📅 Original date posted:2013-06-18
📝 Original message:_*Goal*_: An alternative address format made possible by BIP 32, which
allows one to specify a "Wallet ID" and "One-time payment" code, instead
of the standard one-use Base58-Hash160 addresses. This allows parties
with a persistent relationship to be able to prove that payment
addresses they provide each other are linked to a particular wallet,
reducing exposure to MitM attacks without the need for SSL or a web of
trust, and without compromising the privacy of either party. For
instance, this could be used between businesses that frequently do
business, by exchanging and verifying public keys beforehand, or could
be used by an exchange to identify if a customer withdrawal address is
related to their last deposit address, and if not enforce extra
authentication measures.
_*Background*__:_
I haven't been following the payment protocol discussions/development
much, so I apologize if this has already been addressed. I'm calling
it "wallet-linkable" addresses, which would be an optional second form
for sending someone your address. With BIP 32, the address is computed
by the payee (the person sending the address to receive money):
Standard Address ~ Base58(0x00 || hash160(PubKeyParent *
Multiplier[i]) || checksum)
What I'd like to do is have the option, when specifying an address
through the payment protocol, to send *just* the {PublicKeyParent,
Multiplier[i]} and let the receiver of that address compute the address
on their own. This is no significant burden on the receiver, but it
does provide the useful property that they can recognize when addresses
specified in this way come from the same wallet -- because the
PubKeyParent will be the same. Remember, this is _optional_ for the
person providing the address.
One nice, accidental feature of BIP 32 is that the Multiplier[i] used
above does not actually reveal the "chaincode" (I think Pieter started
calling it the "tweak"). It is derived from the chaincode but doesn't
reveal it. Therefore, the payer sees the parent public key, but that's
not useful to derive any of the other addresses unless they also have
the chaincode. But they can verify that the PublicKeyParent is
identical between transactions, and thus is accessible only to that
wallet. It allows them validate a specific address provided by the
payee, but not generate or identify any other addresses.
*_Use Cases:_*
(1) So, just like with PGP/GPG, when two parties decide they will start
a relationship, they can start by exchanging the public keys of their
wallet and verify them in a reliable manner. After that, when one party
requests a payment address from the other, they can optionally send
{PubKey, Multiplier}, and the payer's software will identify the owner
of that address, or let you select who you think the address belongs to
and it will verify it. If the payee's system is compromised and address
is replaced, the address received by the payer won't validate. This
doesn't help if the side sending the money is compromised.
(2) When a customer first provides a deposit to an exchange, it will
send money from an address in their wallet and the software will provide
the exchange the {PubKey,Mult}. When the customer later provides a
withdrawal address, the site can automatically trust the address as long
it is provided in the alternate form and the public keys match. If they
don't, it might be the same customer just requesting a withdrawal to a
different wallet, which is fine, but they'll have to go through an extra
verification step to do so.
_*Downsides:*_
Multi-sig/P2SH - The only way this works with P2SH, violates one of the
goals of P2SH slightly, but may not matter much if it's all done under
the hood by the software. Instead of providing a 20-byte hash of a
script, you provide all the public keys and multipliers for the
individual addresses. The payer's software automatically verifies all
addresses and creates the P2SH script itself (after a divine decree that
public keys will always be sorted lexicographically in the multi-sig
script). The blockchain still benefits from the "compression" of moving
the bulky scripts to the TxIn, but it does require revealing more
information than is necessary for the payer to pay the payee. But it
may not /really/ be a problem, given the benefits. It might just be
slightly longer strings to exchange during initialization and for each
transaction.
I have various reasons I'd like to use this, and it'd be nice to have
some community backing, so I don't have to twist anyone's arm to trust
me that it's legit.
-Alan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20130617/d52177a4/attachment.html>;
Alan Reiner [ARCHIVE] /
npub1sm…mnq7h
2023-06-07 15:03:27
in reply to nevent1q…vqu5
Author Public Key
npub1sm6zhjmk5scuz294jmpkw99wwwjzetjgwp4fu4gn6utqgdz87hkqamnq7hPublished at
2023-06-07 15:03:27Event JSON
{
"id": "ffcc1a6070419fc5c409ddc1ddf1a07b313e81a037a9913d5edfd6d8d4258dcf",
"pubkey": "86f42bcb76a431c128b596c36714ae73a42cae48706a9e5513d716043447f5ec",
"created_at": 1686150207,
"kind": 1,
"tags": [
[
"e",
"60c63b2d935c09c2d6c618c7776de45a3225391d6d5c2bbb728d2b54da18fc56",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "📅 Original date posted:2013-06-18\n📝 Original message:_*Goal*_: An alternative address format made possible by BIP 32, which\nallows one to specify a \"Wallet ID\" and \"One-time payment\" code, instead\nof the standard one-use Base58-Hash160 addresses. This allows parties\nwith a persistent relationship to be able to prove that payment\naddresses they provide each other are linked to a particular wallet,\nreducing exposure to MitM attacks without the need for SSL or a web of\ntrust, and without compromising the privacy of either party. For\ninstance, this could be used between businesses that frequently do\nbusiness, by exchanging and verifying public keys beforehand, or could\nbe used by an exchange to identify if a customer withdrawal address is\nrelated to their last deposit address, and if not enforce extra\nauthentication measures.\n\n_*Background*__:_\nI haven't been following the payment protocol discussions/development\nmuch, so I apologize if this has already been addressed. I'm calling\nit \"wallet-linkable\" addresses, which would be an optional second form\nfor sending someone your address. With BIP 32, the address is computed\nby the payee (the person sending the address to receive money):\n\n Standard Address ~ Base58(0x00 || hash160(PubKeyParent *\nMultiplier[i]) || checksum)\n\nWhat I'd like to do is have the option, when specifying an address\nthrough the payment protocol, to send *just* the {PublicKeyParent,\nMultiplier[i]} and let the receiver of that address compute the address\non their own. This is no significant burden on the receiver, but it\ndoes provide the useful property that they can recognize when addresses\nspecified in this way come from the same wallet -- because the\nPubKeyParent will be the same. Remember, this is _optional_ for the\nperson providing the address.\n\nOne nice, accidental feature of BIP 32 is that the Multiplier[i] used\nabove does not actually reveal the \"chaincode\" (I think Pieter started\ncalling it the \"tweak\"). It is derived from the chaincode but doesn't\nreveal it. Therefore, the payer sees the parent public key, but that's\nnot useful to derive any of the other addresses unless they also have\nthe chaincode. But they can verify that the PublicKeyParent is\nidentical between transactions, and thus is accessible only to that\nwallet. It allows them validate a specific address provided by the\npayee, but not generate or identify any other addresses.\n\n*_Use Cases:_*\n(1) So, just like with PGP/GPG, when two parties decide they will start\na relationship, they can start by exchanging the public keys of their\nwallet and verify them in a reliable manner. After that, when one party\nrequests a payment address from the other, they can optionally send\n{PubKey, Multiplier}, and the payer's software will identify the owner\nof that address, or let you select who you think the address belongs to\nand it will verify it. If the payee's system is compromised and address\nis replaced, the address received by the payer won't validate. This\ndoesn't help if the side sending the money is compromised.\n\n(2) When a customer first provides a deposit to an exchange, it will\nsend money from an address in their wallet and the software will provide\nthe exchange the {PubKey,Mult}. When the customer later provides a\nwithdrawal address, the site can automatically trust the address as long\nit is provided in the alternate form and the public keys match. If they\ndon't, it might be the same customer just requesting a withdrawal to a\ndifferent wallet, which is fine, but they'll have to go through an extra\nverification step to do so. \n\n\n_*Downsides:*_ \nMulti-sig/P2SH - The only way this works with P2SH, violates one of the\ngoals of P2SH slightly, but may not matter much if it's all done under\nthe hood by the software. Instead of providing a 20-byte hash of a\nscript, you provide all the public keys and multipliers for the\nindividual addresses. The payer's software automatically verifies all\naddresses and creates the P2SH script itself (after a divine decree that\npublic keys will always be sorted lexicographically in the multi-sig\nscript). The blockchain still benefits from the \"compression\" of moving\nthe bulky scripts to the TxIn, but it does require revealing more\ninformation than is necessary for the payer to pay the payee. But it\nmay not /really/ be a problem, given the benefits. It might just be\nslightly longer strings to exchange during initialization and for each\ntransaction.\n\nI have various reasons I'd like to use this, and it'd be nice to have\nsome community backing, so I don't have to twist anyone's arm to trust\nme that it's legit.\n\n-Alan\n\n\n\n\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20130617/d52177a4/attachment.html\u003e",
"sig": "8ba30e4bc956b18cf50a695ccf5a56d2bea6e248a63e74bd871a5a09ecaa5499b0e77e41e3f51ce46f1ed0384b167ef23bfabbc6b6f8cdc54727412e3965a0e3"
}