I'm imagining a "publishable seed" such that:

 - someone can derive a random bitcoin address from it - and send funds to it.
 - the possible derived address space is large enough that generating all possible addresses would be a barrier
 - the receiver, however, knowing the private key, can easily scan the blockchain fairly efficiently and determine which addresses he has the keys to
 - another interested party cannot easily do so

Perhaps homomorphic encryption may need to be involved?  


On Thu, Aug 11, 2016 at 8:36 PM, Gregory Maxwell <greg@xiph.org> wrote:
On Thu, Aug 11, 2016 at 8:37 PM, Erik Aronesty via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
> Still not sure how you can take a BIP32 public seed and figure out if an
> address was derived from it though.   I mean, wouldn't I have to compute all
> 2^31 possible public child addresses?

Which would take a quad core laptop about 8 hours with competent software.

And presumably you're not using the whole 2^31 space else the receiver
also has to do that computation...