Hi James, m is the message to be signed  . The signature is the pair (r, s). Andrew tricky! m for message e = sha256(m || (αG + βG)) ok so m can just be sha256(msg) and the "||" presumably can be XOR, so: e = sha256(sha256(msg) ^ (αG + βG)) then if the following three are just normal 256 bit arithmetic: (α - xe) (β - ye) (s' + s'') the only missing piece is how to calculate (αG - βG), it seems it is just one point not two and in the code it was {9} for the keypair calculation, so if it is as simple as just using {9} then I can code up something that tests this James |
|
|
|
Hi James, It seems like are a few misunderstandings here. Let me start with some background. It is easier to explain what's going on if we abstract a bit: let's start by defining a group. A group is simply a set with an operation (called +), some set element 0 such that 0 + x = x + 0 = x for all x in the group, and a unary operation - such that x + (-x) = 0 for all x in the group. So, the integers with addition are a group (as are the reals, rationals, etc), the reals with multiplication are a group, the set of invertible nxn matrices are a group under matrix multiplication, etc. An important group in cryptography is an elliptic curve group, which is a group whose elements are pairs (x, y) of numbers which satisfy an elliptic curve equation. Addition is defined in a bit of a funny way, but there is a Wikipedia page on it that is interesting. What's important about these groups for cryptography is the following: given a group element G, you can "multiply" by an integer n by adding G to itself n times. (If n is negative, add -G to itself -n times.) It turns out that if you fix an element G in some group, then take all the elements {nG} for integers n, this set is itself a group such that (nG) + (mG) = (n + m)G. It's a true statement that given any nonzero elements in this group, say P and Q, there is always some number n such that P = nQ. But for elliptic curve group, there is the so-called "discrete logarithm assumption" which says that actually calculating n is very hard. There is also the "Diffie-Hellman" assumption which says that given nG, mG in the group, it is hard to calculate nmG. (Of course, if you know n or m, it's easy to calculate. This is why the "shared secret" scheme you described is efficiently computable by the participants, and the Diffie-Hellman assumption is why it is a secret.) So...everywhere you say Curve25519(n, G), you really mean nG, where G is some element in the elliptic curve group defined by djb's curve25519 curve. Where you say Curve25519(A, B) where both A and B are elements .... I don't know what you mean. Can you clarify what you are actually computing here? It is possible you are interpreting curvepoints as numbers without realize it, in which case you should use a better programming language that has a type system. (In particular, C is has a very weak type system and djb's code uses char* for everything, which is an asinine thing to do in public code with subtle operation. But possibly it compiles to faster code than it would if he'd used wrapper structs..) It is possible to convert a group element to a number, e.g. by choosing a binary encoding, hashing this, and interpreting the hash as a number. Now, shared secrets are not really useful for building multisignature schemes. They let you build 1-of-N signatures (every party who has the secret is able to sign) but nothing stronger. The reason is that any party who knows the shared secret is able to use this to sign arbitrary messages. As an example of an actual multisig scheme, I will show how to construct a N-of-N multisig Schnorr signature. The semantics will be that as long as all parties agree to sign a specific message, they are able to form a signature on that message. However, no individual will see enough secret material to form signatures or her own, or even with the cooperation of (fewer than N) other members. djb's ed25519 signature scheme is based off the standard Schnorr signature, but has some changes to allow efficient batch validation. I don't recall what these changes are (and don't have the paper with me on the bus that I'm typing this from), so I'm not sure if this is directly applicable .... but it is illustrative in any case. So here it is: Suppose we have a public key P, and let G be a generator of some elliptic curve group, and let H be a hash function. A standard Schnorr signature is a pair (s, e) of numbers which satisfy the following relation: if R = eP + sG then e = H(m || R). It is possible to create such a signature if you know x such that xG = P (so x is the secret key here, and the "discrete logarithm assumption" above is why it is secret even though P is public), by the following mechanism: choose random secret k and compute R = kG; then set e = H(m||R) and s = k - xe. The signature is (s, e). Given some very strong assumptions on the hash function (that it is a opaque mystical source of uniformly random numbers except that it returns the same output when given same input), we can prove that any algorithm which forges Schnorr signatures can be extended to extract the secret key. So given such a hash function, forging Schnorr signatures is as hard as the discrete log problem. Now, the question is: how can we make a 2-of-2 signature? One idea, as you suggested, is to use a shared secret: users have secret values x and y and form a private key from (a hash of) xyG. The problem with this is as mentioned: both parties knows the whole secret, so they can both form signatures on their own. So this is really a 1-of-2 multisig scheme. To get 2-of-2, we need to be a bit more clever. Here is a protocol: 0. Suppose we have two keypairs (x, xG) and (y, yG) belonging to parties A and B. We will show how to construct a signature with the "2-of-2" key (x + y, (x + y)G). 1. Both parties choose secret random numbers. Call A's secret α and B's secret β. A sends αG to B, and B sends βG to A. Now both parties can compute R = αG + βG = (α + β)G, and they compute e = H(m||R). 2. A computes s' = α - xe and B computes s'' = β - ye, and they send these to each other. Then both compute s = s' + s''. Now (s, e) is a signature of m on public key (x + y)G, which required both parties' cooperation to form, but neither party gained enough information to produce such a signature alone. It's a worthwhile exercise to (a) verify that the standard Schnorr signature k - xe actually satisfies the relation (e = H(m||R) where R = sG + eP) that I claimed it did, and (b) so does the 2-of-2 version. This isn't really an answer to your question, but I hope it sheds some light on things. Andrew yes! this makes it a lot clearer, but still struggling to map all these operations to the C code. I was treating the curve25519 function as a blackbox that I thought was doing a field operation, but it was doing a lot of things with some bytes being polynomials, encoded or not and others being numbers: curve25519_donna(u8 *mypublic, const u8 *secret, const u8 *basepoint) {
limb bp[5], x[5], z[5], zmone[5];
uint8_t e[32];
int i;
for (i = 0;i < 32;++i) e[i] = secret[i];
e[0] &= 248;
e[31] &= 127;
e[31] |= 64;
fexpand(bp, basepoint);
cmult(x, z, e, bp);
crecip(zmone, z);
fmul(z, x, zmone);
fcontract(mypublic, z);
}
It seems curve25519(A,B) makes no sense and it can only be used for nG So to code your protocol: 0. Suppose we have two keypairs (x, xG) and (y, yG) belonging to parties A and B. We will show how to construct a signature with the "2-of-2" key (x + y, (x + y)G).
1. Both parties choose secret random numbers. Call A's secret α and B's secret β. A sends αG to B, and B sends βG to A.
I believe G is represented by {9} (x, xG) and (y, yG) are the standard curve25519(x,G) and curve25519(y,G) keypairs I think I need to use the cmult function to make αG and βG: /* Calculates nQ where Q is the x-coordinate of a point on the curve
*
* resultx/resultz: the x coordinate of the resulting curve point (short form)
* n: a little endian, 32-byte number
* q: a point of the curve (short form)
*/
static void cmult(limb *resultx, limb *resultz, const u8 *n, const limb *q)
A would generate a random 256 bits -> α and sends cmult(x,z, α,G) to B B generates his random 256 bits -> β and sends cmult(x,z, β,G) to A now both A and B can calculate (αG + βG) Now both parties can compute R = αG + βG = (α + β)G,
, but I am not sure how exactly to do this, there is a "fmonty" function: /* Input: Q, Q', Q-Q'
* Output: 2Q, Q+Q'
*
* x2 z3: long form
* x3 z3: long form
* x z: short form, destroyed
* xprime zprime: short form, destroyed
* qmqp: short form, preserved
*/
static void
fmonty(limb *x2, limb *z2, /* output 2Q */
limb *x3, limb *z3, /* output Q + Q' */
limb *x, limb *z, /* input Q */
limb *xprime, limb *zprime, /* input Q' */
const limb *qmqp /* input Q - Q' */)
I think Q can be αG and Q' βG, but not sure how to get the third input (Q-Q') or (αG - βG), looking at the code it looks like it could be simply G {9}? and they compute e = H(m||R).
I assume H can be sha256 and both A and B can compute R = αG + βG e = sha256(m || (αG + βG)) and m is the signature, but I am totally confused by the following: 2. A computes s' = α - xe and B computes s'' = β - ye, and they send these to each other. Then both compute s = s' + s''.
The signature is two numbers s and e, but m is the signature and it is inside the hash function. sha256((s,e) || (αG + βG)) ?? have no idea how to do this. Assuming somehow e can be calculated, then there is the final question of these addition, mult and subtractions: A (α - xe) = s' -> B B (β - ye) = s'' -> A and the s = s' + s'' Maybe these are normal numbers and normal arithmetic can be used? I apologize for probably super simply misunderstanding, but at least now I see a lot better the type of thing that is going on. James P.S. Thank you very much for a super informative post! |
|
|
|
Thanks for the updates James. Really excited to see SuperNET in action! I assume the price will jump quite a bit once people see it working and in the wild.
I concentrate on increasing the value. The price, it goes up and down and cant be directly controlled. however, by creating more and more tech which can be used to create more and more useful end user solutions, the value of SuperNET will continue to grow. The price will oscillate around the value James Hi James, Thanks for creating the superNET and teleport.   SuperNET and teleport are both very unique and exceptional project . Your name will be recorded in the history of cryptography sciences . Thanks for your support! I am not a cryptographer, but I do have a knack for doing creating things with existing tools. The whole deaddrop routing I think is quite significant as I cant figure out how it can be attacked. once the network gets a critical mass of activity, it will look like everybody is sending to everybody, which is the same as nobody sending anything. As close to white noise as can be. I am having cassius write up a paper to explain the whole deaddrop method using DHT and n-space equidistant addresses James |
|
|
|
|
just pushed a new version with the deaddrop coded (but not tested yet) and a new SuperNET.conf field "debug"
if you like all the printouts just set "debug":1 or 2
James
|
|
|
|
Quoted from J1777 post above:
Anyway, I am glad 5000bitcoins is open minded enough to actually learn about SuperNET before making any decisions. Does any other network allow routing to an address without any node actually knowing its IP address (without broadcasting)? This is just one feature of SuperNET and it is continually being improved.
I dont think that James realizes that Crypti is not meant to be in any way an anonymous network. Crypti is to have VERIFIED MERCHANTS. The process is still in debate for verification, but it will be complete enough so that a user will be absolutely sure who they are sending their coins to, and they will have an opportunity to call back the transaction within a certain time limit. There is even plans for in-wallet escrow services.
