While lying in bed this morning I had a flash of insight on how to significantly reduce the size of the signature that proves who a payment is from.
Given public information (in the blockchain):

    dan   => DANS_EXT_PUBLIC_KEY
    scott => SCOTTS_EXT_PUBLIC_KEY

Assume scott wants to send dan a payment anonymously, yet wants dan to know it is from him.

scott: generate a one-time key pair (OneTimePrivateKey, OneTimePublicKey)
scott: OneTimePrivateKey * DANS_EXT_PUBLIC_KEY => SECRET
scott: DANS_EXT_PUBLIC_KEY.child( SECRET ) => RECEIVE_PUBLIC_KEY => RECEIVE_ADDRESS
scott: RECEIVE_PUBLIC_KEY * SCOTTS_EXT_PRIVATE_KEY => CHECK_SECRET
scott: SHORT_HASH( CHECK_SECRET ) => SHORT_SIGNATURE
scott-broadcast: OneTimePublicKey + RECEIVE_ADDRESS + ENCRYPT( "from scott" + SHORT_SIGNATURE, SECRET )

dan: OneTimePublicKey * DANS_EXT_PRIVATE_KEY => SECRET
dan: DANS_EXT_PRIVATE_KEY.child( SECRET ) => RECEIVE_PRIVATE_KEY => RECEIVE_PUBLIC_KEY => RECEIVE_ADDRESS
     (this matches the broadcast RECEIVE_ADDRESS, so dan knows the output is his and can spend it)
dan: DECRYPT( data, SECRET ) => "from scott" + SHORT_SIGNATURE
dan: SCOTTS_EXT_PUBLIC_KEY * RECEIVE_PRIVATE_KEY => CHECK_SECRET
dan: SHORT_HASH( CHECK_SECRET ) == SHORT_SIGNATURE ? => the payment really is from scott

Both sides arrive at the same SECRET because OneTimePrivateKey * DANS_EXT_PUBLIC_KEY and DANS_EXT_PRIVATE_KEY * OneTimePublicKey are the same ECDH point; CHECK_SECRET agrees for the same reason, since RECEIVE_PUBLIC_KEY * SCOTTS_EXT_PRIVATE_KEY equals SCOTTS_EXT_PUBLIC_KEY * RECEIVE_PRIVATE_KEY.
There are only two people in the world who can generate CHECK_SECRET: dan (who holds RECEIVE_PRIVATE_KEY) and scott (who holds SCOTTS_EXT_PRIVATE_KEY). Because this check isn't needed to validate the funds transfer itself (the one-time key and RECEIVE_ADDRESS already handle that) and only serves to prevent 'spoof payments' (someone claiming a payment came from scott), SHORT_HASH(CHECK_SECRET) can shrink the proof of sender down to 8 bytes, rather than the 65 bytes required for a normal ECC compact signature. A truncated 8-byte check still leaves a spoofer only a 1 in 2^64 chance of guessing it.
Total additional size to send an anonymous payment from a certified address:

    33  OneTimePublicKey
     4  from id
     8  from check
    20  [optional fixed-size memo]
    --
    65  bytes (33 + 4 + 8 + 20), equal to a single normal signature.

The fixed-size memo is there to provide a description. It must be fixed size to prevent analysis by size. The memo is 20 bytes so that the encrypted portion (from id + from check + memo = 4 + 8 + 20) is exactly 32 bytes, a multiple of the 16-byte AES block size, so no padding is needed. The encrypted info block is therefore always 16, 32 or 48 bytes long, depending on the memo size chosen.
I could probably avoid AES encryption altogether and simply XOR the data with SHA512(SECRET) as a means of encrypting/decrypting. That is safe here only because SECRET is derived from a fresh one-time key for every payment, so the keystream is never reused; it also caps the encrypted block at the 64 bytes of SHA512 output, which the 16/32/48-byte layouts fit within.
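As a worked example of the whole exchange above, here is the sender and receiver side in pure Python on secp256k1. This is added code written for this page, not code from the original post or from any wallet implementation, and it makes a few assumptions the post leaves open: .child( SECRET ) is modelled as a BIP32-style additive tweak (child key = parent key + SECRET mod N, which gives the same key whether derived from the public or the private parent); the address is a truncated SHA-256 standing in for the real address hash; the 4-byte "from id" is looked up in a dictionary standing in for the blockchain's name registry; and encryption is the XOR-with-SHA512(SECRET) variant from the previous paragraph, laid out as 4 + 8 + 20 = 32 bytes. It goes one step past the text by also showing a spoofed payment, sent by a third party who knows only the public keys, being flagged as not from scott.

```python
import hashlib, hmac, os

# secp256k1: y^2 = x^3 + 7 over GF(P); base point G has order N.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):  # affine addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult(k, point):  # double-and-add (demo quality, not constant-time)
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def compress(pt):  # 33-byte SEC1 compressed encoding
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def decompress(data):
    x = int.from_bytes(data[1:], "big")
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)  # P % 4 == 3: modular square root
    return x, (y if (y & 1) == (data[0] & 1) else P - y)

def keypair(priv=None):
    priv = priv or 1 + int.from_bytes(os.urandom(32), "big") % (N - 1)
    return priv, scalar_mult(priv, G)

def shared_secret(priv, pub):  # ECDH: a*(b*G) == b*(a*G), so both sides agree
    return hashlib.sha256(compress(scalar_mult(priv, pub))).digest()

# ASSUMPTION: .child(SECRET) modelled as a BIP32-style additive tweak t = SECRET mod N:
# child_priv = parent_priv + t, child_pub = parent_pub + t*G (same key either way).
def child_pub(parent_pub, secret):
    return point_add(parent_pub, scalar_mult(int.from_bytes(secret, "big") % N, G))

def child_priv(parent_priv, secret):
    return (parent_priv + int.from_bytes(secret, "big")) % N

def address(pub):  # ASSUMPTION: stand-in for the real address hash (20 bytes of SHA-256)
    return hashlib.sha256(compress(pub)).digest()[:20]

def xor_stream(data, secret):
    # The post's cipher: XOR with SHA512(SECRET). Safe only because SECRET comes from a
    # fresh one-time key per payment, so the keystream is never reused. Caps data at 64 B.
    keystream = hashlib.sha512(secret).digest()
    assert len(data) <= len(keystream)
    return bytes(a ^ b for a, b in zip(data, keystream))

def send(sender_priv, sender_id, dan_pub, memo):
    """Scott's side. Returns what goes on chain: OneTimePublicKey, RECEIVE_ADDRESS, ciphertext."""
    one_time_priv, one_time_pub = keypair()
    secret = shared_secret(one_time_priv, dan_pub)             # SECRET
    receive_pub = child_pub(dan_pub, secret)                   # RECEIVE_PUBLIC_KEY
    check_secret = shared_secret(sender_priv, receive_pub)     # CHECK_SECRET
    short_sig = hashlib.sha256(check_secret).digest()[:8]      # SHORT_HASH: 8 bytes
    memo_bytes = memo.encode()[:20].ljust(20, b"\0")           # fixed-size 20-byte memo
    plain = sender_id.to_bytes(4, "big") + short_sig + memo_bytes  # 4 + 8 + 20 = 32 bytes
    return compress(one_time_pub), address(receive_pub), xor_stream(plain, secret)

def receive(dan_priv, one_time_pub_bytes, addr, ciphertext, directory):
    """Dan's side. directory: from id -> extended public key. None if not addressed to dan."""
    secret = shared_secret(dan_priv, decompress(one_time_pub_bytes))
    receive_priv = child_priv(dan_priv, secret)
    if address(scalar_mult(receive_priv, G)) != addr:
        return None
    plain = xor_stream(ciphertext, secret)
    from_id = int.from_bytes(plain[:4], "big")
    short_sig = plain[4:12]
    memo = plain[12:].rstrip(b"\0").decode(errors="replace")
    sender_pub = directory.get(from_id)
    if sender_pub is None:
        return {"from": from_id, "memo": memo, "authentic": False}
    expected = hashlib.sha256(shared_secret(receive_priv, sender_pub)).digest()[:8]
    return {"from": from_id, "memo": memo, "receive_priv": receive_priv,
            "authentic": hmac.compare_digest(expected, short_sig)}

def demo():
    dan_priv, dan_pub = keypair(12345)       # constructed demo keys, not real ones
    scott_priv, scott_pub = keypair(67890)
    eve_priv, _ = keypair(424242)            # Eve knows only the public directory
    directory = {1: dan_pub, 2: scott_pub}
    genuine = receive(dan_priv, *send(scott_priv, 2, dan_pub, "coffee"), directory)
    spoof = receive(dan_priv, *send(eve_priv, 2, dan_pub, "coffee"), directory)
    return genuine, spoof

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the genuine payment decrypting to from id 2, memo "coffee", authentic True, while Eve's spoof (correctly addressed to dan, but with a CHECK_SECRET computed from her own private key) decrypts the same way and comes back authentic False. The point-arithmetic helpers are not constant-time and exist only to keep the example dependency-free; a real wallet would use a vetted secp256k1 library.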
I am looking for ideas on what to name this scheme. So far Toast has proposed:

    Send Anonymously To A Name => SATAN

I suggested:

    Transfer Invisibly To A Name => TITAN

Other names are welcome.