Skip to main content

Handshaking for tag-hopping

Deriving a sequence of tags for tag-hopping.

Deriving a sequence of tags between Alice and Bob across all apps

For Bob to derive a shared secret for Alice:

eskhs\esk_{hs}randF\stackrel{rand}{\leftarrow} \mathbb{F}ephemeral secret key, for handshakinghshs = handshake.
Epkhs\Epk_{hs}eskhsG\esk_{hs} \cdot GEphemeral public key, for handshaking
Sm,taggingBobAlice\sharedsecret_{m,tagging}^{Bob \rightarrow Alice}eskhsIvpkm\esk_{hs} \cdot \IvpkmShared secret, for taggingHere, we're illustrating the derivation of a shared secret (for tagging) using master keys.

Having derived a Shared Secret, Bob can now share it with Alice as follows:

Tag_hs\TaghseskhsTpkm\esk_{hs} \cdot \TpkmHandshake message identification tagNote: the tagging public key Tpkm\Tpkm exists as an optimization, seeking to make brute-force message identification as fast as possible. In many cases, handshakes can be performed offchain via traditional web2 means, but in the case of on-chain handshakes, we have no preferred alternative over simply brute-force attempting to reconcile every 'Handshake message identification tag'. Note: this optimization reduces the recipient's work by 1 cpu-friendly hash per message (at the cost of 255-bits to broadcast a compressed encoding of Tag_hs\Taghs). We'll need to decide whether this is the right speed/communication trade-off.
payload\payload[Tag_hs\Taghs, Epkhs\Epk_{hs}]PayloadThis can be broadcast via L1.
Curve points can be compressed in the payload.

Alice can identify she is the indended the handshake recipient as follows:

Tag_hs\TaghstskmEpkhs\tskm \cdot \Epk_{hs}Handshake message identification tagAlice can extract Tag_hs\Taghs and Epkhs\Epk_{hs} from the payload\payload and perform this scalar multiplication on every handshake message. If the computed Tag_hs\Taghs value matches that of the payload\payload, then the message is indented for Alice.
Clearly, handshake transactions will need to be identifiable as such (to save Alice time), e.g. by revealing the contract address of some canonical handshaking contract alongside the payload\payload.
Recall: this step is merely an optimization, to enable Alice to do a single scalar multiplication before moving on (in cases where she is not the intended recipient).

If Alice successfully identifies that she is the indended the handshake recipient, she can proceed with deriving the shared secret (for tagging) as follows:

Sm,taggingBobAlice\sharedsecret_{m,tagging}^{Bob \rightarrow Alice}ivskmEpkhs\ivskm \cdot \Epk_{hs}Shared secret, for tagging

A sequence of tags can then be derived by both Alice and Bob as:

tagm,iBobAlice\tagg_{m,i}^{Bob \rightarrow Alice}pos2(“az_tag_ss_m”,Sm,taggingBobAlice,i)\text{pos2}(\text{``az\_tag\_ss\_m''}, \sharedsecret_{m,tagging}^{Bob \rightarrow Alice}, i)The i-th tag in the sequence.

This tag can be used as the basis for note retreival schemes. Each time Bob sends Alice a ciphertext\ciphertext, he can attach the next unused tagm,iBobAlice\tagg_{m,i}^{Bob \rightarrow Alice} in the sequence. Alice - who is also able to derive the next tagm,iBobAlice\tagg_{m,i}^{Bob \rightarrow Alice} in the sequence - can make privacy-preserving calls to a server, requesting the ciphertext\ciphertext associated with a particular tagm,iBobAlice\tagg_{m,i}^{Bob \rightarrow Alice}.

The colour key isn't quite clear for tagm,iBobAlice\tagg_{m,i}^{Bob \rightarrow Alice}. It will be a publicly-broadcast piece of information, but no one should learn that it relates to Bob nor Alice (except perhaps some trusted 3rd party whom Alice has entrusted with her ivskm\ivskm).

Deriving a sequence of tags from Bob to himself across all apps

The benefit of Bob deriving a sequence of tags for himself, is that he can re-sync his outgoing transaction data more quickly, if he ever needs to in future.

This can be done by either:

  • Copying the approach used to derive a sequence of tags between Bob and Alice (but this time do it between Bob and Bob, and use Bob's outgoing keys).
  • Generating a very basic sequence of tags tagapp,iBobBob=pos2(“az_tag_ovsk_app”,ovskapp,i)\tagg_{app, i}^{Bob \rightarrow Bob} = \text{pos2}(\text{``az\_tag\_ovsk\_app''}, \ovskapp, i) (at the app level) and tagm,iBobBob=pos2(“az_tag_ovsk_m”,ovskm,i)\tagg_{m, i}^{Bob \rightarrow Bob} = \text{pos2}(\text{``az\_tag\_ovsk\_m''}, \ovskm, i) (at the master level).
    • Note: In the case of deriving app-specific sequences of tags, Bob might wish to also encrypt the app*address as a ciphertext header (and attach a master tag tagm,iBobBob\tagg*{m, i}^{Bob \rightarrow Bob}), to remind himself of the apps that he should derive tags for.