summaryrefslogtreecommitdiff
path: root/bip-0047.mediawiki
diff options
context:
space:
mode:
Diffstat (limited to 'bip-0047.mediawiki')
-rw-r--r--bip-0047.mediawiki21
1 files changed, 13 insertions, 8 deletions
diff --git a/bip-0047.mediawiki b/bip-0047.mediawiki
index c8397a7..8247e00 100644
--- a/bip-0047.mediawiki
+++ b/bip-0047.mediawiki
@@ -99,11 +99,13 @@ Prior to the first time Alice initiates a transaction to Bob, Alice MUST inform
## Alice selects the private key corresponding to the first exposed public key, of the first pubkey-exposing input, of the transaction: <pre>a</pre>
## Alice selects the public key associated with Bob's notification address: <pre>B, where B = bG</pre>
## Alice calculates a secret point: <pre>S = aB</pre>
-## Alice expresses the secret point in compressed DER format, then calculates a scalar shared secret: <pre>s = SHA256(S)</pre>
+## Alice calculates a 64 byte blinding factor: <pre>s = HMAC-SHA512(x, o)</pre>
+### "x" is the x value of the secret point
+### "o" is the outpoint being spent by the first pubkey-exposing input of the transaction.
# Alice serializes her payment code in binary form.
-# Alice renders her payment code (P) unreadable to anyone except Bob by:
-## Replace the x value with x': <pre>x' = s XOR (x value)</pre>
-## Replace the chain code with c': <pre>c' = sha256(s) XOR (chain code)</pre>
+# Alice renders her payment code (P) unreadable to anyone except Bob:
+## Replace the x value with x': <pre>x' = x XOR (first 32 bytes of s)</pre>
+## Replace the chain code with c': <pre>c' = c XOR (last 32 bytes of s)</pre>
# Alice adds an OP_RETURN output to her transaction which consists of P.
<img src="bip-0047/reusable_payment_codes-01.png" />
@@ -113,10 +115,12 @@ Prior to the first time Alice initiates a transaction to Bob, Alice MUST inform
## Bob selects the first exposed public key, of the first pubkey-exposing input, of the transaction: <pre>A, where A = aG</pre>
## Bob selects the private key associated with his notification address: <pre>b</pre>
## Bob calculates a secret point: <pre>S = bA</pre>
-## Bob expresses the secret point in compressed DER format, then calculates a scalar shared secret: <pre>s = SHA256(S)</pre>
+## Bob calculates the binding factor: <pre>s = HMAC-SHA512(x, o)</pre>
+### "x" is the x value of the secret point
+### "o" is the outpoint being spent by the first pubkey-exposing input of the transaction.
## Bob interprets the 80 byte payload as a payment code, except:
-### Replace the x value with x': <pre>x' = s XOR (x value)</pre>
-### Replace the chain code with c': <pre>c' = sha256(s) XOR (chain code)</pre>
+### Replace the x value with x': <pre>x' = x XOR (first 32 bytes of s)</pre>
+### Replace the chain code with c': <pre>c' = c XOR (last 32 bytes of s)</pre>
## If the updated x value is a member of the secp256k1 group, the payment code is valid.
## If the updated x value is not a member of the secp256k1 group, the payment code is ignored.
@@ -138,7 +142,7 @@ Bitcoins received via notification transactions require special handling in orde
## Alice selects the next unused public key derived from Bob's payment code, starting from zero: <pre>B, where B = bG</pre>
### The "next unused" public key is based on an index specific to the Alice-Bob context, not global to either Alice or Bob
## Alice calculates a secret point: <pre>S = aB</pre>
-## Alice expresses the secret point in compressed DER format, then calculates a scalar shared secret: <pre>s = SHA256(S)</pre>
+## Alice calculates a scalar shared secret using the x value of S: <pre>s = SHA256(Sx)</pre>
### If the value of s is not in the secp256k1 group, Alice MUST increment the index used to derive Bob's public key and try again.
## Alice uses the scalar shared secret to calculate the ephemeral public key used to generate the P2PKH address for this transaction: <pre>B' = B + sG</pre>
<img src="bip-0047/reusable_payment_codes-04.png" />
@@ -248,6 +252,7 @@ In order to use Bitmessage notification, the recipient must have a Bitmessage cl
* [[bip-0032.mediawiki|BIP32 - Hierarchical Deterministic Wallets]]
* [[bip-0043.mediawiki|BIP43 - Purpose Field for Deterministic Wallets]]
* [[bip-0044.mediawiki|BIP44 - Multi-Account Hierarchy for Deterministic Wallets]]
+* [[https://bitcoin.org/en/glossary/outpoint|Outpoint]]
* [[https://github.com/petertodd/dust-b-gone|dust-b-gone]]
* [[https://en.bitcoin.it/wiki/Base58Check_encoding|Base58Check encoding]]
* [[https://bitmessage.org/bitmessage.pdf|Bitmessage]]