š
Original date posted:2014-01-10
š Original message:On Wed, Jan 08, 2014 at 02:20:57AM -0800, Jeremy Spilman wrote:
> Thanks Peter for the paper!
>
> I'm just going to restate your 'simple explanation' to make sure I
> got it...
>
> The payee publishes a public key of theirs, which will be a
> long-standing identifier, public key = 'Q', corresponding private
> key = 'd'.
>
> To pay them, payee generate a keypair, private key = 'e' public key
> of 'P'. Publish 'P' in the transaction.
>
> The payer can calculate S = eQ, where S is a shared secret between
> payer/payee. The payee calculates the same S as S = dP. So the payee
> sees 'P' in a transaction, and multiplies by their private key, to
> get S.
>
> Now that we have the shared secret, either side can calculate an
> offset to Q which becomes the pay-to-address. When you say
> BIP32-style derivation, Q' = H(S) + Q, does this mean Q +
> SHA256(33-byte S)?
I think that's correct, but my ECC math is a bit shakey... In any case,
what's important is that you can derive a pubkey such that only the
recipient has the privkey, and without knowledge of the shared secret
you can't determine what the recipients master pubkey was.
> A payee has to check each transaction (or every transaction of a
> fixed prefix) with 'P', calculate Q' = Q + H(dP) and see if that
> transaction pays to Q'. If the address matches, then the payee can
> spend it with private key of d + H(dP).
Yup, you're understanding matches mine. (no guarantee if my
understanding is correct!)
> One downside is that you have to hold your private key in memory
> unencrypted in order to identify new payments coming in. So
> stealth-addresses may not be suitable for receiving eCommerce
> payments, since you can't implement a corresponding watch-only
> wallet, e.g. there's no way to "direct-deposit into cold storage."
Oh, sorry, I forgot to mention it in my first write-up but you can
easily make stealth addresses include a second pubkey for the purpose of
the communication that either isn't used in the scriptPubKey at all, or
is part of a n-of-m multisig. (n>=2) Interestingly that also means you
can give a third-party that key and out-source the effort of scanning
the blockchain for you.
--
'peter'[:-1]@petertodd.org
00000000000000028a5c9edabc9697fe96405f667be1d6d558d1db21d49b8857
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 685 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140110/f85268c9/attachment.sig>;
Peter Todd [ARCHIVE] /
npub1m2ā¦a2np2
2023-06-07 15:11:35
in reply to nevent1qā¦7vlg
Author Public Key
npub1m230cem2yh3mtdzkg32qhj73uytgkyg5ylxsu083n3tpjnajxx4qqa2np2Published at
2023-06-07 15:11:35Event JSON
{
"id": "8e343b19bb4f03076695b7ec4abfd4f1e7f30736779d86c7b3fff268719656c3",
"pubkey": "daa2fc676a25e3b5b45644540bcbd1e1168b111427cd0e3cf19c56194fb231aa",
"created_at": 1686150695,
"kind": 1,
"tags": [
[
"e",
"6b79d8c7bec3dc6952db91cc68d0510d9897c37dcf58a24d8e2f4288fe42525c",
"",
"root"
],
[
"e",
"5246e668296bcde617bbdddd28efbdf85ef368c4ff063e1bd67c5297150fb7bc",
"",
"reply"
],
[
"p",
"7e57666cff7c86f9410d33d4d34ef3e5105395b3c74af472541dbeeb743f9de3"
]
],
"content": "š
Original date posted:2014-01-10\nš Original message:On Wed, Jan 08, 2014 at 02:20:57AM -0800, Jeremy Spilman wrote:\n\u003e Thanks Peter for the paper!\n\u003e \n\u003e I'm just going to restate your 'simple explanation' to make sure I\n\u003e got it...\n\u003e \n\u003e The payee publishes a public key of theirs, which will be a\n\u003e long-standing identifier, public key = 'Q', corresponding private\n\u003e key = 'd'.\n\u003e \n\u003e To pay them, payee generate a keypair, private key = 'e' public key\n\u003e of 'P'. Publish 'P' in the transaction.\n\u003e \n\u003e The payer can calculate S = eQ, where S is a shared secret between\n\u003e payer/payee. The payee calculates the same S as S = dP. So the payee\n\u003e sees 'P' in a transaction, and multiplies by their private key, to\n\u003e get S.\n\u003e \n\u003e Now that we have the shared secret, either side can calculate an\n\u003e offset to Q which becomes the pay-to-address. When you say\n\u003e BIP32-style derivation, Q' = H(S) + Q, does this mean Q +\n\u003e SHA256(33-byte S)?\n\nI think that's correct, but my ECC math is a bit shakey... In any case,\nwhat's important is that you can derive a pubkey such that only the\nrecipient has the privkey, and without knowledge of the shared secret\nyou can't determine what the recipients master pubkey was.\n\n\u003e A payee has to check each transaction (or every transaction of a\n\u003e fixed prefix) with 'P', calculate Q' = Q + H(dP) and see if that\n\u003e transaction pays to Q'. If the address matches, then the payee can\n\u003e spend it with private key of d + H(dP).\n\nYup, you're understanding matches mine. (no guarantee if my\nunderstanding is correct!)\n\n\u003e One downside is that you have to hold your private key in memory\n\u003e unencrypted in order to identify new payments coming in. So\n\u003e stealth-addresses may not be suitable for receiving eCommerce\n\u003e payments, since you can't implement a corresponding watch-only\n\u003e wallet, e.g. there's no way to \"direct-deposit into cold storage.\"\n\nOh, sorry, I forgot to mention it in my first write-up but you can\neasily make stealth addresses include a second pubkey for the purpose of\nthe communication that either isn't used in the scriptPubKey at all, or\nis part of a n-of-m multisig. (n\u003e=2) Interestingly that also means you\ncan give a third-party that key and out-source the effort of scanning\nthe blockchain for you.\n\n-- \n'peter'[:-1]@petertodd.org\n00000000000000028a5c9edabc9697fe96405f667be1d6d558d1db21d49b8857\n-------------- next part --------------\nA non-text attachment was scrubbed...\nName: signature.asc\nType: application/pgp-signature\nSize: 685 bytes\nDesc: Digital signature\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140110/f85268c9/attachment.sig\u003e",
"sig": "12aca476f8279c6e8a4fc93707c95749ecaccbeae0ddf9da2ba981c1b9da807328f282487cd5320dff0c366aa159148ba7b3e4758909b6b7a5a58a6f872b280d"
}