NBitcoin : Stealth Address, DarkWallet compliant

[Nicolas Dorier]

Just checked

Code:

Usage: sx stealth-uncover EPHEM_PUBKEY SCAN_SECRET SPEND_PUBKEY
NICO@aois-linux2:~$ sx stealth-uncover 02d3a7c713f0fb9eadaf23d121f5f66a11f4ca780a353ecb1c88ae48646529e1d6 cc411aab02edcd3bccf484a9ba5280d4a774e6f81eac8ebec9cb1c2e8f73020a  02a60d70cfba37177d8239d018185d864b2bdd0caf5e175fd4454cc006fd2d75ac
02bbc9fccbe03de928fc66fcd176fbe69d3641677970c6f8d558aa72f72e35e0cb

Which is the address where I sent.

[1714607054]

1714607054

[Nicolas Dorier]

dont ask me why it is always 03 - it is also strange for me.

but now at least I know how to recover the coins we lost before.
where do you want them?

You can send back to me.
However your result is not consistent with SX why is it the case ? Which one to trust ?

[piotr_n]

What is your address?

It seems like the implantation in sx is different from the one in DW.
DW always overwrites 02 with 03 before hashing it.
sx - doesnt seem so; takes either 02 or 03, depending how it came out.
Now we need to figure how it should be.

[piotr_n]

I think your/sx implementation makes more sense, but if I make it like this I won't be DW compatible anymore.

Look at line 42: https://github.com/darkwallet/darkwallet/blob/develop/js/util/stealth.js
... and here, line 99: https://github.com/libbitcoin/libwallet/blob/master/src/stealth.cpp

These two functions are compatible only in 50% of the cases.

[Nicolas Dorier]

need to ask to genjix on irc, i'll contact him.

mwdJkHRNJi1fEwHBx6ikWFFuo2rLBdri2h

[piotr_n]

ok. let me know what you found.

sent you back the coins.

[Nicolas Dorier]

he is afk for now.
So if I understand, the difference lies when I calculate the shared secret after the EC multiply.

My code and SX :

Code:

var pBytes = new PubKey(p.GetEncoded()).Compress().ToBytes();
var hash = Hashes.SHA256(pBytes);

DW :

Code:

var pBytes = new PubKey(p.GetEncoded()).Compress().ToBytes();
pBytes[0] = 0x03;
var hash = Hashes.SHA256(pBytes);

It about :
c = H(eQ) = H(dP) at https://wiki.unsystem.net/index.php/DarkWallet/Stealth#Dual-key_stealth

[piotr_n]

yeah I also asked it at #darkwallet, but ATM there isn't anyone around to answer

yes - except that the value is 0x03, not 0x02:

Code:

var pBytes = new PubKey(p.GetEncoded()).Compress().ToBytes();
pBytes[0] = 0x03;
var hash = Hashes.SHA256(pBytes);

I'm happy to change it in my code, but first let's figure out which approach is the desired one

[Nicolas Dorier]

I fixed my response, yes this is problematic since I don't think it is good to break existing clients and scanners.
Maybe the scanner will need to handle both case

[piotr_n]

I fixed my response, yes this is problematic since I don't think it is good to break existing clients and scanners.
Maybe the scanner will need to handle both case

nobody really uses stealth addresses yet - I don't mind changing my scanner.
it's better to do it now than to wait longer or (even worse) to check for both the values.
there are obviously two different approaches which are compatible only in 50% of cases.

I wonder which of the two is in Electrum.

[piotr_n]

it seems that this weirdness comes from electrum implementation.
see here, line 619: https://github.com/dabura667/electrum/blob/StealthAddressSend/lib/bitcoin.py

@dabura667, any comments?

[Nicolas Dorier]

From : https://github.com/darkwallet/darkwallet/blob/develop/js/util/stealth.js#L42
Is seems the JS implementation is not quite right.

A compressed pub key in the X coordinate of ECPoint, with 02 or 03 indicating if Y the odd or even.
From this two information, you can recalculate the Y which is lost during compression.

The JS implementation assume that Y is always odd... a simple modulo test on Y just before the concat would solve the problem.

[piotr_n]

agreed

but I think this implementation is based on the one from electrum, where it seems even more clear that someone just forgot to check the Y's parity, before prefixing X with the proper byte:
https://github.com/dabura667/electrum/blob/StealthAddressSend/lib/bitcoin.py#L619

[Nicolas Dorier]

sent pull request to https://github.com/darkwallet/darkwallet/pull/131, I can't run it so I hope I got it from the first time.

[piotr_n]

it is not my code, but I believe Y has a method isEven() that works faster than mod(2)

Code:

var S1 = [ point.getY().isEven() ? 2 : 3 ].concat(point.getX().toBigInteger().toByteArrayUnsigned());

EDIT:
actually, I believe the proper way is to just use the function that is already there for it:

Code:

var S1 = point.getEncoded(true)

[piotr_n]

sent pull request to https://github.com/darkwallet/darkwallet/pull/131, I can't run it so I hope I got it from the first time.

and why you cannot run it? don't you have chrome?

[Nicolas Dorier]

I hate javascript, I'll let the creator of the lib take the relay for the pull
I sent an issue for the electrum python version of the bug.

sent pull request to https://github.com/darkwallet/darkwallet/pull/131, I can't run it so I hope I got it from the first time.

and why you cannot run it? don't you have chrome?

I'm just lazy to setup a page that include these scripts, and creating a piece of code that will pass where the bug is.
I hate javascript so much.

[piotr_n]

I'm just lazy to setup a page that include these scripts, and creating a piece of code that will pass where the bug is.
I hate javascript so much.

You don't need to setup any page - its a fully functional extension for chrome.

Just checkout the repo from github, go to Chrome's "Extensions" page, enable "Developer mode" and "Load unpacked extension..." pointing it to the darkwallet folder (the one with manifest.json)

It will load the extension and then you can already use DW.
For a start better stick to testnet - it will ask you when creating a new wallet.

[dabura667]

it seems that this weirdness comes from electrum implementation.
see here, line 619: https://github.com/dabura667/electrum/blob/StealthAddressSend/lib/bitcoin.py

@dabura667, any comments?

I was aware that sticking an 0x03 on it no matter what was incorrect, but that was the only way for me to get it to work with DW.
I was meaning to do a PR for a while on DW for it, but by the time I got around to it, I couldn't find it for the life of me.
Then I forgot about it.

I should have added a comment there including my big "" that I had when I saw this in DW.

[piotr_n]

so DW was first, and you just copied it.
then I copied it...

the question is: what now?
are you going to change it?
I think we should.