TAG explanation
On or around June 14, 2018, Matt explained the tag system to us and how it fits in with the WOTS+ addressing scheme that we use.
Tag Explanation
Okay, I feel like a jerk for putting tags in and not explaining them to literally anyone. Inside of the WOTS+ address there is a 12-byte field that was originally designed by Andreas Huelsing to be used as a reference pointer to where you could find the WOTS+ address in a XMSS wrapper. Now, that's neither here nor there - those 12 bytes allow us to embed information of our choosing in an address and are ultimately why we chose WOTS+ versus SPHINCS (notwithstanding some decreased size considerations).

The purpose of the TAG is to allow the blockchain to retain an identity chain for a series of one-time-use addresses that works like this: a tag, when bound to one WOTS+ address in the blockchain, can never be claimed by anyone else. Additionally, that tag can only be transferred to the Change address of a transaction that is signed by the owner of the source address that is tagged.

Now the secret sauce comes when we have a lookup operation that the wallet can perform that goes something like: User A wants to send money to User B. Their wallet asks a node to look in the blockchain and answer the question: What is the WOTS+ address associated with this 12-byte tag value? The node replies, it's XYZ right now. And the wallet says, "okay, I'll send the transaction to XYZ". Now, once User B (the owner of XYZ) SPENDS that address if they so choose, the tag can migrate to their CHANGE address. Next time someone asks "What is the WOTS+ address associated with this tag", the new one-time-use address will be returned.

In this way, we can retain the post-quantum security of a one-time-use address, but users can also share a tag that never changes where people can always send them money. This is projected to be very helpful in allowing people to use Mochimo for commerce, donations or even person-to-person transactions, since sharing a 12-byte tag is hella easier than sharing a 2208-byte address that can only ever be spent once.
Our addresses are flexible in a way that no other addresses are (or will be, because Tags are patented). With address tags, the wallet and the server can be agnostic to the underlying digital signature algorithm. I did this to make sure that we are never in the position that Bitcoin is in, which is having a compromised DSA that requires prohibitive development to re-engineer. While our actual cryptographic key pairs are 2208 bytes long, the tag obscures that information from the end users, and we need only exchange 24-character address tags to send/receive money. Those tags are "bound" to the current active one-time-use WOTS address, and they migrate to the "new" one-time-use WOTS address as addresses are spent. That binding happens on-chain. A source address, when tagged, will have its tag migrate to the "change address" of the transaction.
Exchange Scenario
So from any exchange's perspective, to answer your question, the logic of their wallets would be as follows:
1. Create and register a new tag for each customer.
2. Maintain that tag from transaction to transaction using the SRC->CHG binding functionality already built into the ledger.
3. When the exchange wants to send to the user, make use of the typical OP_RESOLVE API call to get the current bound address.
4. When the user wants to receive externally to their exchange-held wallet, the exchange will present the user with their 24-character TAG and that is what the user will use now (and always) to receive coins on. The underlying WOTS+ addresses never need to be exposed to the end user.
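A toy ledger model of the tag rules described above (an added example, not Mochimo's own code): it shows a tag being registered for a customer, migrating SRC->CHG on a spend, being looked up with a resolve call, and a second party's attempt to claim an existing tag being rejected. Assumptions made for the example: addresses are shortened to a hash plus a trailing 12-byte tag field, an all-zero tag field means "untagged", a secret-matching check stands in for WOTS+ signature verification, and the class and function names are invented.

```python
import hashlib

TAG_LEN = 12
UNTAGGED = bytes(TAG_LEN)  # toy assumption: an all-zero tag field means "no tag"

def make_address(secret: bytes, tag: bytes = UNTAGGED) -> bytes:
    """Toy one-time address: a hash stands in for the WOTS+ public key and the
    trailing 12 bytes are the tag field (real addresses are 2208 bytes)."""
    return hashlib.sha256(secret).digest() + tag

def tag_of(addr: bytes) -> bytes:
    return addr[-TAG_LEN:]

class Ledger:
    def __init__(self):
        self.bindings, self.spent = {}, set()  # tag -> holder address; spent SRCs

    def resolve(self, tag: bytes) -> bytes:
        """OP_RESOLVE stand-in: the address a payer should send to for this tag now."""
        return self.bindings[tag]

    def apply_tx(self, src: bytes, dst: bytes, chg: bytes, secret: bytes) -> None:
        """Validate a SRC -> DST transaction; coins go to DST, SRC's tag to CHG."""
        # Stand-in for WOTS+ verification, plus the one-time-use rule.
        if make_address(secret, tag_of(src)) != src or src in self.spent:
            raise ValueError("bad signature or one-time address already spent")
        tag = tag_of(src)
        if tag != UNTAGGED:
            # A bound tag can only migrate from its holder to the change address.
            if self.bindings.get(tag) != src or tag_of(chg) != tag:
                raise ValueError("tag may only move from its holder to CHG")
            self.bindings[tag] = chg
        elif tag_of(chg) != UNTAGGED:
            # Untagged SRC with a tagged CHG registers a new tag, unless already owned.
            if tag_of(chg) in self.bindings:
                raise ValueError("tag already claimed by another address")
            self.bindings[tag_of(chg)] = chg
        self.spent.add(src)

def exchange_scenario() -> dict:
    """Register a customer tag, spend once so it migrates, then reject a tag grab."""
    ledger, tag = Ledger(), b"customer0001"  # constructed 12-byte tag
    ex1 = make_address(b"ex-secret-1", tag)
    ledger.apply_tx(make_address(b"ex-secret-0"), make_address(b"other"), ex1, b"ex-secret-0")
    first = ledger.resolve(tag)  # payers are told to send to ex1
    ex2, user = make_address(b"ex-secret-2", tag), make_address(b"user-secret", b"userwallet01")
    ledger.apply_tx(ex1, user, ex2, b"ex-secret-1")  # coins leave, tag stays with the exchange
    try:
        ledger.apply_tx(make_address(b"thief"), user, make_address(b"thief-chg", tag), b"thief")
        stolen = True
    except ValueError:
        stolen = False
    return {"first": first, "second": ledger.resolve(tag), "ex1": ex1, "ex2": ex2, "stolen": stolen}
```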
What's cool about this whole system is that future iterations of Mochimo can have multiple DSA support, and people can still use their original TAGs. The mechanics of how the ledger records and manipulates the tags won't care if we're binding your tag to a WOTS address or to whatever DSA future generations might imagine. This will allow for the smooth integration of new digital signature algorithms in a future where quantum computers are being replaced by Quantum-Quantum computers or whatever the thing is that we thought would never exist.
The tag is interesting because it allows the tag-owner to have permanent ownership of it. In network parlance you could say the tag is within a single administrative domain. If you wanted to transition your coins off of the exchange, you'd send them to a Destination address that you own. That Destination address could be tagged or untagged, whatever you prefer. In current mercantile use of crypto addresses if you use an exchange address you are already aware that you do not "own" that address, since you don't have keys for it. When you have coins on an exchange THEY own the address. This is true beyond just MCM. It's their address, they have the secret key for it. Likewise, they own the tag.
When you want to send your MCM to "yourself", really you are taking possession of those coins for the first time. In that case the Tag doesn't leave the exchange - it goes to the exchange's change address. The COINS leave that address and come to you.

SRC-ADDRESS -> DST-ADDRESS, CHG-ADDRESS

You are the Destination address. Your Destination address will probably be tagged, and owned inside of a wallet you wholly control. Your account on the exchange still has your original tag. The 15 MCM are in your wallet with whatever tag you created there. If you want to send the 15 MCM back to the exchange, you send it back to the original tag the exchange created for you, since it has migrated to the new WOTS address.
There's this interesting misconception about Mochimo floating around out there... "Mochimo addresses are one-time use, how is that ever going to work, blah blah..." Literally, this Tag system is super easy to use and pretty intuitive - in fact when we stop calling Tags Tags, and just refer to them as people's addresses, future MCM users won't even know there's an underlying WOTS address. That's all a matter of positioning the communication/marketing of the thing. Address tags are pretty much the best possible answer to post-quantum secure digital signatures... the other bullshit you see out there is subject to side-channel attacks and other attacks, or is just so slow it can never scale for any practical use on a blockchain (like XMSS). "We can sign multiple times with our XMSS, blah blah..." yah, okay have fun with your network-wide 5 TPS.