Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: greBit on August 21, 2013, 09:20:43 AM



Title: Crypto question: Attaching metadata to a receive address.
Post by: greBit on August 21, 2013, 09:20:43 AM
I need to generate a receive address that is directly associated with some metadata, M, that forms part of a verifiable contract.

I require that customers can verify that an address really was generated from a specific contract message, but I do not want them to have the private key to the address.

I obviously don't want to bloat the blockchain nor do I wish to use non-standard transactions. P2SH is also not possible as it is still largely unsupported by many online wallet providers.

So here is my first attempt, based on (https://bitcointalk.org/index.php?topic=108423.0) ...

# generate an EC key pair for the company
issuer_public_key = issuer_private_key * G

# create a contract message string, M
M = 'Terms of contract bla bla and also includes issuer_public_key for safety'

# generate a hash of the message
e = SHA256(M)

# create an EC point that is known to both parties
contract_point =  (e * issuer_public_key)

# generate a public key for this contract to form our receive address. Customer agrees to contract when they send BTC to receive address.
receive_public_key = contract_point + issuer_public_key

# the private key for the receive address is thus
receive_private_key = contract_point + issuer_private_key


Feedback much appreciated :)


Title: Re: Crypto question: Attaching metadata to a receive address.
Post by: gmaxwell on August 21, 2013, 03:59:31 PM
The output of SHA256 is not guaranteed to be a valid point, so as described this procedure can fail.


Title: Re: Crypto question: Attaching metadata to a receive address.
Post by: greBit on August 21, 2013, 05:01:33 PM
The output of SHA256 is not guaranteed to be a valid point, so as described this procedure can fail.

Yeah the output `e` would be a scalar.  But when it is multiplied with the issuer_public_key point, would the resulting `contract_point` not be a valid elliptic curve point?

Im basing it on the post from Stefan Thomas ...


So how about this.

The recipient publishes their public ECDSA point P.

A sender generates a JSON metadata object M and calculates its hash e = SHA256(M). The sender then calculates a new public point PM = P * e. Next, the sender creates a transaction sending the money to the address RIPE160(SHA256(PM)). Finally, he transmits M to the recipient through a secure channel - this could be sent directly via HTTPS, encrypted email, etc. or perhaps left as an message in a DHT, encrypted with ECDH and the recipient's public point P as the key.


Edit: to include quote.


Title: Re: Crypto question: Attaching metadata to a receive address.
Post by: gmaxwell on August 21, 2013, 06:36:02 PM
Yeah the output `e` would be a scalar.  But when it is multiplied with the issuer_public_key point, would the resulting `contract_point` not be a valid elliptic curve point?
Imagine that e is 0.


Title: Re: Crypto question: Attaching metadata to a receive address.
Post by: greBit on August 21, 2013, 06:48:29 PM
Yeah the output `e` would be a scalar.  But when it is multiplied with the issuer_public_key point, would the resulting `contract_point` not be a valid elliptic curve point?
Imagine that e is 0.


Yeah ok, barring the exceptional case that the hash of the metadata comes to zero but that seems pretty unlikely :)