Stealth address (anonymous payments)

Abdussamad

legendary

Activity: 3682

Merit: 1580

Quote from: bitpop on April 22, 2014, 04:12:02 AM

I'm under the assumpion they send to a normal address which is randomly generated. Then they give you the nonce so you know which one. Perhaps you're also thinking of getting the private key which isn't possible but part of receive.

Try forcing the nonce in the send function.

I am thinking of a random observer who has two public pieces of data i.e. the nonce, which was posted on some forum somewhere as outlined in the stealth address docs, and the stealth address which he suspects is the intended recipient of the coins. He wants to connect the two and the only way to do that is to derive the regular bitcoin address (using just the nonce and stealth address) and then check if that regular address has coins in it. The diffie-helman key exchange seems to make that impossible.

bitpop

legendary

Activity: 2912

Merit: 1060

Quote from: Abdussamad on April 22, 2014, 04:09:32 AM

Quote from: bitpop on April 22, 2014, 02:59:30 AM

Quote from: Abdussamad on April 21, 2014, 07:41:15 PM

Sorry, to bump up this thread but I have a question regarding stealth addresses. If you only have the stealth address and the nonce can you derive the "normal" bitcoin address to which the payment was made?

I think so because that's how the payer pays

Well I'm not an expert but it doesn't look like its possible without the private key behind the stealth address or the key pair the payer generated.

initiate stealth: https://github.com/spesmilo/sx/blob/master/src/sx-stealth-send
uncover stealth: https://github.com/spesmilo/sx/blob/master/src/sx-stealth-recv

In my scenario only the stealth address and nonce are known. S1 and c are not known.

I'm under the assumpion they send to a normal address which is randomly generated. Then they give you the nonce so you know which one. Perhaps you're also thinking of getting the private key which isn't possible but part of receive.

Try forcing the nonce in the send function.

Abdussamad

legendary

Activity: 3682

Merit: 1580

Quote from: bitpop on April 22, 2014, 02:59:30 AM

Quote from: Abdussamad on April 21, 2014, 07:41:15 PM

Sorry, to bump up this thread but I have a question regarding stealth addresses. If you only have the stealth address and the nonce can you derive the "normal" bitcoin address to which the payment was made?

I think so because that's how the payer pays

Well I'm not an expert but it doesn't look like its possible without the private key behind the stealth address or the key pair the payer generated.

initiate stealth: https://github.com/spesmilo/sx/blob/master/src/sx-stealth-send
uncover stealth: https://github.com/spesmilo/sx/blob/master/src/sx-stealth-recv

In my scenario only the stealth address and nonce are known. S1 and c are not known.

bitpop

legendary

Activity: 2912

Merit: 1060

Quote from: Abdussamad on April 21, 2014, 07:41:15 PM

Sorry, to bump up this thread but I have a question regarding stealth addresses. If you only have the stealth address and the nonce can you derive the "normal" bitcoin address to which the payment was made?

I think so because that's how the payer pays

Abdussamad

legendary

Activity: 3682

Merit: 1580

Sorry, to bump up this thread but I have a question regarding stealth addresses. If you only have the stealth address and the nonce can you derive the "normal" bitcoin address to which the payment was made?

bitpop

legendary

Activity: 2912

Merit: 1060

Quote from: Kosta# on January 30, 2014, 04:13:47 AM

Quote from: tacotime on January 21, 2014, 08:10:06 AM

Sender uploads a pubkey and nonce (secret which appears as a bunch of random characters) to the network via OP_RETURN function, and sends some money to the generated address

Just to make sure I got it right: by the pubkey you mean stealth-address, and by nonce you mean private-key-to-actual-address encrypted by pubkey/stealth-address. Is it correct?

