by keeping public keys anonymous.
The whitepaper is referring to how, by default, it is not known which human or organisation controls a public key. ~~The public key itself can be recovered from the signature on a Bitcoin transaction~~ The public key is included as part of the scriptSig on a transaction input, and then hashed and validated against the public key used to create the address.
Since a signature can only be produced by the corresponding private key, you can validate that it is the correct key for the given address.
Thus, although you can see the amounts being moved around, you don't know who is spending them, or where they are going (without doing off chain analysis).
By keeping public keys anonymous, how can miners verify that the sender has enough money?
Now that we've established that the key itself is available, miners validate that the amounts are correct by referencing the chain of inputs. Each input in a transaction refers to a specific output created in the past. When validating, the node will look up all of the previous transactions referenced, add up all of their output values, and then check the current transaction's outputs. If the outputs created by the transaction are less than or equal to the input sum, it is valid.
In practice, outputs are less than the input currently, since 0 fee transactions are no longer allowed (they can still be mined, but you will find it quite difficult to broadcast them). The difference between the inputs and the outputs is claimed by the miner as the transaction fee.
The complete signature and address verification process involves:
- Validating the signature over the transaction data
- Hashing the public key from the scriptSig using HASH_160, and comparing it to the hash embedded in the address
This verifies that:
- The transaction itself is signed
- The public key matches the public key inside the address (by checking that the hashes are equal)
@saraafshar Key recovery is described on Crypto.SE: https://crypto.stackexchange.com/a/18106/2301 – Raghav Sood – 2018-08-03T13:09:14.423
Thanks for your answer, but I can't understand: when miners don't have the public key, how can they verify the signature? You mean the miner can find the sender's public key from the signature? – sara afshar – 2018-08-03T13:14:33.030
Correct, I edited my answer a little more to elaborate on how the recovered pub key verifies the address as well – Raghav Sood – 2018-08-03T13:17:20.327
If I understand it correctly, because miners finally find the public key, they know who the sender is and we don't have any anonymity? – sara afshar – 2018-08-03T13:32:34.773
They know the key, but they do not know who owns that key. Unless you have somehow publicly linked an address to your real world identity (by posting it on a forum, social media, blog, whatever), it is not possible to guess or prove who an address belongs to. – Raghav Sood – 2018-08-03T13:34:00.260
@RaghavSood The public key is explicitly included in the scriptSig, not recovered from the signature. It could be recovered from the signature but isn't in practice because it's a CPU-intensive process. – Abdussamad – 2018-08-03T13:41:09.317
@Abdussamad Oh dear, you are correct. I was thinking of ethereum txs. I will update the answer, thank you! – Raghav Sood – 2018-08-03T13:43:21.970