K, looked it up. Its addresses are derived from a public address, so you can use your private key to scan for funds sent to such one-time-use addresses. Intriguing. But also... What does it change? If you sweep the funds, then it was pointless. I'm missing something. Also leery of whatever software would be involved with this.

Discussion

yeah, it's based on an arcane construction, which i think was probably one of the key elements of Satoshi's original discoveries that enabled it to be what it is

the payment addresses have to be hashed to reveal, from the pubkey, which is made visible for the first time when you already have published the transaction

this address previously cannot be connected to the pubkey that is derived from the secret key that enables spending

so it's basically a case of you not being able to see ahead of time who might have that key, because you don't know what the key is, only the RIPEMD160 hash of the key, which is a shorter hash than the one used in the signature algorithm (the SHA256 hash of the transaction creates the txid which the signing key must sign on, using the pubkey, related to the address that was derived from the pubkey by the recipient)

it also includes an unusual construction where instead of getting one bit of true/false when verifying, you take the txid (transaction hash) and the signature of the spend transaction, and this gives you something that should be the pubkey, and this can be verified because the pubkey, fed into ripemd160 hash, generates the address specified as the "out point" in the transaction

so you see, it creates a fog of war on the network that can't be broken, the address hashes are deliberately fully 116 bytes shorter than the hash of the txid and the pubkey so that's a LOT of security against reversing the hash function, 116 bits of security is pretty much still considered to be 1000 years of brute force prevention security for AES style encryption algorithms

nobody had put it all together in this way before, and even, Satoshi, i don't think he had the whole picture before he started on the project, but once he discovered it, the fate of bitcoin was sealed, it was the first time anyone had created a peer to peer cryptocurrency system that was invulnerable to any kind of cryptanalysis attack

this is also why i'm also very hostile to the ecash people, because Chaum's blinded signatures did not solve this problem, and Adam Back is definitely not Satoshi even though some of his ideas that he tried to implement were related, and even that famous NSA paper that describes about 90% of what bitcoin is, was missing critical things, and this irreversible hashing of pubkeys to addresses and the use of signatures that only give the (maybe) pubkey means that once the spend has hit the p2p network, the holder is now done, you don't know who the two addresses are controlled by (spend and change) and you don't know which of those two is the spend, and you don't know whether they are even another person or not, it can never be known ahead of time where a bitcoin transaction is going to be spent and once it is, it's too late to catch them

ooh, yeah, 116 bits is literally how much bruteforce countermeasure there is between a bitcoin address and the pubkey it relates to, that is VERY strong protection, you can't generate that many hashes in a thousand years even if computers continue to proliferate at the rate they are now, certainly it's unlikely to happen in less than 100 years, assuming a massive breakthrough in mathematics and computational device technology

That's a lot to wrap my puny brain around, but I guess wallet software can do the work of finding any hidden addresses it can access. Is anyone actually implementing it?

yeah, HD keychains have been around since like, idk, 2014 or something, and it's simple to scan for them, you just generate the next 20 or so keys and monitor the mempool for the ripemd160 hash of the pubkeys from your keychain

satoshi was already gone by the time that all became commonplace, it's also a critical security element of the tech, without HD keychains you can easily lose your sats

Ohhh it's just the HD stuff? I thought it was a new thing

Does this mean that the private key generates a public key, and the public key is hashed into an address? So that you can't actually derive a public key from the address, and therefore can never determine an address's related private key?

exactly

I'm looking at the white paper, and it only shows the sender signing a combination of his utxo's hash and the recipient's public key. Where does the address come into the picture and how does the signature work out if the recipient's public key is obfuscated in that signature?

I think you explained that in your note but it went over my head.

The addresses are the out points, there is usually 2 but there can be any number, and each of these addresses designate the spending key for next time. The signature itself, when combined with the hash of the transaction, reveals the public key the address is derived from, and thus proves the right of ownership.

The public key is hidden until the tx is already history. This means also that quantum computers don't matter so long as you don't reuse and continue to hold coins at the address.

The signature algorithm is based on a specific number series that is derived from a tiny seed, which is too small to manipulate to back door it, meaning to hide numbers in it that allow multiple solutions. The other ones used in blockchains do not have this property.

The vulnerability that was discovered that led to segwit related to the ECDSA signatures, which allow a much larger set of other solutions that is referred to as malleability. Schnorr signatures, like used in nostr, and taproot, don't have this problem. They can also be used in the same way where the txid hash and signature reveal the public key, but also make it easy to function like a keychain, creating a mechanism for encoding multiple codes tied to a single key, which can be used to represent the alternate paths of execution of a smart contract.

Geniuses... F'n geniuses...

Your A key isn't hitting

yeah, touchscreen display is not great on the edge... you can tell i'm using it because it puts capital letters and especially missing the A and often breaks a sentence by putting a full stop in there

yeah just wanted to clear something, each utxo has to be signed on, and that reveals the public key, the specification of where they go is defined by the out points

in the transaction there are inpoints, which are the address that is spent to, and outpoints, which is where you are sending them... if you have had two payments go to an address, you can spend those with one signature that authorises that address balance to move

so if you are spending a larger amount, you will often have several signatures to create, and usually all but one will be going to one destination, by joining utxo's to spend them into one new balance at a new address, so yeah they can be split and joined, and from the point of view of an observer, it can be unclear which is change and which is payment, also, this is one of the core problems with chain analysis, because a better design of transaction can defeat any notion of which is payment and which is change, in fact, for example you could conceivably ask someone to give you 3 addresses to send to, and make 4 of your own change addresses, and who's gonna know which is which?

this is a neat thing you can do with Bitcoin Core also, in the settings enable coin control and you can be selective about everything, including, if you create several of your own change addresses manually, make it entirely impossible to determine what is "spending" and what is not.

Thanks for explaining all this 🙏

sorry it was all disorganised tho... i'm not an expert on bitcoin scripting exactly, but i understand the cryptography, that's an area where i'm a low key expert

Thank you, I needed that simplification

that's right, UNTIL you move the coins from that new address when it receives them, then the public key is publicised