Topic: Order ID in a new transaction type? (Read 7050 times)

I was answering a different question and came up with the following:


It’s a form of check in bitcoin. The key idea is that the receiver adds a well formed transaction to the block chain, not the sender. This can be made to solve the merchant problem as well without having to add a new transaction type to the block chain. It would work as follows:

Define  a well formed Transaction as Tw.
Define a covered transaction, Tc, as one where a field in the transaction is “covered” redering the transaction invalid as far as the normal client is concerned.
Assume the sender uses the receiver’s public key to generate the cover in such a manner that only the receiver (using his private key) can uncover it.
So, the sender starts by creating a well formed transaction Tw. He then covers it using the receivers public key producing Tc. He sends Tc to the receiver out of band (it’s exported from the client and sent in some other transaction, encoded for pasting in an email for example.) Only the receiver can uncover Tc to produce Tw which he can check and submit to the network if he wants to cash the check.

One detail. The sender should put the amount of the check into a single public key he owns before creating the check. The sender can effectively cancel the check by sending himself the amount of the check from that key. If his cancel went in before  the merchant’s cashing of the check then the check is canceled. If the merchant got Tw published first then the cancel is too late. This mechanism allows an effective expiration time limit on the check.

what if

-customer checks out using form
-server encrypts, sends to somewhere running mail::gpg perl script
-decrypts, parses email form into database
-creates a reply email, inserts either one of the bulk generated bitcoin addresses or uses bitcoind to generate one
-sends customer an email invoice saying 'here's your payment address. give it to this exchanger kthx'
-sends merchant an encrypted copy for records/shipping
-nukes all history out of the database

bonus if it can parse a gpg key the customer optionally sends and encrypt their reply email with it.

or just populate sql database with mybitcoin addresses and present a page on checkout with info and address, and email customer same info..?

I see a couple of issues:

* If you have a limited number of public keys, information about the merchant's transaction volume is still leaked when the merchant spends their revenue coins.  Normally you'd be able to guess the merchant's profit margin, so just divide the outgoing transactions by (1 - profit_margin) to calculate the original revenue and transaction volume.

* Verifying funds received still needs to be done, so a bitcoind connection still has to be established before shipping.  If bitcoind interaction is required, might as well generate a batch of keys every hour or every day.

So it seems to me that generating unique transactions keys in batch and ahead of time is still the way to go.

Satoshi has a bunch of features that he 'figured out from the start' that are not implemented yet; I'll ask him if this is one of them after I figure out exactly what feature I want and convince myself it is possible to do securely.  So I'm going to try to gather my thoughts and see if there is much point:

This is the main problem I was trying to solve:

• A merchant's website should give the customer a unique payment address during the chekcout process.  Ideally, generating that unique address would be done entirely on the web server without requiring a RPC call to a bitcoind process running somewhere.

Communicating with bitcoin or some merchant-services website during the checkout process adds another possible point of payment failure-- it is better for the merchant if their customers can continue to pay them even if their bitcoin daemon (or MyBitcoin or MtGox merchant services) is temporarily down for maintenance.

OP_OVER OP_ADD solves that problem, and, thinking about it, has some other very nice properties.  Here's how it would work in practice:

1. Merchant gets one or more public keys to use for payments.  They're stored in the web server's database.

2. Customer checks out:  web server computes HASH160(public_key+order_id), and converts the result to a bitcoin address version#2 (first byte is not base58-encoded-0, but something else).

3. That bitcoin address makes its way to bitcoin software running on the customer's machine (or at an online wallet service).  Since it is a version#2 address, bitcoin creates an OP_OVER OP_ADD.... transaction for it instead of an OP_DUP ... transaction.

4. Merchant's web server software tells a bitcoind running somewhere "if you see payments to HASH160(public_key+order_id), that's one of mine."

5. When the merchant want's to spend the bitcoins it got from the customer, it has to tell a bitcoind running somewhere the public_key,order_id pair.


If the merchant doesn't completely trust the payment processor then keeping steps (4) and (5) separate is very nice-- the payment processor can't spend the merchant's bitcoins until the merchant tells them the order_ids  (merchant would have to use truly random order_ids to be completely safe, of course).

And, as noted before, this is a little more private than standard bitcoin transactions because the public key isn't revealed until the coins are spent.

True. You'd want to add the hash of the public key to the random number instead of the full public key, though, or else address transactions won't be possible.

... I think that's right, you don't need the OP_OVER OP_ADD.  You have to know the random number to generate a valid signature, given only its hash.

You'd have to be very careful NEVER to use the same random number anybody else has ever used or will ever use; if your 'random' number is an order number (or even common-hash-of-an-order-number) then you're sunk, anybody can generate a valid triple.

For two extra bytes per transaction it might be better to hash in the public key, just so people don't shoot themselves in the foot.

Is OP_ADD necessary? It prevents address payments, and the hash of the random number is already unguessable.

Well.. it's already possible to see who paid you using the block navigator... as long as they paid from a 'known' address...

How about we have single use sending accounts.. you could assemble the funds for making payment into a temporary local account from your other accounts and then send it on to the merchant's public bitcoin address.

You can then prove it was you that sent it by sending the merchant the private key for this temporary wallet address. The wallet nolonger contains any coins as you already sent them to the merchant's public address but they can see that this wallet is where the coins came from. You'd want to serialize these temporary wallet files into some format that could easily be pasted into an email.

Large merchants probably would want to use single use receiving addresses as it's easier to automate but single use source addresses could be made to work for small merchants that have static html websites and take orders through email - which may well be our best bet for growing the bitcoin market.. small businesses that can start taking bitcoin payments simply by adding a bitcoin address to their website may just do it to see if they get any orders.

If this were easy then surely Satoshi would have implemented it from the start; after all the address is one step removed from the public key presumably to prevent offline attacks trying to find the private key. It seems like you're looking to be another step removed. Is there much point?

ByteCoin

Actually, falling asleep last night I realized what I proposed would be yet another variation on an 'anybody can claim' transaction (anybody can just choose an r1 that make r1 XOR hash_xor_r1 evaluate to a hash that they own).

I think this would work:
... supply to claim.

I'm not suggesting anything like this get implemented any time soon, I started this thread just to explore what is possible.

Very interesting idea! I added it to the script page on the wiki.

OP_XOR is disabled, unfortunately, so it would require updating everyone.

Although not really the same thing, this reminds me of ArtForz' idea for theymos' bitcoin scratch-off cards.  Seems like a neat and doable idea.

Yeah... I can imagine clever ways of obfuscating it such that you can't tell who's getting paid until they actually sign the transaction and spend the output.  Make the txout something like:
... and to spend the txin is:   (where r1 is a random number used to obfuscate the publicly visible hash160).  Or something like that (I shouldn't be thinking about cryptography when I'm this tired).

Can't you work out how many order and the value the merchant was getting just by looking in the block chain at the number and value of payments to the publicly posted "pay me" address? Surely there's no way around this other than the merchant using a new receiving address for every sale he makes?

It would be useful if you would specify the details of what you are trying to achieve in exhaustive detail as at the moment it is unclear.

It is possible to encode fairly significant amounts of information in currently permissible bitcoin transactions by specifying the random value (often termed k) in the ECDSA signing algorithm.  32 bits could be easily encoded without any significant decrease in security.  

An explanation can be found on the Wikipedia page for Subliminal Channels.

ByteCoin

There's a number of problems with stores and anonymity mainly if the stores hold my information and their servers are broken into or worst then my information is out in the open. So a solution to solving this would be to include a public key with my bitcoin transaction. The store receives my public key and the transaction and my account which is labeled by public key is credited. When I go to make an order on the stores website, I encrypt my order with my private key, the store then receives the encrypted file and decrypts the file which they then process, take the money out of my account and destroy the encrypted contents. This way at no time will my order or information be stored on a database. In addition, the store can prove that I in fact made the order because the complete order information will be encrypted by the same keypair that I sent with the bitcoin transaction.

Yup. Secret sharing. Really easy math wise as well...it's just a system of linear equations IIRC.

Orders can be verified/filled by a system without any external services (eg, only port 8333).

I don't know the crypto side of things-- is it possible to create a half-key which can be combined with another half-key? So for example, the webserver can customize half the key per transaction (leading to unique addresses for the customer), but not have the information to spend that tx until its half-key is combined with the locked-up-safe master-half-key...

But you still need to know when the coins arrive right?

I'm not sure how it's possible to run an online shop that accepts BitCoins without having a node or using something like MyBitcoin. Unless the merchant does it all manually.

Perhaps the real solution is to try and organize people to integrate BitCoin with popular shopping cart software. I know some of it was already done but did the changes make it upstream?

As to keeping the node secure and up to date, hopefully it's secure out of the box and making it auto-update (even on Linux) is probably easier than many alternatives. First step would be to have it provided via an apt repository hosted on bitcoin.org (the official distributions are way too slow).

Right, that was the problem I was hoping to brainstorm about.  I didn't want to re-open the "add data to the transaction database" discussion (I think "add data to the block chain" is misleading, since transaction data isn't actually part of the block-header-chain or transaction-merkle-tree).

I'm still wondering if there is a way to create transactions on the web server, without talking to bitcoind, using a small-ish number of pregenerated public keys, such that each transaction is unique and competitors can't tell how many transactions belong to any particular merchant.

Pre-generating a bunch of keys works, assuming that competitors don't know the pre-generated keys (bad assumption long-term if they keys are re-used, since they could just order a bunch of stuff and note the keys used for paying).

If order IDs are put in transactions the next most common question will become "so how do I stop my competitors finding out my sales volume?".

Agreed with those who say the solution is just better webstore integration, pre-generating keys, or the use of a service like MyBitcoin.