Author

Topic: Crypto question: Attaching metadata to a receive address. (Read 589 times)

hero member
Activity: 714
Merit: 500
Yeah the output `e` would be a scalar.  But when it is multiplied with the issuer_public_key point, would the resulting `contract_point` not be a valid elliptic curve point?
Imagine that e is 0.


Yeah ok, barring the exceptional case that the hash of the metadata comes to zero but that seems pretty unlikely Smiley
staff
Activity: 4284
Merit: 8808
Yeah the output `e` would be a scalar.  But when it is multiplied with the issuer_public_key point, would the resulting `contract_point` not be a valid elliptic curve point?
Imagine that e is 0.
hero member
Activity: 714
Merit: 500
The output of SHA256 is not guaranteed to be a valid point, so as described this procedure can fail.

Yeah the output `e` would be a scalar.  But when it is multiplied with the issuer_public_key point, would the resulting `contract_point` not be a valid elliptic curve point?

Im basing it on the post from Stefan Thomas ...


So how about this.

The recipient publishes their public ECDSA point P.

A sender generates a JSON metadata object M and calculates its hash e = SHA256(M). The sender then calculates a new public point PM = P * e. Next, the sender creates a transaction sending the money to the address RIPE160(SHA256(PM)). Finally, he transmits M to the recipient through a secure channel - this could be sent directly via HTTPS, encrypted email, etc. or perhaps left as an message in a DHT, encrypted with ECDH and the recipient's public point P as the key.


Edit: to include quote.
staff
Activity: 4284
Merit: 8808
The output of SHA256 is not guaranteed to be a valid point, so as described this procedure can fail.
hero member
Activity: 714
Merit: 500
I need to generate a receive address that is directly associated with some metadata, M, that forms part of a verifiable contract.

I require that customers can verify that an address really was generated from a specific contract message, but I do not want them to have the private key to the address.

I obviously don't want to bloat the blockchain nor do I wish to use non-standard transactions. P2SH is also not possible as it is still largely unsupported by many online wallet providers.

So here is my first attempt, based on (https://bitcointalksearch.org/topic/transaction-metadata-do-we-need-an-opdrop-transaction-type-108423) ...

# generate an EC key pair for the company
issuer_public_key = issuer_private_key * G

# create a contract message string, M
M = 'Terms of contract bla bla and also includes issuer_public_key for safety'

# generate a hash of the message
e = SHA256(M)

# create an EC point that is known to both parties
contract_point =  (e * issuer_public_key)

# generate a public key for this contract to form our receive address. Customer agrees to contract when they send BTC to receive address.
receive_public_key = contract_point + issuer_public_key

# the private key for the receive address is thus
receive_private_key = contract_point + issuer_private_key


Feedback much appreciated Smiley
Jump to: