📅 Original date posted:2014-02-02
📝 Original message:>
> Consequently you can now securely and very network/space efficiently
> securely delegate searching a block by computing the private key for the
> IBE pub key that any sender would use for that block, and sending it as
> a query to a random (or node-capture defended random selected node).
> The node can decrypt the encrypted bloom baits with it, but remains
> powerless to correlate with bloom baits to other payments received by
> the same user in bother blocks.
>
I'm not sure I've fully wrapped my head around it.
d/Q - Identity key
E - Generate an epoch-pubkey: E = Q * H1(epoch)
r/P - Ephemeral privkey/pubkey, or discoverable from inputs
S = r * K - Shared secret (ECDE)
Payer derives an encryption key H(S), and encrypts M, which is a 1 byte
bloom bait.
For each epoch, payee generates e = d * H1(epoch) and provides the key to
a full node for monitoring. So you are providing a per-block or per-epoch
private key, along with the block ID or epoch ID that the key corresponds
to.
The full node then uses this privkey to decrypt the same byte in all the
transactions in that epoch/block which match the expected layout/template,
e.g. given a certain length OP_RETURN, pull the specific byte and decrypt.
This decrypted byte is then in turn used as bloom bait which may or may
not cause the transaction to be sent back to the SPV client.
Am I right in saying the full node has no idea if decryption is
'succeeding' it just feeds the resultant bait into the bloom filter and
the transaction may match or not? So we do get some level of repudiation
by the SPV client -- the server doesn't know exactly which transactions
belong to the SPV client.
The bloom bait specified in the reusable address is still making the
bandwidth/privacy trade-off, it just doesn't become public information,
because it's protected by another factor?
What encryption scheme is being used here?
-=-=-=-==
Another approach (inspired by IBE) which narrows the discoverability of
transactions to the nodes that your SPV client is actually communicating
with, for the specific blocks/epochs that you specify, would be to use
PEKS.
PEKS(Q, W) for a public key Q and a keyword W produces a searchable
encryption of the word W.
The payee holding 'd' (privkey for Q) can create a trapdoor which allows a
server to search for transactions with W, where the searching party only
knows if a match is found or not.
Payer:
d/Q - Longstanding / identity privkey/pubkey
r/P - Ephemeral privkey/pubkey, or discoverable from inputs
W - Searchable Keyword
H1 - Hash function, {0, 1} ∗ → G1
H2 - Hash function, G2 → {0, 1}p
Secret, as usual per ECDH:
S = r * Q
For payer to create the searchable encryption of W for Q, called 'Sw':
Sw = H2(e(H1(W), S))
OP_RETURN P, Sw
For payee to search for a given 'W', payee calculates a trapdoor 'Tw':
Tw = d * H1(W)
For a searcher, given a Trapdoor (Tw), check each Transaction (P, Sw):
H2(e(Tw, P)) ==? Sw
If the values match, the keyword matches
Without getting into the concepts of e(g,g) and binomial pairing, I think
of it this way:
Sw = H2(r * Q * H1(W)), but recall: rQ == dP, so...
= H2(d * P * H1(W)), which can be written
= H2(d * H1(W) * P)
Severs finds all transactions with 'P' on relevant parts of the
blockchain, multiplies by the provided trapdoor 'Tw', applies 'H2', and
checks for a matching 'Sw' in the transaction;
Tw = d * H1(W)
Sw = H2(Tw * P)
H2(d * H1(W) * P)
PEKS is vulnerable to an offline keyword guessing attack, where you can
discover the value of the keyword being searched, if the keyword is low
entropy. The server/attacker can figure out the value of W, but they can't
generate their own trapdoors to search for other keywords.
But in this case, the 'keyword' can simply be the block ID / epoch ID
itself, not a secret value at all. In other words, the server can only
search for your transactions within the blocks/epochs that you specify.
Using blockID/epochID as W, this would allow a server to find all
transactions belonging to the payer for that blockID / epochID. The SPV
client would simply provide the trapdoor for each block/epoch to be
searched.
There are extensions to PEKS which provide for 'fuzzy' matching but they
are 'fuzzy' within the scope of Q, not across different Q, so that doesn't
help provide any repudiation. So I see this as only slightly improving
Peter's original proposal of providing 'Q' to the searcher, but if you
want repudiation, not as good as Adam's solution.
Perfunctory disclaimer... Hopefully this is close to correct, but please
don't anyone actually try to implement this!