How would he integrate XCR, designed to be anonymous-proof, onto a network that has anonymity "that is continually being improved?"
anonymity from people you want to stay anonymous from people you transact with will of course know each other, and verifiably so you can always not use the anon features if you really want govt workers to be reading all your internet usage James P.S. maybe crypti's unique feature can be that it does everything in cleartext |
|
|
|
I am curious how "The whole SuperNet functionality can be replicated by Crypti's custom block chain support when it rolls out." is possible when SuperNET doesnt have a blockchain.
It seems that you do not really understand SuperNET as it is a way to connect different coins to each other and this can only be done via offchain. You do realize SuperNET is not a coin?
James
I realize that SuperNET is not a coin, nor does it have a blockchain, but are you sure that the only way that it can be done is offchain? Is it not possible at all to replicate SuperNET with blockchain support? Let's say for example when Ethereum launches (Ethereum's platform is described similarly to Crypti's custom block-chain support), are you absolutely sure that that a network similar to SuperNET can't be created via a custom blockchain, and linked with its own blockchain with coins used as the "fuel" for the system to perform arbitrary actions? Those arbitrary actions being the connections made between different coins. Since one of the privacy features of SuperNET is not having a blockchain that is permanently there for alltime and for everyone to be able to process it, yes I am sure that using a blockchain to replicate the non-blockchain aspect of SuperNET is not possible also SuperNET is a self-reinforcing financial engine that reinvests revenue into its participating coin communities. I guess it is possible to set this up with some sort of DAC, but will it be setup? That is the question. Anyway, if you dont want to be part of SuperNET, that is fine James Okay, technicalities aside, on the financial front, to become a part of SuperNET, any coin has to "surrender" 10% of it's total supply. Don't you think that it's quite a huge ask for a coin to give away 10% of its total supply, only to join a network where it will experience a few tiny benefits from other coins, all of which are probably leeching off other coins on SuperNET to maintain their own userbases. To me SuperNET seems like a network of shitcoins (plain and simple), bringing together their, mostly useless features, to try and rival other big-currencies in the crypto-space. Let me know when coins like Ethereum, MaidSafe, BitShares X and Peercoin join SuperNET, which of course will never happen. #Take note this is my personal opinion and does not reflect that of the Crypti Team, of which I am not a part ofWulf I like you but, you haven't done your due dilligence on the matter, and can't speak for the whole community in that sense either. That being said XCR can't compare to coins in the top 20s or coins/projects that raised millions of dollars (yet). To me SuperNET seems like a network of coins taking advantages over others to strengthen their networks because the ulterior goal is to break midcap and go top. What Crypti needs is exposure, userbase, forgers, contributors to appreciate it's innovations If Crypti connects to Supernet, it does not become "CryptiSuperNet" or labelled in the same section as Vericoin. I tihnk you get the idea a little twisted, that's all. It's more of a suppliment. Just like we don't become Storj by partnering up with them but strengthen both bases. At the high level SuperNET is to crypto coins like the Internet is to websites. Just because two different websites are both on the internet, does not make either website the same as the other, nor does it make either website the internet. The multisig, DHT and MofN filesystem was all created in the last 10 days, so it is rapidly expanding. Here is the current SuperNET API: // multisig static char *cosign[] = { (char *)cosign_func, "cosign", "V", "otheracct", "seed", "text", 0 }; static char *cosigned[] = { (char *)cosigned_func, "cosigned", "V", "seed", "result", "privacct", "pubacct", 0 }; // Kademlia DHT static char *ping[] = { (char *)ping_func, "ping", "V", "pubkey", "ipaddr", "port", "destip", 0 }; static char *pong[] = { (char *)pong_func, "pong", "V", "pubkey", "ipaddr", "port", 0 }; static char *store[] = { (char *)store_func, "store", "V", "pubkey", "key", "name", "data", 0 }; static char *findvalue[] = { (char *)findvalue_func, "findvalue", "V", "pubkey", "key", "name", "data", 0 }; static char *findnode[] = { (char *)findnode_func, "findnode", "V", "pubkey", "key", "name", "data", 0 }; static char *havenode[] = { (char *)havenode_func, "havenode", "V", "pubkey", "key", "name", "data", 0 }; static char *havenodeB[] = { (char *)havenodeB_func, "havenodeB", "V", "pubkey", "key", "name", "data", 0 }; static char *findaddress[] = { (char *)findaddress_func, "findaddress", "V", "refaddr", "list", "dist", "duration", "numthreads", 0 }; // MofNfs static char *savefile[] = { (char *)savefile_func, "savefile", "V", "filename", "L", "M", "N", "usbdir", "password", 0 }; static char *restorefile[] = { (char *)restorefile_func, "restorefile", "V", "filename", "L", "M", "N", "usbdir", "password", "destfile", "sharenrs", "txids", 0 }; static char *sendfile[] = { (char *)sendfile_func, "sendfile", "V", "filename", "dest", "L", 0 }; // privacyNetwork and comms static char *getpeers[] = { (char *)getpeers_func, "getpeers", "V", "only_privacyServer", 0 }; static char *sendmsg[] = { (char *)sendmsg_func, "sendmessage", "V", "dest", "msg", "L", 0 }; static char *sendbinary[] = { (char *)sendbinary_func, "sendbinary", "V", "dest", "data", "L", 0 }; static char *checkmsg[] = { (char *)checkmsg_func, "checkmessages", "V", "sender", 0 }; // Teleport static char *maketelepods[] = { (char *)maketelepods_func, "maketelepods", "V", "amount", "coin", 0 }; static char *teleport[] = { (char *)teleport_func, "teleport", "V", "amount", "dest", "coin", "minage", "M", "N", 0 }; static char *telepod[] = { (char *)telepod_func, "telepod", "V", "crc", "i", "h", "c", "v", "a", "t", "o", "p", "k", "L", "s", "M", "N", "D", 0 }; static char *transporter[] = { (char *)transporter_func, "transporter", "V", "coin", "height", "minage", "value", "totalcrc", "telepods", "M", "N", "sharenrs", "pubaddr", 0 }; static char *transporterstatus[] = { (char *)transporterstatus_func, "transporter_status", "V", "status", "coin", "totalcrc", "value", "num", "minage", "height", "crcs", "sharei", "M", "N", "sharenrs", "ind", "pubaddr", 0 }; // InstantDEX static char *respondtx[] = { (char *)respondtx_func, "respondtx", "V", "signedtx", 0 }; static char *processutx[] = { (char *)processutx_func, "processutx", "V", "utx", "sig", "full", 0 }; static char *orderbook[] = { (char *)orderbook_func, "orderbook", "V", "obookid", "polarity", "allfields", 0 }; static char *getorderbooks[] = { (char *)getorderbooks_func, "getorderbooks", "V", 0 }; static char *placebid[] = { (char *)placebid_func, "placebid", "V", "obookid", "polarity", "volume", "price", "assetA", "assetB", 0 }; static char *placeask[] = { (char *)placeask_func, "placeask", "V", "obookid", "polarity", "volume", "price", "assetA", "assetB", 0 }; static char *makeoffer[] = { (char *)makeoffer_func, "makeoffer", "V", "other", "assetA", "qtyA", "assetB", "qtyB", "type", 0 }; // Tradebots, "code" is C code passed in to be interpreted static char *tradebot[] = { (char *)tradebot_func, "tradebot", "V", "code", 0 }; The SuperNET provides useful API that works across coin networks and each coin can also create its own set of API to be bundled with the SuperNET reference release. All of this gets put into a single user friendly GUI where users can access all the various functionality. Kind of like google letting to find all the relevant sites. James |
|
|
|
I am curious how "The whole SuperNet functionality can be replicated by Crypti's custom block chain support when it rolls out." is possible when SuperNET doesnt have a blockchain.
It seems that you do not really understand SuperNET as it is a way to connect different coins to each other and this can only be done via offchain. You do realize SuperNET is not a coin?
James
I realize that SuperNET is not a coin, nor does it have a blockchain, but are you sure that the only way that it can be done is offchain? Is it not possible at all to replicate SuperNET with blockchain support? Let's say for example when Ethereum launches (Ethereum's platform is described similarly to Crypti's custom block-chain support), are you absolutely sure that that a network similar to SuperNET can't be created via a custom blockchain, and linked with its own blockchain with coins used as the "fuel" for the system to perform arbitrary actions? Those arbitrary actions being the connections made between different coins. Since one of the privacy features of SuperNET is not having a blockchain that is permanently there for alltime and for everyone to be able to process it, yes I am sure that using a blockchain to replicate the non-blockchain aspect of SuperNET is not possible also SuperNET is a self-reinforcing financial engine that reinvests revenue into its participating coin communities. I guess it is possible to set this up with some sort of DAC, but will it be setup? That is the question. Anyway, if you dont want to be part of SuperNET, that is fine James Okay, technicalities aside, on the financial front, to become a part of SuperNET, any coin has to "surrender" 10% of it's total supply. Don't you think that it's quite a huge ask for a coin to give away 10% of its total supply, only to join a network where it will experience a few tiny benefits from other coins, all of which are probably leeching off other coins on SuperNET to maintain their own userbases. To me SuperNET seems like a network of shitcoins (plain and simple), bringing together their, mostly useless features, to try and rival other big-currencies in the crypto-space. Let me know when coins like Ethereum, MaidSafe, BitShares X and Peercoin join SuperNET, which of course will never happen. #Take note this is my personal opinion and does not reflect that of the Crypti Team, of which I am not a part ofYou really are clueless about SuperNET, I am glad you are not part of any official crypti team. SuperNET purchases the 10% stake and this is a way to create mutual financial linkages. Anyway, I am glad 5000bitcoins is open minded enough to actually learn about SuperNET before making any decisions. Does any other network allow routing to an address without any node actually knowing its IP address (without broadcasting)? This is just one feature of SuperNET and it is continually being improved. If crypti has valuable features for users and a gateway that links SuperNET to crypti is made, will that make crypti a shitcoin? Using your logic any coin that is networked to SuperNET becomes a shitcoin, so what if bitcoin is linked in? Please do some homework before making invalid conclusions, at least in that case you are making a mistake, which is understandable. James |
|
|
|
If a packet falls into a dead drop, did anybody decrypt it?
I am coding group deaddrops and random packet injection the deaddrop addresses will be shared by the nodes that are close to it, so just knowing the deaddrop address used (not easy) will not help much. It will also allow all the nodes to be mining these deaddrop addresses! the one loose end is the node that starts the DHT, it is possible for the traffic pattern to indicate which node started a particular DHT request. At least that is what I would do to try to figure out who is doing what. The solution is to use the onion routing to randomly pick a node that will inject the DHT request. Since the onion packets will include DHT traffic and non-DHT traffic and they are all the same size, it seems that packet analysis will not be very useful. Did I miss anything? James |
|
|
|
running some simulations and when we get to ~500 nodes, within a few minutes I am finding a deaddrop address that has the exact distance to ~20 nodes. this is at distance 24, which I believe is about 1/256 of total nodes and with a K factor of 7 even without any special relaxing of distance requirements, the packets will automatically arrive at your IP Are you going to be looking for people to contribute hardware/bandwidth for masternodes? there are no masternodes every wallet will be equal, it is totally decentralized The BTCD community is financing 50 to 100 VPS that will be community nodes and any additional nodes will be much appreciated! Things are rapidly evolving, but you can get the current version from https://github.com/jl777/btcdit is only for linux now, windows and mac builds are being worked on by others James |
|
|
|
I am curious how "The whole SuperNet functionality can be replicated by Crypti's custom block chain support when it rolls out." is possible when SuperNET doesnt have a blockchain.
It seems that you do not really understand SuperNET as it is a way to connect different coins to each other and this can only be done via offchain. You do realize SuperNET is not a coin?
James
I realize that SuperNET is not a coin, nor does it have a blockchain, but are you sure that the only way that it can be done is offchain? Is it not possible at all to replicate SuperNET with blockchain support? Let's say for example when Ethereum launches (Ethereum's platform is described similarly to Crypti's custom block-chain support), are you absolutely sure that that a network similar to SuperNET can't be created via a custom blockchain, and linked with its own blockchain with coins used as the "fuel" for the system to perform arbitrary actions? Those arbitrary actions being the connections made between different coins. Since one of the privacy features of SuperNET is not having a blockchain that is permanently there for alltime and for everyone to be able to process it, yes I am sure that using a blockchain to replicate the non-blockchain aspect of SuperNET is not possible also SuperNET is a self-reinforcing financial engine that reinvests revenue into its participating coin communities. I guess it is possible to set this up with some sort of DAC, but will it be setup? That is the question. Anyway, if you dont want to be part of SuperNET, that is fine James |
|
|
|
I contacted jl777, awaiting response on a few things first before publishing my full view on what XCR stands to gain or lose by joining SuperNet, also I have a possible venture correlating with XCR that may apply to both projects
Today,
#1 Where are we in terms of Poloniex / Cryptsy update?
#2 Mintpal + Bittrex adds?
#3 Gambling sites / other things to spend XCR on & other ideas to spread out coins?
#4 Contact with Lin (BTER)
Yeah I know Mintpal but still if they ever get their shit together it's worth. Surely doesn't hurt being there.
When we get 1% lifted I urge people to start spreading coins around on some exchanges anyway, to get things on a roll.
Working on point #4 in my spare time, though was halted a bit with the network pauze. I see, how's it going, how do you contact him? I'll throw him a mail about it too 5000, with all due respect I really don't think that adding Crypti to SuperNet would be a good idea. In my opinion, I think Crypti is much bigger then SuperNet and can achieve far more than SuperNet. For comparison, I think Crypti requesting to be added to SuperNet, is kind of like Facebook requesting MySpace to allow users to log into MySpace with their Facebook account. Facebook is obviously the far bigger network and they don't need to ask MySpace to comply, MySpace will make the change on their own to get more users. When Crypti's Custom Blockchains launches, the whole of SuperNets functionality can be mirrored onto Crypti via a custom blockchain, rendering SuperNet useless. I know that you might think that being added to SuperNet might bring about more network activity, but in 6 months time when Custom Blockchain support is launched, you'll see that the possibilities are endless. Why add Crypti to an inferior network, when our own is far more powerful. Here is my previous response to this along with GreXX's
I couldn't agree more, but every second person is promoting that worthless network all over Bitcointalk.
I think the best thing the devs can do is simply be silent about Supernet, or at most, say it's under consideration for the future. Those who think shortterm may still get a minor price bump. Those who think longterm won't be stuck with it, if they don't want it. The smart thing is to simply wait and see how it works out. One thing promoters probably overlook is, what if supernet is a failure? You don't want some multicoin network dragging down the price of crypti. It's not automatically a price booster... it can go the other way too. What baffles me is that, the people who want Crypti to be added to SuperNet don't realise that Crypti doesn't need it at all. The whole SuperNet functionality can be replicated by Crypti's custom block chain support when it rolls out. Why do we need to be part of another coin's network when our own network already supports it and is more robust/powerful? How about instead of trying Crypti to get added to SuperNet, promote other coins to use Crypti's custom block chain support? You guys realise that custom block chains support leads to literally endless possibilities. I don't think the possibilities of the Crypti network and custom block chains will hit home for most until they are available and we start showing what is possible. People are ramped up about BTSX right now and other coins, but everything they do can be accomplished on top of the Crypti blockchain. Once people realize what we have done with the block chain technology, the tx fee reward system, how PoT works, and that merchants and those who support and use the network get rewarded, I think our overall vision will finally start to solidify. We wanted to create something fundamentally different. First we had to create a new core currency and system. Next we will create the ability for anyone to build anything they want on the back of this new and fundamentally different network (including financial instruments, stock, apps, services, etc), and then we finally will support all of it with an easy method to find, support, review, and utilize the merchant system that supports merchants, vendors, and those who love Crypti alike. Until the entire cohesive system is visible and people can touch and use it, there will be many who can't quite see the vision. For those who do get it, you know why we aren't following the daily price swings and aren't focused on the current price. I am curious how "The whole SuperNet functionality can be replicated by Crypti's custom block chain support when it rolls out." is possible when SuperNET doesnt have a blockchain. It seems that you do not really understand SuperNET as it is a way to connect different coins to each other and this can only be done via offchain. You do realize SuperNET is not a coin? James |
|
|
|
Thanks for the updates James. Really excited to see SuperNET in action! I assume the price will jump quite a bit once people see it working and in the wild.
I concentrate on increasing the value. The price, it goes up and down and cant be directly controlled. however, by creating more and more tech which can be used to create more and more useful end user solutions, the value of SuperNET will continue to grow. The price will oscillate around the value James |
|
|
|
This is pretty cool Today I happened to read this article: http://www.bbc.co.uk/news/technology-29567782in which the head of Europol's Cybercrime Centre says, "There is confusion among the good guys on the internet between anonymity and privacy. I don't think they are the same. I think that you have right to privacy but that doesn't mean that you have the right to anonymity." The increasing trend towards greater encryption of online communications is not acceptable, he said. "Imagine in the physical world if you were not able to open the trunk of a car if you had a suspicion that there were weapons or drugs inside... we would never accept this. "I think that should also count for the digital world. I hate to talk about backdoors but there has to be a possibility for law enforcement, if they are authorised, to look inside at what you are hiding in your online world." law enforcement can always simply break down your door and confiscate your computer and torture you to get you to divulge your passwords. What I am doing does not prevent this. law enforcement has to go through your physical door, no backdoors in any of my code! In any case this is non-communications as who did you really contact by sending packets to addresses that nobody actually uses? If a packet falls into a dead drop, did anybody decrypt it? James |
|
|
|
That is an entirely different level of crazy.
Way to go james!
couldnt sleep due to this idea! have to tweak the Kademlia DHT calls a bit as this was not part of the original method, but I almost have it solved The really cool part is that all this privacy of the IP<->account is extra protection as the telepods themselves are not directly linked to your published accounts. But what extra protection it is! Imagine you are trying to figure out who is sending packets to each other, this is really required to be able to make any sort of linkage. With the Internet, basically all comms are tagged with the IP address, so if the attacker has packet level data, then they can see who you are talking to. With encryption, they cant tell what you are saying, now they wont be able to tell who is talking to who. A. Alice and Bob publish their public keys to the cloud B. Alice and Bob exchange the deaddrop addresses (actually I have an improvement on this, but let us use B. for now) C. Alice and Bob send fragments of each packet to random deaddrop addresses D. All the nodes process these packets normally, but they end up in a dead end as no node actually uses these deaddrop addresses. Ideally the deaddrop addresses are equidistant from a large number of nodes, but they are random distances from Alice and Bob so the possible nodes that are Alice and Bob are dozens if not 100+, basically random guessing. E. It just so happens that both Alice and Bob's nodes were close enough (using XOR metric) so that their nodes processed at least M/N of the packets from C and decrypted them as they were handled. F. Attacker gets a new job For those who thought the DHT was a waste of time and a distraction from completing Teleport, please realize the magnitude of this breakthrough. Whatever extra time it takes (and it is not clear we will lose much time overall as Windows build, GUI and larger network are still not in place) will be well worth it as with this deaddrop level of privacy, it is safe to say that there is nothing that compares to this. At least nothing I am aware of. Maybe somebody knows of something remotely as good as this? Originally I didnt think I could actually solve this part of the puzzle, so I made the Teleport design strong enough in other parts so that even if the IP<->acct relation was leaked, it wouldnt matter. Before Teleport was dark, now it is invisible. I guess we got a cloaking device James P.S. I realize B is the weakest link now as this is the only "direct" contact between Alice and Bob, granted it is via onion routed same sized packets, but I have an idea to make this part invisible also. |
|
|
|
|
running some simulations and when we get to ~500 nodes, within a few minutes I am finding a deaddrop address that has the exact distance to ~20 nodes. this is at distance 24, which I believe is about 1/256 of total nodes and with a K factor of 7 even without any special relaxing of distance requirements, the packets will automatically arrive at your IP
The larger the distance, the easier it is to find matches. At bigger distances, 10% or even more of the sample set are exact matched. The good thing is that when the total network size is small, we can just cache all the nodes so big distance wont matter.
I also got it so that each node creates a list of addresses to match against and when the network is bigger, each node will hav a slightly different list it will be optimizing against.
It looks like we can have a set of deaddrop addresses that each have exact distance match to 10 to 100 public privacy servers and also decent distances to a lot of other nodes. Then we can choose 64 of these deaddrop addresses to establish a super secure link.
Since the only one that actually knows the IP address is the person running the node, I think that short of it being compromised there is no practical way of correlating your IP address. keep in mind that packets are sent to 64 different deaddrop addresses that dont really exist, so I am not sure how anybody would setup a sybil attack or any other attack to link your IP address to your acct.
