Cryptography and Security 14 JAN, 2012

Homomorphic Payment Addresses and the Pay-to-Contract Protocol

Homomorphic Payment Addresses and the Pay-to-Contract Protocol

We propose an electronic payment protocol for typical customer-merchant relations which does not require a trusted (signed) payment descriptor to be sent from the merchant to the customer. Instead, the destination “account” number for the payment is solely created on the customer side. This eliminates the need for any encrypted or authenticated communication in the protocol and is secure even if the merchant’s online infrastructure is compromised. Moreover, the payment transaction itself serves as a timestamped receipt for the customer. It proves what has been paid for and who received the funds, again without relying on any merchant signatures. In particular, funds and receipt are exchanged in a single atomic action. The asymmetric nature of the customer-merchant relation is crucial. The protocol is specifically designed with bitcoin in mind as the underlying payment system. Thereby, it has the useful benefit that all transactions are public. However, the only essential requirement on the payment system is that “accounts” are arbitrary user-created keypairs of a cryptosystem whose keypairs enjoy a homomorphic property. All ElGamal-type cryptosystems have this feature. For use with bitcoin we propose the design of a deterministic bitcoin wallet whose addresses can be indexed by clear text strings.

💡 Research Summary

The paper introduces a novel payment protocol designed for the typical customer‑merchant relationship, eliminating the need for a merchant‑signed payment descriptor. Instead of the merchant providing a pre‑generated address, the customer creates the destination address locally using a homomorphic property of ElGamal‑type cryptosystems. The protocol is built around a “pay‑to‑contract” construction: the merchant publishes a fixed public key P, the customer hashes the contract data to obtain h, and then derives a new public key P′ = P · h (or P + h) which is converted into a cryptocurrency address. The customer sends a transaction to this address; the transaction itself becomes a timestamped receipt, proving both the amount paid and the recipient without any merchant signature.

Key technical steps are: (1) contract preparation and hashing, (2) deterministic address derivation using the merchant’s public key and the contract hash, (3) transaction creation and broadcast, (4) on‑chain receipt generation, and (5) merchant recovery of the funds by computing the corresponding private key s′ = s · h (or s + h) from its own private key s. Because the derivation uses only public information, the merchant’s server can be compromised without exposing any past or future derived private keys. An attacker would need to solve the discrete‑logarithm problem to recover s′, which is computationally infeasible for properly chosen parameters.

The authors also propose a deterministic, index‑based wallet design. By feeding a clear‑text string such as “order‑12345” into the same hash‑and‑multiply process, a customer can generate a unique address for each order without storing a large list of keys. Backup is reduced to preserving the original master public key and the indexing scheme.

Security analysis assumes: (a) the merchant’s master public key is distributed over a trusted channel, (b) the hash function is collision‑resistant (e.g., SHA‑256), and (c) the underlying group provides hard discrete‑logarithm problems. Under these assumptions the protocol resists man‑in‑the‑middle attacks, address tampering, and signature forgery. Moreover, because payment and receipt are combined into a single atomic blockchain transaction, there is no need for separate receipt issuance or verification.

While the paper focuses on Bitcoin, the construction is applicable to any cryptocurrency that uses key pairs with a homomorphic property, such as other ECC‑based coins. Adaptation would require mapping the derived public key to the specific address format of the target chain, but the core cryptographic idea remains unchanged.

In summary, the protocol leverages the homomorphic nature of ElGamal‑type keys to let customers generate contract‑specific payment addresses on the fly, turning the blockchain transaction itself into an immutable receipt. This simplifies the payment flow, removes reliance on trusted merchant infrastructure, and enhances privacy and security while preserving the transparency of public ledgers.