[Bitcoin-development] unlinakble static address? & spv-privacy (Re: Stealth Addresses)

Jeremy Spilman jeremy at taplink.co
Tue Jan 21 04:00:05 UTC 2014 

On Wed, 15 Jan 2014 17:32:31 -0800, Gregory Maxwell <gmaxwell at gmail.com>  
wrote:
> I'd point out that regardless of how long the desired prefix is, the
> encoded prefix should probably always be constant length in all
> reusable addresses.

I might be misunderstanding, but I think prefix length must be specified  
in the reusable address, however I agree the prefix actually published to  
the blockchain should be constant length.

> If you don't want a particular prefix then the
> sender should just pick random data for the rest of the space. There
> is no need to publish any additional distinguishing data in the form
> of how long the prefix is.

Let's say the payee's reusable address is '<version> <prefix> <Q1> <Q2>  
...', where <prefix> is 2 bytes. Without any length indicator. What's the  
payer going to put on the blockchain? How would they know what the 'rest  
of the space' is? They would have to put the whole <prefix> verbatim into  
the OP_RETURN without knowing how many bits of <prefix> the payee actually  
wants to see there.

If instead, the address is '<version> <prefix> <prefixLen> <Q1> <Q2> ...'  
where <prefix> is 2 bytes, and <prefixLen> is 1 byte, representing number  
of bits of prefix that should be fixed.

Then payer will know how much of <prefix> from the address should be taken  
verbatim, and the rest of the two bytes would be replaced with random  
data, and exactly two bytes would be put in the OP_RETURN.

If <prefixLen> was zero, the 2 byte prefix in the reusable address must be  
ignored, and an entirely random 2 byte prefix would be put into the  
OP_RETURN.

I'm a bit worried about broken implementations copying the <prefix> from  
the reusable address into OP_RETURN when <prefixLen> is 0, and ending up  
basically identifying the payee. That's the only reason I can think of to  
make '<prefix> <prefixLen>' optional in the reusable address, to prevent  
the opportunity to screw it up. You would *still* put a 2-byte random  
prefix in the OP_RETURN, even if the fields weren't in the address at all.  
It's just a minor concern though.

More information about the bitcoin-dev mailing list