Added BIP39 support,  that passes Trezor's test vectors.
https://github.com/bitsofproof/supernode/blob/master/api/src/main/java/com/bitsofproof/supernode/wallet/BIP39.java

Added Shamir's secret shares algorithm
https://github.com/bitsofproof/supernode/blob/master/api/src/main/java/com/bitsofproof/supernode/wallet/ShamirsSecretSharing.java

You can create a random word list e.g.:

You may now create a BIP32 master out of a word list as e.g.

Instead of storing the secret word list you could create 3 backups of which 2 is needed to recreate the list (and one is useless alone).


Now take any two of the three to reconstruct the key:


Use the passphrase option (the "" in parameters) to get plausible deniability of the wallet, since you may fund more than one passphrase.

As you may heard that Bits of Proof will provide the ticket technology for this event.

The reason is that BOP can create a solution that is worthy for this watershed event, demonstrating the world that Bitcoin's ledger is
capable of much more than a payment solution. Here are the unique features of the ticket sale:

1. Payment requests for 1 Bitcoin is generated via bopshop.
    bopshop is unique if compared to other similar services as it generates addresses using the BIP32 master public key of the
    merchant, therefore the payment flows from customer to merchant without BOP taking the funds in possession, not even
    temporarily. BOP can facilitate processing without being a payment processor in any legal sense, since it has no
    access to the funds transferred. See http://bopshop.bitsofproof.com for details and API.

2. The 1 Bitcoin received by the organizer will be immediately split into two parts 999 mB goes to the Vault, see point 3
    and 1 mB goes to the address of a paper wallet you generate, that will act as an entry ticket.

3. The Vault is a P2SH address (see https://en.bitcoin.it/wiki/BIP_0016) for a 2 out of 3 multi signature script. The three organizer
    generated their own key and sent the public part to BOP, so it could compute the P2SH address and automate the
    transfer of the 999 mB to it. This Vault address will be public, so you may use any block explorer to audit the holding and spend
    of the funds by the organizer.

4. At entry to the event you will be required to show your paper wallet's private key as a QR code, so it can be swept by a BOP
   mobile program that the same time spends and validates that the mB you presented is in fact a mB that was the part of a
   payment to the Vault. Since the mB will be taken no copies of the same paper wallet will be admitted at the second attempt.
   Note that the organizer might stop ticket sale if the event is sold out. Direct payments to the Vault
   bypassing Step 1 can be identified and will be considered as donations, not as entry fees. The process is a simplified
   demonstration of colored coins.

5. The organizer will be supplied with a special purpose Wallet by BOP, so they can spend the Vault to any address they need to
   fund the event, provided 2 out of them signs the same transaction. Note that, BOP will be at no point in possession of the
   funds, nor any of the organizer individually.

6. All tools involved and specific to the process, such as the coin splitter, event entry validation mobile application and the special
   purpose wallet will be open sourced to demonstrate Bitcoins' and BOP capabilities to go far beyond simple payments without
   requiring trust into the technology provider.

All above was agreed by BOP and the event organizer as Bitcoin was far away from its current value. As you know Bitcoin rose
much faster than most of us imagined, and this project became much more urgent than anticipated by any of us.

I hope you agree that above technology demonstration adds to the anticipated positive media effect of the party, and therefore
forgive us for being not able to match the stunning speed of Bitcoin's appreciation with development and testing.

Our current plan is to start ticket sales on 9. December.

You are great Roger. Did everything right, again. Thank you.

I'd be surprised if Bitcoin would not soon become the medium of transport for in-game perks and currency from one game to the other.

Thanks for updating the link, yes it moved.

Not really. To create a valid signature you have to hash in the output script of the transaction outputs you are spending. Assuming you sign with the right key, you could even imply those output scripts without retrieving them. You can't responsibly do that know since you would not know the amount spent consequently the fee you spend.

Having the source transaction on hand helps and you can easily verify if it is the right source transaction by rehasing it and comparing the hash to the source in the transaction you sign. The source transaction can however be arbitrary large with outputs you do not care this is a problem for memory constrained hardware devices. In addition it means you need source transaction for offline (cold-wallet) signing.

The burden of retrieving the source transaction could be eliminated if the to be signed hash would contain the assumption on the output value you spend. Is the assumption correct, then you can create a valid transaction without seeing the input, no harm done if not, the signed transaction is just invalid.

You missed that the transaction hash contains the output value therefore Trezor can rehash the input transaction presented to check that its hash that is in the input.

So the approach is secure but expensive since you need the entire source transaction for the re-hash instead of just the value the output(s) the transaction spends. The source transaction might be arbitrarily large having lots of outputs that do not play any role in the to be signed transaction.

With this proposal the signing device would only need to know the value of the previous output, since even the output script could be implied by the key the device uses to sign. The signature and therefore the transaction would then be either valid with correct fee or invalid entirely.

In contrary, the current situation forces the wallet to know the previous input, especially its value.

The proposal does not require to fetch previous input for signature but to have an opinion on the value of the previous input. If that opinion is wrong the transaction will be rejected and therefore avoided that a value incorrectly assumed goes to the miner.

Bits of Proof is launching a JV product that uses P2SH before end of this year. Can't tell more yet.

In addition it also facilitates ticket sales for the btc1k party in Frankfurt am Main for which the vault will also use P2SH.

The consensus unlikely includes those developing wallets. It is the single most dangerous "feature" I came across while implementing Bitcoin that one is not able to validate the fee of a transaction on its own but need to retrieve its referenced predecessors. We should do this.

https://eprint.iacr.org/2013/622.pdf

The authors of the paper claim in the abstract:


If that holds shouldn't Payment Protocol's use of CA be revisited?

It would be useful for applications that care of the origin e.g. colored coins.

What do you think of a protocol extension for SPV style chain download of the subset relevant for one's wallet?

A node would query SPV style proofs for transaction inputs relevant to it until proofs reach coin bases or verified by previous proofs.

I see, I missed that this works if the attacker can choose the original script.

How is this easier than mining private keys that lead to public key hash (aka. an address) of pay to address transaction?

nlocktime is usable and could be utilized to create an offsetting transaction in advance.
It would be a similar scheme thane implemented in bitcoinj micropayment channel:

https://bitcointalk.org/index.php?topic=244656.msg2593783#msg2593783

While work might become feasible, a successful attack on P2SH needs more than a collision: an alternate script valid and redeemable by the attacker.

I did not re-implement a "bitcoin client" but a protocol server facing P2P and other modules that connect to the protocol server using its message bus.

Those modules implement wallets, exchanges, a payment processor and more to come. The payment protocol is a puzzle that will fit into some modules or be implemented as part of specific business processes.

I would eventually replace my protocol server with the reference client if it was moving into a direction of being extensible instead of embedding yet an other proof of a concept. I agree with the concept but not the implementation and the priority it enjoys.

Would it not be easier to achieve wide support by implementing the payment protocol self contained, so it can be connected to other wallet implementations?

I know, bitcoin-qt does not currently have interfaces to allow such loose coupling, but should that be the excuse to embed yet an other complex protocol instead of implementing a better interface?

We do suffer under a monolithic reference implementation and this extension, if added as usual, compounds the problem.

This is great, but why is it planned to be closely coupled and embedded with the code base of bitcoin-qt in 0.9 ?