jharveyb
commented
10 months ago Instead of an ephemeral secret on the sender side, could we use the private key from one of the keys already being used by the sender during the transfer? Like the top-level taproot key for the first input to the TX.
Then we could address #740 by both parties computing a DH point from those keys and use that to derive a hashmail stream ID / mailbox address.
Background
Today we use the hashmail courier to send proofs from sender to receiver. One unresolved TODO is to use an encryption scheme to preserve privacy between the sender and receiver: https://github.com/lightninglabs/taproot-assets/blob/4a0a16cc166f4bab1819947a7eba4ec368779b15/proof/courier.go#L571-L583
This can be generalized to other mailbox-like transports such as nostr.
In the TODO above, I propose using the Elliptic Curve Integrated Encryption Scheme (ECIES), which is a hybrid encryption scheme. In our domain, we can use the script key of the receiver as the main DH point, with the sender generating an ephemeral secret themselves, then doing DH between this points to derive a secret key. The secret key would then be used to encrypt the payload with an AEAD scheme. The final payload is the ephemeral DH point, concatenated with the AEAD payload.
Steps To Completion
[ ] Decide if the courier interface should make this opaque, or create a new superset interface,
EncryptedProofCourier[ ] Implement ECIES in a new module (maybe to be upstreamed to
btcd/btceceventually? For the symmetric encryption scheme, we'd likely go with ChaChaPoly.[ ] Update the existing hashmail impl to use this new scheme. We may want to use a new URI for this? Depends on timing w.r.t v0.3 IMO. Either way, clients should have a way to detect if this is being used or not.