public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Peter Todd <pete@petertodd•org>
To: Jeremy Spilman <jeremy@taplink•co>
Cc: Bitcoin Development <bitcoin-development@lists•sourceforge.net>
Subject: Re: [Bitcoin-development] (space) efficient reusable addr via weil pairing IBE (Re: Bait for reusable addresses)
Date: Sun, 2 Feb 2014 07:26:10 -0500	[thread overview]
Message-ID: <20140202122610.GA22329@savin> (raw)
In-Reply-To: <op.xanddiq6yldrnw@laptop-air>

[-- Attachment #1: Type: text/plain, Size: 3255 bytes --]

On Sun, Feb 02, 2014 at 01:16:20AM -0800, Jeremy Spilman wrote:
> >
> >Consequently you can now securely and very network/space efficiently
> >securely delegate searching a block by computing the private key for the
> >IBE pub key that any sender would use for that block, and sending it as
> >a query to a random (or node-capture defended random selected node).
> >The node can decrypt the encrypted bloom baits with it, but remains
> >powerless to correlate with bloom baits to other payments received by
> >the same user in bother blocks.
> >
> 
> I'm not sure I've fully wrapped my head around it.
> 
>   d/Q        - Identity key
>   E          - Generate an epoch-pubkey: E = Q * H1(epoch)
>   r/P        - Ephemeral privkey/pubkey, or discoverable from inputs
>   S = r * K  - Shared secret (ECDE)

There needs to be two separate payor pubkeys, which I called elsewhere
the "Filter" and "Recover" pubkeys - the latter I think corresponds to
what you meant by identity key. From those two pubkeys two separate
shared secrets are derived.

The key idea is that you can encrypt a short string of zeros with the
"Filter" pubkey using ECDH and place the resulting "filter bait" in the
transaction. This lets the payor give the secret key corresponding to
that pubkey to a semi-trusted third party. That third party can then
trial decrypt all filter bait seen in transactions in the blockchain,
and every time the decrypted string has a sufficient number of zeros
it's considered a filter pass and the transaction is given to the payor.
For n zero bits one in 2^n transactions will match at random, which sets
your false positive rate.

Basically think of it as a way to outsource the work required for
zero-prefix stealth addresses, but with (less) of a sacrifice of
anonymity compared to just giving the third-party your recovery pubkey.
Identity-based encryption only comes into it because it's nice to be
able to further limit what transactions the server knows about to
specific time intervals rather than forver into the future.

Interestingly both schemes can be used at once - a short public prefix
combined with a second private filter. What's interesting there is that
the public prefix can do a first-pass filtering, with the second private
filter relatively long but still providing plausible deniability - you
can always claim 100% of the matching transactions were false positives
because you didn't receive any funds!

> The full node then uses this privkey to decrypt the same byte in all
> the transactions in that epoch/block which match the expected
> layout/template, e.g. given a certain length OP_RETURN, pull the
> specific byte and decrypt.
> 
> This decrypted byte is then in turn used as bloom bait which may or
> may not cause the transaction to be sent back to the SPV client.

There's no bloom filters involved; as I said before "bloom bait" is a
misleading name. "Filter bait" is a better term given it's a generic
concept.

> What encryption scheme is being used here?

XOR with the ECDH-calculated nonce is fine. (run the nonce though a hash
function first)

-- 
'peter'[:-1]@petertodd.org
000000000000000075829f6169c79d7d5aaa20bfa8da6e9edb2393c4f8662ba0

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 685 bytes --]

  reply	other threads:[~2014-02-02 12:26 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-01-16  1:23 [Bitcoin-development] Bait for reusable addresses Gregory Maxwell
2014-01-24  9:02 ` Peter Todd
2014-01-24 12:26   ` Mike Hearn
2014-01-24 15:26     ` Peter Todd
2014-01-24 21:58       ` Jeremy Spilman
2014-01-24 23:15         ` Mike Hearn
2014-01-24 15:42     ` Adam Back
2014-01-24 16:13       ` Peter Todd
2014-01-25 16:19         ` [Bitcoin-development] (space) efficient reusable addr via weil pairing IBE (Re: Bait for reusable addresses) Adam Back
2014-02-02  2:36           ` Peter Todd
2014-02-02  9:16             ` Jeremy Spilman
2014-02-02 12:26               ` Peter Todd [this message]
2014-02-02 15:26                 ` Adam Back
2014-02-02 11:55             ` Peter Todd

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140202122610.GA22329@savin \
    --to=pete@petertodd$(echo .)org \
    --cc=bitcoin-development@lists$(echo .)sourceforge.net \
    --cc=jeremy@taplink$(echo .)co \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox