- http://bitcoinpete.com/2014/05/05/on-reusing-bitcoin-addresses

I still don't get how a dozen people sending to a single address of mine is protecting their privacy better than if I provide one address per transaction.  And I'm more interested in MY privacy than theirs, anyway.  If they want privacy, that's their job to mix or obfuscate -- not mine.

And then further that post reads ...


I don't even.

It's not, IMO.

If a large number of people are all sending to a single address, that address
becomes conspicuous.  So you are losing a layer of obfuscation there.
In other words, if you were looking at someone's wallet or transactions,
you would more easily be able to spot a well known address, as
well as determine what that address is for.

Peter,

Which language?  It is in the bitcoin-core (QT) sourecode.  Probably in the bitcoin libs for just about any language now.  In general the concept is called "ECDSA Public Key Recovery".  A very cool property of ECC that doesn't existing in all public key cryptography.  In Bitcoin it is only used in message (not transaction) signing.

Here is the standard.  Key Recovery starts on page 47.

http://www.secg.org/download/aid-780/sec1-v2.pdf

There is one thing i am unsure about.  The PubKey (in the absence of additional information) has to be found by trial and error (generate possible PubKey from sign, verify sig w/ possible key.  if valid then you have found key, if not try next possible key, if no possible key validates sig then sig is invalid). 

When locating the proper key one iterates from i=0 to i=h (domain parameter).  For secp256k1 h = 1 so the only possible i values should be 0 or 1.  Most code I have seen iterates from 0 to 3 I wonder if that is just an oversight.  If I am right then there will never be a recovery using an i of 2 or 3.

For Bitcoin messages the i value is encoded in the message header so only one recovery and verification needs to be done.  It is encoded as a byte as follows.
0x1B = Uncompressed PubKey, First Even Key (i = 0)
0x1C = Uncompressed PubKey, First Odd Key (i = 1)
0x1D = Uncompressed PubKey, Second Even Key (i = 2)  <- impossible for secp256k1?
0x1E = Uncompressed PubKey, Second Odd Key (i = 3) <- impossible for secp256k1?
0x1F = Compressed PubKey, First Even Key (i = 0)
0x20 = Compressed PubKey, First Odd Key (i = 1)
0x21 = Compressed PubKey, Second Even Key (i = 2) <- impossible for secp256k1?
0x22 = Compressed PubKey, Second Odd Key (i = 3) <- impossible for secp256k1?

Well, suppose you are collecting donations from co-workers for your boss's birthday present. If you give them all the same address, you see the incoming transactions and the total balance, but you won't know who paid what, so they have some anonymity. If you give a different address to each co-worker, and remember who got which address, then you can tie the amount of each donation to the person who sent it. Then you can inform your boss about who didn't pay for her present. Clearly, your co-workers' anonymity has been compromised in a way that affects (some of) them adversely.

The above makes sense to me, but I can't relate it to Peter Dushenski's article, so he may have been saying something different. Quite a lot of that article makes no sense to me.

That's your choice. In the above scenario, their loss of privacy is to your benefit. If you were running something like Wikileaks, you might get more donations if you did respect your benefactor's privacy.

There's not a lot they can do in the above scenario.

I had updated my post but forgot to click submit.  I see you found the SEC spec.


I think the bolded part is more likely.  Satoshi also seemed unaware of the advantages of compressed keys as well.  A lot about the early code would suggest that Satoshi was a genius "big picture thinker" but cryptography may not have been his strongest suit.  None of this should be taken as criticism, it is amazing that Bitcoin worked effectively and securely from day 0, it is just an observation.

As I indicated above I believe (unless I am misreading the spec) that there are only two possible j values (0,1) for secp256k1 and thus two possible pubkey Q. The "j" can be encoded in the transaction making it unnecessary to try all permutations of j.  Bitcoin does this for signed messages by putting a flag byte in the header.  Even if the pubkey is recovered since Bitcoin supports both

Explicit PubKey = 34 (or 64) bytes per output.
Recovered PubKey (w/ hint) = 1 byte (and one recovery required) per output.
Recovered PubKey (no hint) = 0 bytes (and 1.5 recoveries on average) per output.


