1
1
After making a transaction and receiving all the hashes and ids, is there a number that is secret and only the two people involved in the transaction know?
1
1
After making a transaction and receiving all the hashes and ids, is there a number that is secret and only the two people involved in the transaction know?
1
Yes. You can view a transaction as being a public link between a number of public keys. If different people have the secret keys for those public keys then they have all the necessary information to calculate shared Diffie-Helman elliptic curve points. So in the simple case that you transfer all the bitcoins in an address to someone else's address then you can use his address and your private key to calculate a point which will be the same as the point calculated by him using his private key and your address. Nobody else can calculate these points.
0
No.
However, it would be possible to build a scheme on top of the public and private keys that they used to exchange a secret key, similar to how RSA/DSA is used to make session keys for encryption.
This would require the receiver to transmit additional information back to the sender, correct? – John Henry – 2013-09-12T20:34:06.517
1@JohnHenry: No, there are schemes that have no such requirement, such as ECIES, which instead require the sender to disclose a public key and to know the recipient's public key. – David Schwartz – 2013-09-14T16:42:43.237
ECIES does establish a shared session key, but there is still bidirectional communication involved (one way is the disclosure of the public key, the other is the message + ephemeral key). In any case, I don't see how that is relevant here - the question is about Bitcoin transactions I assume. – Pieter Wuille – 2013-09-15T13:38:50.593
1@PieterWuille The question only asks about establishing a shared secret, which an ECIES session key is. So you would only need the part of ECIES that doesn't require any bidirectional communication. – David Schwartz – 2013-10-15T10:57:34.237
-1
No.
This is because the receiver does not play any role in the transaction. They don't even have to know about it. The transaction actually takes place between the sender and the bitcoin network, and the sender needs to have a private key which (hopefully) is secret.
1There are schemes that create a shared secret without one party playing any role in the transaction. – David Schwartz – 2013-09-14T16:43:06.927
Could you elaborate on how this works? In particular, is it a problem that an address is not itself a public key, but only its hash? – Nate Eldredge – 2013-10-15T13:26:16.997
With current whitelisted scripts, all transactions (apart from coinbase) allow the recipient to obtain a public key where the sender knows the private key. You are right that if the coins are sent to an address from which there have never been any spends then the sender cannot complete their half of the key agreement until the recipient spends the coins or otherwise reveals the relevant public key. – Barack Obama – 2013-10-15T22:35:40.933
The public key of the receiver is not in the transaction, only the public key of the sender. The hash of the public key of the receiver is in the transaction, but I don't see how that is enough to make a shared secret. – Eyal – 2013-10-22T08:33:23.803