[BIP Proposal] Partially Signed Bitcoin Transaction (PSBT) format



Summary:

This part of the thread is about letting a signing device establish which inputs of a partially signed transaction it owns, and which it does not, without compromising privacy. One suggestion is to have each input come with an ownership proof: essentially a signature, made with the key for A, over H(A || x), where x is a fixed private value known only to the signing device, most likely derived along some unique BIP32 path. Because x is fixed, a proof built directly on H(A || x) is identifiable across inputs and loses privacy. To avoid this kind of "re-use", one would instead sign a message such as HMAC("ownership proof", H(A || x)). Public verifiers then see only HMAC("ownership proof", some_random_hash_connected_to_A), while the owner can recreate some_random_hash_connected_to_A itself as H(A || x). The goal is a proof of non-ownership: a proof that the hardware wallet does not own the address. An open question raised in the thread is that verifying the signature seems to require x to be public. There is also a need to prevent a signature from being reused as an ownership proof for a different purpose.
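The construction summarised above, as an added worked example (not code from the thread, BIP proposal or any wallet): the device derives the message HMAC("ownership proof", H(A || x)) from its secret x, signs it with A's key, and a later holder of the same x can recompute the message to decide whether the proof for A is its own. The thread does not fix a hash or a signature scheme; SHA-256 for H and a small, non-hardened ECDSA over secp256k1 are assumptions made here for illustration, and all keys and secrets are constructed at random.

```python
import hashlib
import hmac
import secrets

# Assumption: ECDSA over secp256k1, as Bitcoin uses; this is a textbook,
# non-constant-time implementation for illustration only.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0]:
        if (p[1] + q[1]) % P == 0:
            return None
        lam = 3 * p[0] * p[0] * pow(2 * p[1], P - 2, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], P - 2, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = _add(r, pt)
        pt = _add(pt, pt)
        k >>= 1
    return r


def pubkey(d):
    """33-byte compressed public key A = d*G."""
    x, y = _mul(d, G)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def _decompress(pub):
    x = int.from_bytes(pub[1:], "big")
    y = pow((pow(x, 3, P) + 7) % P, (P + 1) // 4, P)  # sqrt, since P % 4 == 3
    if (y & 1) != (pub[0] & 1):
        y = P - y
    return (x, y)


def sign(d, msg32):
    z = int.from_bytes(msg32, "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, N - 2, N) * (z + r * d) % N
        if r and s:
            return (r, s)


def verify(pub, msg32, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(msg32, "big")
    w = pow(s, N - 2, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, _decompress(pub)))
    return pt is not None and pt[0] % N == r


TAG = b"ownership proof"  # domain tag from the thread's HMAC("ownership proof", ...)


def inner_hash(A, x):
    """H(A || x): computable only by the device holding x (SHA-256 assumed)."""
    return hashlib.sha256(A + x).digest()


def proof_message(A, x):
    """HMAC("ownership proof", H(A || x)): the value a public verifier is shown."""
    return hmac.new(TAG, inner_hash(A, x), hashlib.sha256).digest()


def make_proof(d, x):
    """Device side: for A = d*G, emit (A, message, signature over message with A's key)."""
    A = pubkey(d)
    m = proof_message(A, x)
    return A, m, sign(d, m)


def verify_proof(A, m, sig):
    """Any party: the proof is a valid signature under A over the published message m."""
    return verify(A, m, sig)


def device_owns(A, m, x):
    """Device side: recompute m from its own x; a mismatch means this device did not
    produce the proof for A (the proof of non-ownership from the device's viewpoint)."""
    return hmac.compare_digest(proof_message(A, x), m)


def demo():
    x_dev = secrets.token_bytes(32)    # constructed: this device's fixed secret x
    x_other = secrets.token_bytes(32)  # constructed: some other device's x
    d = secrets.randbelow(N - 1) + 1   # constructed: private key behind A
    A, m, sig = make_proof(d, x_dev)
    return {
        "valid": verify_proof(A, m, sig),
        "owner_recognises": device_owns(A, m, x_dev),
        "other_device_recognises": device_owns(A, m, x_other),
        # the HMAC tag keeps the signature from doubling as a signature over bare H(A||x)
        "reusable_as_plain_sig": verify(A, inner_hash(A, x_dev), sig),
        "tampered": verify_proof(A, m, (sig[0], (sig[1] + 1) % N)),
    }
```

Note what the verifier in `verify_proof` is given: A, the message m and the signature, but never x, so it can check the proof without being able to recompute or link m across inputs; only a holder of x can run `device_owns`. The thread's open question about x needing to be public concerns exactly that split between what a public verifier checks and what the device itself checks.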


Updated on: 2023-06-12T14:59:42.328426+00:00