Bitcoin Forum
621  Bitcoin / Development & Technical Discussion / Re: What is the status of the stealth addresses? on: May 06, 2014, 08:30:36 AM
@dabura667
cheers.
so the prefix length cannot be bigger than 32 bits?
and if it was all 32 bits, but I could not find a matching nonce - what then? pick up a different "ephemkey"?


@genjix
yeah, I had gone through these specs.
none of them was even close to be as useful as one post from dabura667 Smiley

btw, building the tools on my old ubuntu 12.04 was a real fight.
first I needed gcc 4.7 (I had 4.6)
then leveldb version was apparently too old
and libboost - I also had to upgrade this one to 1.49.
the biggest problem was that the errors I saw did not help much to diagnose the problems.
the second biggest: this version of ubuntu would not just upgrade any of these packages in a simple way.
622  Bitcoin / Development & Technical Discussion / Re: What is the status of the stealth addresses? on: May 06, 2014, 12:17:45 AM
I think it works. Smiley

Just one more question.

When you say "brute force a nonce such that SHA256(nonce.concate(ephemkey)) first 4 bytes are equal to the prefix" - what if the prefix is not 4 bytes long?
623  Bitcoin / Development & Technical Discussion / Re: What is the status of the stealth addresses? on: May 05, 2014, 08:03:07 PM
That's very useful - thanks!
624  Bitcoin / Development & Technical Discussion / Re: Could deterministic signatures be used to reduce Bitcoin's dependency on PRNG? on: May 05, 2014, 04:25:33 PM
Oh, I think I get it.
R is a function of (k, private key), while S is a function of (R, hash).
Stupid me Smiley

Anyway, thanks for the answer.
625  Bitcoin / Development & Technical Discussion / Re: Could deterministic signatures be used to reduce Bitcoin's dependency on PRNG? on: May 05, 2014, 04:16:36 PM
Well you can't just use the value being signed.   The k value must be both unique AND UNKNOWN.  If the attacker knows the k value even if it is unique they can derive the private key.
I thought the problem was with R values being re-used. Then you calculate S, for a specific R and the private key.
And you publish R values anyway, as a part of the signature, so by definition these cannot be UNKNOWN.

Sorry, isn't it how it works?
626  Bitcoin / Development & Technical Discussion / Re: What is the status of the stealth addresses? on: May 05, 2014, 02:34:42 PM
I'm still a bit confused, to be honest.
I wanted to use DW to send some money to my own stealth addresses, just to see how it works.
But my transactions have been pending for days already, so I am now trying to send it myself, using my own s/w.

Anyway, please explain me one thing. I have a stealth address with two public keys: scanKey and spendKey - I want to send some coins there.
So what I would do is:

1. I pick up a secret C - some random 32 bytes

2. Do I have to do anything with C here???

3. I calculate C*scanKey - and put it inside the first null-output, like this:
Code:
6a2606 <4_random_bytes> <compressed(C*scanKey)>

4. I calculate C*spendKey - and use it in the next output (one that actually spends the coins):
Code:
76a914 <hash160(C*spendKey)> 88ac

5. I sign and broadcast the transaction.


In general it seems pretty clear, but the devil is in the details.
Obviously I want my txs to be compatible with the existing solution (not just with my own), so I have these questions:
1. Do I need to do anything with my random C, between point 1 and 3?
2. You have this StealthDH() function that takes X from a result of EC multiplication, prefixes it with 03 and then does sha256 on it - at which point is it actually used?
3. The 4 random bytes in point 3 - are they just random, or what?
627  Bitcoin / Development & Technical Discussion / Re: Could deterministic signatures be used to reduce Bitcoin's dependency on PRNG? on: May 05, 2014, 08:58:43 AM
Sorry for maybe a stupid question.

Is there any reason against using the value that is getting signed as the R as well?

I mean, apart from the fact that it might be out of range.

But would there be any technical or security concerns having the same value at two different input params?
628  Bitcoin / Development & Technical Discussion / Re: What is the status of the stealth addresses? on: May 03, 2014, 02:17:36 PM
That's elliptic curve point multiplication, you should have a library in your language of preference taking care of that.
That is what I had initially thought, but the thing is that for the example test vector:
[...]

sorry, never mind - I was printing wrong values.
didn't realize that pub.x.x is not the actual x.
what a sucker I am Smiley

now everything makes much more sense.
629  Bitcoin / Development & Technical Discussion / Re: What is the status of the stealth addresses? on: May 03, 2014, 10:44:31 AM
That's elliptic curve point multiplication, you should have a library in your language of preference taking care of that.
That is what I had initially thought, but the thing is that for the example test vector:
Code:
X = f46a67e20804f956a1ce64566d96a42658a9a7a4c9a0be924615bef881a4a3f2
Y = 3a8218cdf4156c60585f5721189289cc89500eab79480a109eb1d0684e560996
k = 84e5f7d329c3dab1160dbf9cb0b1a3c82e6058c06260f4101b1660b865ce98c5

... the JS function returns:
Code:
x = eb8d6a5c12e70b0d5e05336e9103318e89ca4445004afc3640d3e47e488a4d0f
y = 8fabd090eade40104431906d3bc0c25d988270aa017bfa8ce3707c0d72649571

while the EC multiplication k*(x,y) that I have here would return:
Code:
x = 61537944f9b1245a76be6bf1d49e5ea0aa44a9a4da657c7b04598c702b440db8
y = f96de684e701f3bc48ef2e86a2e9e0be122b741331b926023ab346a82e81b8e9
630  Bitcoin / Development & Technical Discussion / Re: What is the status of the stealth addresses? on: May 01, 2014, 07:40:32 PM
OK. It seems that I have a proof of concept software that I am able to run and use as a reference.
Now, if someone could please advise me...
This function (that's javascript from the darkwallet):
Code:
// Simple NAF (Non-Adjacent Form) multiplication algorithm
// TODO: modularize the multiplication algorithm
function pointFpMultiply(k) {
    if(this.isInfinity()) return this;
    if(k.signum() == 0) return this.curve.getInfinity();

    var e = k;
    var h = e.multiply(new BigInteger("3"));

    var neg = this.negate();
    var R = this;

    var i;
    for(i = h.bitLength() - 2; i > 0; --i) {
        R = R.twice();

        var hBit = h.testBit(i);
        var eBit = e.testBit(i);

        if (hBit != eBit) {
            R = R.add(hBit ? this : neg);
        }
    }

    return R;
}

It seems to multiply this(x,y,z) point, by a big int k - to return R(x,y,z)

Non-Adjacent Form - right, that explains a lot! Wink
Except that I have no idea what it means Smiley

Anyway, such a function had not been used for anything else in Bitcoin before - had it?
I mean, I need to code it in, if I want my wallet to be able to send coins to stealth addresses - right?

Is there some simpler (less optimized) version of such a function?
One that would operate solely on big-int arithmetic, instead of this for/if/bit/add stuff?
Just so I'd be able to understand what it actually does and the actual math behind it.
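An added example, not part of the original post and not DarkWallet code: plain double-and-add scalar multiplication on secp256k1 using only big-integer arithmetic, next to a Python port of the `pointFpMultiply` loop quoted above so the two can be compared. The function names and the affine-tuple point representation are choices made for this example; the curve constants are the standard secp256k1 parameters.

```python
# secp256k1: y^2 = x^3 + 7 over F_P, base point G of prime order N
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def add(a, b):
    """Affine point addition (covers doubling and P + (-P))."""
    if a is INF:
        return b
    if b is INF:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if a == b:   # tangent slope; requires Python 3.8+ for pow(x, -1, P)
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:        # chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def negate(a):
    return INF if a is INF else (a[0], -a[1] % P)

def mul_simple(k, pt):
    """Double-and-add: scan k from its top bit, double each step, add pt on a 1."""
    r = INF
    for bit in bin(k)[2:]:
        r = add(r, r)
        if bit == "1":
            r = add(r, pt)
    return r

def mul_naf(k, pt):
    """Port of the quoted loop: where bits of h = 3k and k differ, add pt or -pt."""
    if pt is INF or k == 0:
        return INF
    h, neg, r = 3 * k, negate(pt), pt
    for i in range(h.bit_length() - 2, 0, -1):
        r = add(r, r)
        h_bit, e_bit = (h >> i) & 1, (k >> i) & 1
        if h_bit != e_bit:
            r = add(r, pt if h_bit else neg)
    return r
```

Both functions return the same point for any positive k; the NAF form needs fewer additions on average because it may subtract the point as well as add it. Neither is constant-time, so they are for study, not for handling real private keys.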
631  Bitcoin / Development & Technical Discussion / Re: What is the status of the stealth addresses? on: May 01, 2014, 09:03:47 AM
I tried that today but cannot get this sx tool to build on my Ubuntu.
So I cannot execute these commands.

Yeah, common problem. Try this script instead:

https://github.com/mastercoin-MSC/install-msc/blob/master/res/install-sx.sh

Ref: https://bitcointalk.org/index.php?topic=259999.msg6099554#msg6099554
Thanks, but this one didn't solve it.
Other issues. Seems to need boost 1.49 when my OS has 1.46. After changing the script to use 1.46, still crashes on building getx_responder.lo

EDIT:
nvm, took me a few hours, but somehow managed to build it already.
but it doesn't even seem to support the "New stuff" so it doesn't really help me.

EDIT2:
Found it: https://wiki.unsystem.net/index.php/DarkWallet/Stealth
Smiley
632  Bitcoin / Development & Technical Discussion / Re: What is the status of the stealth addresses? on: April 30, 2014, 09:05:01 PM
I tried that today but cannot get this sx tool to build on my Ubuntu.
So I cannot execute these commands.

Also I'm curious about the encryption part and how the actual transaction looks inside.
I guess there is some extra null output with this encrypted nonce.

I'm asking about a format of a stealth payment transaction - is such thing even defined yet?
633  Bitcoin / Development & Technical Discussion / What is the status of the stealth addresses? on: April 30, 2014, 01:11:13 PM
I'm kind of bored recently and even though I was never very enthusiastic about the stealth addresses, it still seems to be the most exciting feature to add to my wallet software.
I know that there are all kind of mailing lists with less and more outdated specs flying around, but since I don't monitor them, could anyone please update me on the most recent status?

Today I have been playing with DarkWallet a bit and from what I see each wallet there has by default one stealth address assigned to it.
I also figured out what this address represents.
For all I know, there are two public keys - one is to encrypt the message (nonce or whatever it is called), while the other one is there to calculate the actual destination for the coins that are being spent.

So, for instance, I got an address vJmyoyfHgvkW2fRbqpANQircWiWDFMHtzyUxbcGsnUCX6z1jEjfArypDBNMeQdmsczkLVoSwYRZ5pS8YAxxQY7Q2m8SUXB2sZWjB6q - it decodes to:
Code:
2a - version
00 - options
03b5ca63d7bda5b8f70a68864fafa0587e446c52be23150da2b95ad9d6f3e6f71f - scan_pubkey
01 - number of spend keys
0351bec154c01c4f26794da8b0a3019b163b633ea933387f48288ed35cbc833f53 - spend pubkey 1
01 - number sigs
00 - prefix_length
b3fe7b1a - standard checksum of the address

Now, I want to extend my wallet so it would be able to send coins to such an address.
How do I build the transaction?

Is there any spec that I can read?
Any actually working code that makes a transaction which sends money to such an address?
634  Bitcoin / Development & Technical Discussion / Re: Stealth address with SX (anonymous payments) on: April 27, 2014, 07:36:07 PM
Probably, sorry.

I only read the highlighted text and I confused it with the argument which I read on a malign list sooner today, that "Bitcoin is a technology, which can and should be
embraced by people of any political affiliation" - and that argument was supporting Mr Google's projects.

Of course that it will be embraced by all kind of sociopaths.
But I don't like sociopaths. Smiley
635  Bitcoin / Development & Technical Discussion / Re: Stealth address with SX (anonymous payments) on: April 27, 2014, 07:25:26 PM
So what is your counter argument?  You want to change the core of bitcoin to allow intervention, politicization, reversibility? What?
The opposite.
Mr Google wants to change the core of bitcoin to allow censorship.
But, let's face it: he is too stupid to achieve this goal, no matter how hard he tries.

He may though achieve a goal of making it hard to exchange some bitcoins, at some exchanges, that he had managed to "color" using one of his "innovations".
Except that this guy's achievements are not more innovations than PRISM. He must be very proud of his life's mission Smiley
636  Bitcoin / Development & Technical Discussion / Re: Stealth address with SX (anonymous payments) on: April 27, 2014, 07:19:19 PM
Who would argue with this?

Me.
But it is not that "Bitcoin economy cannot have these layers".
Every society can have sociopaths - no question about it and we cannot help it.
It is just that I despise them and I'm not going to pretend otherwise. They do their job - I do mine.
We will never be friends with Mr Google - it's quite clear by today.
637  Bitcoin / Bitcoin Technical Support / Re: Public Adresses - when do they start to exist? (The art of coin destruction) on: April 26, 2014, 11:23:05 AM
Ok, I tried it

[...]

I just changed the first line and submitted the code again

Quote
v = '00132233445566778899AA112233445566778899AAc1255966'.decode('hex_codec')

This created the address

which is no valid address ...

It's because after changing anything in the first 21 bytes, you must recalculate the checksum (the last 4 bytes).

Code:
> echo "00132233445566778899AA112233445566778899AA" | xxd -p -r | openssl sha256 -binary | openssl sha256
(stdin)= 0fdea213764e1ab31be82f35da547fab8a65d3118bbd96a99086d232767509d9

So the first line should be:
Quote
v = '00132233445566778899AA112233445566778899AA0fdea213'.decode('hex_codec')
[...]

And then you get: 12kAovPuREtsCckGsZePjFfNMFaN1dsq7g - this one is valid.
638  Bitcoin / Bitcoin Technical Support / Re: Public Adresses - when do they start to exist? on: April 26, 2014, 10:38:24 AM
@piotr_n - thank you for the descriptions. Unfortunately I have zero experience with python or any other coding-software.
I changed the code into the link to a webpage that can run the script for you.

Of course much easier is to use blockchain.info to evaluate all the 3 steps for you, from the random 20 bytes: https://blockchain.info/address/112233445566778899AA112233445566778899AA
But then you won't learn anything Tongue
639  Bitcoin / Bitcoin Technical Support / Re: Public Adresses - when do they start to exist? on: April 26, 2014, 10:22:10 AM
Thanks for all the great answers.

Quote
Yes, you can create a valid address without a private key, but you won't be able to spend from it.

Yes, that's what I want. Just for experimentation. I want to destroy bitcoins without losing the private key (that would be too easy), so I need an address nobody has the priv key.

I don't know why you'd want to conduct such an experiment, but to achieve your goal, you do not need to read about ECDSA.

You do it like this:

1.
Pick up any random 20 bytes (e.g 112233445566778899AA112233445566778899AA) and put the version byte (00), in front of it:
Code:
00112233445566778899AA112233445566778899AA

2.
Calculate the check sum - run sha256 over the 21 bytes and then again over the result:
Code:
echo "00112233445566778899AA112233445566778899AA" | xxd -p -r | openssl sha256 -binary | openssl sha256
This will give you the double sha256 of the 21 bytes:
Code:
c1255966acaa9359140af8c13bce4c5639481f73a3ed7fde097d596e7cb102c9
The first 4 bytes (c1255966) is the checksum you need - just append it at the end of your previous 21:
Code:
00112233445566778899AA112233445566778899AAc1255966

3.
Use any base58 encoder to convert these 25 bytes (that represent a 200-bit big integer, MSB encoded) into a string.
For instance, you can do it with such a simple python script: http://codepad.org/mVzFVQpu (put the hex-encoded 25 bytes in the first line)
Executing the script above will output the base58 encoded string - that is a valid bitcoin address, for which most likely nobody knows a private key.


You can repeat this procedure for any random 20 bytes you can think of.
A chance of someone having a private key for 20 bytes that you'd choose randomly is always bigger than zero, but astronomically low.

In theory there is no single address that would not refer to a specific private key.
That's because the hash in the address is 200 bits long while a private key is 256-bits.
So statistically for each valid bitcoin address there are 2^56 matching private keys.
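An added example, not part of the original posts and not the linked codepad script: the three steps above (version byte, double-SHA256 checksum, base58) in Python 3, plus the validity check that explains why the address in the later "I just changed the first line" post was rejected until its checksum was recalculated. All function names are choices made for this example.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def checksum(payload: bytes) -> bytes:
    """Step 2: first 4 bytes of SHA256(SHA256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58encode(raw: bytes) -> str:
    """Step 3: bytes as a big-endian integer in base 58; each leading 0x00 becomes '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a character outside the alphabet
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def address_from_hash160(h160: bytes, version: int = 0x00) -> str:
    """Steps 1-3: version byte + 20 bytes + 4-byte checksum, base58 encoded."""
    if len(h160) != 20:
        raise ValueError("expected exactly 20 bytes")
    payload = bytes([version]) + h160
    return b58encode(payload + checksum(payload))

def is_valid_address(addr: str) -> bool:
    """True only if addr decodes to 25 bytes whose last 4 match the checksum of the first 21."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and checksum(raw[:21]) == raw[21:]

if __name__ == "__main__":
    # The 20 bytes used in the post above.
    addr = address_from_hash160(bytes.fromhex("112233445566778899AA112233445566778899AA"))
    print(addr, is_valid_address(addr))
    # Payload edited but old checksum kept, as in the follow-up post: rejected.
    stale = bytes.fromhex("00132233445566778899AA112233445566778899AAc1255966")
    print(is_valid_address(b58encode(stale)))
```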
640  Bitcoin / Development & Technical Discussion / Re: Stealth address with SX (anonymous payments) on: April 25, 2014, 11:43:54 PM
Had he been smart, he would have chosen a right team to play for.  Smiley