Author

Topic: Что за confirmation code? (Read 953 times)

legendary
Activity: 1442
Merit: 1016
April 25, 2015, 11:58:16 AM
#2
https://github.com/bitcoin/bips/blob/master/bip-0038.mediawiki#confirmation-code

Confirmation code

The party generating the Bitcoin address has the option to return a confirmation code back to owner which allows owner to independently verify that he has been given a Bitcoin address that actually depends on his passphrase, and to confirm the lot and sequence numbers (if applicable). This protects owner from being given a Bitcoin address by the second party that is unrelated to the key derivation and possibly spendable by the second party. If a Bitcoin address given to owner can be successfully regenerated through the confirmation process, owner can be reasonably assured that any spending without the passphrase is infeasible. This confirmation code is 75 characters starting with "cfrm38".

To generate it, we need flagbyte, ownerentropy, factorb, derivedhalf1 and derivedhalf2 from the original encryption operation.

    ECMultiply factorb by G, call the result pointb. The result is 33 bytes.
    The first byte is 0x02 or 0x03. XOR it by (derivedhalf2[31] & 0x01), call the resulting byte pointbprefix.
    Do AES256Encrypt(block = (pointb[1...16] xor derivedhalf1[0...15]), key = derivedhalf2) and call the result pointbx1.
    Do AES256Encrypt(block = (pointb[17...32] xor derivedhalf1[16...31]), key = derivedhalf2) and call the result pointbx2.
    Concatenate pointbprefix + pointbx1 + pointbx2 (total 33 bytes) and call the result encryptedpointb.

The result is a Base58Check-encoded concatenation of the following:

    0x64 0x3B 0xF6 0xA8 0x9A + flagbyte + addresshash + ownerentropy + encryptedpointb

A confirmation tool, given a passphrase and a confirmation code, can recalculate the address, verify the address hash, and then assert the following: "It is confirmed that Bitcoin address address depends on this passphrase". If applicable: "The lot number is lotnumber and the sequence number is sequencenumber."

To recalculate the address:

    Derive passfactor using scrypt with ownerentropy and the user's passphrase and use it to recompute passpoint
    Derive decryption key for pointb using scrypt with passpoint, addresshash, and ownerentropy
    Decrypt encryptedpointb to yield pointb
    ECMultiply pointb by passfactor. Use the resulting EC point as a public key and hash it into address using either compressed or uncompressed public key methodology as specifid in flagbyte.

Decryption

    Collect encrypted private key and passphrase from user.
    Derive passfactor using scrypt with ownersalt and the user's passphrase and use it to recompute passpoint
    Derive decryption key for seedb using scrypt with passpoint, addresshash, and ownerentropy
    Decrypt encryptedpart2 using AES256Decrypt to yield the last 8 bytes of seedb and the last 8 bytes of encryptedpart1.
    Decrypt encryptedpart1 to yield the remainder of seedb.
    Use seedb to compute factorb.
    Multiply passfactor by factorb mod N to yield the private key associated with generatedaddress.
    Convert that private key into a Bitcoin address, honoring the compression preference specified in the encrypted key.
    Hash the Bitcoin address, and verify that addresshash from the encrypted private key record matches the hash. If not, report that the passphrase entry was incorrect.
member
Activity: 63
Merit: 10
April 21, 2015, 05:12:42 AM
#1
Всем привет.

Вчера делал платеж на одном сайте. Кликнул на url с адресом и суммой оплаты и после оплаты получил следующее сообщение:



Первый раз такое вижу, хотя плачу биткоинами довольно часто.

Гугление ничего не дало, хотелось бы почитать про то, что это за сonfirmation code и как он работает. Буду рад, если кто-нибудь поделиться информацией.
Jump to: