[bitcoin-dev] Question regarding Confidential Transactions

Jeremy Papp pappjm at gmail.com
Wed Feb 10 16:39:25 UTC 2016


On 2/10/2016 5:53 AM, Henning Kopp wrote:
> Hi Jeremy,
>
>> My understanding of the paper is that the blinding factor would be included
>> in the extra data which is incorporated into the ring signatures used in the
>> range proof.
> Yep, that is a possibility. The blinding factor could be encrypted
> with the public key of the receiver. Thus it is only visible for the
> receiver who can then check that the correct amount has been sent.
ECC doesn't work like RSA; you can't encrypt directly with a public 
key.  That's why you generate a shared secret between sender and 
receiver.  See also, ECDH. (Basically, if (m, M = m*G) is your 
private/public key pair, and (n, N = n*G) is your recipient's private 
public key pair, you can both generate shared secret S = m*N = n*M = 
m*n*G without revealing your private keys to each other, and without 
revealing the secret to anyone else as long as they don't know either 
private key. You then use S as the basis for the key to some symmetric 
algorithm.)
>> you'd transmit it then, though in any case, since using it will pretty much
>> require segwit, adding extraneous data isn't much of a problem.  In both
>> cases, I imagine the blinding factor would be protected from outside
>> examination via some form of shared secret generation... Although that would
>> require the sender to know the recipient's unhashed public key; I don't know
>> of any shared secret schemes that will work on hashed keys.
> Here you lost me.
> Why do we need to create a shared secret? Is this shared secret used
> as the blinding factor?
> Also I think the sender knows the unhashed public key of the receiver.
> The only reason not to include it in the transaction script is that an
> external observer is unable to see the receiver directly in the
> blockchain.
Normal Bitcoin transactions are made to the hash of a public key because 
once the public key is known, it becomes easier to break it if we ever 
develop quantum computers. That's why it's recommended that you only 
spend from a particular address once (if possible) since its only in 
spending that you are required to reveal your public key.   Since you 
can't do a shared secret with a public key hash, AFAIK, you'd have to 
know the public key of your recipient to be able to do ECDH.

Jeremy Papp


More information about the bitcoin-dev mailing list