Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ----- Today October 25th, 2016 -----
- One-time BOT [12:16 AM]
- I was wondering if you guys saw this idea for one-time receiving Monero stealth addresses, and whether there is something wrong with it. From what I could tell, it seems like a promising and natural way to implementthe functionality of HD wallets in Monero. Here is the SE post: http://monero.stackexchange.com/questions/2469/one-time-receiving-monero-address
- One-time BOT [12:34 AM]
- To be more specific, if the receiver; i.e. the owner of address (A,B) = (aG, bG), picks a number k and shares (C,D) = (a^k A, a^k B) with the sender, then, after the sender chooses random r, forms P = H(rC)G+D, and submits {rG, P, k} to the network, the receiver is able to spend using x = H(a^{k+1}*R)+a^k*b. Also, the view key still works fine in this setup: with k and (a, B), the auditor can still check that P = H(a^{k+1}*R)*G
- jollymort [12:36 AM]
- (C,D) is just another Monero address
- One-time BOT [12:36 AM]
- This way, the wallet owner can produce as many stealth addresses as they wish, and check them all in constant time (as opposed to storint many unrelated keys).
- [12:36]
- Jollymort: That is correct
- jollymort [12:36 AM]
- with the link to (A,B) by means of k
- [12:37]
- you could make any (c,d) into a self-standing monero wallet
- One-time BOT [12:37 AM]
- You could, if you'd like
- jollymort [12:37 AM]
- it's a HD scheme, where you store k's on the blockchain to optimize scanning for outputs
- [12:38]
- to me it looks like the terms are getting mixed up
- [12:38]
- stealth address is never reused as it's generated from an (address + random data)
- [12:38]
- the address here, can be a normal address, or your sub-addres (C,D)
- One-time BOT [12:39 AM]
- Yes, I was referring to the pair (C,D) as a stealth address. I thought that was the convention
- jollymort [12:39 AM]
- nah, stealth address in CryptoNote context is something else
- One-time BOT [12:39 AM]
- I thought P was the one-ttime address produced from it
- jollymort [12:40 AM]
- or I misunderstood it too :slightly_smiling_face:
- One-time BOT [12:40 AM]
- Okay, no problem
- jollymort [12:40 AM]
- just to avoid confusion
- One-time BOT [12:41 AM]
- So, the idea is to use the payment ID field to store k, but I guess that is not written in stone
- jollymort [12:42 AM]
- k would start at 1 and be incremented or just random?
- One-time BOT [12:43 AM]
- I guess that is a matter of preference, and only depends on the implementation on the client side
- jollymort [12:43 AM]
- well, if it's incremented, than many transactions belonging to different users would have the same k
- [12:43]
- and your wallet would scan every one of them
- [12:44]
- (scan = attempt to decrypt with matching (c,d))
- [12:44]
- if it's random, there are some other risks involved
- [12:44]
- like the sender omits the k, and you lose your record of k's issued
- [12:44]
- and then, there's no way to recover the funds
- One-time BOT [12:46 AM]
- Our wallets already scan every tx in the blockchain. The advantage is when compared to naively storing many unrelated keys: receiver scans the tx once for (A, B), and then another time using k, so that is at most two tries per output in the blockchain vs. n on a HD wallet with n unrelated keys
- jollymort [12:47 AM]
- i know. but HD scheme is less risky and more conservative
- [12:47]
- i've been using mycelium since 2014 and i have like 144 different addresses
- [12:47]
- doesn't seem too much
- One-time BOT [12:48 AM]
- Indeed, not including k is a risk. One advantage of having this aproach being enbras=ced by the devs is perhaps having it included in the wallet's code, so that the receiver only broadcasts the tx with k attached to it
- jollymort [12:50 AM]
- well, if you just have some new address scheme, with a few extra chars to encode the `k` and the wallets would reocgnize this...
- One-time BOT [12:50 AM]
- Yeah, I was just realizing that...
- jollymort [12:50 AM]
- you kind of force them to include it
- [12:51]
- like paymentID now
- [12:51]
- (when used in integrated address scheme)
- One-time BOT [12:52 AM]
- Would that require a more profound change in the protocol? Or can we still implement this more or less superficially?
