📅 Original date posted:2013-06-19
📝 Original message:Since you mention to use this in conjunction with the payment protocol,
note the following subtlety. Suppose the payer has to paid this address
called "destination":
> Standard Address ~ Base58(0x00 || hash160(PubKeyParent * Multiplier[i]) ||
> checksum)
Also suppose the payee has spent the output, i.e. the pubkey
corresponding to "destination", which is PubKeyParent * Multiplier[i],
is publicly known. Then anybody can (in retrospect) create arbitrary
many pairs {PublicKeyParent, Multiplier} (in particular different
PublicKeyParent) that lead to the same "destination".
Depending on what you have in mind that the transaction should "prove"
regarding its actual receiver or regarding the receiver's PubKeyParent,
this could be an unwanted feature (or it could be just fine). If it is
unwanted then I suggest replacing
PubKeyParent * Multiplier[i] by
PubKeyParent * HMAC(Multiplier[i],PubKeyParent)
which eliminates from the destination all ambiguity about PubKeyParent.
This modification would not be directly compatible with BIP32 anymore
(unfortunately), but seems to be better suited for use in conjunction
with a payment protocol.
Timo
On Mon, Jun 17, 2013 at 11:48:22PM -0400, Alan Reiner wrote:
> Goal: An alternative address format made possible by BIP 32, which allows one
> to specify a "Wallet ID" and "One-time payment" code, instead of the standard
> one-use Base58-Hash160 addresses. This allows parties with a persistent
> relationship to be able to prove that payment addresses they provide each other
> are linked to a particular wallet, reducing exposure to MitM attacks without
> the need for SSL or a web of trust, and without compromising the privacy of
> either party. For instance, this could be used between businesses that
> frequently do business, by exchanging and verifying public keys beforehand, or
> could be used by an exchange to identify if a customer withdrawal address is
> related to their last deposit address, and if not enforce extra authentication
> measures.
>
> Background:
> I haven't been following the payment protocol discussions/development much, so
> I apologize if this has already been addressed. I'm calling it
> "wallet-linkable" addresses, which would be an optional second form for sending
> someone your address. With BIP 32, the address is computed by the payee (the
> person sending the address to receive money):
>
> Standard Address ~ Base58(0x00 || hash160(PubKeyParent * Multiplier[i]) ||
> checksum)
>
> What I'd like to do is have the option, when specifying an address through the
> payment protocol, to send *just* the {PublicKeyParent, Multiplier[i]} and let
> the receiver of that address compute the address on their own. This is no
> significant burden on the receiver, but it does provide the useful property
> that they can recognize when addresses specified in this way come from the same
> wallet -- because the PubKeyParent will be the same. Remember, this is
> optional for the person providing the address.
>
> One nice, accidental feature of BIP 32 is that the Multiplier[i] used above
> does not actually reveal the "chaincode" (I think Pieter started calling it the
> "tweak"). It is derived from the chaincode but doesn't reveal it. Therefore,
> the payer sees the parent public key, but that's not useful to derive any of
> the other addresses unless they also have the chaincode. But they can verify
> that the PublicKeyParent is identical between transactions, and thus is
> accessible only to that wallet. It allows them validate a specific address
> provided by the payee, but not generate or identify any other addresses.
>
> Use Cases:
> (1) So, just like with PGP/GPG, when two parties decide they will start a
> relationship, they can start by exchanging the public keys of their wallet and
> verify them in a reliable manner. After that, when one party requests a
> payment address from the other, they can optionally send {PubKey, Multiplier},
> and the payer's software will identify the owner of that address, or let you
> select who you think the address belongs to and it will verify it. If the
> payee's system is compromised and address is replaced, the address received by
> the payer won't validate. This doesn't help if the side sending the money is
> compromised.
>
> (2) When a customer first provides a deposit to an exchange, it will send
> money from an address in their wallet and the software will provide the
> exchange the {PubKey,Mult}. When the customer later provides a withdrawal
> address, the site can automatically trust the address as long it is provided in
> the alternate form and the public keys match. If they don't, it might be the
> same customer just requesting a withdrawal to a different wallet, which is
> fine, but they'll have to go through an extra verification step to do so.
