Author: Erik Aronesty 2016-08-11 20:37:04
Published on: 2016-08-11T20:37:04+00:00
The conversation on bitcoin-dev mailing list began when Erik Aronesty asked if there was a BIP for a public seed that could generate new random addresses but cannot easily verify if an address was derived from the seed. Tier Nolan responded that if one takes a public key and multiplies it by a non-random factor, everyone else can figure out the private key, so one needs some way to get k, the random factor, to the recipient without others figuring it out. The system must be interactive or use a shared secret. The scriptPubKey, or an OP_RETURN, contains shared secret information. The address would indicate the master public key, which equals the master private key multiplied by G. The transaction contains k*G. Both sides can compute the shared secret, which is k*master_private*G = master_private*k*G. This adds 34 bytes to the scriptPubKey. However, this method is heavy for scanning transactions sent to someone as one has to check every transaction output to see if it is the given template. It requires approximately one ECC multiply per output and is similar CPU load to what one would need to do to actually verify a block.
Updated on: 2023-06-11T19:31:30.229125+00:00