He did at the time but I still wonder about that (and my guess is it wasn't a decision).  At the current rate the network is creating about 20 million transactions annually.  The average number of inputs per transaction is 2.4.  Even assuming 100% of them are compressed pubkeys that is still 34 bytes per PubKey or ~ 1.6 GB per year.  At the 1MB block limit the blockchain would increase by about 52 GB per year.  PubKeys would make up about a quarter of that if average number of inputs and outputs per transaction remain the same.  Computing power is the resource least likely to be a bottleneck (we are talking about tens of thousands of ECDSA validations per core per second).  It is far more likely as transaction volume grows and full nodes support more SPV nodes that bandwidth will be the first real world bottleneck. 

If necessary Bitcoin could be extended to support a new version of addresses that requires compressed keys, drops redundant DER encoding, and uses PubKey recovery to reduce the size of the average tx by 25%. It shouldn't be any more difficult than adding support for P2SH was unless I am missing something major.

I already said this on this thread but I'll say it again: Stealth addresses. A lot simpler than cutting up pieces of paper, and achieves the same result  




There may be a way around this problem, using Gregory Maxwell's Merkle tree-based auditing technique:

1. After receiving the donations to various addresses, the donation collector creates a Merkle tree: every leaf contains hash(address to which coins were donated, sum donated); every node contains hash(child 1, child 2) and the total sum of the donations contained in the children.
2. The donation collector creates a separate file for every donator, which includes the branch of the tree relevant to that donator (the path from the donation address to the root).
3. Since even the collector doesn't know who donated to which address (and therefore who should get each file), she encrypts each of these files with the public key of the address from which the donation came, and publishes all the encrypted files.  
4. Each donator decrypts the relevant file and verifies her inclusion in the root.
5. The donation collector publishes a receipt, proving that she bought the boss a gift which cost at least as much as the sum of the root.

This way, nobody knows who donated what, everybody knows the total sum donated, only the donation collector knows how many people donated and the distribution of the donation sums, and everybody knows that the collector didn't steal.

It's a bit complicated for such an obscure use case, but I just love how smart cryptography can solve everything  



EDIT: Now that I think about it, maybe it's not such an obscure use case. We already discussed on this thread the advantages of stealth addresses for charities. Think about a charity that wants to initiate a limited-time fundraiser for a specific cause. It publishes a stealth address for donations. Every donation ends up in a different address, thus distancing donators from each other as well as from the charity. This increases privacy for the charity and for its donators, but lowers transparency.
To regain transparency, the charity uses the above auditing technique as soon as the fundraiser is over. It then produces evidence that it spent a sum of money at least as large as the root sum towards advancing the cause.
This could also be useful for things like crowdfunding campaigns on the bitcoin-only version of Kickstarter (does that exist yet?).

Big!

k must be on the interval [1, n-1] where n is the integer order of G (and G is the base point for secp256k1).  n is the big prime number:

n = 115792089237316195423570985008687907852837564279074904382605163141518161494337

or in hex:

n = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

If you pick a 256-bit unsigned integer at random, it will be a permissible value for k 99.99999999999999999999999999999999999962655% of the time.

This also shows that it is not feasible to "randomly" generate the same k value twice (well, unless your random number generator is broken à la the Android bug but then it wasn't really random).  

Well it has to be a 256 bit number.  0x0000000000000000000000000000000000000000000000000000000000000001 is a 256 bit number.

Are you asking, do the k values generated really have 256 bits of entropy?  That is a very hard thing to prove, which is why I am an advocate of RFC6979.  It bypasses that concern entirely by making the k value deterministic.  With RFC6979 and HD wallets you could process a lifetime of bitcoin transactions with just 128 random bits (a small enough amount to generate by rolling dice or flipping coins).

No, I wasn't asking that to be honest.

It would have been a much smarter question.

I guess I was somehow thinking it might be too big of
a number to calculate the curve point or something.

But I now I see that is the whole point here...