Author: Peter Todd 2014-01-14 14:19:08
Published on: 2014-01-14T14:19:08+00:00
In an email exchange, Jeremy Spilman asked why two EC points in the stealth address were not used, as discussed with Peter Todd on IRC. The reason for using two points was that it made delegating detection possible and spending keys did not have to be online to detect payments. However, Todd explained that he had implemented the use of both pubKeys in a 2-of-2 multisig instead of keeping one of the pubKeys in the OP-RETURN to prevent a malicious sender from triggering false positives on the online detection key while the funds were still controlled by the payer. Although false positives could still occur, the funds would be trapped, making this unlikely. In response to Spilman's question about how false positives could be triggered, Todd explained the payee recovers the nonce with ECDH from the payor's ephemereal pubkey and their online detection secret key. They use BIP32 public derivation with their offline spending pubkey(s), and if the derived pubkeys match the actual scriptPubKey, they know the output is spendable by them.
Updated on: 2023-06-07T23:44:09.590794+00:00