` Gregory Maxwell
2014-01-20 11:08                                             ` Peter Todd
2014-01-13 19:53               ` Roy Badami
2014-01-13 19:57                 ` Mike Hearn
2014-01-13 20:01                   ` Roy Badami
2014-01-13 19:40           ` Roy Badami
2014-01-13 19:44             ` Drak
2014-01-13 19:59               ` Alan Reiner
2014-01-13 20:10                 ` Gregory Maxwell
2014-01-13 20:15                   ` Peter Todd
2014-01-13 22:02                   ` Jeremy Spilman
2014-01-14 14:19                     ` Peter Todd
2014-01-14 19:12                       ` Jeremy Spilman
2014-01-14 20:48                         ` Peter Todd
2014-01-14 21:51                         ` Adam Back
2014-01-14 22:34                           ` Jeremy Spilman
2014-01-13 20:14                 ` Peter Todd
2014-01-13 20:41                   ` Alan Reiner
2014-01-13 20:47                     ` Gregory Maxwell
2014-01-13 21:02                     ` Roy Badami
2014-01-13 21:15                       ` Alan Reiner
2014-01-13 21:27                         ` Peter Todd
     [not found]                           ` <op.w9ne31oqyldrnw@laptop-air.hsd1.ca.comcast.net>
2014-01-14 12:10                             ` Peter Todd
2014-03-06 12:23 ` Dan Carter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=op.w9q85wkhyldrnw@laptop-air.hsd1.ca.comcast.net \
    --to=jeremy@taplink.co \
    --cc=adam@cypherspace.org \
    --cc=bitcoin-development@lists.sourceforge.net \
    --cc=jgarzik@bitpay.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox