From Mochimo Wiki
Jump to: navigation, search

Instead of static addresses, Mochimo uses customizable tags. These serve as a reference pointer for the disposable WOTS+ addresses. Once a user has a tag neither they, nor the people they transact with, need to know what the WOTS+ address in the ledger is.

These tags are all 24 characters long and generated from the hexadecimal base, which means they can contain numbers from 0 to 9 and letters a to f.

A user can also create their own, custom tag.

How tags work

Inside of the WOTS+ address, there is a 12-byte field that was originally designed by Andreas Huelsing to be used as a reference pointer to where you could find the WOTS+ address in a XMSS wrapper. Now, that's neither here or there - those 12 bytes allow us to embed information of our choosing in an address and is ultimately why we chose WOTS+ versus SPHINCS (notwithstanding some decreased size considerations). The purpose of the TAG is to allow the blockchain to retain an identity chain for a series of one-time-use addresses that works like this: A tag, when bound to one WOTS+ address in the blockchain can never be claimed by anyone else. Additionally, that tag can only be transferred to the Change address of a transaction that is signed by the owner of the source address that is tagged.

Now the secret sauce comes when we have a lookup operation, that the wallet can perform, that goes something like:

 User A wants to send money to User B.
 Their wallet asks a node to look in the blockchain and answer the question "What is the WOTS+ address associated with this 12-byte tag value?"
 The node replies, "It's XYZ right now."
 And the wallet says, "Okay, I'll send the transaction to XYZ."
 Now, once User B (the owner of XYZ) SPENDS that address, if they so choose, the tag can migrate to their CHANGE address.
 Next time someone asks "What is the WOTS+ address associated with this tag?", a one-time use address will be returned.

In this way, we can retain the post-quantum security of a one-time use address, but users can also share a tag that never changes, where people can always send them money. This is projected to be very helpful in allowing people to use Mochimo for commerce, donations or even person to person transactions, since sharing a 12-byte tag is hella easier than sharing a 2208-byte address that can only ever be spent once.

Our addresses are flexible in a way that no other addresses are (or will be, because Tags are patented). With address tags, the wallet and the server can be agnostic to the underlying digital signature algorithm. I did this to make sure that we are never in the position that Bitcoin is in. Which is having a compromised DSA that requires prohibitive development to re-engineer. While our actual cryptographic key pairs are 2208 bytes long, the tag obscures that information from the end-users, and thus we only need to exchange 24-character address tags to send or receive money. Those tags are "bound" to the current active one-time-use WOTS address, and they migrate to the "new" one-time-use WOTS address as addresses are spent. That binding happens on-chain. A source address when tagged will have its tag migrate to the "change address" of the transaction.

What's cool about this whole system is, that future iterations of Mochimo can have multiple DSA support, and people can still use their original tags. The mechanics of how the ledger records and manipulates the tags won't care if we're binding your tag to a WOTS address or to whatever DSA future generations might imagine. This will allow for the smooth integration of new digital signature algorithms in a future, where quantum computers are being replaced by Quantum-Quantum computers or whatever the thing is that we thought would never exist.

The tag is interesting because it allows the tag-owner to have permanent ownership of it. In network parlance, you could say the tag is within a single administrative domain. If you wanted to transition your coins off of the exchange, you'd send them to a Destination address that you own. That Destination address could be tagged or untagged, whatever you prefer. In current mercantile use of crypto addresses if you use an exchange address you are already aware that you do not "own" that address, since you don't have keys for it. When you have coins on an exchange THEY own the address. This is true beyond just MCM. It's their address, they have the secret key for it. Likewise, they own the tag.

Exchange Scenario

So from any exchange's perspective, the logic of their wallets would be as follows:

  1. Create and register a new tag for each customer.
  2. Maintain that tag from transaction to transaction using the SRC->CHG binding functionality already built into the ledger.
  3. When the exchange wants to send to the user, make use of the typical OP_RESOLVE API call to get the current bound address.
  4. When the user wants to receive externally to their exchange held wallet, the exchange will present the user with their 24-character TAG and that is what the user will use now (and always) to receive coins on. The underlying WOTS+ addresses never need to be exposed to the end-user.

When you want to send your MCM to "yourself", what you are really doing is taking possession of those coins for the first time. In that case, the tag doesn't leave the exchange - it goes to the exchange's change address. The coins leave that address and come to you. SRC-ADDRESS DST-ADDRESS CHG-ADDRESS You are the Destination address. Your Destination address will probably be tagged and owned inside of a wallet you wholly control. Your account on the exchange still has your original tag. The 15 MCM are in your wallet with whatever tag you created there. If you want to send the 15 MCM back to the exchange, you send it back to the original tag the exchange created for you, since it has migrated to the new WOTS address.

There's this interesting misconception about Mochimo floating around out there... "Mochimo addresses are one-time use, how is that ever going to work, blah blah..." This tag system is really easy to use and pretty intuitive - in fact, when we stop calling tags Tags, and just refer to them as people's addresses, future MCM users won't even know there's an underlying WOTS address. That's all a matter of positioning the communication and marketing of the thing. Address tags are pretty much the best possible answer to post-quantum secure digital signatures... the other stuff you see out there is subject to side-channel attacks and other attacks or is just so slow it can never scale for any practical use on a blockchain (like XMSS). "We can sign multiple times with our XMSS, blah blah..." yah, okay have fun with your network-wide 5 TPS.