Bidirectionally Authenticated Derivation of Privacy Restricted Type 42 Keys
Ty Everett (ty@projectbabbage.com)
Abstract
Sometimes, there's a need for a third party to validate the linkage and key derivation process between two transacting parties. Type-42 derivation enables the private use of child keys between the parties based on an invoice number, but doesn't allow for third-party servers to verify the linkage of the keys. Proposals like BRC-84 describe ways to enable third-party verification while keeping the sender's key linked to the derivation process, but lack a means of sender authentication. By their nature, privacy is lacking in all of thes proposals, but more can be done to preserve it. When Bitcoin is not exchanged in a peer-to-peer manner, this specification outlines the most robust approach to Bidirectionally Authenticated Derivation with Privacy Restrictions (BAD Privacy).
Specification
Senders use type-42 with the anyone key as counterparty and an invoice number in this format:
2-BAD Privacy-<key> <nonce> <sig> <keyID>
The format of the signed data is:
Verifiers (and servers) check:
The signature
The nonce
The child key is derivable with the invoice number and the anyone key
The signature verification process for the signature embedded in the invoice number is:
Extract the identity key of the sender from the message
Invoice number is
2-BAD Signature-<nonce>Verification counterparty is
anyone(see BRC-3 for signature verification on public signatures)Message to verify is specified above
Last updated