Nonce could literally mean nonce which you use against a curve

Kosta#

newbie

Activity: 55

Merit: 0

Quote from: tacotime on January 21, 2014, 08:10:06 AM

Sender uploads a pubkey and nonce (secret which appears as a bunch of random characters) to the network via OP_RETURN function, and sends some money to the generated address

Just to make sure I got it right: by the pubkey you mean stealth-address, and by nonce you mean private-key-to-actual-address encrypted by pubkey/stealth-address. Is it correct?

piotr_n

legendary

Activity: 2053

Merit: 1356

aka tonikt

Quote from: Peter Todd on January 22, 2014, 12:27:21 PM

Your homework problem: read the paper where that's explained and tell everyone else here how that works. Grin

yeah... I wouldn't wait for it, though.
I don't remember doing homework even back at school - no way to start it now

Peter Todd

legendary

Activity: 1120

Merit: 1152

Quote from: piotr_n on January 22, 2014, 03:59:53 AM

Quote from: Peter Todd on January 21, 2014, 02:50:11 PM

FWIW most people don't realize this, but multiple non-clustered addresses reduces your privacy when you use SPV nodes to query peers for blockchain data relevant to your wallet: http://www.mail-archive.com/[email protected]/msg03612.html

But how do you then see using stealth addresses in SPV nodes?

Your homework problem: read the paper where that's explained and tell everyone else here how that works. Grin

e4xit

sr. member

Activity: 302

Merit: 250

Quote from: Peter Todd on January 21, 2014, 11:58:57 AM

---snip---
The spec we're working on for them supports the use of a separate private key for decrypting the nonces so that you can keep that key, and only that key, online and the private keys required to spend the funds totally offline. Usually you'd use two or three keys in total in a 2-of-2 or 2-of-3 scheme with the "decrypt" key being necessary, but not sufficient, to spend the funds.
---snip---

Nice! I'm sure I didn't notice this when I read the run-through you posted on Sourceforge!
Edit: archive of the mailing list on SF

piotr_n

legendary

Activity: 2053

Merit: 1356

aka tonikt

Quote from: Peter Todd on January 21, 2014, 02:50:11 PM

FWIW most people don't realize this, but multiple non-clustered addresses reduces your privacy when you use SPV nodes to query peers for blockchain data relevant to your wallet: http://www.mail-archive.com/[email protected]/msg03612.html

But how do you then see using stealth addresses in SPV nodes?

Peter Todd

legendary

Activity: 1120

Merit: 1152

Quote from: jl2012 on January 21, 2014, 01:08:16 PM

What if I have multiple identities? Is it possible to have many different stealth addresses which are all controlled by a single private key, while no one could tell these addresses are related?

That's not possible unfortunately. Just a limitation of how the underlying cryptography primitive works; I'd be very interested if anyone can come up with a way to do it without that limitation.

FWIW most people don't realize this, but multiple non-clustered addresses reduces your privacy when you use SPV nodes to query peers for blockchain data relevant to your wallet: http://www.mail-archive.com/[email protected]/msg03612.html

Lots of engineering trade-offs here.

jl2012

legendary

Activity: 1792

Merit: 1111

Quote from: Peter Todd on January 21, 2014, 12:56:50 PM

Quote from: piotr_n on January 21, 2014, 12:25:25 PM

Still you need to try decrypting each nonce with each private key you have ever issued, in order to find out if a certain tx actually belongs to your wallet - did I get that part correct?
What I mean is: if you have issued like 1000 stealth addresses and 50% of the transactions use stealth-type outputs, then I don't really envy your node. That is more like a designing of a disaster Wink

My thinking is that a wallet would only use a single stealth address, so you only need to test tx's matching your adjustable prefix (a bandwidth/anonymity tradeoff) against the single key. Disambiguating payments could be done with a encrypted "payment ID", or just by value and time. (quite sufficient I think for individuals)

After all, the whole point of stealth addresses is that you only need a single one! The idea came about when we were trying to figure out how to put a bitcoin address in a OpenPGP key yet still keep payments to that address private.

What if I have multiple identities? Is it possible to have many different stealth addresses which are all controlled by a single private key, while no one could tell these addresses are related?

Peter Todd

legendary

Activity: 1120

Merit: 1152

Quote from: piotr_n on January 21, 2014, 12:25:25 PM

Still you need to try decrypting each nonce with each private key you have ever issued, in order to find out if a certain tx actually belongs to your wallet - did I get that part correct?
What I mean is: if you have issued like 1000 stealth addresses and 50% of the transactions use stealth-type outputs, then I don't really envy your node. That is more like a designing of a disaster Wink

My thinking is that a wallet would only use a single stealth address, so you only need to test tx's matching your adjustable prefix (a bandwidth/anonymity tradeoff) against the single key. Disambiguating payments could be done with a encrypted "payment ID", or just by value and time. (quite sufficient I think for individuals)

After all, the whole point of stealth addresses is that you only need a single one! The idea came about when we were trying to figure out how to put a bitcoin address in a OpenPGP key yet still keep payments to that address private.

prezbo

sr. member

Activity: 430

Merit: 250

Quote from: piotr_n on January 21, 2014, 12:25:25 PM

Still you need to try decrypting each nonce with each private key you have ever issued, in order to find out if a certain tx actually belongs to your wallet - did I get that part correct?

That is correct but I don't think it's that much of an overhead.

Quote

What I mean is: if you have issued like 1000 stealth addresses and 50% of the transactions use stealth-type outputs, then I don't really envy your node. That is more like a designing of a disaster Wink

I don't really see how one would benefit from more than one stealth address though.

piotr_n

legendary

Activity: 2053

Merit: 1356

aka tonikt

Quote from: Peter Todd on January 21, 2014, 11:58:57 AM

The spec we're working on for them supports the use of a separate private key for decrypting the nonces so that you can keep that key, and only that key, online and the private keys required to spend the funds totally offline. Usually you'd use two or three keys in total in a 2-of-2 or 2-of-3 scheme with the "decrypt" key being necessary, but not sufficient, to spend the funds.

Oh, thanks for explaining.
In such case it is much better design that I had though.
Sorry for doubting in you

Still you need to try decrypting each nonce with each private key you have ever issued, in order to find out if a certain tx actually belongs to your wallet - did I get that part correct?
What I mean is: if you have issued like 1000 stealth addresses and 50% of the transactions use stealth-type outputs, then I don't really envy your node. That is more like a designing of a disaster Wink

Peter Todd

legendary

Activity: 1120

Merit: 1152

Quote from: piotr_n on January 21, 2014, 11:46:09 AM

All I can tell you about stealth addresses is: good luck using them with a cold wallet!

The only way to figure out which outputs belong to your wallet goes through decrypting every possible nonce with each private key that you have ever used for a "stealth address".
It is a huge overhead in the client and IMHO implementing this idea is just not worth all the effort - considering that it does not really improve privacy more than sending a regular unique address to each of your payers, using an actually encrypted channel. So personally I would rather suggest to focus on providing a proper encryption for sending a bitcoin addresses to other parties.

Incorrect.

The spec we're working on for them supports the use of a separate private key for decrypting the nonces so that you can keep that key, and only that key, online and the private keys required to spend the funds totally offline. Usually you'd use two or three keys in total in a 2-of-2 or 2-of-3 scheme with the "decrypt" key being necessary, but not sufficient, to spend the funds.

Regarding a unique address for each payer, the idea behind stealth addresses is to make the process of getting funds more convenient so that using bitcoin in the most private way is always simple and easy rather than annoying. Stealth addresses are a form of "proper encryption" for sending a bitcoin address to other parties.

piotr_n

legendary

Activity: 2053

Merit: 1356

aka tonikt

All I can tell you about stealth addresses is: good luck using them with a cold wallet!

The only way to figure out which outputs belong to your wallet goes through decrypting every possible nonce with each private key that you have ever used for a "stealth address".
It is a huge overhead in the client and IMHO implementing this idea is just not worth all the effort - considering that it does not really improve privacy more than sending a regular unique address to each of your payers, using an actually encrypted channel. So personally I would rather suggest to focus on providing a proper encryption for sending a bitcoin addresses to other parties.

bitpop

legendary

Activity: 2912

Merit: 1060

Isn't there a similar bip coming?

Peter Todd

legendary

Activity: 1120

Merit: 1152

tacotime: That's encrypted nonce. I think using the word encrypted is what makes it "click" for people. Also, point out that a nonce is just "a random number used once" (edit: oh, no you did, good!)

Topic: Stealth address (anonymous payments) (Read 3118 times)