Drak gives Alice (not Bob) an MPK (chain code).
The MPK corresponds to a public key (say key 0 or whatever).
Drak generates a secret.

Drak generates an address from the MPK + secret.
Drak encrypts the secret using the MPK public key.
Drak sends payment to the address including the encrypted secret.

------------------

Alice has a list of secrets (which can be slimmed down using an prefix -
maybe one she specified in her initial address).
Alices (tries to) decrypt the secrets. She combines her public MPK with
the secret (as Drak did) and see if it matches the pubkey hash in the
output. If so then that was a payment to her.

So this is a public MPK where payments from A -> B are purely anonymous.

Very nice. Encrypting the secret is what makes it all work. Before I
didn't think putting in the blockchain could work and was thinking to
use a transport mechanism but encrypting it makes this possible.

On 15/01/14 01:38, Amir Taaki wrote:
> I'm not sure that's true (asked Peter about it):
>
> <petertodd> stealth addresses are "I give you a chain code, you derive new
> pubkeys with random 32-byte nonces, and then encrypt that nonce in the tx
> itself so I can decrypt it and recover the funds"
>
> if so then combined with CoinJoin this is holy-grail, and we don't need to
> worry about Twister/XMPP/BitMessage for transmitting secrets around.
>
>> So sad that you're fed up with me.
>>
>> This seems great for fairly anonymous payments.
>>
>> My only problem is if the deterministic offset n is encoded in the paying
>> transaction then anyone else you also gave that mpk to, will also see the
>> address.
>>
>> So I still really prefer some solution where payment addresses are
>> contracted and signed by a key, for either a one off payment or a sequence
>> of payments over a period.
>>
>> Thanks
>> Bob
>> On 14 Jan 2014 00:31, "Nicolás Mendoza" <nicolasmendo@???> wrote:
>>
>>> Thanks for using Drak in your example, I'm fed up with Bob and Alice
>>>
>>>
>>> On Tue, Jan 14, 2014 at 5:29 AM, Amir Taaki <genjix@???> wrote:
>>>
>>>> great, thanks for showing me this. I know the basic idea. The only
>>>> thing
>>>> I'd add is that once you know the nonce, that the payor doesn't need to
>>>> recreate these txs repeatedly. So when I pay Drak, I only need to do
>>>> this the first ever time I pay Drak.
>>>>
>>>> On 13/01/14 19:49, Drak wrote:
>>>>> Have you guys seen this discussion on the bitcoin mailing list (and
>>>> now
>>>>> there is a working
>>>>> implementation):
>>>> http://sourceforge.net/mailarchive/message.php?msg_id=31813471
>>>>>
>>>>> Seems to be a major step forward in terms of privacy. Probably needs
>>>> a
>>>>> few more technical eyes on it but it looks really promising.
>>>>>
>>>>> Drak
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> unSYSTEM mailing list: http://unsystem.net
>>>>> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/unsystem
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> unSYSTEM mailing list: http://unsystem.net
>>>> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/unsystem
>>>>
>>>>
>>>
>>>
>>> --
>>> Nicolas Mendoza
>>>
>>> PhD Researcher
>>> School of Creative Media
>>> City University of Hong Kong
>>> China PDR - HKSAR
>>>
>>>
>>> _______________________________________________
>>> unSYSTEM mailing list: http://unsystem.net
>>> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/unsystem
>>>
>>>
>> _______________________________________________
>> unSYSTEM mailing list: http://unsystem.net
>> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/unsystem
>>
>
>
> _______________________________________________
> unSYSTEM mailing list: http://unsystem.net
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/unsystem
>