📅 Original date posted:2014-01-14
📝 Original message:On Tue, 14 Jan 2014 06:19:08 -0800, Peter Todd <pete at petertodd.org> wrote:
> On Mon, Jan 13, 2014 at 02:02:00PM -0800, Jeremy Spilman wrote:
>> I decided to put both pubKeys in a 2-of-2 multisig, instead of keeping
>> one of the pubKeys in the OP-RETURN, to prevent a malicious sender from
>> triggering false positives on your online detection key when the funds
>> are actually still fully controlled by the payer.
>>
>> You can still have a false positive (only 1 of 2 keys actually yours)
>> but the funds would be trapped so it's unlikely anyone would do it.
>
> How would they trigger false positives? The payee recovers the nonce
> with ECDH from the payor's ephemereal pubkey and their online detection
> secret key. They use BIP32 public derivation with their offline spending
> pubkey(s), if the derived pubkeys match the actual scriptPubKey they
> know the output is spendable by them. I don't see how that can go wrong.
>
Right now I have this:
byte[] e = EC.NewPrivateKey();
byte[] P = EC.GetPublicKey(e, compressed: true);
byte[] S1 = EC.DH(e, Q1);
byte[] S2 = EC.DH(e, Q2);
byte[] q1New = EC.PointAdd(Q1, Util.SingleSHA256(S1));
byte[] q2New = EC.PointAdd(Q2, Util.SingleSHA256(S2));
stealthTx.Vout.Add(TxOut.PayToMultiSig(Util.Amount(".995"), 2, 2, q1New,
q2New));
stealthTx.Vout.Add(TxOut.OpReturn(P));
In this case, you can scan with d2, calculate S2, and matching payments
will have the right 'q2New'. But you need to check again offline with d1
since it's a separate shared secret.
Maybe you are saying:
byte[] S = EC.DH(e, Q2);
byte[] q1New = EC.PointAdd(Q1, Util.SingleSHA256(S));
byte[] q2New = EC.PointAdd(Q2, Util.SingleSHA256(S));
But the payment would have (q2New - q1New) == (Q2 - Q1), so I think not
entirely stealth? OK, let's fix that by adding a counter to the hash
function...
byte[] S = EC.DH(e, Q2);
byte[] q1New = EC.PointAdd(Q1, Util.SingleSHA256(S || 1));
byte[] q2New = EC.PointAdd(Q2, Util.SingleSHA256(S || 2));
stealthTx.Vout.Add(TxOut.PayToMultiSig(Util.Amount(".995"), 2, 2, q1New,
q2New));
stealthTx.Vout.Add(TxOut.OpReturn(P));
This is assuming we want to put q2New somewhere into the transaction,
which, is it even required?
byte[] S = EC.DH(e, Q2);
byte[] q1New = EC.PointAdd(Q1, Util.SingleSHA256(S));
stealthTx.Vout.Add(TxOut.PayToPubKeyHash(Util.Amount(".995"), q1New);
stealthTx.Vout.Add(TxOut.OpReturn(P));
I'll wait for ACK and then update my sample code.
Jeremy Spilman [ARCHIVE] /
npub10e…jc727
2023-06-07 15:11:53
in reply to nevent1q…lmk3
Author Public Key
npub10etkvm8l0jr0jsgdx02dxnhnu5g989dnca90guj5rklwkaplnh3sgjc727Published at
2023-06-07 15:11:53Event JSON
{
"id": "0a62cda472a7c586b9a148debd2e0704aa1b910566e9befa061806744b3c61c6",
"pubkey": "7e57666cff7c86f9410d33d4d34ef3e5105395b3c74af472541dbeeb743f9de3",
"created_at": 1686150713,
"kind": 1,
"tags": [
[
"e",
"6b79d8c7bec3dc6952db91cc68d0510d9897c37dcf58a24d8e2f4288fe42525c",
"",
"root"
],
[
"e",
"73517641eb7bdde29aa424756aa5d24bf7dd275aadf8d622d7ee5d8c3ab5a279",
"",
"reply"
],
[
"p",
"daa2fc676a25e3b5b45644540bcbd1e1168b111427cd0e3cf19c56194fb231aa"
]
],
"content": "📅 Original date posted:2014-01-14\n📝 Original message:On Tue, 14 Jan 2014 06:19:08 -0800, Peter Todd \u003cpete at petertodd.org\u003e wrote:\n\n\u003e On Mon, Jan 13, 2014 at 02:02:00PM -0800, Jeremy Spilman wrote:\n\u003e\u003e I decided to put both pubKeys in a 2-of-2 multisig, instead of keeping \n\u003e\u003e one of the pubKeys in the OP-RETURN, to prevent a malicious sender from \n\u003e\u003e triggering false positives on your online detection key when the funds \n\u003e\u003e are actually still fully controlled by the payer.\n\u003e\u003e\n\u003e\u003e You can still have a false positive (only 1 of 2 keys actually yours) \n\u003e\u003e but the funds would be trapped so it's unlikely anyone would do it.\n\u003e\n\u003e How would they trigger false positives? The payee recovers the nonce\n\u003e with ECDH from the payor's ephemereal pubkey and their online detection\n\u003e secret key. They use BIP32 public derivation with their offline spending\n\u003e pubkey(s), if the derived pubkeys match the actual scriptPubKey they\n\u003e know the output is spendable by them. I don't see how that can go wrong.\n\u003e\n\nRight now I have this:\n\n byte[] e = EC.NewPrivateKey();\n byte[] P = EC.GetPublicKey(e, compressed: true);\n byte[] S1 = EC.DH(e, Q1);\n byte[] S2 = EC.DH(e, Q2);\n byte[] q1New = EC.PointAdd(Q1, Util.SingleSHA256(S1));\n byte[] q2New = EC.PointAdd(Q2, Util.SingleSHA256(S2));\n stealthTx.Vout.Add(TxOut.PayToMultiSig(Util.Amount(\".995\"), 2, 2, q1New, \nq2New));\n stealthTx.Vout.Add(TxOut.OpReturn(P));\n\nIn this case, you can scan with d2, calculate S2, and matching payments \nwill have the right 'q2New'. But you need to check again offline with d1 \nsince it's a separate shared secret.\n\nMaybe you are saying:\n\n byte[] S = EC.DH(e, Q2);\n byte[] q1New = EC.PointAdd(Q1, Util.SingleSHA256(S));\n byte[] q2New = EC.PointAdd(Q2, Util.SingleSHA256(S));\n\nBut the payment would have (q2New - q1New) == (Q2 - Q1), so I think not \nentirely stealth? OK, let's fix that by adding a counter to the hash \nfunction...\n\n byte[] S = EC.DH(e, Q2);\n byte[] q1New = EC.PointAdd(Q1, Util.SingleSHA256(S || 1));\n byte[] q2New = EC.PointAdd(Q2, Util.SingleSHA256(S || 2));\n stealthTx.Vout.Add(TxOut.PayToMultiSig(Util.Amount(\".995\"), 2, 2, q1New, \nq2New));\n stealthTx.Vout.Add(TxOut.OpReturn(P));\n\nThis is assuming we want to put q2New somewhere into the transaction, \nwhich, is it even required?\n\n byte[] S = EC.DH(e, Q2);\n byte[] q1New = EC.PointAdd(Q1, Util.SingleSHA256(S));\n stealthTx.Vout.Add(TxOut.PayToPubKeyHash(Util.Amount(\".995\"), q1New);\n stealthTx.Vout.Add(TxOut.OpReturn(P));\n\nI'll wait for ACK and then update my sample code.",
"sig": "975729cfbca31f482a00dc196da2bcf882a52947330734044cba9887f55f8146bc041690c76a743f156a0e315ddb6fcec245921bb4a53abbbbb07a7a01cc1eb4"
}