Stealth Payment IDs 0.7.8

1. /*Stealth Short Payment IDs - proposal for shortening "user" payment IDs (to 64 bit) while keeping full 32 byte "blockchain" payment IDs, incorporating a stealth feature to improve anonymity, and adding a new v2 integrated address
2.  
3. We are basically discussing three different aspects here, which aren't strictly related:
4. 1. Stealth IDs, which change every TX, just like (or rather, similar to) addresses
5.  
6. 2. Shortened IDs, less characters to display, copy, etc. The current space 2^256 is absurdly large and unnecessary, but whether that justifies changing (while the "network" version remains 256-bit), I'm not sure. CN addresses are "long" in any case, but I believe there's a cutoff point around 110-120 characters that results in line wrapping even on 1080p screens on many webpages. I think it's warranted to try to keep it under that bound if there is little reason not to. I guess it boils down to: is public address space precious even though it's already very long, or is "wasting" more characters not of any/much consequence?
7. Example Addresses:
8. Standard (95):
9. 45BEPXEXAN6YrvHgP3owF8GCzBZ2vCZNb9sMxZG6D7iuSvjVret5ciY2GfqVMHZiPoTEEcmSmVhcyaReTjJafrSqV26ZoYE
10. 64-bit ID integrated (106):
11. 4TZ76dT4mbsizsTtJzy7kYBo9f8xduc8wTsWb86pCmx5Cmh43CDxNS1FRcMrE3CNQ2ZT17vzCudc5TbNYBzizwqZFah5K1Js7VpL88qPSi
12. Full 256-bit ID integrated (139):
13. 4LRv6jJYxh5Ba1Z4UfCZYmTzP7g1mP5uUC32KgWcMtBi2QV6xGjHpqs5ZeEnpAwaWVNgF7b7xtumQGoL9posmQMfRvFupJBXkZyWGdcDizfMUAiEgrG7cA98yf6vcqJzZT1EPg8A69e
14.  
15. 3. New (v2) integrated addresses: not strictly necessary, unless implementing 2 as well.
16.  
17. Part of the idea is to not keep changing things all the time, so it seems reasonable to (at least try to) get it into a state where it can operate for years with no additional changes. #3 acts as a nice way to "tie it up with a bow", because shorter is better than longer (right?), and it creates an easy way to "enable" stealth IDs as the receivers take the time to implement them. If you just implement tx construction logic for stealth IDs, the existing payment ID implementation breaks (that seems bad). Thus if a receiver hands out v2 integrated addresses, they would be expected to support stealth IDs; if not, then use old method.
18.  
19. If shortening "user" payment IDs gets a general nack (there are some possibly valid considerations about out-of-band revealing of unwanted data by the ID generator/higher chance of "accidental" collision, etc, with a smaller set size), I would recommend the solution be to re-purpose the "existing" integrated address to use stealth logic (since no one has implemented it yet, it's not in a tagged release, etc) and continue to treat manual payment IDs the same as today (untouched). Even with consensus for shortening, I still feel it appropriate to "overwrite" v1 integrated addresses with the new short version; since no one supports them yet, we can avoid supporting them into perpetuity.
20.  
21. Chance of collision for randomly generating 1 million IDs at 64-bit: 1,000,000^2 / (2^64 * 2) = ~1/36,893,488
22. 50% chance happens at 5.06 billion IDs generated.
23. If receivers are randomly generating IDs (and they should be, to avoid revealing data to their customers) with non-negligible chance of collision, values should be checked against existing.
24.  
25. For reference to those unfamiliar with the integrated address in current head, it looks like:
26. "netbyte (0x13)" + "32 byte public spend key" + "32 byte public view key" + "32 byte payment ID (8 byte proposed for v2)" + "4 byte checksum of all previous data"
27.  
28. Another option for v2 integrated addresses is variable length IDs. This loses the consistency of all addresses being the same cnBase58 and hex length (BTC has the same hex length, but variable base58 length), but is only marginally more difficult for wallets to parse and account for.
29. */
30.  
31. /*varint analysis for key generation for those unfamiliar with varint encoding (I was)
32. 1 = 0x01
33. 127 = 0x7f
34. 128 = 0x8001
35. 129 = 0x8101
36. 255 = 0xff01
37. 256 = 0x8002
38. 16,383 = 0xff7f
39. 16,384 = 0x808001
40. 16,385 = 0x818001
41.  
42. We have to avoid using any valid varints, as those are used for output indexes. 0x80 - 0xff gives us 128 options using only one byte. I've not come up with any not-completely-arbitrary choice, so here's an arbitrary one: charcode(I) + charcode(D) = 0x49 + 0x44 = 0x8d
43. */
44.  
45. //apologies for using javascript, it's the easiest way at present for me to express the implementation proposal
46. //using cnUtil.js from mymonero.com for functions
47.  
48. //---------------------------------------------------------
49. //proposal 1.4.2 (older ideas discarded as subpar and/or unscalable)
50. //pad the short ID to 32-bytes, then xor with our one-time key
51. var receiverKeys = create_address(rand_32()); //for example only
52. var payId = "0123456789abcdef"; //64-bit example
53. var paddedPayId = payId;
54. while (paddedPayId.length < 64){paddedPayId += "00";}
55. var txkey = random_keypair();
56. var der = generate_key_derivation(receiverKeys.view.pub, txkey.sec);
57. var stealthKey = cn_fast_hash(der + "8d");
58. var realPayId = hexXor(stealthKey, paddedPayId); //JS can only xor numbers, made up function to xor hex strings
59.  
60. //receiver would:
61. var der = generate_key_derivation(txkey.pub, receiverKeys.view.sec); //txkey.pub from tx_extra
62. var stealthKey = cn_fast_hash(der + "8d");
63. var paddedPayId = hexXor(stealthKey, realPayId); //realPayId from tx_extra
64. //*compare paddedPayID.slice(0,16) with known set*
65. //---------------------------------------------------------
66.  
67.  
68. //I appreciate any and all feedback!
69. //luigi1111