Thanks,
Jeremy
Jeremy Spilman [ARCHIVE] /
npub10e…jc727
2023-06-07 15:12:53
in reply to nevent1q…tu5v
Author Public Key
npub10etkvm8l0jr0jsgdx02dxnhnu5g989dnca90guj5rklwkaplnh3sgjc727Published at
2023-06-07 15:12:53Event JSON
{
"id": "fe04571c145cc1f5bae39bd9f1b2fc8f6c805f4f397e1349b067da52b22bb823",
"pubkey": "7e57666cff7c86f9410d33d4d34ef3e5105395b3c74af472541dbeeb743f9de3",
"created_at": 1686150773,
"kind": 1,
"tags": [
[
"e",
"81bf280e73145aa317749ec149824a8b3809b797c845a3e3c9b019137c9e59f7",
"",
"root"
],
[
"e",
"c40082fc0cc217b366f4d291c19f4455396873592d8ffa4ab0ec1e243984db2c",
"",
"reply"
],
[
"p",
"daa2fc676a25e3b5b45644540bcbd1e1168b111427cd0e3cf19c56194fb231aa"
]
],
"content": "📅 Original date posted:2014-02-02\n📝 Original message:\u003e\n\u003e Consequently you can now securely and very network/space efficiently\n\u003e securely delegate searching a block by computing the private key for the\n\u003e IBE pub key that any sender would use for that block, and sending it as\n\u003e a query to a random (or node-capture defended random selected node).\n\u003e The node can decrypt the encrypted bloom baits with it, but remains\n\u003e powerless to correlate with bloom baits to other payments received by\n\u003e the same user in bother blocks.\n\u003e\n\nI'm not sure I've fully wrapped my head around it.\n\n d/Q - Identity key\n E - Generate an epoch-pubkey: E = Q * H1(epoch)\n r/P - Ephemeral privkey/pubkey, or discoverable from inputs\n S = r * K - Shared secret (ECDE)\n\nPayer derives an encryption key H(S), and encrypts M, which is a 1 byte \nbloom bait.\n\nFor each epoch, payee generates e = d * H1(epoch) and provides the key to \na full node for monitoring. So you are providing a per-block or per-epoch \nprivate key, along with the block ID or epoch ID that the key corresponds \nto.\n\nThe full node then uses this privkey to decrypt the same byte in all the \ntransactions in that epoch/block which match the expected layout/template, \ne.g. given a certain length OP_RETURN, pull the specific byte and decrypt.\n\nThis decrypted byte is then in turn used as bloom bait which may or may \nnot cause the transaction to be sent back to the SPV client.\n\nAm I right in saying the full node has no idea if decryption is \n'succeeding' it just feeds the resultant bait into the bloom filter and \nthe transaction may match or not? So we do get some level of repudiation \nby the SPV client -- the server doesn't know exactly which transactions \nbelong to the SPV client.\n\nThe bloom bait specified in the reusable address is still making the \nbandwidth/privacy trade-off, it just doesn't become public information, \nbecause it's protected by another factor?\n\nWhat encryption scheme is being used here?\n\n-=-=-=-==\n\nAnother approach (inspired by IBE) which narrows the discoverability of \ntransactions to the nodes that your SPV client is actually communicating \nwith, for the specific blocks/epochs that you specify, would be to use \nPEKS.\n\nPEKS(Q, W) for a public key Q and a keyword W produces a searchable \nencryption of the word W.\n\nThe payee holding 'd' (privkey for Q) can create a trapdoor which allows a \nserver to search for transactions with W, where the searching party only \nknows if a match is found or not.\n\nPayer:\n\n d/Q - Longstanding / identity privkey/pubkey\n r/P - Ephemeral privkey/pubkey, or discoverable from inputs\n W - Searchable Keyword\n H1 - Hash function, {0, 1} ∗ → G1\n H2 - Hash function, G2 → {0, 1}p\n\nSecret, as usual per ECDH:\n\n S = r * Q\n\nFor payer to create the searchable encryption of W for Q, called 'Sw':\n\n Sw = H2(e(H1(W), S))\n OP_RETURN P, Sw\n\nFor payee to search for a given 'W', payee calculates a trapdoor 'Tw':\n\n Tw = d * H1(W)\n\nFor a searcher, given a Trapdoor (Tw), check each Transaction (P, Sw):\n\n H2(e(Tw, P)) ==? Sw\n If the values match, the keyword matches\n\nWithout getting into the concepts of e(g,g) and binomial pairing, I think \nof it this way:\n\n Sw = H2(r * Q * H1(W)), but recall: rQ == dP, so...\n = H2(d * P * H1(W)), which can be written\n = H2(d * H1(W) * P)\n\nSevers finds all transactions with 'P' on relevant parts of the \nblockchain, multiplies by the provided trapdoor 'Tw', applies 'H2', and \nchecks for a matching 'Sw' in the transaction;\n\n Tw = d * H1(W)\n Sw = H2(Tw * P)\n H2(d * H1(W) * P)\n\nPEKS is vulnerable to an offline keyword guessing attack, where you can \ndiscover the value of the keyword being searched, if the keyword is low \nentropy. The server/attacker can figure out the value of W, but they can't \ngenerate their own trapdoors to search for other keywords.\n\nBut in this case, the 'keyword' can simply be the block ID / epoch ID \nitself, not a secret value at all. In other words, the server can only \nsearch for your transactions within the blocks/epochs that you specify.\n\nUsing blockID/epochID as W, this would allow a server to find all \ntransactions belonging to the payer for that blockID / epochID. The SPV \nclient would simply provide the trapdoor for each block/epoch to be \nsearched.\n\nThere are extensions to PEKS which provide for 'fuzzy' matching but they \nare 'fuzzy' within the scope of Q, not across different Q, so that doesn't \nhelp provide any repudiation. So I see this as only slightly improving \nPeter's original proposal of providing 'Q' to the searcher, but if you \nwant repudiation, not as good as Adam's solution.\n\nPerfunctory disclaimer... Hopefully this is close to correct, but please \ndon't anyone actually try to implement this!\n\nThanks,\nJeremy",
"sig": "d1a5215e094b6bd162ca9409d6d7b936db447730c0da51b8ed93e41bc5b3d393a2662aafe5f91c0031e3719d96170990acebce821a8919bf6515d6228540d7f2"
}