Kosta# (OP)
Newbie
Activity: 55
Merit: 0
January 19, 2014, 10:49:07 PM
The topic is discussed here. Unfortunately, being a newbie, I can't post my question there, so here it is. Step 3 of the protocol (Generate your private key for recovering your stealth funds [recipient]) requires the recipient to know the nonce used by the sender. Therefore, (1) the step of securely communicating the nonce from sender to recipient is missing and (2) the whole thing is equivalent to:
Step 1. Sender generates a completely random address and sends money to it.
Step 2. Sender sends the information required to access the funds to the recipient, encrypted with the recipient's public key.
Please let me know what I am missing. Thank you in advance.
Kosta# (OP)
Newbie
Activity: 55
Merit: 0
January 21, 2014, 01:36:12 AM
ping
bitpop
Legendary
Activity: 2912
Merit: 1060
January 21, 2014, 02:13:16 AM
Yeah I don't get it either. And what's the point if the address part is simply transformed into an address? Unless it's random but I don't think so.
Check my signature for a much better tool
Peter Todd
Legendary
Activity: 1120
Merit: 1152
January 21, 2014, 02:17:39 AM
Yeah I don't get it either. And what's the point if the address part is simply transformed into an address? Unless it's random but I don't think so.
It is random - that's the whole point. The only people who can figure out what stealth address was being paid by the transaction are the sender and the receiver, no-one else.
bitpop
Legendary
Activity: 2912
Merit: 1060
January 21, 2014, 02:43:46 AM
O
tacotime
Legendary
Activity: 1484
Merit: 1005
January 21, 2014, 01:10:06 PM
O
Yup; most explanations of this are really confusing so far, so I'll try to explain it again.
Sender gets stealth address, generates a Bitcoin address based on this.
Sender uploads a pubkey and nonce (secret which appears as a bunch of random characters) to the network via OP_RETURN function, and sends some money to the generated address.
Receiver scans the blockchain for pubkey and nonce that allows him to generate a private key to the address the sender created and sent funds to, and then he claims ownership of the address.
Important stuff:
1.) No one aside from the sender and the receiver can possibly know where the money is going, because a new, random address for the receiver is generated every time.
2.) Receiver has to scan every OP_RETURN tx on the blockchain in search of his funds.
3.) The receiver and only the receiver can spend funds at these addresses the sender generates.
XMR: 44GBHzv6ZyQdJkjqZje6KLZ3xSyN1hBSFAnLP6EAqJtCRVzMzZmeXTC2AHKDS9aEDTRKmo6a6o9r9j86pYfhCWDkKjbtcns
Peter Todd
Legendary
Activity: 1120
Merit: 1152
January 21, 2014, 04:01:19 PM
tacotime: That's an encrypted nonce. I think using the word "encrypted" is what makes it "click" for people. Also, point out that a nonce is just "a random number used once" (edit: oh, no, you did, good!)
bitpop
Legendary
Activity: 2912
Merit: 1060
January 21, 2014, 04:45:34 PM
Isn't there a similar BIP coming?
piotr_n
Legendary
Activity: 2053
Merit: 1356
aka tonikt
January 21, 2014, 04:46:09 PM
All I can tell you about stealth addresses is: good luck using them with a cold wallet!
The only way to figure out which outputs belong to your wallet goes through decrypting every possible nonce with each private key that you have ever used for a "stealth address". It is a huge overhead in the client and IMHO implementing this idea is just not worth all the effort - considering that it does not really improve privacy more than sending a regular unique address to each of your payers, using an actually encrypted channel. So personally I would rather suggest to focus on providing proper encryption for sending bitcoin addresses to other parties.
Check out gocoin - my original project of full bitcoin node & cold wallet written in Go. PGP fingerprint: AB9E A551 E262 A87A 13BB 9059 1BE7 B545 CDF3 FD0E
Peter Todd
Legendary
Activity: 1120
Merit: 1152
January 21, 2014, 04:58:57 PM
All I can tell you about stealth addresses is: good luck using them with a cold wallet!
The only way to figure out which outputs belong to your wallet goes through decrypting every possible nonce with each private key that you have ever used for a "stealth address". It is a huge overhead in the client and IMHO implementing this idea is just not worth all the effort - considering that it does not really improve privacy more than sending a regular unique address to each of your payers, using an actually encrypted channel. So personally I would rather suggest to focus on providing proper encryption for sending bitcoin addresses to other parties.
Incorrect. The spec we're working on for them supports the use of a separate private key for decrypting the nonces so that you can keep that key, and only that key, online and the private keys required to spend the funds totally offline. Usually you'd use two or three keys in total in a 2-of-2 or 2-of-3 scheme with the "decrypt" key being necessary, but not sufficient, to spend the funds. Regarding a unique address for each payer, the idea behind stealth addresses is to make the process of getting funds more convenient so that using bitcoin in the most private way is always simple and easy rather than annoying. Stealth addresses are a form of "proper encryption" for sending a bitcoin address to other parties.
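The two-key scheme Peter Todd describes above (an online key that only detects payments, an offline key needed to spend), together with tacotime's sender/receiver walk-through earlier in the thread, as an added example written for this page; it is not the spec or any project's code. It assumes secp256k1, SHA-256 of the compressed ECDH point as the tweak, and treats the published ephemeral pubkey as the "nonce" that would go into OP_RETURN.

```python
import hashlib
import secrets

# secp256k1 parameters (assumed curve; pure-Python arithmetic, for illustration only)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def mul(k, p=G):
    """Scalar multiplication by double-and-add."""
    r = None
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def compressed(p):
    return (b'\x02' if p[1] % 2 == 0 else b'\x03') + p[0].to_bytes(32, 'big')

def tweak(secret, point):
    """c = H(secret * point). e*S and s*E are the same point, so sender and receiver agree on c."""
    return int.from_bytes(hashlib.sha256(compressed(mul(secret, point))).digest(), 'big') % N

def sender_pay(S, B):
    """Sender: fresh ephemeral key e; publish E (the 'nonce') and pay to B + c*G."""
    e = secrets.randbelow(N - 1) + 1
    E = mul(e)
    return E, add(B, mul(tweak(e, S)))

def recipient_scan(s, B, E, output_pubkey):
    """Online scan key s only: recompute c from the published E and test the output."""
    return add(B, mul(tweak(s, E))) == output_pubkey

def recipient_spend_key(s, b, E):
    """Offline spend key b plus the tweak is the private key of the one-time output."""
    return (b + tweak(s, E)) % N
```

Only E and the paid output appear on chain; without s nobody can recompute c, which is why the "nonce" needs no private channel, and the scanning host never holds b.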
piotr_n
Legendary
Activity: 2053
Merit: 1356
aka tonikt
January 21, 2014, 05:25:25 PM
The spec we're working on for them supports the use of a separate private key for decrypting the nonces so that you can keep that key, and only that key, online and the private keys required to spend the funds totally offline. Usually you'd use two or three keys in total in a 2-of-2 or 2-of-3 scheme with the "decrypt" key being necessary, but not sufficient, to spend the funds.
Oh, thanks for explaining. In such a case it is a much better design than I had thought. Sorry for doubting you. Still you need to try decrypting each nonce with each private key you have ever issued, in order to find out if a certain tx actually belongs to your wallet - did I get that part correct? What I mean is: if you have issued like 1000 stealth addresses and 50% of the transactions use stealth-type outputs, then I don't really envy your node. That is more like designing a disaster
prezbo
January 21, 2014, 05:49:53 PM
Still you need to try decrypting each nonce with each private key you have ever issued, in order to find out if a certain tx actually belongs to your wallet - did I get that part correct?
That is correct, but I don't think it's that much of an overhead.
What I mean is: if you have issued like 1000 stealth addresses and 50% of the transactions use stealth-type outputs, then I don't really envy your node. That is more like designing a disaster
I don't really see how one would benefit from more than one stealth address though.
Peter Todd
Legendary
Activity: 1120
Merit: 1152
January 21, 2014, 05:56:50 PM
Still you need to try decrypting each nonce with each private key you have ever issued, in order to find out if a certain tx actually belongs to your wallet - did I get that part correct? What I mean is: if you have issued like 1000 stealth addresses and 50% of the transactions use stealth-type outputs, then I don't really envy your node. That is more like designing a disaster
My thinking is that a wallet would only use a single stealth address, so you only need to test tx's matching your adjustable prefix (a bandwidth/anonymity tradeoff) against the single key. Disambiguating payments could be done with an encrypted "payment ID", or just by value and time (quite sufficient I think for individuals). After all, the whole point of stealth addresses is that you only need a single one! The idea came about when we were trying to figure out how to put a bitcoin address in an OpenPGP key yet still keep payments to that address private.
jl2012
Legendary
Activity: 1792
Merit: 1111
January 21, 2014, 06:08:16 PM
Still you need to try decrypting each nonce with each private key you have ever issued, in order to find out if a certain tx actually belongs to your wallet - did I get that part correct? What I mean is: if you have issued like 1000 stealth addresses and 50% of the transactions use stealth-type outputs, then I don't really envy your node. That is more like designing a disaster
My thinking is that a wallet would only use a single stealth address, so you only need to test tx's matching your adjustable prefix (a bandwidth/anonymity tradeoff) against the single key. Disambiguating payments could be done with an encrypted "payment ID", or just by value and time (quite sufficient I think for individuals). After all, the whole point of stealth addresses is that you only need a single one! The idea came about when we were trying to figure out how to put a bitcoin address in an OpenPGP key yet still keep payments to that address private.
What if I have multiple identities? Is it possible to have many different stealth addresses which are all controlled by a single private key, while no one could tell these addresses are related?
Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY) LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC) PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
Peter Todd
Legendary
Activity: 1120
Merit: 1152
January 21, 2014, 07:50:11 PM
What if I have multiple identities? Is it possible to have many different stealth addresses which are all controlled by a single private key, while no one could tell these addresses are related?
That's not possible unfortunately. Just a limitation of how the underlying cryptography primitive works; I'd be very interested if anyone can come up with a way to do it without that limitation. FWIW most people don't realize this, but multiple non-clustered addresses reduce your privacy when you use SPV nodes to query peers for blockchain data relevant to your wallet: http://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg03612.html
Lots of engineering trade-offs here.
piotr_n
Legendary
Activity: 2053
Merit: 1356
aka tonikt
January 22, 2014, 08:59:53 AM
But how do you then see using stealth addresses in SPV nodes?
e4xit
January 22, 2014, 09:31:24 AM
---snip--- The spec we're working on for them supports the use of a separate private key for decrypting the nonces so that you can keep that key, and only that key, online and the private keys required to spend the funds totally offline. Usually you'd use two or three keys in total in a 2-of-2 or 2-of-3 scheme with the "decrypt" key being necessary, but not sufficient, to spend the funds. ---snip---
Nice! I'm sure I didn't notice this when I read the run-through you posted on Sourceforge! Edit: archive of the mailing list on SF
Not your keys, not your coins. CoinJoin, always.
Peter Todd
Legendary
Activity: 1120
Merit: 1152
January 22, 2014, 05:27:21 PM
But how do you then see using stealth addresses in SPV nodes?
Your homework problem: read the paper where that's explained and tell everyone else here how that works.
piotr_n
Legendary
Activity: 2053
Merit: 1356
aka tonikt
January 22, 2014, 05:42:09 PM
Your homework problem: read the paper where that's explained and tell everyone else here how that works.
yeah... I wouldn't wait for it, though. I don't remember doing homework even back at school - no way to start it now
Kosta# (OP)
Newbie
Activity: 55
Merit: 0
January 30, 2014, 09:13:47 AM
Sender uploads a pubkey and nonce (secret which appears as a bunch of random characters) to the network via OP_RETURN function, and sends some money to the generated address
Just to make sure I got it right: by the pubkey you mean stealth-address, and by nonce you mean private-key-to-actual-address encrypted by pubkey/stealth-address. Is it correct?