Bitcoin Forum
April 16, 2021, 06:27:43 PM *
News: Latest Bitcoin Core release: 0.21.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Is it possible to generate public keys using public info and other public info?  (Read 799 times)
sebastian
Full Member
***
Offline Offline

Activity: 126
Merit: 100


View Profile
August 23, 2015, 07:23:31 PM
 #1

Imagine this:
I have a EC keypar Ks and Kp. (secret and public).

Now I have a system with access card for customers. I want them to be able to refill the cards. Each card contains a number, lets say "1013853254", which is denoted "n".

By publishing Kp, a customer should be able to combine Kp and n, in such a way he gains a public key Kp(1013853254).
If a customer sends Money to the associated adress of this public key Kp(1013853254), then the funds
should be spendable by combining Ks with n in such a way I gain Ks(1013853254).

How is this possible with lets say EC primitives?
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1618597663
Hero Member
*
Offline Offline

Posts: 1618597663

View Profile Personal Message (Offline)

Ignore
1618597663
Reply with quote  #2

1618597663
Report to moderator
hexafraction
Sr. Member
****
Offline Offline

Activity: 392
Merit: 250

Tips welcomed: 1CF4GhXX1RhCaGzWztgE1YZZUcSpoqTbsJ


View Profile
August 23, 2015, 07:31:31 PM
 #2

This seems fairly close to BIP32. You can derive keys, but you may need the hardened keys for this (for security if anyone knows xpub and their own private key)

I have recently become active again after a long period of inactivity. Cryptographic proof that my account has not been compromised is available.
achow101
Moderator
Legendary
*
expert
Offline Offline

Activity: 2450
Merit: 3718


Just writing some code


View Profile WWW
August 23, 2015, 07:32:32 PM
 #3

This is similar to what vanitygen uses to find other people's vanity addresses without letting the generator know the entire privkey. The thread is here: https://bitcointalk.org/index.php?topic=25804.0 and the part about combining keys is partway down the OP. There is also a handy tool here: https://gobittest.appspot.com/VanitySum that both does it for you and tells you how its done.

sebastian
Full Member
***
Offline Offline

Activity: 126
Merit: 100


View Profile
August 23, 2015, 07:53:02 PM
 #4

On this page:

https://gobittest.appspot.com/VanityMult

What does "modified base Point" mean? Anyone that have the exact mathematics involved?
hexafraction
Sr. Member
****
Offline Offline

Activity: 392
Merit: 250

Tips welcomed: 1CF4GhXX1RhCaGzWztgE1YZZUcSpoqTbsJ


View Profile
August 23, 2015, 08:07:16 PM
 #5

On this page:

https://gobittest.appspot.com/VanityMult

What does "modified base Point" mean? Anyone that have the exact mathematics involved?

Adding private keys is the same as point addition for public keys.

For vanity addresses, I generate pri1 and corresponding pub1. I provide pub1 to the vanity address search service. The service searches for a pri2 such that pub1+pub2 is an address that has the right prefix. Pri2 is returned to the requester.

I have recently become active again after a long period of inactivity. Cryptographic proof that my account has not been compromised is available.
Delek
Full Member
***
Offline Offline

Activity: 157
Merit: 100


Salí para ver


View Profile WWW
August 23, 2015, 10:48:25 PM
 #6

The fact that you can actually generate public keys from random data is the proof that you can generate them from anything.

\/\/\/\/\/\/\/
-> delek.net <-
/\/\/\/\/\/\/\
hexafraction
Sr. Member
****
Offline Offline

Activity: 392
Merit: 250

Tips welcomed: 1CF4GhXX1RhCaGzWztgE1YZZUcSpoqTbsJ


View Profile
August 23, 2015, 10:49:39 PM
 #7

It is possible to generate public keys from anything, actually generating public keys from random data is the proof that you can generate them from anything.

Doesn't really answer this topic though. The OP wants to derive keys, e.g. from a master key and a number.

I have recently become active again after a long period of inactivity. Cryptographic proof that my account has not been compromised is available.
johoe
Full Member
***
Offline Offline

Activity: 217
Merit: 160


View Profile
August 23, 2015, 11:21:41 PM
 #8

By publishing Kp, a customer should be able to combine Kp and n, in such a way he gains a public key Kp(1013853254).
If a customer sends Money to the associated adress of this public key Kp(1013853254), then the funds
should be spendable by combining Ks with n in such a way I gain Ks(1013853254).

How is this possible with lets say EC primitives?

The associative law and the distributive law hold for EC and can be used.  Kp = Ks * G, hence
   (1013+Ks) * G = 1013*G + Ks*G = 1013*G + Kp
and
   (1013*Ks) * G = 1013 * (Ks * G) = 1013 * Kp

Note that + and * have two different meanings above.  Operator + is point addition or number addition modulo group order.  Operator * is point multiplication or number multiplication modulo group order.

So 1013+Ks is the private key for 1013*G + Kp  and 1013*Ks is the private key for 1013 * Kp.

I think it doesn't really matter which method you use.  See also BIP32, which uses a variant of the first method for non-hardened derivation  (hardened derivation is not what you want, because then you cannot compute the public key without the private key).  A problem is that if one private key is leaked the others can easily be computed, but there is no general way to avoid it.

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!