>
>
> Downsides:
> Multi-sig/P2SH - The only way this works with P2SH, violates one of the goals
> of P2SH slightly, but may not matter much if it's all done under the hood by
> the software. Instead of providing a 20-byte hash of a script, you provide all
> the public keys and multipliers for the individual addresses. The payer's
> software automatically verifies all addresses and creates the P2SH script
> itself (after a divine decree that public keys will always be sorted
> lexicographically in the multi-sig script). The blockchain still benefits from
> the "compression" of moving the bulky scripts to the TxIn, but it does require
> revealing more information than is necessary for the payer to pay the payee.
> But it may not really be a problem, given the benefits. It might just be
> slightly longer strings to exchange during initialization and for each
> transaction.
>
> I have various reasons I'd like to use this, and it'd be nice to have some
> community backing, so I don't have to twist anyone's arm to trust me that it's
> legit.
>
> -Alan
>
>
>
>
--
Timo Hanke
PGP 1EFF 69BC 6FB7 8744 14DB 631D 1BB5 D6E3 AB96 7DA8
Timo Hanke [ARCHIVE] /
npub1dd…pgp9a
2023-06-07 15:03:30
in reply to nevent1q…tsl5
Author Public Key
npub1ddqaln8xsfmy6sxqplt9sz5ev99kh052sveqsh02q7hmc3a6n68shpgp9aPublished at
2023-06-07 15:03:30Event JSON
{
"id": "5a1a97f02d01a0f1a4d73f524832bd1f32e34a86b24ef76e69a42939975bf0da",
"pubkey": "6b41dfcce682764d40c00fd6580a99614b6bbe8a8332085dea07afbc47ba9e8f",
"created_at": 1686150210,
"kind": 1,
"tags": [
[
"e",
"60c63b2d935c09c2d6c618c7776de45a3225391d6d5c2bbb728d2b54da18fc56",
"",
"root"
],
[
"e",
"749c43d970e4d429e2a1511a87774e7e7bcd0605956decc84c40740450acc4c3",
"",
"reply"
],
[
"p",
"5cb21bf5d7f25a9d46879713cbd32433bbc10e40ef813a3c28fe7355f49854d6"
]
],
"content": "📅 Original date posted:2013-06-19\n📝 Original message:Since you mention to use this in conjunction with the payment protocol,\nnote the following subtlety. Suppose the payer has to paid this address\ncalled \"destination\": \n\u003e Standard Address ~ Base58(0x00 || hash160(PubKeyParent * Multiplier[i]) ||\n\u003e checksum)\nAlso suppose the payee has spent the output, i.e. the pubkey\ncorresponding to \"destination\", which is PubKeyParent * Multiplier[i],\nis publicly known. Then anybody can (in retrospect) create arbitrary\nmany pairs {PublicKeyParent, Multiplier} (in particular different\nPublicKeyParent) that lead to the same \"destination\".\n\nDepending on what you have in mind that the transaction should \"prove\"\nregarding its actual receiver or regarding the receiver's PubKeyParent,\nthis could be an unwanted feature (or it could be just fine). If it is\nunwanted then I suggest replacing\nPubKeyParent * Multiplier[i] by \nPubKeyParent * HMAC(Multiplier[i],PubKeyParent)\nwhich eliminates from the destination all ambiguity about PubKeyParent.\n\nThis modification would not be directly compatible with BIP32 anymore\n(unfortunately), but seems to be better suited for use in conjunction\nwith a payment protocol. \n\nTimo\n\nOn Mon, Jun 17, 2013 at 11:48:22PM -0400, Alan Reiner wrote:\n\u003e Goal: An alternative address format made possible by BIP 32, which allows one\n\u003e to specify a \"Wallet ID\" and \"One-time payment\" code, instead of the standard\n\u003e one-use Base58-Hash160 addresses. This allows parties with a persistent\n\u003e relationship to be able to prove that payment addresses they provide each other\n\u003e are linked to a particular wallet, reducing exposure to MitM attacks without\n\u003e the need for SSL or a web of trust, and without compromising the privacy of\n\u003e either party. For instance, this could be used between businesses that\n\u003e frequently do business, by exchanging and verifying public keys beforehand, or\n\u003e could be used by an exchange to identify if a customer withdrawal address is\n\u003e related to their last deposit address, and if not enforce extra authentication\n\u003e measures.