Bitcoin Forum
April 19, 2019, 01:27:32 AM *
News: Latest Bitcoin Core release: 0.17.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: [Tracker] Stealth Address Support  (Read 4874 times)
This is a self-moderated topic. If you do not want to be moderated by the person who started this topic, create a new topic.
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile WWW
August 04, 2014, 04:02:56 PM
Last edit: September 23, 2014, 05:13:50 PM by justusranvier
 #1

This thread is to track the progress of stealth address support in various Bitcoin clients.

In order for stealth addresses to be useful, it's necessary for Bitcoin clients to support sending funds to them, even if those clients do not support receiving funds via a stealth address.

To accelerate this process, anyone who would like to see stealth addresses become a standard feature of the Bitcoin landscape should ask the developers of their wallets they use to support at least sending to stealth addresses. Since in some cases the developers may be reluctant to add this feature and may be unwilling (or unable) to explain why, asking them in a public forum is best so that their answer - or refusal to answer - is also public.

Please feel free to create feature requests, etc for clients that aren't in this list and link them in this thread so I can add them to this post.

sx
Status: supports sending and receiving

http://sx.dyne.org/stealth.html

Dark Wallet
Status: supports sending and receiving

https://wiki.unsystem.net/en/index.php/DarkWallet/Stealth

Electrum
Status: Sending support:: https://github.com/spesmilo/electrum/pull/817

Bitcore
Status: Sending support: https://twitter.com/ryanxcharles/status/514224778052243456

https://gist.github.com/ryanxcharles/1c0f95d0892b4a92d70a
https://github.com/ryanxcharles/bitcore2/blob/master/lib/expmt/stealthmessage.js
https://github.com/ryanxcharles/bitcore2/blob/master/lib/expmt/stealthaddress.js

btcwallet
Status: interested, no immediate plans: https://github.com/conformal/btcwallet/issues/90

airBitz
Status: "very interested", no immediate plans https://twitter.com/anonymouscoin/status/496513836133154816

Mycelium
Status: Tentatively interested: https://twitter.com/MyceliumCom/status/500327004022243328

Coinkite
Status: "at some point": https://twitter.com/Coinkite/status/509489249826373632

Armory
Status: no official comment: https://github.com/etotheipi/BitcoinArmory/issues/226

Blockchain
Status: unknown

Bitcoin-Qt
Status: unknown

Multibit
Status: unknown

Coinbase
Status: unknown

Crypto Casino Since 2014
Level Up & Get Even More Rewards!
Daily Treasure Chest
& Much More
Roll Hunt
Rakeback
Blackjack
Jackpot
Dice
Slots
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1555637252
Hero Member
*
Offline Offline

Posts: 1555637252

View Profile Personal Message (Offline)

Ignore
1555637252
Reply with quote  #2

1555637252
Report to moderator
1555637252
Hero Member
*
Offline Offline

Posts: 1555637252

View Profile Personal Message (Offline)

Ignore
1555637252
Reply with quote  #2

1555637252
Report to moderator
1555637252
Hero Member
*
Offline Offline

Posts: 1555637252

View Profile Personal Message (Offline)

Ignore
1555637252
Reply with quote  #2

1555637252
Report to moderator
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile WWW
August 04, 2014, 04:44:19 PM
 #2

From IRC:

Quote
2014-08-04T16:12:34 <@jrick>I marked the issue as low prio for now since there are just other things that need to happen first, but I would like to see support for it in btcwallet
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2702
Merit: 2156



View Profile
August 04, 2014, 04:47:06 PM
 #3

Petertodd claimed to be working on a BIP and reserved a number but hasn't proposed any text. https://github.com/bitcoin/bips/blob/master/bip-0063.mediawiki

New address types should not see widespread use without extensive review for cryptographic and privacy weaknesses and functionality footguns. This really needs a clear specification.
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile WWW
August 04, 2014, 04:51:06 PM
 #4

New address types should not see widespread use without extensive review for cryptographic and privacy weaknesses and functionality footguns. This really needs a clear specification.
All true, and at the same time we don't want this to turn into a Waiting for Godot situation.

"Inadequate review" could be a great excuse to pigeonhole the functionality indefinitely.
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile WWW
August 04, 2014, 04:57:57 PM
 #5

In addition, stealth addresses only need to be better than the current standard of "publish a static address that anyone can look up in blockchain.info" in order to represent an improvement. The only thing they could possibly get wrong and be worse than what we have now is leak private keys.
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2702
Merit: 2156



View Profile
August 04, 2014, 05:13:01 PM
 #6

There are a great many things that can be done wrong— including the fact that a poorly done reusable-address proposal can preclude adoption of a good and usable one ("We've already got that, low priority to add another one",  "We're not going to spent time on that— as you can see it's not widely used"). An early flaw was already avoided where it would be incompatible with having a third party scan for you or hardware wallets... lots of stuff to possibly get wrong in this space.

Already we seem to have not learned from the experience with this kind of address in Bytecoin/Monero/etc.—  Payment IDs are an important feature but also a usability challenge with the way they're implemented in BCN/XMR/.... Right now with the way dark wallet implements this if you ask two different parties to pay you with the same address and only one of them does, you cannot tell which one paid you.
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile WWW
August 04, 2014, 05:16:34 PM
 #7

Already we seem to have not learned from the experience with this kind of address in the Bytecoin/Monero space— the payment IDs are an important feature but also a usability challenge with the way they're implemented there. Right now with the way dark wallet implements this if you ask two different parties to pay you with the same address and only one of them does, you cannot tell which one paid you.
I don't think stealth addresses are ever going to be appropriate for anything other than online tip jars. They do a great job in that role.

If you want to know who has paid you, then you should give them an xpub specific to them and let them use that from that point on.

See my comment on this gist:
https://gist.github.com/ryanxcharles/1c0f95d0892b4a92d70a
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile WWW
August 04, 2014, 05:21:27 PM
 #8

Maybe they need to be renamed to "tip addresses" or something to make sure people don't use them in situations where they are not appropriate.
genjix
Legendary
*
Offline Offline

Activity: 1232
Merit: 1000


View Profile
August 04, 2014, 06:34:27 PM
 #9

Hi, sx supports stealth. I wrote these commands to aid developers as a debugging tool:

http://sx.dyne.org/stealth.html

for anonymity I don't want people to differentiate payments sent to me. If it's needed you can already shard payments by grinding the prefix to differentiate. https://wiki.unsystem.net/en/index.php/DarkWallet/Stealth#Comparing_prefixes

I prefer a simple proposal that does one thing rather than trying to second guess every possible future use case we're not aware of yet. It's the UNIX philosophy: https://en.wikipedia.org/wiki/Worse_is_better
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile WWW
August 04, 2014, 06:39:16 PM
 #10

Already we seem to have not learned from the experience with this kind of address in Bytecoin/Monero/etc.—  Payment IDs are an important feature but also a usability challenge with the way they're implemented in BCN/XMR/.... Right now with the way dark wallet implements this if you ask two different parties to pay you with the same address and only one of them does, you cannot tell which one paid you.
How is this any different than the problem we have right now without stealth addresses?

1) Some merchant uses a blockchain.info wallet containing a single address to accept payments (yes, people really do this).
2) They give the address to two customers.
3) Only one customer pays.
4) Merchant doesn't know which customer paid without asking them.

It doesn't make sense to delay stealth addresses because they don't solve every problem.
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2702
Merit: 2156



View Profile
August 04, 2014, 06:50:25 PM
 #11

Already we seem to have not learned from the experience with this kind of address in Bytecoin/Monero/etc.—  Payment IDs are an important feature but also a usability challenge with the way they're implemented in BCN/XMR/.... Right now with the way dark wallet implements this if you ask two different parties to pay you with the same address and only one of them does, you cannot tell which one paid you.
How is this any different than the problem we have right now without stealth addresses?

1) Some merchant uses a blockchain.info wallet containing a single address to accept payments (yes, people really do this).
2) They give the address to two customers.
3) Only one customer pays.
4) Merchant doesn't know which customer paid without asking them.

It doesn't make sense to delay stealth addresses because they don't solve every problem.
Virtually all merchants (and, by definition, all competent merchants) use unique addresses in Bitcoin. This is widely supported, widely practiced, etc.   The fact that you can screw it up and a few people do is no excuse to make an uncommon mistake mandatory.

"Stealth addresses" as currently proposed break what already works pretty severely— using a different address per user makes scanning have a quadratic cpu costs in the number of payments you receive. Bytecoin/monero/etc. have payment IDs which address the issue, though the don't have a way to serialize them with the address— so they get accidentally left out a lot, which seems like an easy-to-address shortcoming.

Making stealth addresses "tip jar only" makes them far less interesting. There is no reason that all payments couldn't be done with this kind of address— assuming it was well constructed, and users would be much less private if only a narrow usecase uses them.
gmaxwell
Staff
Legendary
*
Offline Offline

Activity: 2702
Merit: 2156



View Profile
August 04, 2014, 06:58:07 PM
 #12

On the Payment Ids issue - if 2 people are sending to me anonymously why not create a "satoshi" string at the end.
For example
Justus owes me 1 BTC as does you for a service -
I work with Justus and have him send me 1.00001234 string and gmaxwell is 1.00001235
Thats pretty inefficient and not very private.  It would be straightforward enough to just allow a suffix on addresses e.g. 

