Author: Gregory Maxwell 2014-01-03 18:30:38
Published on: 2014-01-03T18:30:38+00:00
In an email exchange, Nadav Ivgi suggested a payment scheme using key derivation where the payer would derive the addresses instead of the payee. The payee would publish their master public key and the payer would generate a random "receipt number" to derive an address and make payment. The payer would then send the receipt to the payee who would derive a private key with it and add it to their wallet. In response, another wild idea was introduced where the payee publishes two public keys PP and PP2 and the payer picks a k value for signatures. The multiplier of PP2*k is paid to pubkey PP+n with r in the first signature or in an OP_RETURN additional output if none of the txins are ECDSA signed. The payer advises the payee that PP+(pp2_secret*r) is something that can be redeemed. The advantage of this method is that if the payer's computer crashes after making the payment, the funds are not lost, and it remains confidential. However, the particular way specified breaks using deterministic DSA unless an OP_RETURN is used. These schemes allow the first round of communication to be broadcast while still preserving privacy.
Updated on: 2023-05-19T17:58:37.881033+00:00