\n\u003e \n\u003e Background:\n\u003e I haven't been following the payment protocol discussions/development much, so\n\u003e I apologize if this has already been addressed. I'm calling it\n\u003e \"wallet-linkable\" addresses, which would be an optional second form for sending\n\u003e someone your address. With BIP 32, the address is computed by the payee (the\n\u003e person sending the address to receive money):\n\u003e \n\u003e Standard Address ~ Base58(0x00 || hash160(PubKeyParent * Multiplier[i]) ||\n\u003e checksum)\n\u003e \n\u003e What I'd like to do is have the option, when specifying an address through the\n\u003e payment protocol, to send *just* the {PublicKeyParent, Multiplier[i]} and let\n\u003e the receiver of that address compute the address on their own. This is no\n\u003e significant burden on the receiver, but it does provide the useful property\n\u003e that they can recognize when addresses specified in this way come from the same\n\u003e wallet -- because the PubKeyParent will be the same. Remember, this is\n\u003e optional for the person providing the address.\n\u003e \n\u003e One nice, accidental feature of BIP 32 is that the Multiplier[i] used above\n\u003e does not actually reveal the \"chaincode\" (I think Pieter started calling it the\n\u003e \"tweak\"). It is derived from the chaincode but doesn't reveal it. Therefore,\n\u003e the payer sees the parent public key, but that's not useful to derive any of\n\u003e the other addresses unless they also have the chaincode. But they can verify\n\u003e that the PublicKeyParent is identical between transactions, and thus is\n\u003e accessible only to that wallet. It allows them validate a specific address\n\u003e provided by the payee, but not generate or identify any other addresses.\n\u003e \n\u003e Use Cases:\n\u003e (1) So, just like with PGP/GPG, when two parties decide they will start a\n\u003e relationship, they can start by exchanging the public keys of their wallet and\n\u003e verify them in a reliable manner. After that, when one party requests a\n\u003e payment address from the other, they can optionally send {PubKey, Multiplier},\n\u003e and the payer's software will identify the owner of that address, or let you\n\u003e select who you think the address belongs to and it will verify it. If the\n\u003e payee's system is compromised and address is replaced, the address received by\n\u003e the payer won't validate. This doesn't help if the side sending the money is\n\u003e compromised.\n\u003e \n\u003e (2) When a customer first provides a deposit to an exchange, it will send\n\u003e money from an address in their wallet and the software will provide the\n\u003e exchange the {PubKey,Mult}. When the customer later provides a withdrawal\n\u003e address, the site can automatically trust the address as long it is provided in\n\u003e the alternate form and the public keys match. If they don't, it might be the\n\u003e same customer just requesting a withdrawal to a different wallet, which is\n\u003e fine, but they'll have to go through an extra verification step to do so. \n\u003e \n\u003e \n\u003e Downsides: \n\u003e Multi-sig/P2SH - The only way this works with P2SH, violates one of the goals\n\u003e of P2SH slightly, but may not matter much if it's all done under the hood by\n\u003e the software. Instead of providing a 20-byte hash of a script, you provide all\n\u003e the public keys and multipliers for the individual addresses. The payer's\n\u003e software automatically verifies all addresses and creates the P2SH script\n\u003e itself (after a divine decree that public keys will always be sorted\n\u003e lexicographically in the multi-sig script). The blockchain still benefits from\n\u003e the \"compression\" of moving the bulky scripts to the TxIn, but it does require\n\u003e revealing more information than is necessary for the payer to pay the payee. \n\u003e But it may not really be a problem, given the benefits. It might just be\n\u003e slightly longer strings to exchange during initialization and for each\n\u003e transaction.\n\u003e \n\u003e I have various reasons I'd like to use this, and it'd be nice to have some\n\u003e community backing, so I don't have to twist anyone's arm to trust me that it's\n\u003e legit.\n\u003e \n\u003e -Alan\n\u003e \n\u003e \n\u003e \n\u003e \n\n-- \nTimo Hanke\nPGP 1EFF 69BC 6FB7 8744 14DB 631D 1BB5 D6E3 AB96 7DA8",
"sig": "aa40ff8c1948514cadaacc5cf90b44b2a994b55bd4d4216ff6a852a7e98d23cadeaea9259efabb22839eec16fbbbe8af14d4141ae84ce07bb2f4a1434a34f994"
}