Revealing Key Linkages
PreviousAdmin-reserved and Prohibited Key Derivation ProtocolsNextProtecting BRC-69 Key Linkage Information in Transit
Last updated
Was this helpful?
Last updated
Was this helpful?
Ty Everett (ty@projectbabbage.com)
This BRC proposes two methods for revealing key linkages under the key derivation scheme and . One method reveals the root shared secret between two counterparties, allowing anyone to link all interactions between them. The other method reveal only a specific link (the key offset value) between a root identity key and one of its child public keys. This establishes proof of association with a particular derived key and provides an audit trail for a specific protocol ID, key ID, and counterparty. While these methods enable signature verification and transaction auditing, they do not allow anyone to decrypt data encrypted using , preserving privacy.
The key derivation architecture and allow for privacy-preserving transactions between parties. However, there are scenarios where users may wish to prove key associations and provide audit trails for their interactions. For example, a user may want to establish their ownership of a key used in a transaction, or authorities might need to audit transactions between specific parties. This technical standard aims to fulfill these requirements, allowing users to prove key associations and reveal transaction linkages between parties, while preserving the confidentiality of interactions with unrelated parties.
This method returns the root ECDH shared secret between a user's identity key and a specified counterparty's key. Revealing this key allows any party to link all past and future transactions between these two entities, since the shared secret is used as the HMAC key for computing all child key derivation offset values.
Although this enables transaction traceability, and the ability to verify signatures computed with , it does not allow for decryption of any data encrypted using a encryption mechanism. This is because while the child public keys are derivable by the person who has been given the shared secret, the corresponding private keys are not, and the shared secret used for encryption is computed between the two child keys, and not the root keys.
This method must never be used where the counterparty is the user themself (counterparty=self), as that would reveal keys used internally by the user. The method is also ineffective where the counterparty is "anyone", as the anyone private key is already publicly known (it is the value 1).
This method reveals the offset value (the link) that connects a root identity key to one of its derived child public keys, under a specified protocol ID, key ID, and counterparty. By exposing this link, the user can prove their association with the specific derived key, allowing for auditing of all activity involving this key for the specified protocol and counterparty.
This method allows the user to create an audit trail for specific protocols, key identifiers, and counterparties without exposing all interactions with the particular counterparty. This is because, while the root shared secret is used to compute the HMAC, it is not revealed — only the resulting HMAC is shared.
Below is TypeScript code that implements the described methods:
The two methods in this technical standard are essential building blocks for creating protocols that support accountability and provide an added layer of security to Bitcoin and MetaNet client software implementing and protocols. Implementations should ensure that these methods are only used in ways that maintain user privacy and do not reveal linkage information — especially counterparty root shared secrets — to the public.