Author: Timo Hanke 2013-06-19 20:03:07
Published on: 2013-06-19T20:03:07+00:00
In an email thread from June 2013, Timo Hanke and Alan Reiner discuss a subtle issue with the use of a standard address in conjunction with the payment protocol. Hanke explains that if the payee has spent the output (i.e., the pubkey corresponding to "destination"), which is publicly known as PubKeyParent * Multiplier[i], then anyone can create arbitrary pairs {PublicKeyParent, Multiplier} that lead to the same "destination." Depending on what the transaction should "prove," this could be an unwanted feature, so Hanke suggests replacing PubKeyParent * Multiplier[i] by PubKeyParent * HMAC(Multiplier[i],PubKeyParent), which eliminates ambiguity about PubKeyParent. However, this modification would no longer be compatible with BIP32. The attack vector is the discrete log problem of spoofing a relationship between a target public key and one that you control. While you can produce essentially-random pairs of {PubX, Mult} pairs that give the same PubB, you won't have the private key associated with those public keys.
Updated on: 2023-06-06T18:53:22.391019+00:00