Bitcoin Forum
  Show Posts
161  Bitcoin / Wallet software / Re: What wallet is deterministic AND uses compressed keys? on: November 03, 2014, 12:13:16 PM
What wallet is deterministic AND uses compressed keys?

By deterministic, I mean where with a master public key, one can derive thousands of watch-only addresses, but the corresponding private keys are of the compressed type that begins with letter K or L.

BreadWallet, Mycelium, web.hivewallet.com, Electrum (starting with any wallet made on ver. 2.0 onward... not released yet, but available on github)
162  Bitcoin / Wallet software / Re: A Kick Ass TransactionBuilder with Stealth Payment support ! on: November 03, 2014, 09:50:45 AM
Also, I have a second question relating to P2SH Stealth Address.
If one receive a P2SH Stealth Payment with prefix matching, then he needs to know if the P2SH scriptPubKey is correct.

The problem is, for that to happen, all the keys should be uncovered by the scanner, which is a costly.
If no P2SH is used, only 1 uncover operation is enough.

So, a scanner supporting P2SH stealth payment is potentially weaker to DDOS attack. right ?

This make me think that no scanner should assume P2SH stealth payment is possible by default, except if specified otherwise.

Since the scanner knows the Stealth Address, it would be nice to include this information in the Option byte.
So, the payment receiver can decide himself, at the time of the address creation, if he accepts the risk or not.
And better, the payer don't have to ask the question out of band whether he uses P2SH or not.

https://wiki.unsystem.net/en/index.php/DarkWallet/Stealth#Address_format
Stealth addresses have a byte for N and a byte for M (Shown in wiki as [number_sigs:1]) in the "M-of-N" (aka multisig)

If N = 0x01, then p2pkh If N > 0x01, then p2sh.

As for operations, you will have to discover the shared secret once (using scan_pubkey only), then just add the shared secret point to each spend pubkey. So the difference between the calculations for a p2pkh stealth and a p2sh stealth is + (N - 1) EC additions (which are trivial, EC multiply is where the real heavy lifting takes place) so it's negligible.

Let me show some example code:

Code:
# Helpers (sha256, EC_KEY, ser_to_point, point_to_ser, hash_160, hash_160_to_bc_address,
# public_key_to_bc_address) are assumed to be Electrum's bitcoin.py helpers, and
# Transaction.multisig_script is Electrum's; diffie_hellman (ephem_secret * scan_pubkey,
# returned as a compressed pubkey) is assumed to be defined alongside this function.
# Python 2 code (uses str.encode('hex') / str.decode('hex')).
from bitcoin import (sha256, EC_KEY, ser_to_point, point_to_ser, hash_160,
                     hash_160_to_bc_address, public_key_to_bc_address)
from transaction import Transaction


def find_stealth_address(scan_pubkey, spend_pubkeys, ephemkey, multisig_m=0):
    # Takes scan_pubkey and spend_pubkeys and creates the new (payment) address.
    # Scan pubkey * ephem_secret: this generates the address for sending.
    S1 = diffie_hellman(ephemkey.secret, scan_pubkey)
    # Hash the compressed shared-secret pubkey once with sha256 to get an integer.
    c = sha256(S1)
    # Generate the key from the shared secret and take its pubkey point.
    shared_point = EC_KEY(c).pubkey.point
    # Initialise the address pubkey list.
    addr_pubkey = []
    if len(spend_pubkeys) == 1:
        # N == 1 (len(spend_pubkeys) should equal N; its sanity is checked in a separate function).
        # Add the spend pubkey point to the shared point.
        point = ser_to_point(spend_pubkeys[0]) + shared_point
        # Append the compressed pubkey to the addr pubkey list.
        addr_pubkey.append(point_to_ser(point))
        # Get the P2PKH address.
        address = public_key_to_bc_address(addr_pubkey[0])
    else:
        # N > 1: sanity check, M should be at least 1 and at most N.
        assert multisig_m > 0 and multisig_m <= len(spend_pubkeys)
        for i in range(len(spend_pubkeys)):
            # Add each of the N spend pubkeys to the same shared-secret point.
            point = ser_to_point(spend_pubkeys[i]) + shared_point
            # Append the hex-encoded pubkey to the addr pubkeys list.
            addr_pubkey.append(point_to_ser(point).encode('hex'))
        # Generate the redeem script, sorting the addr_pubkeys first (canonical ordering).
        redeem_script = Transaction.multisig_script(sorted(addr_pubkey), multisig_m)
        # Generate the P2SH address (version byte 5).
        address = hash_160_to_bc_address(hash_160(redeem_script.decode('hex')), 5)
    return address

The calculations for the p2sh are not much more, just extra point additions.
163  Bitcoin / Wallet software / Re: fastest long-term wallet for thousands of accounts? on: November 03, 2014, 08:31:40 AM
Most services with any level of competence implement their own services from the ground up. (ie. they don't use "pre-packaged" solutions like Bitcoin Core)

I would suggest managing your keys with BIP32, generate an extra 10 accounts and an extra 10 addresses for each account as a buffer (for when your service gets hit hard) then set up a bunch of SPV instances with bloom filters to accept transactions only dealing with your service.

You could set a low false positive rate, as your service as a whole probably doesn't need to have much privacy. (Your service basically masks users's activity to the network anyways)

Then just sit and watch the transactions roll in.

As they come in, you can categorize them based on the utxos of each transaction and use it to update your server's database.
164  Bitcoin / Wallet software / Re: A Kick Ass TransactionBuilder with Stealth Payment support ! on: November 01, 2014, 10:34:13 AM
Does it support p2sh stealth addresses with prefixes?

I have a hand-made stealth that I've been using.
165  Bitcoin / Development & Technical Discussion / Re: What are checkpoints in bitcoin code? on: November 01, 2014, 10:32:58 AM
+1

headers first syncing will remove the need for checkpoints.
166  Bitcoin / Development & Technical Discussion / Re: Message Encryption with bitcoin address. on: October 31, 2014, 04:26:19 PM
https://github.com/bitpay/bitcore/blob/master/lib/common/ECIES.js

Is this insecure?
167  Bitcoin / Electrum / Re: Warning! The wallet not identical on Windows and Android on: October 31, 2014, 02:21:02 PM
Thank you.
1. No install. electrum-1.9.8-portable.exe (MD5 0E0D65E83B83211463EEA86F5E487E35). Made a new wallet from seed generated by app;
2. Installed Electrum for Android just followed the site (https://electrum.org/android.html);
3. On PC tapped "Seed", typed password and the app make me QRcode;
4. "electrum-1.9.8-portable" and "e4a-1.8.1 scrypt".

Thank you again. Good luck.

PS. i think there are some diff from scrypts to PC and e4a-1.8.1.

Ok, I found the problem.

The Android version runs on version 1.8.1 of the Electrum code.

In 1.8.1, the seed QR code contained the hex seed (ie. '0fb478acbdfe76cd3679acd98ef67837')

So your Android device is hashing the mnemonic phrase instead of the seed.

To fix:
* Input your seed manually tapping "Restore" > "mnemonic"... then type in your seed word by word.

Why I was getting all correct seeds:
* I noticed this a long time ago and fixed it locally, but since Android version is deprecated, didn't bother with a PR.
168  Bitcoin / Electrum / Re: Warning! The wallet not identical on Windows and Android on: October 31, 2014, 01:18:03 PM
I just tried it 10 times with 10 different seeds.

Addresses all match...

Can you explain how you installed Electrum? (explain every step. Don't just say "I followed the site")
Can you explain how you installed Electrum for Android?
Can you tell me every button you tapped on the app?
Can you tell me the version numbers of both apps?

I can't reproduce your issue, so unless I can reproduce it... there's no way I or anyone else can help you.

Thank you.
1. No install. electrum-1.9.8-portable.exe (MD5 0E0D65E83B83211463EEA86F5E487E35). Made a new wallet from seed generated by app;
2. Installed Electrum for Android just followed the site (https://electrum.org/android.html);
3. On PC tapped "Seed", typed password and the app make me QRcode;
4. "electrum-1.9.8-portable" and "e4a-1.8.1 scrypt".

Thank you again. Good luck.

PS. i think there are some diff from scrypts to PC and e4a-1.8.1.

Can you do me a favor?:

1. Open Electrum (PC) and generate a new wallet (use "File" > "New Wallet" and put in any name for the new wallet)
2. Delete the wallet.dat file from your Android. (I am assuming you are not using it)
3. Click seed on the new wallet from #1 and scan the QR code from the "Restore" option in Android.
4. Take a screenshot of the PC wallet's "Address" tab open and the "Seed" window open next to it.
5. Take a screenshot with your Android of the Show seed screen, then also take a screenshot of the receive addresses screen.
6. Upload the screenshots from #4 and #5.

(Since you will post this on the internet, do not use this seed)

Thanks
169  Bitcoin / Development & Technical Discussion / Re: [Want Feedback] Improved Stealth Address send/discovery method. on: October 31, 2014, 12:04:44 PM
vout_priv = sha256((scan_pubkey + prev_hash + vout + index).decode('hex'))

maybe you want scan_privkey instead of pubkey there otherwise the secret is public...

Code:
address_point = ECaddition(ECaddition(spend_pubkey, shared_secret_pub), vout_pub)

spend_pubkey = public
shared_secret_pub = private
vout_pub = public

Since the shared_secret_pub is already private (as it is the scan_privkey x Ephem_pubkey (or vice versa)) there is no need to have the vout_pub be secret.

The vout_pub only serves the purpose of removing the possibility of address reuse when sending multiple outputs to the same stealth address.

Not to mention that if you used scan_privkey, the sender would not be able to calculate the address's point.



Back to OT, I have been working on this sporadically, and a lot of security concerns arise from allowing private keys to stay in memory for longer than necessary...


I was thinking of other solutions... one of which would involve using the k value (the one used to generate the r value of the signature) with the scan pubkey to generate the shared secret... this way the receiver would multiply his scan privkey with the r value to get the shared secret... the problem with this is that it would mess with the deterministic signatures of Electrum. (you need the final tx to be signed in order to be a truly deterministic signature... I think that replacing the output script with the hex representation of the stealth address for the k generation, and this should be sufficient... but the security implications of such tomfoolery is beyond my scope of studies)


I guess the best way to deal with it is:
1. Move to create a new standard script template that can accommodate stealth in one output.
2. Just hope everyone uses stealth to lower the standing out of OP_RETURN stealth on the blockchain.


Maybe I'm just over-thinking things...
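An added example, not code from either post and not Electrum's or DarkWallet's own code: the derivation described in post 162 (one ECDH against the scan key, then one EC addition per spend key, with a sorted M-of-N redeem script when N > 1), implemented in pure Python on secp256k1 so both sides can be run offline. It also makes the point from post 169 concrete: the receiver gets the same shared secret from scan_privkey * ephem_pubkey as the sender gets from ephem_privkey * scan_pubkey, and the sender needs only the receiver's public keys. The keys are constructed from a fixed-seed RNG purely for reproducibility; hash160/base58 address encoding and the OP_RETURN output that carries the ephemeral key are left out; the function names (sender_side, receiver_side, derive_stealth, demo) are this example's own.

```python
# Added example (not from the thread): stealth-address derivation on secp256k1 in pure
# Python. Curve constants are the standard secp256k1 parameters.
import hashlib
import random

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition (None is the point at infinity)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point):
    """Double-and-add scalar multiplication: the expensive operation."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def compress(point):
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def shared_point(ecdh_point):
    """c = sha256(compressed ECDH point) as an integer; shared point = c*G (as in post 162)."""
    c = int.from_bytes(hashlib.sha256(compress(ecdh_point)).digest(), "big") % N
    return c, ec_mul(c, G)


def derive_stealth(shared, spend_pubs, m=0):
    """One EC addition per spend key. Returns (payment pubkeys, redeem script or None, #additions)."""
    keys = [compress(ec_add(q, shared)) for q in spend_pubs]
    if len(keys) == 1:
        return keys, None, 1                       # P2PKH stealth: address = hash160(keys[0])
    assert 0 < m <= len(keys)                      # M-of-N sanity check from the post's code
    ordered = sorted(keys)                         # canonical key order before building the script
    redeem = (bytes([0x50 + m]) + b"".join(bytes([33]) + k for k in ordered)
              + bytes([0x50 + len(keys)]) + b"\xae")   # OP_M <keys> OP_N OP_CHECKMULTISIG
    return keys, redeem, len(keys)


def sender_side(ephem_priv, scan_pub, spend_pubs, m=0):
    """Sender knows only the receiver's public scan/spend keys."""
    c, shared = shared_point(ec_mul(ephem_priv, scan_pub))   # e * Q_scan
    return derive_stealth(shared, spend_pubs, m)


def receiver_side(scan_priv, spend_privs, ephem_pub, m=0):
    """Receiver scans with scan_priv * E, which equals e * Q_scan (ECDH symmetry)."""
    c, shared = shared_point(ec_mul(scan_priv, ephem_pub))
    keys, redeem, adds = derive_stealth(shared, [ec_mul(d, G) for d in spend_privs], m)
    payment_privs = [(d + c) % N for d in spend_privs]       # keys that can spend the payment
    return keys, redeem, payment_privs


def demo(n_spend=1, m=0):
    """Constructed fixed-seed keys for a reproducible run (never generate real keys this way)."""
    rng = random.Random(2014)
    scan_priv = rng.randrange(1, N)
    spend_privs = [rng.randrange(1, N) for _ in range(n_spend)]
    ephem_priv = rng.randrange(1, N)
    scan_pub, ephem_pub = ec_mul(scan_priv, G), ec_mul(ephem_priv, G)
    spend_pubs = [ec_mul(d, G) for d in spend_privs]
    s_keys, s_redeem, adds = sender_side(ephem_priv, scan_pub, spend_pubs, m)
    r_keys, r_redeem, privs = receiver_side(scan_priv, spend_privs, ephem_pub, m)
    assert s_keys == r_keys and s_redeem == r_redeem          # both sides agree
    assert [compress(ec_mul(d, G)) for d in privs] == s_keys   # receiver can spend
    return {"payment_keys": s_keys, "redeem_script": s_redeem, "ec_additions": adds}


if __name__ == "__main__":
    print(demo(1)["payment_keys"][0].hex())        # P2PKH stealth
    print(demo(3, 2)["redeem_script"].hex())       # 2-of-3 P2SH stealth
```

demo(1) is the P2PKH case, demo(3, 2) a 2-of-3 P2SH stealth; the "ec_additions" count returned is N in both cases, which is the whole extra cost of P2SH that post 162 calls negligible, because the scalar multiplications (ECDH and c*G) are done once regardless of N.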
170  Bitcoin / Electrum / Re: Warning! The wallet not identical on Windows and Android on: October 30, 2014, 03:05:19 PM
Make wallet from QRcode (seed from Electrum on Windows) on Android. Seed is identical but wallet (addresses) NOT.

See: https://github.com/spesmilo/electrum/issues/904

PS. sorry for my english.

I just tried it 10 times with 10 different seeds.

Addresses all match...

Can you explain how you installed Electrum? (explain every step. Don't just say "I followed the site")
Can you explain how you installed Electrum for Android?
Can you tell me every button you tapped on the app?
Can you tell me the version numbers of both apps?

I can't reproduce your issue, so unless I can reproduce it... there's no way I or anyone else can help you.
171  Bitcoin / Development & Technical Discussion / Re: Problem with raw transaction on: October 29, 2014, 05:44:15 PM
Code:
signrawtransaction 01000000012007ba139a8cb5a1a3fe34bdbb621d2fe90aa10a560c1a1ff8ece1fcd489c7b801000000001976a9141d0b7c5540cfa07fd7eda5238396ab7573c2705788acffffffff0120480100000000001976a9141d0b7c5540cfa07fd7eda5238396ab7573c2705788ac0000000001000000

This should get you the right tx.

I changed your amount too... you were about to send yourself 0.0001 BTC and give a 0.00084 BTC miner's tip (remember: any BTC from the input not allocated to an output is the miner's fee)
172  Bitcoin / Development & Technical Discussion / Re: New Powerful Attacks On ECDSA In Bitcoin Systems on: October 25, 2014, 10:46:00 AM
All these "vulnerabilities" are all things that are known and accepted under the umbrella of safe security practices.

ie.
1. Bad RNG for signing
2. Bad RNG for private key generation
3. releasing Master Public Key along with one of the Private keys derived from its tree

These are all known no-nos for crypto.

The only thing that is slightly on the ball is that thanks to this guy a lot of script kiddies now are aware of vulnerabilities and have a one button press tool to discover reused r values, so the speed at which your bitcoins will be stolen when you perform one of the top 3 bad security practices is faster...

But this is not anything newly discovered.

Just like Gox claiming transaction malleability was some new vulnerability, these people run around saying "omg I found heartbleed bug and now I found a brand new vulnerability in Bitcoin!" and normal people don't know any better and panic.

Crypto relies on random numbers. This is an unavoidable fact of crypto, and will be a weakness for as long as crypto exists.

Deterministic signatures are fine and dandy, but useless if your private key was generated on crappy RNG.
173  Bitcoin / Development & Technical Discussion / Re: Is it possible to add a receive address in an OP_RETURN transaction? on: October 24, 2014, 04:05:47 PM

i,ii,iii,iv parts should be in any ordinary tx body.
I'm wondering if I have the OP_RETURN part, is iv. part (the "to address") can still be there

Thanks~

I think you and amaclin are misunderstanding each other.

You mean that you want the output to send bitcoin to an address while at the same time storing 40 bytes of data?

In that case, no. That would be non-standard.

In order to place 40 bytes on a transaction, you are placing "OP_RETURN: 40 bytes of data here" in the place where you would normally put "To: Alice's address"... this is why blockchain.info says "Can't Decode."

Because blockchain.info expects the output to have a bitcoin address in it, but instead there's a "OP_RETURN: data data data" written there, so blockchain.info says "Can't decode"
174  Bitcoin / Wallet software / Re: What it's HD wallet ... i can't control a single BTC adress now ! on: October 22, 2014, 04:16:23 PM
and then, must i scan a private key ?

EDIT: ok ... just a reader to a single adress ... if i want use the single adress, i must QR code scan the private key ... and then, the program discharge the private single adress to the HD wallet.

Backup only store HD Wallet.  Undecided

Remember, if any bitcoin comes to any address on your HD wallet, you will always have it.

Just because you are on Address #5 does NOT mean that you can't use #1 anymore... it just means it is hidden.

If you want to post an HD wallet address on your forum posts to receive bitcoins you can receive bitcoins forever, even if you are already using #394... #1 will still receive bitcoins to your mycelium.
175  Bitcoin / Wallet software / Re: What it's HD wallet ... i can't control a single BTC adress now ! on: October 21, 2014, 03:44:57 PM
OK, HD wallet is a new form of backup ... in the APP.
OK ... but i want receive my funds in a single and SAME BTC adress.

How can i do this ?

Also, please note that you can receive bitcoins to your old addresses even if they are not shown on the screen.

If you would like Mycelium to show all previous HD addresses up til now, enable that option in the advanced settings.
176  Alternate cryptocurrencies / Altcoin Discussion / Re: how to change the transation id? on: October 20, 2014, 12:50:50 PM
This is not true unless you have some specific requirements on keys or keys are not available in a wallet.

Well, he must be doing something wrong if the raw tx is spitting out 00 for the scriptPubkey.

I have next to no experience with Core RPC and 0 experience with Dogecoin, but I have written/reviewed code in many languages to sign raw transactions... and putting a 00 in there would indicate to me either 1. sloppy coding, or 2. incomplete info from the user.

I would hope 1 is not true... so I lean to 2.
177  Alternate cryptocurrencies / Altcoin Discussion / Re: how to change the transation id? on: October 20, 2014, 11:14:46 AM
Second, i usd createrawtransaction to creat the transation:
{
  "result": "0100000001022095d74c74d16041cab1c7a4cab5f4a56dbe982428668c891ab96f4b9f964f0000000000ffffffff027ef9062a000000001976a91465dc2a40b96081ec8d4e846c115d21201f37276e88ace6c21a1e000000001976a914245a83c7a236a1d223314a11f2455af7541ce6e288ac00000000",
  "error": null,
  "id": null
}

You are signing a 0x00 byte, you should be signing a utxo.

You need to input ALL the necessary info from the utxo, including the scriptpubkey from the prevout.

use the help command to learn what information is needed for createrawtransaction.

Edit: Also, I just looked at the dogechain, your vout is not 0, it's 1... this is why you got "already spent"... the first out is already spent.

Edit:
Try signing this instead:

Code:
1976a914245a83c7a236a1d223314a11f2455af7541ce6e288ac

Replaced the 00 with it here: (Edit: and I changed the vout to 1)

Code:
{
  "result": "0100000001022095d74c74d16041cab1c7a4cab5f4a56dbe982428668c891ab96f4b9f964f010000001976a914245a83c7a236a1d223314a11f2455af7541ce6e288acffffffff027ef9062a000000001976a91465dc2a40b96081ec8d4e846c115d21201f37276e88ace6c21a1e000000001976a914245a83c7a236a1d223314a11f2455af7541ce6e288ac00000000",
  "error": null,
  "id": null
}
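An added example, not from the thread or from any wallet project: a minimal decoder for the raw transaction serialization that posts 171, 173 and 177 are about, run on the two unsigned transactions quoted in post 177 (the one with the 0x00 placeholder and vout 0, and the one with the prevout scriptPubKey and vout 1 substituted). It shows the input index and the scriptSig slot being discussed, classifies each output script (P2PKH, P2SH, OP_RETURN data, anything else reported as "cant_decode", which is what post 173 describes a block explorer doing), rejects trailing bytes after the locktime, and computes the fee as the unallocated input value from post 171 using a constructed input amount, since input values are not part of the transaction itself. The function names and the constructed values are this example's own.

```python
# Added example (not from the thread): minimal raw-transaction decoder for the
# serialization shared by Bitcoin and Dogecoin, with the transactions from post 177 as input.

PREV_TXID = "022095d74c74d16041cab1c7a4cab5f4a56dbe982428668c891ab96f4b9f964f"  # internal byte order
PREVOUT_SCRIPT = "76a914245a83c7a236a1d223314a11f2455af7541ce6e288ac"           # scriptPubKey of the utxo
OUTPUTS = ("02"                                                               # two outputs
           "7ef9062a00000000" "19" "76a91465dc2a40b96081ec8d4e846c115d21201f37276e88ac"
           "e6c21a1e00000000" "19" + PREVOUT_SCRIPT)
# As first posted: vout 0 and an empty scriptSig (the 0x00 byte that was being signed).
TX_AS_POSTED = "01000000" "01" + PREV_TXID + "00000000" "00" "ffffffff" + OUTPUTS + "00000000"
# With the fix from the thread: vout 1 and the prevout scriptPubKey in the scriptSig slot.
TX_FIXED = "01000000" "01" + PREV_TXID + "01000000" "19" + PREVOUT_SCRIPT + "ffffffff" + OUTPUTS + "00000000"


def read_varint(buf, pos):
    """Bitcoin CompactSize integer."""
    first = buf[pos]
    if first < 0xfd:
        return first, pos + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size


def classify_script(script):
    """Label an output script the way an explorer would."""
    # P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if len(script) == 25 and script[:3] == b"\x76\xa9\x14" and script[23:] == b"\x88\xac":
        return "p2pkh:" + script[3:23].hex()
    # P2SH: OP_HASH160 <20 bytes> OP_EQUAL
    if len(script) == 23 and script[:2] == b"\xa9\x14" and script[22:] == b"\x87":
        return "p2sh:" + script[2:22].hex()
    # OP_RETURN <push> <data>: carries data, pays to nobody
    if script[:1] == b"\x6a":
        push = script[1] if len(script) > 1 else 0
        data = script[2:2 + push] if push < 0x4c else script[1:]
        return "op_return:" + data.hex()
    return "cant_decode"


def decode_tx(hex_tx):
    """Parse version, inputs, outputs and locktime; refuse anything left over."""
    buf = bytes.fromhex(hex_tx)
    version = int.from_bytes(buf[0:4], "little")
    pos = 4
    n_in, pos = read_varint(buf, pos)
    inputs = []
    for _ in range(n_in):
        txid = buf[pos:pos + 32][::-1].hex()                 # displayed byte-reversed
        pos += 32
        vout = int.from_bytes(buf[pos:pos + 4], "little")
        pos += 4
        slen, pos = read_varint(buf, pos)
        script_sig = buf[pos:pos + slen].hex()
        pos += slen
        sequence = int.from_bytes(buf[pos:pos + 4], "little")
        pos += 4
        inputs.append({"txid": txid, "vout": vout, "scriptSig": script_sig, "sequence": sequence})
    n_out, pos = read_varint(buf, pos)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(buf[pos:pos + 8], "little")   # smallest unit (satoshi / koinu)
        pos += 8
        slen, pos = read_varint(buf, pos)
        script = buf[pos:pos + slen]
        pos += slen
        outputs.append({"value": value, "scriptPubKey": script.hex(), "type": classify_script(script)})
    locktime = int.from_bytes(buf[pos:pos + 4], "little")
    pos += 4
    if pos != len(buf):
        raise ValueError("%d trailing byte(s) after locktime" % (len(buf) - pos))
    return {"version": version, "inputs": inputs, "outputs": outputs, "locktime": locktime}


def fee(input_values, outputs):
    """Whatever input value is not allocated to an output goes to the miner (post 171)."""
    return sum(input_values) - sum(o["value"] for o in outputs)


if __name__ == "__main__":
    for name, tx in (("as posted", TX_AS_POSTED), ("fixed", TX_FIXED)):
        d = decode_tx(tx)
        print(name, "vout", d["inputs"][0]["vout"], "scriptSig", d["inputs"][0]["scriptSig"] or "(empty)")
        for o in d["outputs"]:
            print("  ", o["value"], o["type"])
    # Constructed input amount (not from the thread) to show the fee rule.
    print("fee with a 1211170468 input:", fee([1211170468], decode_tx(TX_FIXED)["outputs"]))
```

The decoder is deliberately strict about trailing bytes: a raw transaction with anything after the locktime (for instance a 4-byte hashtype appended by hand) is not a valid serialization and is rejected rather than silently accepted. Note that the fixed transaction's second output pays back to the same script that the utxo being spent has, i.e. change to the sender.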
178  Bitcoin / Electrum / Re: can i import blockchain.info wallet into electrom? on: October 18, 2014, 01:36:11 PM
Electrum discourages importing private keys, as they are not covered by the seed.

Many people forget this, and lose bitcoins.

The best way to move your funds from blockchain.info to Electrum is the following.

1. Setup Electrum, write down your seed on paper, then copy the first receiving address.
2. Log into blockchain.info, send your total balance to the copied address from #1.
179  Bitcoin / Wallet software / Re: Introducing Hive, a beautiful new wallet for Mac OS X on: October 18, 2014, 03:18:21 AM
Do you have plan to support Coinapult like Electrum https://github.com/coinapult/electrum ? thx
edit:
I think mobile app with Lock/unLock functionality will be cool and useful.
Hmm, no, I haven't thought about that at all. I haven't even used Coinapult before. Is it something a lot of people use? That repo you linked to, is that a fork of Electrum? So the official Electrum doesn't support it?


Yeah, OP is a little mixed up.

Coinapult copy&pasted electrum and added their own functionality.

Electrum has not done anything to implement Coinapult.
180  Bitcoin / Wallet software / Re: How to receive payments using STEALTH transactions ? on: October 17, 2014, 05:21:37 PM
No service supports Stealth Addresses except Dark Wallet.

So if you are sending Dark Wallet <> Dark Wallet, you may use the Stealth Addresses.

Coin.mx etc. do not support it.