B123456789BCDFG-00001  and encrypt the suffix using the negotiated  ephemeral key and include it in the aux data.
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile WWW
August 04, 2014, 06:58:17 PM
 #13

There is no reason that all payments couldn't be done with this kind of address— assuming it was well constructed, and users would be much less private if only a narrow usecase uses them.
So the entire Bitcoin ecosystem should wait around for your NIH solution to be ready instead of taking advantage of the immediate improvement that's available right now?
genjix
Legendary
*
Offline Offline

Activity: 1232
Merit: 1000


View Profile
August 04, 2014, 07:03:13 PM
 #14

can you explain payment ids? how do users make sense of the data?

say a website posts a single address, users send payments to it... at some point the user has to send something to the website so they know which payment is which... why don't they just transmit the decrypted shared secret that only the sender should have? that way the website knows it was them that sent the payment.

or if the website sends a nonce to the user so they can make repeating payments then the website can issue the same stealth address but with different prefixes for each user. that makes it highly efficient for the website to receive payments by scanning a single stealth address and separating based on their stealth_prefix into different users.
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile WWW
August 05, 2014, 01:14:34 PM
 #15

https://twitter.com/anonymouscoin/status/496513836133154816
laurentmt
Sr. Member
****
Offline Offline

Activity: 386
Merit: 250


View Profile
August 05, 2014, 04:18:47 PM
 #16

"Stealth addresses" as currently proposed break what already works pretty severely— using a different address per user makes scanning have a quadratic cpu costs in the number of payments you receive. Bytecoin/monero/etc. have payment IDs which address the issue, though the don't have a way to serialize them with the address— so they get accidentally left out a lot, which seems like an easy-to-address shortcoming.
Seems to me that the payment protocol solves this problem. The merchant should look for tx(s) received in Payment messages, not for stealth payments.
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile WWW
September 11, 2014, 12:44:32 AM
 #17

Bitcore PoC: https://github.com/ryanxcharles/bitcore2/blob/master/lib/expmt/stealthmessage.js
BurtW
Legendary
*
Offline Offline

Activity: 2408
Merit: 1027

All paid signature campaigns should be banned.


View Profile WWW
September 18, 2014, 03:25:47 PM
 #18

If I want to actually use a stealth address right now, for example publish one in my signature, what are my options?

If I were to publish a stealth address in my signature would anyone be able send me BTC?

Has the specification been completed or are the details still being hashed out?  If there is a specification where can it be found?

I obviously really like this idea and I just want to get a sense of where we are at on it and learn more about the technical details with an eye to contributing in some way.

Privacy/fungibility is a hot topic item for me.  I am a very experienced programmer (>30 years of experienced) with very good cryptographic and Bitcoin knowledge.  Where is the most effective and current work being done on this idea?  In other words, where would I go to be most effective in my contributions?

Our family was terrorized by Homeland Security.  Read all about it here:  http://www.jmwagner.com/ and http://www.burtw.com/  Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile WWW
September 18, 2014, 03:33:13 PM
 #19

If I want to actually use a stealth address right now, for example publish one in my signature, what are my options?

If I were to publish a stealth address in my signature would anyone be able send me BTC?
Right now I believe you'd have to be using Dark Wallet to receive stealth address payments.

Also, only Dark Wallet is capable of sending to stealth addresses, but as noted above at least one other client is actively working to implement DW-compatible stealth addresses

Has the specification been completed or are the details still being hashed out?  If there is a specification where can it be found?
It's complete enough to be implemented in Dark Wallet (which Works For Me, despite it's scary alpha warning)

This the only documentation I know of:

https://wiki.unsystem.net/en/index.php/DarkWallet/Stealth

BurtW
Legendary
*
Offline Offline

Activity: 2408
Merit: 1027

All paid signature campaigns should be banned.


View Profile WWW
September 18, 2014, 04:34:06 PM
 #20

Thanks!  I will read up on it.

gmaxwell:  what is your opinion on this?  Seems like you are saying that it is a good idea but not yet ready for prime time (needs more work)?  Or, is the DW specification good enough to implement in other wallets and get this thing off the ground?

Our family was terrorized by Homeland Security.  Read all about it here:  http://www.jmwagner.com/ and http://www.burtw.com/  Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!