I'm imagining a "publishable seed" such that:

- someone can derive a random bitcoin address from it
- and send funds to it.
- the possible derived address space is large enough that generating all
  possible addresses would be a barrier
- the receiver, however, knowing the private key, can easily scan the
  blockchain fairly efficiently and determine which addresses he has the keys to
- another interested party cannot easily do so

Perhaps homomorphic encryption may need to be involved?

On Thu, Aug 11, 2016 at 8:36 PM, Gregory Maxwell wrote:
> On Thu, Aug 11, 2016 at 8:37 PM, Erik Aronesty via bitcoin-dev wrote:
> > Still not sure how you can take a BIP32 public seed and figure out if an
> > address was derived from it though. I mean, wouldn't I have to compute all
> > 2^31 possible public child addresses?
> > Which would take a quad core laptop about 8 hours with competent software
>
> And presumably you're not using the whole 2^31 space else the receiver
> also has to do that computation...
>
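Added example, not from the thread or from any of its participants: a toy model of the property the message describes (a published key anyone can pay to at a fresh one-time point, which the holder of the matching secret detects with one operation per output instead of enumerating a 2^31 child space, and which a third party cannot link). It uses an ECDH-derived tweak rather than BIP32 child derivation, so it is an assumption about one way to get that property, not a description of what the thread settled on. The secp256k1 arithmetic is a minimal from-scratch implementation, the keys are constructed at run time for the demo, and no Bitcoin address encoding, key-prefix handling, or on-chain publication of R is shown.

```python
"""Toy 'publishable seed' demo (added illustration, not from the bitcoin-dev
thread): receiver publishes D = d*G; a sender pays to Q = D + H(r*D)*G and
publishes R = r*G; only the holder of d can recompute H(d*R) = H(r*D) and
recognise Q.  Minimal secp256k1 arithmetic, demo-only keys."""
import hashlib
import secrets

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Affine point addition; None represents the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p == -q
    if p == q:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, p):
    """Double-and-add scalar multiplication k*p."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r


def _tweak(point):
    """Hash an EC point (the ECDH shared secret) to a scalar tweak mod N."""
    h = hashlib.sha256(point[0].to_bytes(32, "big") +
                       point[1].to_bytes(32, "big")).digest()
    return int.from_bytes(h, "big") % N


def make_publishable_seed():
    """Receiver: long-term secret d (kept) and publishable point D = d*G."""
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)


def sender_derive(D):
    """Sender: ephemeral r, publishes R = r*G, pays to Q = D + H(r*D)*G."""
    r = secrets.randbelow(N - 1) + 1
    R = _mul(r, G)
    t = _tweak(_mul(r, D))
    return R, _add(D, _mul(t, G))


def receiver_matches(d, D, R, Q):
    """Receiver: d*R == r*D, so one scalar mult + one hash decides ownership."""
    t = _tweak(_mul(d, R))
    return _add(D, _mul(t, G)) == Q


def receiver_spend_key(d, R):
    """Private key for a matched output: d + H(d*R) mod N."""
    return (d + _tweak(_mul(d, R))) % N


def scan(d, D, outputs):
    """Scan (R, Q) pairs as they would be read off the chain; return hit indices."""
    return [i for i, (R, Q) in enumerate(outputs) if receiver_matches(d, D, R, Q)]


def demo():
    """Two receivers, three constructed outputs; each sees only its own."""
    d, D = make_publishable_seed()
    other_d, other_D = make_publishable_seed()
    outputs = [sender_derive(D), sender_derive(other_D), sender_derive(D)]
    hits = scan(d, D, outputs)
    for i in hits:  # the derived spend key really controls the matched point
        R, Q = outputs[i]
        assert _mul(receiver_spend_key(d, R), G) == Q
    return hits, scan(other_d, other_D, outputs)


if __name__ == "__main__":
    print(demo())  # first receiver finds [0, 2], the other finds [1]
```

The cost that matters here is per output, not per child index: recognising an output is one scalar multiplication and one hash, so the receiver's work grows with chain size rather than with the 2^31 derivation space, while a party holding only D has nothing to multiply R by and sees unlinked random points.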