Title: Crypto question: Attaching metadata to a receive address.
Post by: greBit on August 21, 2013, 09:20:43 AM

I need to generate a receive address that is directly associated with some metadata, M, that forms part of a verifiable contract.

I require that customers can verify that an address really was generated from a specific contract message, but I do not want them to have the private key to the address.

I obviously don't want to bloat the blockchain nor do I wish to use non-standard transactions. P2SH is also not possible as it is still largely unsupported by many online wallet providers.

So here is my first attempt, based on (https://bitcointalk.org/index.php?topic=108423.0) ...

    # generate an EC key pair for the company
    issuer_public_key = issuer_private_key * G

    # create a contract message string, M
    M = 'Terms of contract bla bla and also includes issuer_public_key for safety'

    # generate a hash of the message
    e = SHA256(M)

    # create an EC point that is known to both parties
    contract_point = (e * issuer_public_key)

    # generate a public key for this contract to form our receive address.
    # Customer agrees to contract when they send BTC to receive address.
    receive_public_key = contract_point + issuer_public_key

    # the private key for the receive address is thus
    # (scalar arithmetic modulo the curve order; a point cannot be added to a scalar)
    receive_private_key = (e * issuer_private_key) + issuer_private_key

Feedback much appreciated :)

Title: Re: Crypto question: Attaching metadata to a receive address.
Post by: gmaxwell on August 21, 2013, 03:59:31 PM

The output of SHA256 is not guaranteed to be a valid point, so as described this procedure can fail.

Title: Re: Crypto question: Attaching metadata to a receive address.
Post by: greBit on August 21, 2013, 05:01:33 PM

> The output of SHA256 is not guaranteed to be a valid point, so as described this procedure can fail.

Yeah the output `e` would be a scalar. But when it is multiplied with the issuer_public_key point, would the resulting `contract_point` not be a valid elliptic curve point?

I'm basing it on the post from Stefan Thomas ...

> So how about this. The recipient publishes their public ECDSA point P. A sender generates a JSON metadata object M and calculates its hash e = SHA256(M). The sender then calculates a new public point PM = P * e. Next, the sender creates a transaction sending the money to the address RIPE160(SHA256(PM)). Finally, he transmits M to the recipient through a secure channel - this could be sent directly via HTTPS, encrypted email, etc. or perhaps left as a message in a DHT, encrypted with ECDH and the recipient's public point P as the key.

Edit: to include quote.

Title: Re: Crypto question: Attaching metadata to a receive address.
Post by: gmaxwell on August 21, 2013, 06:36:02 PM

> Yeah the output `e` would be a scalar. But when it is multiplied with the issuer_public_key point, would the resulting `contract_point` not be a valid elliptic curve point?

Imagine that e is 0.

Title: Re: Crypto question: Attaching metadata to a receive address.
Post by: greBit on August 21, 2013, 06:48:29 PM

>> Yeah the output `e` would be a scalar. But when it is multiplied with the issuer_public_key point, would the resulting `contract_point` not be a valid elliptic curve point?
>
> Imagine that e is 0.

Yeah ok, barring the exceptional case that the hash of the metadata comes to zero but that seems pretty unlikely :)
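
The derivation from the first post, with the e = 0 case raised in the replies checked explicitly, as an added example that is not code from any poster in this thread. It also rejects e = n-1, which would make the receive key itself the point at infinity (a generalization beyond what the thread states). The function names and the pure-Python secp256k1 arithmetic (not constant time, illustration only) are assumptions of this sketch, and it stops at the public key rather than encoding an address.

```python
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses)
PRIME = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    if a[0] == b[0] and (a[1] + b[1]) % PRIME == 0:
        return None                       # a + (-a)
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, PRIME) % PRIME
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % PRIME, -1, PRIME) % PRIME
    x = (lam * lam - a[0] - b[0]) % PRIME
    return (x, (lam * (a[0] - x) - a[1]) % PRIME)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def checked_scalar(e):
    """Reject e = 0 (contract point at infinity) and e = n-1 (receive key at infinity)."""
    e %= N
    if e in (0, N - 1):
        raise ValueError("degenerate hash value, change the contract text")
    return e

def tweak(message):
    """e = SHA256(M) read as a big-endian integer."""
    return checked_scalar(int.from_bytes(hashlib.sha256(message).digest(), "big"))

def receive_public_key(issuer_pub, message):
    """Customer side: e*P + P, computed from the issuer's public key only."""
    return add(mul(tweak(message), issuer_pub), issuer_pub)

def receive_private_key(issuer_priv, message):
    """Issuer side: (e + 1) * d mod n, so only the issuer can spend."""
    return (tweak(message) + 1) * issuer_priv % N
```

A customer who holds M and the issuer's public key recomputes `receive_public_key` and compares it with the key behind the address they were given; a mismatch means the address was not derived from that contract text.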