I apologize for the confusion. Here's a concise and accurate explanation:

### Sender’s Action

1. **Recipient's XPub**: The sender has the recipient’s XPub.
2. **Random Nonce `r`**: The sender generates a random nonce `r`.
3. **Ephemeral Public Key `R`**: The sender computes `R = r * G` (where `G` is the generator point on the elliptic curve).
4. **Shared Secret**: The sender computes the shared secret `S`:
   \[ S = H(r * XPUB) \]
5. **Unique Address**: The sender generates a unique address:
   \[ A = H(XPUB + S) \]
6. **Transaction**: The sender sends Bitcoin to address `A` and includes `R` in the transaction output script (not in metadata, but as part of the output).

### Recipient’s Detection

1. **Retrieve `R`**: The recipient retrieves `R` from the transaction output.
2. **Compute Shared Secret `S`**: Using their private key `xprv`, the recipient computes:
   \[ S' = H(xprv * R) \]
3. **Derive Address `A'`**: The recipient uses their XPub and the shared secret to derive the potential address:
   \[ A' = H(XPUB + S') \]
4. **Match Check**: The recipient’s wallet compares `A'` with the addresses in the transaction outputs.
5. **Recognition**: When a match is found, the recipient identifies the transaction as theirs and can use their private key to spend the funds.

### Example

1. **Sender’s Process**:
   - Recipient’s XPub: `XPUB123`.
   - Random nonce `r`: 456.
   - Ephemeral public key: `R = 456 * G`.
   - Shared secret: `S = H(456 * XPUB123)`.
   - Unique address: `A = H(XPUB123 + S)`.
   - Transaction: Sends Bitcoin to `A` and includes `R` in the transaction output script.
2. **Recipient’s Process**:
   - Retrieve `R` from the transaction output script.
   - Compute shared secret: `S' = H(xprv * R)`.
   - Derive potential address: `A' = H(XPUB123 + S')`.
   - Compare `A'` with transaction outputs.

The recipient’s wallet performs these steps to detect the transaction and identify it as theirs, without needing to know the nonce `r`.

OK…