Bitcoin Forum
June 21, 2024, 09:16:56 PM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
  Home Help Search Login Register More  
  Show Posts
Pages: [1]
1  Bitcoin / Development & Technical Discussion / Re: [PROPOSAL] Untrackable addresses on: December 18, 2012, 08:16:44 PM
Well, d is an EC point hashed to an integer. So it can be implemented this way:

d=hash(A*c)=hash(C*a)
E=B+G*d
e=b+d

Here, hash is any hash function, and G is the base point.
Alternatively, a different key derivation function can be used:

E=B*d
e=b*d

I hope it's clearer now.
2  Bitcoin / Development & Technical Discussion / Re: [PROPOSAL] Untrackable addresses on: December 18, 2012, 05:27:26 PM
Erm.  What exactly is stopping an attacker from doing the same math between the pubkey of each input and the list of known public keys to recover all of the transactions?

A, B and C are all publicly known, which means that d is known, which means that E is known.  The attacker still can't spend them because b is unknown, but he can sure see them.

P.S.  Diffie-Hellman is an online protocol.  It requires (bidirectional) active participation from both parties.

To compute d an attacker would need to know either a or c. None of them is public.
I define d=A*c=C*a. The fact that it's hard to compute d from A and C is the basis of Diffie–Hellman key agreement protocol.
3  Bitcoin / Development & Technical Discussion / Re: [PROPOSAL] Untrackable addresses on: December 17, 2012, 09:16:31 PM
My proposal doesn't require sending anything privately. All the necessary information is contained in the transaction itself. At the same time, the transaction looks exactly like the ordinary send-to-address transaction.

You can also send the factor encrypted with the recipient public key, embedded in the input script. This way it works exactly like your proposal.
Not exactly. Everyone would be able to see that something is embedded in the input script. In my proposal, nothing reveals that the transaction is in any way different from an ordinary pay-to-address transaction.

I agree that for some cases, like anonymous donations, where you don't want any out-of-band communication to occur a scheme such as this would be nice.
That's the whole point. A person who wants to receive donations doesn't have to set up a server for out-of-band communication. He only needs to publish an address. This also means that it won't be necessary to keep multiple keys in a wallet. One key would be enough.
4  Bitcoin / Development & Technical Discussion / Re: [PROPOSAL] Untrackable addresses on: December 17, 2012, 07:58:44 PM
My proposal doesn't require sending anything privately. All the necessary information is contained in the transaction itself. At the same time, the transaction looks exactly like the ordinary send-to-address transaction.
5  Bitcoin / Development & Technical Discussion / Re: [PROPOSAL] Untrackable addresses on: December 17, 2012, 05:53:45 PM
If everyone uses this scheme, then it would appear that each address ever received at most one transaction. Every transactions would have a unique address. However, if someone sends money twice from the same normal address to the same proposed address, then destination normal address will also be the same. But these coins are tied to each other anyway.
6  Bitcoin / Development & Technical Discussion / [PROPOSAL] Untrackable addresses on: December 17, 2012, 04:56:02 PM
Currently, if someone publishes his Bitcoin address (to receive donations, for example), anyone can see how much money he got. I propose a protocol which can be used to receive donations without revealing all payments to everyone. A person who wishes to receive money would generate 3 keys:
1. Public key can be used to send money to the person, but not to see when others send money to him.
2. Semi-private key can be used to see all incoming transactions, but not spend them.
3. Private key is necessary to spend the money.
It is expected that the user will publish his public key, keep hist semi-private key on his online computer, and keep his private key offline.

Implementation
I will use lower case letters to denote ECDSA private keys and corresponding upper case letters to denote corresponding public keys.
Creating an address: to create an address, a user generates to pairs of ECDSA keys. Let's call them (a, A) and (b, B). Then, (A, B) is a public key, (a, B) is a semi-private key, and (a, b) is a private key.
Sending money: suppose that someone wants to send money to key (A, B), and some of it is currently owned by key C. He performs Diffie–Hellman key exchange between keys A and C to generate a shared secret d=A*c. Then he uses a type 2 key derivation function (used in type 2 deterministic wallets) to generate a new public key E from B and d. He than sends money to an address generated from E. Note that C must appear in one of the inputs.
Receiving money: on the receiving side, the user scans all transactions to see if they match his semi-private key (a, B). To do so, he iterates over all inputs that match send-to-address template. Let C be a key that appears in one of such inputs. He computes d=C*a and E. If E matches the address the money was sent to, then this money was sent to him.
Spending money: to generate private key e, the user generates d as before and derives e from b and d.

Why this is useful?
It would be able to publish an address such that no one would be able to see how much money was received.
If someone wants to send money owned by multiple keys, he can send it in multiple transactions that can't be linked to each other.
Finally, users won't need to have many addresses. They can send change to themselves using the same procedure.
7  Bitcoin / Development & Technical Discussion / Re: [PROPOSAL] Secure Payment Protocol on: December 16, 2012, 08:25:10 PM
A payment protocol is already being developed, with input from several on the bitcoin-development SourceForge mailing list.

See https://github.com/gavinandresen/paymentrequest for software or the mailing list discussion archives http://comments.gmane.org/gmane.comp.bitcoin.devel/1574

The protocol proposed there has several shortcomings. Firstly, it assumes that merchant's web server would not be compromised. Mike Hearn said that the server needs to have access to SSL private key, so if it is compromised, the game is over. However, this is not true: SSL termination can be performed on a machine different from the one running the web server. Even if it is done on the same machine, web applications are typically run with limited permissions, so they can't access SSL private key.

However, in the proposed payment protocol, an application running on the server needs access to private key to be able to sign PaymentRequests. If this application is compromised, so is the key.

Secondly, this protocol can't be used securely with offline wallet because Payment structure is not signed so it can be modified by compromised customer's online computer. Modifications to refund_to attribute seem the most dangerous. Also, a merchant can reject the payment but still broadcast the transactions (possibly after some delay).

As far as I understand, thanke's proposal has none of these shortcomings.

Also, it doesn't depend on traditional PKI. Merchants may sign their master keys with SSL certificates, GPG certificates, or even both. So a normal customer can verify merchant's key using SSL certificate, but a paranoid customer, who doesn't trust governments and CAs but trusts GPG WOT, can verify the merchant's key using GPG.
8  Other / Beginners & Help / Re: Introduce yourself :) on: December 16, 2012, 01:11:40 PM
Does anyone read this thread?
9  Other / Beginners & Help / Re: Introduce yourself :) on: December 16, 2012, 12:48:37 AM
Hi. I am delighted to see how Bitcoin makes many things possible, such as bitcointip bot on reddit or just the ability to receive money from anyone without setting up merchant account. Smiley
10  Local / Новички / Re: Возможность писать/отвечать в другие ветl on: December 16, 2012, 12:38:11 AM
Ещё это дурацкое ограничение на 1 пост в 6 минут...
11  Local / Новички / Re: Возможность писать/отвечать в другие ветl on: December 16, 2012, 12:28:25 AM
Кстати, а это всех после поста перенаправляет в список тем? Надо бы пофиксить.
12  Local / Новички / Re: Возможность писать/отвечать в другие ветl on: December 16, 2012, 12:21:38 AM
Ну да, вместо спама есть ветки вроде "Introduce yourself" на сотни страниц и прочий оффтоп.
13  Local / Разное / Re: как убить видеокарты? on: December 16, 2012, 12:11:25 AM
Напомнило http://ithappens.ru/story/2671.
Pages: [1]
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!