Topic: What is the status of the stealth addresses? - page 2. (Read 2834 times)

That's very useful - thanks!

You are getting mixed up.

First let's see what you have to do first to send to a stealth address:

1. check the checksum! (convert from base58 to hex, strip last 4 bytes, SHA256 twice, compare first 4 bytes with checksum, if match then continue)
2. check if mainnet
3. check version byte (not used)
4. check N (number of keys for multisig)
5. check required number of sigs (for multisig)

6. create a new pub/priv keypair (lets call its pubkey "ephemkey" and privkey "e")
7. IF there is a prefix in the stealth address, brute force a nonce such that SHA256(nonce.concate(ephemkey)) first 4 bytes are equal to the prefix. IF NOT, then just run through the loop once and pickup a random nonce. (probably make the while condition include "or prefix = null" or something to that nature.
8. Once you have the nonce and the ephemkey, you can create the first output, which is 9. Now use ECC multiplication to calculate e*Q where Q = scan_pubkey and e = privkey to ephemkey and then hash it.
10. That hash is now "c". use ECC multiplication and addition to calculate D + (c*G) where D = spend_pubkey, and G is the reference point for secp256k1. This will give you a new pubkey. (we'll call it D')
11. Create a normal P2KH output spending to D' as public key.
12. make the tx with the two outputs from #8 and #11 and broadcast it. (Don't forget to create any change outputs you need!)

Edit: I forgot to say, if it is multisig, then repeat #10 for every spend_pubkey, A becomes A' B becomes B' etc... then take all the pubkeys from A' B' C' D' etc etc. and make a p2sh multisig address. Then in step 11 create normal P2SH output to multisig. so with multisig only #10 and #11 will change. everything else is same.

I'm still a bit confused, to be honest.
I wanted to use DW to send some money to my own stealth addresses, just to see how it works.
But my transactions have been pending for days already, so I am now trying to send it myself, using my own s/w.

Anyway, please explain me one thing. I have a stealth address with two public keys: scanKey and spendKey - I want to send some coins there.
So what I would do is:

1. I pick up a secret C - some random 32 bytes

2. Do I have to do anything with C here???

3. I calculate C*scanKey - and put it inside the first null-ouptut, like this:

4. I calculate C*spenKey - and use it in the next output (one that actually spends the coins):

5. I sign and broadcast the transaction.


In general it seems pretty clear, but the devil is in the details.
Obviously I want my txs to be compatible with the existing solution (not just with my own), so I have these questions:
1. Do I need to do anything with my random C, between point 1 and 3?
2. You have this StealthDH() function that takes X from a result of EC multiplication, prefixes it with 03 and then does sha256 on it - at which point is it actually used?
3. The 4 random bytes in point 3 - are they just random, or what?

Cool, keep us updated!

sorry, never mind - I was printing wrong values.
didn't realize that pub.x.x is not the actual x.
what a sucker I am

now everythign makes much more sense.

That is what I had initially thought, but the thing is that for the example test vector:

... the JS function returns:

while the EC multiplication k*(x,y) that I have here would return:

Also, bip32 code may be doing similar calculations.

That's elliptic curve point multiplication, you should have a library in your language of preference taking care of that.

The sx implementation uses an old spec, we just published some more information about how we do it in darkwallet:

https://bitcointalksearch.org/topic/stealth-addresses-in-darkwallet-592518

We have some test vectors in our unit tests, check the above link, i can provide you test vectors in a different format if you so prefer.

I would say is the status now is need to make a spec but it should be production ready (the stealth address idea), we have it working in real world and seems to work as advertised.

OK. It seems that I have a proof of concept software that I am able to run and use as a reference.
Now, if someone could please advise me...
This function (that's javascrip from the darkwallet):

It seems to multiply this(x,y,z) point, by a big int k - to return R(x,y,z)

Non-Adjacent Form - right, that explains a lot!
Except that I have no idea what it means

Anyway, such a function had not been used for anything else in Bitcoin before - had it?
I mean, I need to code it in, if I want my wallet to be able to send coins to stealth addresses - right?

Is there some simpler (less optimized) version of such a function?
One that would operate solely on big-int arithmetic, instead of this for/if/bit/add stuff?
Just so I'd be able to understand what it actually does and the actual math behind it.

Thanks, but this one didn't solve it.
Other issues. Seems to need boost 1.49 when my OS has 1.46. After changing the script to use 1.46, still crashes on building getx_responder.lo

EDIT:
nvm, took me a few hours, but somehow managed to build it already.
but it doesn't even seem to support the "New stuff" so it doesn't really help me.

EDIT2:
Found it: https://wiki.unsystem.net/index.php/DarkWallet/Stealth

Yeah, common problem. Try this script instead:

https://github.com/mastercoin-MSC/install-msc/blob/master/res/install-sx.sh

Ref: https://bitcointalksearch.org/topic/m.6099554

I tried that today but cannot get this sx tool to build on my Ubuntu.
So I cannot execute these commands.

Also I'm curious about the encryption part and how the actual transaction looks inside.
I guess there is some extra null output with this encrypted nonce.

I'm asking about a format of a stealth payment transaction - is such thing even defined yet?

https://en.bitcoin.it/wiki/Sx/Stealth
http://sx.dyne.org/

I'm kind of bored recently and even though I was never very enthusiastic about the stealth addresses, it still seems to be the most exciting feature to add to my wallet software.
I know that there are all kind of mailing lists with less and more outdated specs flying around, but since I don't monitor them, could anyone please update me on the most recent status?

Today I have been playing with DarkWallet a bit and from what I see each wallet there has by default one stealth address assigned to it.
I also figured out what this address represents.
For all I know, there are two public keys - one is to encrypt the message (nonce or whatever it is called), while the other one is there to calculate the actual destination for the coins that are being spent.

So, for instance, I got an address vJmyoyfHgvkW2fRbqpANQircWiWDFMHtzyUxbcGsnUCX6z1jEjfArypDBNMeQdmsczkLVoSwYRZ5pS8 YAxxQY7Q2m8SUXB2sZWjB6q - it decodes to:

Now, I want to extend my wallet so it would be able to send coins to such an address.
How do I build the transaction?

Is there any spec that I can read?
Any actually working code that makes a transaction which sends money to such an address?