- jollymort [12:52 AM]
- i think no protocol change needed at all
- [12:52]
- just a wallet convention thing
- One-time BOT [12:54 AM]
- Could we just use integrated address, you think? I mean, there is still the possibility that the sender would separate the two in their client, but they would have to actually mean to do that
- jollymort [12:55 AM]
- i guess you could. 1. generate random payment ID, calculate (C,D), create a integrated address of (C,D)+pID and give to sender
- [12:55]
- hell, you could be the only one using this scheme and nobody would know
- [12:55]
- and you'd have your personal HD wallet
- [12:56]
- without anyone else having to change anything
- One-time BOT [12:56 AM]
- So, it is just a matter of programming it into the wallet? Maybe there is even no need to bother the devs about this? :)
- jollymort [12:56 AM]
- if you can code, you could make a branch to experiment with this
- One-time BOT [12:57 AM]
- True. Sounds like a good exercise
- jollymort [12:58 AM]
- just one note
- [12:58]
- i think there's a risk of generating random pID
- [12:58]
- some incremenal k with some hashing should do it
- [12:58]
- no, wait, i'm wrong
- [12:59]
- you can just pretend that every tx with pID is conforming to your scheme and try to decrypti it
- One-time BOT [12:59 AM]
- Yes, that is what I understand too
- jollymort [1:00 AM]
- but generating these pIDs with something like pID=hash((A)+k) where k would be incremental
- [1:00]
- might make everything faster
- [1:00]
- as you could just check the pID first, without trying the decrypt
- [1:01]
- dunno, i'm overthinking it now
- [1:01]
- at first i didn't really like the proposal, but now with this pID scheme i'm kind of getting excited :smile:
- [1:02]
- best part is, you don't have to tell anyone you use this scheme
- [1:02]
- you just give out a integrated address
- [1:02]
- like any other
- One-time BOT [1:03 AM]
- Yes, I think it is pretty cool too!
- jollymort [1:05 AM]
- now I'm not versed in cryptography, so I guess we'd want someone to look at the way you go from (a,b) to (c,d) to be sure it can't be linked back or linked together
- One-time BOT [1:05 AM]
- About your previous comment about the tx with unknown PID, you might want to check that one too, just in the off chance that it was sent to (A,B) and the PID means something else. The sender might decide to put anything as PID after all
- jollymort [1:05 AM]
- pinging our resident amateur-cyryptographer @theking01
- theking01 [1:06 AM]
- yo
- [1:06]
- What's the question?
- One-time BOT [1:06 AM]
- Sure. That is one of the things I was looking for as well. I am not that confident in my understanding of crypto as well
- jollymort [1:07 AM]
- you saw this proposal for HD scheme with passing `k` ?
- theking01 [1:07 AM]
- Me either, but I'm another person, at least.
- [1:07]
- I think so.
- One-time BOT [1:07 AM]
- We would like to know how safe a scheme is. I will copy what a I wrote:
- theking01 [1:07 AM]
- A simply scheme is just to wait for multisig.
- One-time BOT [1:07 AM]
- To be more specific, if the receiver; i.e. the owner of address (A,B) = (aG, bG), picks a number k and shares (C,D) = (a^k A, a^k B) with the sender, then, after the sender chooses random r, forms P = H(rC)G+D, and submits {rG, P, k} to the network, the receiver is able to spend using x = H(a^{k+1}*R)+a^k*b. Also, the view key still works fine in this setup: with k and (a, B), the auditor can still check that P = H(a^{k+1}*R)*G
- theking01 [1:07 AM]
- *simpler
- One-time BOT [1:08 AM]
- Doesn't that solve a different problem?
- jollymort [1:08 AM]
- its could already be simple "generate random payment ID, calculate (C,D), create a integrated address of (C,D)+pID and give to sender"
- [1:08]
- the only change would be on the receiver end
- [1:08]
- for the sender, it'd be just another integrated address
- theking01 [1:09 AM]
- It would appear so, but multisig will actually allow you to solve the problem your trying to solve, I think.
- One-time BOT [1:09 AM]
- This is just so the user doesn't have to handle the same address to different people, websites, exchanges eta
- [1:09]
- etc
- theking01 [1:10 AM]
- Like, what you do is you have a base address P, and for each person you need to send to, you give them the address 2-of-2 P, P'
- jollymort [1:10 AM]
- one-time i think it's a good idea if implemented adequately considering what we discussed
- theking01 [1:11 AM]
- a is view key, right?
- jollymort [1:11 AM]
- yeah
- [1:11]
- a and c
- One-time BOT [1:11 AM]
- @theking01: Maybe. But even if it does, this seems like an elegant way to solve the issue of address reuse
- [1:11]
- Yes
- [1:11]
- And this feels like a low hanging fruit too :)
- theking01 [1:12 AM]
- You would need a new k for every transaction, for one.
- jollymort [1:12 AM]
- no
- [1:12]
- you can reuse it too
- One-time BOT [1:12 AM]
- no
- jollymort [1:12 AM]
- no risk
- [1:12]
- every (C,D) is a regular monero address
- One-time BOT [1:12 AM]
- Every output would still use the random r, just the same as a regular tx
- theking01 [1:12 AM]
- People would see reused k's.
- jollymort [1:12 AM]
- it's just that there's a one-way link (c,d) = f(a,b,k)
- theking01 [1:13 AM]
- If they are one chain.
- [1:13]
- Defeating the reason for stealth addresses.
- jollymort [1:13 AM]
- so what? people reuse payment id's too
- theking01 [1:13 AM]
- *on chain
- jollymort [1:13 AM]
- thing is, nobody could tell the difference
- theking01 [1:13 AM]
- Reusing payment ids are fine if they are encrypted.
- jollymort [1:14 AM]
- i mean, if you give out a integrated address
- theking01 [1:14 AM]
- But clear text payment ID reuse is a problem
- jollymort [1:14 AM]
- all tx sent to it will have same TX_EXTRA data, no?
- theking01 [1:14 AM]
- No
- [1:15]
- If you send to an integrated address twice, the tx extra will be unlinkable.
- [1:15]
- Since encrypted tx keys use a one time key.
- [1:15]
- *tx ids
- jollymort [1:16 AM]
- need to read up on this
- [1:16]
- but i think we're getting somewhere with this idea
- theking01 [1:16 AM]
- So if I reuse an encrypted payment id, it's fine.
- [1:16]
- I'm been thinking about the address reuse problem for sometime.
- jollymort [1:17 AM]
- read up for some ideas :slightly_smiling_face:
- theking01 [1:17 AM]
- Anyways, a^k would better be a*k.
- jollymort [1:17 AM]
- EC multiplication?
- theking01 [1:17 AM]
- Exponents are unnecessary.
- [1:17]
- Regular multiplication.
- [1:17]
- Since they are both numbers.
- [1:18]
- I think bilinear group cryptography would be required for an adequate solution.
- [1:19]
- The problem is you need to tell the receiver how to receive it, but without knowing what their keys are.
- [1:20]
- Like, you have Alice, Bob, and the world.
- [1:21]
- Alice wants Bob to pay her, but not know that she is Alice, and Bob wants to pay Ecila (Alice's pseudonym), without the world linking the transactions.
- moneromooo BOT [1:23 AM]
- luigi1111w: luigi1114: luigi1112: luigiiiiii: ^
- theking01 [1:23 AM]
- Alice at least needs to remember her pseudonym with the current methods I think, since if you put it in txextra, the world wins.
- [1:23]
- Unless Alice gives Bob her keys, and then Bob wins.
- One-time BOT [1:23 AM]
- @theking01: One thing is that, if k is small, say k = 2, one can check that C = 2*(A) = (2*a)*G without knowing a, whereas it would be hard to check whether C = (a*a)*G without knowing already a. Also, teh exponentiation is realy just a few multiplications already, if we use fast exponentiations.
- [1:24]
- that is: successive squarings
- theking01 [1:24 AM]
- Hmm, true
- jollymort [1:24 AM]
- the main problem i see is communicate `k` safely without it getting `lost`
- One-time BOT [1:25 AM]
- k can be public\
- theking01 [1:25 AM]
- Actually, k can be small.
- jollymort [1:25 AM]
- thought we could use integrated address but seems i was wrong becasue i forgot pID there is encrypted with a
- One-time BOT [1:25 AM]
- Oh, you mean the sender not including it?
- theking01 [1:25 AM]
- Alice still has to remember not to reuse k's though.
- [1:26]
- Also, instead of a^k, why not H(a,k)?
- One-time BOT [1:26 AM]
- Why?
- jollymort [1:26 AM]
- but you can't stop a sender from sending again to the same kCD pair
- One-time BOT [1:26 AM]
- I mean, sure :)
- theking01 [1:26 AM]
- If she reuses k, the identities will be linked.
- One-time BOT [1:26 AM]
- Right, I agree
- jollymort [1:27 AM]
- ok how about this then
- [1:27]
- ignore, let me form my thoughts for 5min and i come back :slightly_smiling_face:
- One-time BOT [1:27 AM]
- But that is the same deal with other implementations of HD wallets
- theking01 [1:27 AM]
- You could make k small id numbers.
- [1:28]
- That could efficiently be searched.
- One-time BOT [1:29 AM]
- That would be an advantage. On the other hand, if you are sending a bunch of txs in short sucession, those sequential values could leak that fact a bit
- theking01 [1:29 AM]
- And could search the blockchain to see which id numbers have already been used.
- [1:30]
- But the ids could be hidden. You wouldn't need to store them in tx extra.
- One-time BOT [1:30 AM]
- JollyMort suggested a Mycelium style pID=hash((A)+k)
- theking01 [1:31 AM]
- If k is small, it can be bruteforced by the receiver.
- One-time BOT [1:32 AM]
- I see that now that you mention
- jollymort [1:36 AM]
- Ok, here goes:
- Note: `(A,B)` refers to main address, `(C,D)` to some sub-address. Small caps are private view,spend keys.
- 1. The `k` will be incremented from 1 to ...
- 2. `k` is padded to the size of short pIDs with 0s, but the first byte could be "AA" or something.
- 2. User encrypts `k` with `a`, obtain `K`
- 3. User generates (C,D)=f(A,B,k)
- 4. User prepares integrated address consisting of (C,D) + K
- 5. sender pays to user
- 6. user decrypts K, and checks for first byte "AA", if yes, decrypt the output with (C,F)=f(A,B,k)
- [1:38]
- 3 & 6 should be small caps (private keys)
- [1:42]
- think there should be some sender random data + DK exchange added somewhere in the process :smile:
- [1:42]
- DH
- One-time BOT [1:43 AM]
- Jollymort: I like the idea of carrying the information that the address was derived using this scheme by having a sufix, because I was just noticing that (A,B) would enjoy a special treatment in the user's wallet compared to any other (C,D) generated from it, in that the wallet always checks if a tx belongs to (A,B), or (A,B) plus the PID, which would be a (C,D), but never for (C,D) plus the PID.
- [1:44]
- Otherwise we would just revert to regulat HD linear grouth
- [1:44]
- in number of addresses to check
- jollymort [1:44 AM]
- this way you have a fallback method to restore all
- [1:45]
- but i still suspect i misunderstood integrated addresses, again
- [1:45]
- (looking for the paper describing them)
- [1:46]
- this: http://pastebin.com/bp5RKXuC
- Pastebin
- [JavaScript] Stealth Payment IDs 0.8.5 - Pastebin.com (19KB)
- One-time BOT [1:47 AM]
- I am not sure I understand how the address and PID are encoded together, but it seems to reversible by playing with the wallet. I haven't tried reversing an integrated address that wasn't created by me though
- jollymort [1:47 AM]
- it's described in this link ^
- [1:47]
- reading it now
- [1:48]
- also, check out http://xmrtests.llcoins.net/addresstests.html
- [1:48]
- theres a nice explanation at the bottom of the page
- jollymort [1:54 AM]
- ah it can't work with integrated addresses in the current form
- [1:55]
- at least not in the way i imagined it
- One-time BOT [1:55 AM]
- What problem did you see? I am still trying to understand
- jollymort [1:56 AM]
- encryption key = H(sharedSecret + 0x8d)
- One-time BOT [1:57 AM]
- Is sharedSecret the r value?
- jollymort [1:57 AM]
- i think so
- luigi1111w BOT [1:57 AM]
- sharedSecret is rA or aR
- smooth BOT [1:58 AM]
- which one?
- luigi1111w BOT [1:58 AM]
- the one that encryption key =
- jollymort [1:58 AM]
- but if you give out (C,D) you need to know which (c,d) to use to decrypt it
- luigi1111w BOT [1:58 AM]
- indeed
- jollymort [1:59 AM]
- so that's why.. idea was to be able to use (a,b) to find these (C,D,k) transactions
- luigi1111w BOT [1:59 AM]
- I'm still catching up on backlog, feel free to ignore me
- One-time BOT [2:04 AM]
- Sorry, I have to be afk for a moment
- jollymort [2:13 AM]
- pero BOT [1:39 AM] some hoppers in #monero-dev are solving P=NP
- [1:39] moon soon
- [2:13]
- lol
- luigi1111w BOT [2:14 AM]
- rofl
- [2:14]
- pretty sure that wouldn't be moon
- jollymort [2:15 AM]
- quite the opposite
- One-time BOT [2:20 AM]
- I am back
- [2:20]
- But still reading
- [2:20]
- Will have to leave in 20 min again though...
- theking01 [2:29 AM]
- aR=rA
- [2:29]
- That's the point.
- jollymort [2:29 AM]
- so One-time, the problem of my proposal before is in step 6., because you're decypting the pID with `c`, but you can't know which `c` to use because you don't know the `k` which is hidden inside..
- luigi1111w BOT [2:30 AM]
- you can't encrypt k, right
- jollymort [2:30 AM]
- so, bugger
- [2:30]
- if using ordinary pID
- [2:30]
- then you could give out a `k` encrypted with your a, just to obfucsate what's it for
- [2:31]
- but if sender uses the same pID few times, the transactions can be linked
- theking01 [2:31 AM]
- Can you generate random k in such a way that chance of collisions is negligible but can still be bruteforced?
- [2:31]
- @luigi1111
- jollymort [2:31 AM]
- all belonging to the same address (C,D)
- luigi1111w BOT [2:31 AM]
- yes @jollymort that is the concern
- [2:32]
- you negate the advantage of stealth addresses if you reuse these "HD" ones
- [2:32]
- unless k is small
- jollymort [2:32 AM]
- yeah
- theking01 [2:32 AM]
- Like would 64-bits work?
- luigi1111w BOT [2:32 AM]
- that's not small enough to negate the linkability thing
- theking01 [2:33 AM]
- I think 128 would be too big.
- jollymort [2:33 AM]
- 16 bits
- luigi1111w BOT [2:33 AM]
- "any" is fine if you don't reuse
- theking01 [2:33 AM]
- Couldn't bruteforce k
- luigi1111w BOT [2:33 AM]
- if you do reuse you have to be really small
- [2:33]
- so there's lots of collisions
- [2:33]
- but then you have to check them
- [2:34]
- most won't be for you
- [2:34]
- but that's less than checking all outputs now
- jollymort [2:34 AM]
- so again, plain HD would work better
- theking01 [2:34 AM]
- Yeah, I guess doing 64-bit bruteforce for every output would be a bit much.
- luigi1111w BOT [2:35 AM]
- yes way too much :)
- jollymort [2:35 AM]
- 16bits gives you 65535 sub-addresses
- [2:35]
- more than enough for normal people
- [2:35]
- 179 years of tx/day
- theking01 [2:35 AM]
- 32 bits is way too many k-collisions
- luigi1111w BOT [2:35 AM]
- why do we need to bruteforce k?
- theking01 [2:35 AM]
- So we don't need the put it in tx extra.
- [2:36]
- Or remember it.
- jollymort [2:36 AM]
- but if small enough you could put it in txextra, as it would collide with other users
- luigi1111w BOT [2:36 AM]
- then there's nothing to identify it...
- theking01 [2:36 AM]
- (you could be using two wallets, for example)
- jollymort [2:36 AM]
- so you lose some linkability
- [2:36]
- anonymity set would be all the users who're using the scheme
- theking01 [2:36 AM]
- (and you don't want them to generate the same k if they aren't synced)
- [2:38]
- If you have memory, it's easier.
- [2:39]
- To make a new address, do A'=H(k,a)G+A, B'=H(k,a)G+B
- [2:39]
- And remember k
- jollymort [2:39 AM]
- what's G?
- luigi1111w BOT [2:40 AM]
- the basepoint
- jollymort [2:40 AM]
- ah yes
- luigi1111w BOT [2:40 AM]
- but how do you remember k?
- One-time BOT [2:40 AM]
- Jollymort: I see. It just started to sink in for me that k can't go out in the clear, otherwise the trasactions that reuse it can be linked... Feeling a bit stupid right now, hahaha
- theking01 [2:40 AM]
- Computer memory
- jollymort [2:40 AM]
- nah, it was interesting
- luigi1111w BOT [2:40 AM]
- One-time are you the reddit user?
- [2:40]
- @theking01 what about restoring the wallet?
- jollymort [2:40 AM]
- i learned something more, and i think you did too :slightly_smiling_face:
- theking01 [2:40 AM]
- I'm saying if you can save k to a file, for example.
- jollymort [2:40 AM]
- but if you lose it?
- luigi1111w BOT [2:40 AM]
- yes but your computer crashes
- jollymort [2:40 AM]
- bruteforce
- theking01 [2:41 AM]
- And you could make them small.
- One-time BOT [2:41 AM]
- No
- theking01 [2:41 AM]
- You need to remember them to prevent reuse though.
- luigi1111w BOT [2:41 AM]
- who is user141?
- theking01 [2:41 AM]
- If your computer crashes, you need to salt the hash.
- new messages
- [2:41]
- For future hd addresses.
- [2:42]
- Or generate a new base address.
- luigi1111w BOT [2:42 AM]
- you need to find old outputs with the restore..
- [2:42]
- you can't do that unless you can bruteforce the ks
- theking01 [2:42 AM]
- If k is small, that should be fine.
- luigi1111w BOT [2:42 AM]
- or have them be deterministic
- theking01 [2:42 AM]
- Like sequential I'd numbers.
- One-time BOT [2:42 AM]
- I have to go now. Catch up with you guys later
- theking01 [2:42 AM]
- *id
- jollymort [2:43 AM]
- the point of the idea was to avoid to have to try out each derived address, like you would in a HD scheme
- [2:44]
- maybe it's one of the "impossible" problems
- luigi1111w BOT [2:44 AM]
- which is basically attaching k
- jollymort [2:44 AM]
- which could be proven impossible
- [2:44]
- yeah
- luigi1111w BOT [2:44 AM]
- which isn't really different than a plaintext id
- jollymort [2:44 AM]
- exactly
- luigi1111w BOT [2:44 AM]
- but yes I've given this some thought
- [2:44]
- haven't come up with a reasonable solution yet
- [2:45]
- (not HD)
- theking01 [2:45 AM]
- It would only be necessary during crashes.
- luigi1111w BOT [2:45 AM]
- I mean the scan time vs linkability issue
- [2:45]
- they seem diametrically opposed
- jollymort [2:45 AM]
- yeah
- theking01 [2:45 AM]
- @luigi1111 I think bilinear groups could be a solution
- luigi1111w BOT [2:46 AM]
- I haven't looked at those
- theking01 [2:46 AM]
- They essentially allow you to "multiply" group elements.
- [2:47]
- So you could do R=rG and X=R*C
- [2:47]
- Or something like that.
- luigi1111w BOT [2:47 AM]
- interesting
- theking01 [2:48 AM]
- It might not work with monero's elliptic curve though. I haven't looked into it enough.
- jollymort [2:51 AM]
- it's an interesting problem, feels like the 5th piece to add to the privacy puzzle (1.unlinkability 2.untraceability 3.rCT 4.Kovri 5.no-address-reuse)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement