Bytecoin, this is great stuff.
Thanks! I'm glad you've taken the time to understand it.
So B doesn't need to know anything about A in advance, and A only needs a public key of B.
Correct. If addresses are more like public keys instead of their hashes then schemes like this become possible. One can do almost no cryptographically useful operations on a hashed public key.
Even if A picked any transaction he knew belonged to B, he could send him such a transaction, and B would eventually be able to find it if he scanned every transaction, trying all of his keys on each one looking for ones that match.
Yes. There is an obvious implementation detail that would discourage A from sending to the "wrong" address of B which would also shave a few bytes from the size of the public key. Similar concerns would also discourage users from holding too many different active public keys as they provide essentially no additional anonymity and the computational burden increases linearly.
I really like this idea. This makes any key in your wallet a generator of keys/addresses, the next one is generated by whoever is sending you money. And people who know your public key can't identify it as belonging to you.
It means that one can make one backup of one's wallet and then it's safe forever. In the existing situation you need to back up your wallet every time a new "block" of addresses are generated.
My main problem with using this as the primary source of communication is that EC multiplies are expensive, and when transaction volume increases, you're going to be spending a lot of CPU time just scanning new transactions for whether one of them is yours.
The two parties can agree on some easily identified, optional OP_DROP tag for the transactions. Alternatively, the identification of transactions can be handed off to a trusted third party. Remember that full nodes have to verify all transactions anyway and it may be possible to arrange this scheme that one's own transactions can be identified with insignificant extra work as a side-effect of this verification.
The "difficulty" of recognizing transactions is inevitable if you want anonymity. In the current system, to have the same anonymity, each time you want a payment, you have to distribute a new address to your payer. To do this securely you really have to have a public key of theirs already. Some interested party could observe the exchange to compromise the anonymity. They might not know what the consequence of the interaction was but they know that you and your payer were communicating securely for some reason.
Similarly, if B loses his wallet and has to recover from an initial set of keys, that's going to be a very long scan. It gets longer as you receive more transactions, as you accumulate more addresses from which someone could've based another tx to you.
We'd try and avoid this by having B start with one key and by making it difficult for A to send to anything but B's intended key. I'm having trouble thinking of a good justification for having more than one key in a wallet under my scheme.
ByteCoin