|
November 14, 2013, 05:31:42 PM Last edit: November 14, 2013, 06:01:05 PM by etotheipi |
|
I have made a proposal for this before. I was under the impression that the Payment Protocol could be extended for this. Better yet, BIP 32 is technically already capable of executing this process. At the moment, I'll be working with individual merchants to implement this, though I'd love to have it be more widely accepted.
Functionality:
-- Merchant has root public key that is truly public (but the chaincode is not). -- Whenever a merchant gives you an address, they give you the root key and the multiplier/tweak along with the address -- The client verifies the public key provided matches the known value for the merchant -- The client software will multiply the root public key by the tweak and confirm they get the same payment pubkey/address -- Client software provably knows that the address belongs to the merchant's wallet -- There's no way for the client to see any other addresses in the merchant's wallet without the chaincode that goes with the root public key
Similarly, you can have:
-- Customer creates a new BIP 32 wallet -- Customer opens an account on the merchant website -- Customer makes a deposit, of which the first input address is X -- Customer software will supply the service with the root key and multiplier that produces X -- Merchant will store the root public key(s) in the customer account/metadata -- On a withdrawal, the customer software will send the address, along with the multiplier -- The merchant software can verify that the address belongs to the same wallet as X -- If the wallet is different (or do not supply that info), then the merchant will use extra authentication techniques.
How does it work? All BIP 32 chains have a root public key and chaincode. To get a particular address, you do mangle the key and chaincode with the address index to get a multiplier. Knowing the multiplier does not allow you to backtrack the chain code. But it does allow you to prove that the address is related to a given root public key.
In this way, merchants with persistent business relationships, or customers accessing well-known websites will pre-verify the merchant public key, and then can prove that all payment addresses belong to that actual wallet (which could be an offline wallet of the merchant, doesn't really matter). Similarly, if the customer uses the same set of wallets persistently, the merchant at least knows that there's a recognized wallet being provided for withdrawal/payment. Of course, they don't know if that wallet is compromised, but it still adds an extra layer of security.
The root public keys could easily be distributed via SSL/CA mechanisms. It would then be a very simple addition to the payment protocol -- only requiring a couple extra fields to be transmitted with the addresses. On the other hand, you can also exchange and verify root public keys manually and sidestep all the SSL/CA stuff.
This is extremely powerful, and I hope to see some adoption of this technique, though I suspect Armory will be the first, and will have to demosntrate its power before other really believe/understand it.
|