Bitcoin Forum
Topic: Crypto question: Attaching metadata to a receive address.
greBit (OP)
August 21, 2013, 09:20:43 AM
Last edit: August 21, 2013, 12:46:51 PM by greBit
 #1

I need to generate a receive address that is directly associated with some metadata, M, that forms part of a verifiable contract.

I require that customers can verify that an address really was generated from a specific contract message, but I do not want them to have the private key to the address.

I obviously don't want to bloat the blockchain nor do I wish to use non-standard transactions. P2SH is also not possible as it is still largely unsupported by many online wallet providers.

So here is my first attempt, based on (https://bitcointalk.org/index.php?topic=108423.0) ...

# generate an EC key pair for the company
issuer_public_key = issuer_private_key * G

# create a contract message string, M
M = 'Terms of contract bla bla and also includes issuer_public_key for safety'

# generate a hash of the message
e = SHA256(M)

# create an EC point that is known to both parties
contract_point =  (e * issuer_public_key)

# generate a public key for this contract to form our receive address. Customer agrees to contract when they send BTC to receive address.
receive_public_key = contract_point + issuer_public_key

# the private key for the receive address is thus (scalar arithmetic modulo the curve order n)
receive_private_key = (e * issuer_private_key + issuer_private_key) mod n


Feedback much appreciated :)
gmaxwell
August 21, 2013, 03:59:31 PM
 #2

The output of SHA256 is not guaranteed to be a valid point, so as described this procedure can fail.
greBit (OP)
August 21, 2013, 05:01:33 PM
 #3

> The output of SHA256 is not guaranteed to be a valid point, so as described this procedure can fail.

Yeah the output `e` would be a scalar.  But when it is multiplied with the issuer_public_key point, would the resulting `contract_point` not be a valid elliptic curve point?

I'm basing it on the post from Stefan Thomas ...

> So how about this.
>
> The recipient publishes their public ECDSA point P.
>
> A sender generates a JSON metadata object M and calculates its hash e = SHA256(M). The sender then calculates a new public point PM = P * e. Next, the sender creates a transaction sending the money to the address RIPE160(SHA256(PM)). Finally, he transmits M to the recipient through a secure channel - this could be sent directly via HTTPS, encrypted email, etc. or perhaps left as a message in a DHT, encrypted with ECDH and the recipient's public point P as the key.


Edit: to include quote.
gmaxwell
August 21, 2013, 06:36:02 PM
 #4

> Yeah the output `e` would be a scalar.  But when it is multiplied with the issuer_public_key point, would the resulting `contract_point` not be a valid elliptic curve point?

Imagine that e is 0.
greBit (OP)
August 21, 2013, 06:48:29 PM
 #5

> > Yeah the output `e` would be a scalar.  But when it is multiplied with the issuer_public_key point, would the resulting `contract_point` not be a valid elliptic curve point?
>
> Imagine that e is 0.

Yeah ok, barring the exceptional case that the hash of the metadata comes to zero but that seems pretty unlikely :)
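
An added example, not code from any poster in this thread: the derivation from post #1 carried out on secp256k1 in plain Python, with the unusable scalars rejected explicitly. It goes beyond the e = 0 case raised above by also rejecting e = n - 1 and e >= n; the helper names, key value and message are constructed assumptions, and public keys are compared directly rather than encoded as addresses.

```python
import hashlib

# secp256k1 parameters: field prime, group order, generator
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def check_scalar(e):
    # e = 0 makes contract_point infinity; e = N-1 makes the receive key infinity
    if not 0 < e < N - 1:
        raise ValueError("contract hash unusable as a scalar")
    return e

def contract_scalar(message):
    return check_scalar(int.from_bytes(hashlib.sha256(message).digest(), "big"))

def receive_public_key(message, issuer_pub):
    """What a customer computes from M and the issuer's public key alone."""
    return add(mul(contract_scalar(message), issuer_pub), issuer_pub)

def receive_private_key(message, issuer_priv):
    """Issuer side: (e*d + d) mod N, a scalar sum, never point + scalar."""
    return (contract_scalar(message) * issuer_priv + issuer_priv) % N

# Constructed sample values (assumptions, not from the thread)
issuer_priv = 0x1F2E3D4C5B6A79880102030405060708
issuer_pub = mul(issuer_priv, G)
M = b"Terms of contract; issuer key x=" + hex(issuer_pub[0]).encode()
```

A customer who holds only M and issuer_pub recomputes receive_public_key(M, issuer_pub) and compares it with the key behind the advertised address; only the issuer can compute the matching private scalar.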