Bitcoin Forum
Author Topic: [Proposal?] Public keys availability for watch-only wallets  (Read 96 times)
BlackHatCoiner (OP)
June 15, 2021, 11:32:29 AM
 #1

You're revealing the public key(s) of your address(es) once you spend an output, so it can obviously be verified from your signature. While ElectrumX is written in a way to only keep the UTXOs of the block chain, I'd like to know why it shouldn't also keep the addresses' public keys.

For example, in a watch-only wallet that wasn't created using a master public key, you won't be able to get an address' public key even if it has revealed it. In the above example, it'd be good to know the public key of the address, because it's extra information I can gain.



I smudged them with red for private reasons.

ranochigo
June 15, 2021, 11:38:12 AM
 #2

No point adding additional resources to try to index each of the public keys that have ever been exposed on the network. You have to individually use the scriptSig of each transaction to find the public key. Possible to do, but mostly not very useful for most people. I'm not sure about the resource usage for something like this, but I assume that this could take up more resources as well.

You can probably make a pull request for that though I believe it would be quite an intensive code change, from ElectrumX to Electrum protocol as well. Not worth the effort, IMHO.

I'm intrigued though, what would people gain or what use would they have by knowing the public key?

BlackHatCoiner (OP)
June 15, 2021, 11:47:52 AM
 #3

> I'm intrigued though, what would people gain or what use would they have by knowing the public key?
Well, you could encrypt a message to the owner of the address without having to ask him to give it to you. You could avoid a possible MITM attack this way.

> 1. Maybe there's no function to extract public key from signature.
Maybe? Is this something new that comes with Taproot or Schnorr signatures? Because I'm completely unaware of those two. As far as I know, you can extract the public key of a scriptSig to verify the message.

> How should ElectrumX handle scripts which contain multiple signatures or no signature?
How could one spend an output without proving it with a signature? I may have misunderstood this. As for the multi-signature, it could show any key that is exposed from the specified address. Maybe not all of them, if it's not a N-of-N multi-sig.

ranochigo
June 15, 2021, 12:00:27 PM
Last edit: June 15, 2021, 02:14:29 PM by ranochigo
 #4

> Well, you could encrypt a message to the owner of the address without having to ask him to give it to you. You could avoid a possible MITM attack this way.
Fair. I would probably recommend that people start using implementations that are designed for secure message exchange instead, PGP etc. Electrum's ECIES was incorrectly implemented in the past and AFAIK isn't widely reviewed either.

> How could one spend an output without proving it with a signature? I may have misunderstood this. As for the multi-signature, it could show any key that is exposed from the specified address. Maybe not all of them, if it's not a N-of-N multi-sig.
Not all unlocking scripts require a signature.


Electrum's current protocol documentation doesn't include this. Might be a bit of a hassle implementing this?

NotATether
June 15, 2021, 05:59:34 PM
 #5

One (not so ethical depending on who you ask) way of implementing this without committing changes to Electrum's protocol or breaking compatibility with other servers' protocols is to retrieve the list of all addresses inside the show_banner or other initialization method, use a block explorer's API to fetch the public keys for the addresses and then print a map between the addresses and the public keys.

I say "not so ethical" because some people are against silent harvesting of addresses & pubkeys.

pooya87
June 16, 2021, 02:56:15 AM
 #6

There is no point in the Electrum nodes storing anything extra for something that is not really needed by users (i.e. requesting a public key).
Additionally, if you want your public key, then your wallet, which knows both your address and your transaction history, can easily extract it from any of the outgoing transactions locally, without the node it connects to having to do it for them.

There are very simple steps that could be added to the code:
1. Find a single outgoing transaction (a tx spending your coins)
2. Search among the inputs to see which one belongs to your wallet
[Electrum already performs these two steps]
3. Fetch the wallet/address type then the corresponding hard-coded signature script pattern that this type uses.
4. Evaluate and extract public key(s) that belong to that address.

For example if the third input of the tx is from your address that is of type P2SH-P2WPKH then the second witness stack item of the third witness is your public key.
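The four steps above (and ranochigo's point in #2 that the key has to be pulled out of each transaction's unlocking data individually) carried through in Python, as an added example that is not Electrum or ElectrumX code. It assumes the wallet already has the transaction and the scriptPubKey of each spent output, so the transaction is a constructed dict rather than a parsed raw transaction; the keys, signatures and 20-byte hashes are placeholder values constructed for the example (the first key is the compressed secp256k1 generator point, used only as a well-formed 33-byte value). The code does shape checks only: it does not verify signatures, and it does not recompute HASH160 for the P2PKH/P2WPKH/P2SH-P2WPKH cases, so those keys are trusted from the template alone; the P2WSH case shows the cheap ownership check that is possible with SHA-256. Taproot key-path spends are included to show that they reveal no key beyond the one already in the scriptPubKey.

```python
"""Extract the public keys an outgoing transaction reveals for the wallet's own inputs,
using the standard per-script-type templates. Added example, not Electrum code."""
import hashlib

# Constructed sample values. PK1 is the compressed secp256k1 generator point (no curve math is done).
PK1 = bytes.fromhex("0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798")
PK2 = bytes.fromhex("02" + "11" * 32)     # well-formed placeholder compressed keys
PK3 = bytes.fromhex("03" + "22" * 32)
SIG = b"\x30" + bytes(69) + b"\x01"       # placeholder 71-byte DER-shaped signature + SIGHASH_ALL
H20 = bytes(range(20))                    # placeholder 20-byte hash (HASH160 is not recomputed here)


def push(data: bytes) -> bytes:
    """Encode a data push: direct push up to 75 bytes, OP_PUSHDATA1 above that."""
    if len(data) <= 75:
        return bytes([len(data)]) + data
    if len(data) <= 0xFF:
        return b"\x4c" + bytes([len(data)]) + data
    raise ValueError("push too large for this example")


def parse_pushes(script: bytes) -> list:
    """Split a script into its pushed items; non-push opcodes come back as 1-byte items."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:
            n = op
        elif op == 0x4C:                                   # OP_PUSHDATA1
            n = script[i]
            i += 1
        elif op == 0x4D:                                   # OP_PUSHDATA2
            n = int.from_bytes(script[i:i + 2], "little")
            i += 2
        else:                                              # OP_0, OP_2, OP_CHECKMULTISIG, ...
            items.append(bytes([op]))
            continue
        if i + n > len(script):
            raise ValueError("truncated push")
        items.append(script[i:i + n])
        i += n
    return items


def is_pubkey(item: bytes) -> bool:
    """Shape check only: compressed (33 bytes, 02/03) or uncompressed (65 bytes, 04)."""
    return (len(item) == 33 and item[0] in (2, 3)) or (len(item) == 65 and item[0] == 4)


def script_type(spk: bytes) -> str:
    """Step 3: classify the spent output's scriptPubKey by its standard template."""
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"
    if len(spk) == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh"
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    if len(spk) == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"
    if len(spk) == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"
    return "unknown"


def extract_pubkeys(spk: bytes, script_sig: bytes, witness: list) -> list:
    """Step 4: pull the revealed key(s) out of the unlocking data for this script type."""
    kind = script_type(spk)
    if kind == "p2pkh":                                    # scriptSig = [sig, pubkey]
        items = parse_pushes(script_sig)
        return [items[1]] if len(items) == 2 and is_pubkey(items[1]) else []
    if kind == "p2wpkh":                                   # witness = [sig, pubkey]
        return [witness[1]] if len(witness) == 2 and is_pubkey(witness[1]) else []
    if kind == "p2sh" and witness:                         # P2SH-wrapped segwit
        if len(witness) == 2 and is_pubkey(witness[1]):    # P2SH-P2WPKH: second witness item
            return [witness[1]]
        return [k for k in parse_pushes(witness[-1]) if is_pubkey(k)]   # P2SH-P2WSH: witnessScript
    if kind == "p2sh":                                     # bare P2SH: last push is the redeemScript
        items = parse_pushes(script_sig)
        return [k for k in parse_pushes(items[-1]) if is_pubkey(k)] if items else []
    if kind == "p2wsh" and witness:                        # last witness item is the witnessScript
        ws = witness[-1]
        if hashlib.sha256(ws).digest() != spk[2:]:         # ownership check: program == sha256(witnessScript)
            return []
        return [k for k in parse_pushes(ws) if is_pubkey(k)]
    return []   # p2tr key-path spends carry only a Schnorr signature; the internal key stays hidden


def revealed_pubkeys(tx: dict, wallet_spks: set) -> dict:
    """Steps 1-2: walk the outgoing tx's inputs, keep only those spending the wallet's own
    outputs, and return {input_index: (script_type, [pubkey hex, ...])}."""
    out = {}
    for idx, txin in enumerate(tx["inputs"]):
        spk = txin["prev_script_pubkey"]
        if spk not in wallet_spks:
            continue
        keys = extract_pubkeys(spk, txin.get("script_sig", b""), txin.get("witness", []))
        out[idx] = (script_type(spk), [k.hex() for k in keys])
    return out


# Constructed transaction: one input per script type, plus one input that is not ours.
REDEEM = b"\x52" + push(PK1) + push(PK2) + push(PK3) + b"\x53\xae"   # 2-of-3 CHECKMULTISIG script
SPK_P2PKH = b"\x76\xa9\x14" + H20 + b"\x88\xac"
SPK_P2SH = b"\xa9\x14" + H20 + b"\x87"
SPK_P2WPKH = b"\x00\x14" + H20
SPK_P2WSH = b"\x00\x20" + hashlib.sha256(REDEEM).digest()
SPK_P2TR = b"\x51\x20" + PK1[1:]
SPK_OTHER = b"\x76\xa9\x14" + bytes(20) + b"\x88\xac"                 # someone else's output
SAMPLE_TX = {"inputs": [
    {"prev_script_pubkey": SPK_P2PKH, "script_sig": push(SIG) + push(PK1), "witness": []},
    {"prev_script_pubkey": SPK_OTHER, "script_sig": push(SIG) + push(PK2), "witness": []},
    {"prev_script_pubkey": SPK_P2SH, "script_sig": push(b"\x00\x14" + H20), "witness": [SIG, PK2]},
    {"prev_script_pubkey": SPK_P2SH, "script_sig": b"\x00" + push(SIG) + push(SIG) + push(REDEEM), "witness": []},
    {"prev_script_pubkey": SPK_P2WSH, "script_sig": b"", "witness": [b"", SIG, SIG, REDEEM]},
    {"prev_script_pubkey": SPK_P2TR, "script_sig": b"", "witness": [bytes(64)]},
]}
WALLET_SPKS = {SPK_P2PKH, SPK_P2SH, SPK_P2WPKH, SPK_P2WSH, SPK_P2TR}

if __name__ == "__main__":
    for idx, (kind, keys) in revealed_pubkeys(SAMPLE_TX, WALLET_SPKS).items():
        print(f"input {idx} ({kind}): {keys or 'no key revealed'}")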