Now even if somehow this info leaked, just knowing your acct # and IP address is still not enough as you would be transacting with telepods which themselves have no acct linked to you. Since people had a hard time understanding the simpler form of Teleport, I fear that few will be able to understand the new deaddrop approach. Hopefully somebody will provide some feedback on its weaknesses, if it has any.
I feel this is a fundamental improvement in privacy. In all prior versions, there was at least a statistical linkage of your acct # with IP address. Now, all that is happening is that packets are being sent to dead addresses so there is nothing to correlate. Other than the distances to the other nodes, but with the mining of equidistant addresses, this only gives a statistical correlation, and that is a dynamically changing thing, especially with the randomized sending of packets to the set of deaddrop addresses.
This is a bit of unexpected extra work, but the qualitative increase in privacy is well worth it. Not sure if you realize that this does the "impossible", routing packets to someone on the Internet (IP) without knowing their IP address and without broadcasting or wasting bandwidth.
Imagine being able to send email to someone without knowing their email address and without spamming everyone. This is on that level of crazy.
James
|
|
|
|
running some simulations and when we get to ~500 nodes, within a few minutes I am finding a deaddrop address that has the exact distance to ~20 nodes. this is at distance 24, which I believe is about 1/256 of total nodes and with a K factor of 7 even without any special relaxing of distance requirements, the packets will automatically arrive at your IP The larger the distance, the easier it is to find matches. At bigger distances, 10% or even more of the sample set are exact matched. The good thing is that when the total network size is small, we can just cache all the nodes so big distance wont matter. I also got it so that each node creates a list of addresses to match against and when the network is bigger, each node will hav a slightly different list it will be optimizing against. It looks like we can have a set of deaddrop addresses that each have exact distance match to 10 to 100 public privacy servers and also decent distances to a lot of other nodes. Then we can choose 64 of these deaddrop addresses to establish a super secure link. Since the only one that actually knows the IP address is the person running the node, I think that short of it being compromised there is no practical way of correlating your IP address. keep in mind that packets are sent to 64 different deaddrop addresses that dont really exist, so I am not sure how anybody would setup a sybil attack or any other attack to link your IP address to your acct. Now even if somehow this info leaked, just knowing your acct # and IP address is still not enough as you would be transacting with telepods which themselves have no acct linked to you. Since people had a hard time understanding the simpler form of Teleport, I fear that few will be able to understand the new deaddrop approach. Hopefully somebody will provide some feedback on its weaknesses, if it has any. I feel this is a fundamental improvement in privacy. In all prior versions, there was at least a statistical linkage of your acct # with IP address. Now, all that is happening is that packets are being sent to dead addresses so there is nothing to correlate. Other than the distances to the other nodes, but with the mining of equidistant addresses, this only gives a statistical correlation, and that is a dynamically changing thing, especially with the randomized sending of packets to the set of deaddrop addresses. This is a bit of unexpected extra work, but the qualitative increase in privacy is well worth it. A key thing to realize is that all of the SuperNET just gets this level of privacy for all comms James |
|
|
|
|
pushed new version with bugfixes and is a bit incompatible with new version
please update with:
./m_unix
|
|
|
|
|
Each node runs a public IP privacy server. this means people will be able to link your IP to your servers' NXT acct number, so it is suggested to just use an acct without anything in it, maybe a few NXT just so you can lock it in as yours.
This IP/acct will then participate in the DHT routing for all SuperNET packets.
To transact privately, you let people you are dealing with your public NXT acct. this is another throwaway acct, but it is used for authenticating that it is really you doing the transactions.
Here comes the magic!
Each session, you generate a new keypair and without the current keypair, nobody can transact with you. So you publish your session's pubkey into the cloud. Now anybody that knows your public NXT acct can get your current pubkey. If you want to prevent this, you can encrypt the pubkey and only share this with a small number of people, but divulging the pubkey is not so bad, so additional steps are for the truly cautious.
For super private comms, both parties generate a "sphere" of deaddrop acct numbers that minimizes the distance difference between your privacyServer's acct # and its neighbors. What this means is that even if the deaddrop acct number(s) are compromised, there is no direct link to your IP address. This exchange is done under encryption and is automated process and only needs to be done once per session.
Each side would split up each packet into M of N fragments, M of N chosen so enough of the packets are within the maxdistance limit of being routed the DHT packets. From the natural DHT routing process, your server will route these M of N packets to the closest nodes to each deaddrop acct #, but there is not even an acct behind the deaddrop acct. it is just an address that just happens to be close to your server's address, but far enough away that it could be close enough to any number of other IP addresses. Using M of N, allows the sphere of addresses to be significantly larger than what is hardcoded to be routed to your node. This is build into the DHT, eg. sphere of radius 28, and all packets destination within 24 bits guaranteed delivery.
Now the packets that are flowing through are fully encrypted so only your node can decrypt it. Output packets are randomly delayed so timing analysis cant determine if your node decrypted it or not based on packet traffic. All packets (other than ping) are fixed size 1400 byte UDP packets. Using UDP prevents TCP DOS attack locking up the sockets for the tcp timeout.
James
TL:DR it is possible to transact with someone without ANYBODY actually knowing the IP address of the destination, and therefore very private comms are possible. If these comms happen to have telepods and funds are being transacted, then commerce can happen using this method.
|
|
|
|
|
Each node runs a public IP privacy server. this means people will be able to link your IP to your servers' acct number, so it is suggested to just use an acct without anything in it, maybe a few NXT just so you can lock it in as yours.
This IP/acct will then participate in the DHT routing for all SuperNET packets.
To transact privately, you let people you are dealing with know your public acct. this is another throwaway acct, but it is used for authenticating that it is really you doing the transactions.
Here comes the magic!
Each session, you generate a new keypair and without the current keypair's public key, nobody can transact with you. So you publish your session's pubkey into the cloud. Now anybody that knows your public NXT acct can get your current pubkey. If you want to prevent this, you can encrypt the pubkey and only share this with a small number of people, but divulging the pubkey is not so bad, so additional steps are for the truly cautious.
For super private comms, both parties generate a "sphere" of deaddrop acct numbers that minimizes the distance difference between your privacyServer's acct # and its neighbors. What this means is that even if the deaddrop acct number(s) are compromised, there is no direct link to your IP address. This exchange is done under encryption and is automated process and only needs to be done once per session.
Each side would split up each packet into M of N fragments, M of N chosen so enough of the packets are within the maxdistance limit of being routed the DHT packets. From the natural DHT routing process, your server will route these M of N packets to the closest nodes to each deaddrop acct #, but there is not even an acct behind the deaddrop acct. it is just an address that just happens to be close to your server's address, but far enough away that it could be close enough to any number of other IP addresses. Using M of N, allows the sphere of addresses to be significantly larger than what is hardcoded to be routed to your node. This is build into the DHT, eg. sphere of radius 28, and all packets destination within 24 bits guaranteed delivery.
Now the packets that are flowing through are fully encrypted so only your node can decrypt it. Output packets are randomly delayed so timing analysis cant determine if your node decrypted it or not based on packet traffic. All packets (other than ping) are fixed size 1400 byte UDP packets. Using UDP prevents TCP DOS attack locking up the sockets for the tcp timeout.
James
TL:DR it is possible to transact with someone without ANYBODY actually knowing the IP address of the destination, and therefore very private comms are possible. If these comms happen to have telepods and funds are being transacted, then commerce can happen using this method.
|
|
|
|
|
I pushed a new version with findaddress API
./b SuperNET '{"requestType":"findaddress","refaddr":"8894667849638377372","dist":24,"numthreads":20,"duration":6000,"list":["13434315136155299987","8894667849638377372","10694781281555936856","18429876966171494368","16163006958863727986","1838354277347686608","17572279667799017517","14815310753561302584"]}'
The refaddr is your privacyServer's NXT address, dist is the distance in bits (after xor), numthreads is the number of parallel tasks doing the search, duration is in seconds and list is the reference list of public server addressees
This will run in the background until the time runs out and it will print out a password and stats for your super private account. I havent done the storing in encrypted file or anything else yet. while it is running, if it finds a better acct, it will print:
>>>>>>>>>>>>>>> new best (super secret password) ...
so you can always search for this and get decent accounts to use while the findaddress keeps working in the background. It is kind of like mining! But what it is doing is actually very useful. It is finding the perfect address for you to use by making it look like an address that could be linked to any of the other public servers.
Due to the way the accounts are created, bruteforce random guessing is the best way to find such an address. This is a good thing as it means that the encryption is quite good. After all if the distance between the mined acct and the reference account went to zero, we have effectively hacked it!
The search is creating an N dimensional space where each dimension is the distance from one of the server accts in the list. The metric function is a bit more complicated, but conceptually we want a point in N-space that is equidistant from as many public nodes as possible. With the current number of nodes being so small, it is hard to come up with any address that meets this criteria, but at a distance of 24, given enough time, it should be possible to find an address that is +/- 3 distance from most of the list.
I am hoping that with more nodes, it will be possible to find addresses that are around 20 bits distant and still have the above characteristic.
Now why on earth do we care about such things?
The reason is that this solves the "last mile" problem of how to establish totally private comms without resorting to broadcasting to everybody. My coding the DHT is what allowed me to solve this, so those that think these seemingly unrelated things are slowing down the progress, it is quite the opposite. It is helping achieve the ultimate goal!
To understand how this allow comms without divulging the IP address, requires a bit of background on DHT, especially the Kademlia XOR distance method. Using XOR as a distance function sounds so simple, but it has some very powerful mathematical properties. Namely, you can know if another node is closer or farther away from the desired location, totally in the abstract. Imagine that you start searching for something. It gets a delivery address (in the abstract not IP). Now you find all the nodes you know about that are closest to this address and ask them to deliver it. You only know they are closer to the destination that you are.
That's it!
Of course a lot more details, but this is emergent behavior, eg. out of very simple behavior at the local level, some powerful global functionality emerges. Imagine you got the packet from someone that was farther away than you are. Now you do the same thing and the packet keeps getting closer and closer to the destination. Finally it gets to the nodes that are as close as possible that are in the network.
All the SuperNET nodes are part of this "bucket brigade", each passing the packet one step closer to the destination. This means that your node is also going to be involved in this and everybody knows your public server's acct and IP address. If not because you publish it, but if they wanted to the attacker can do sybil attacks and get this info. It is simply unavoidable to get an account linked to the IP address if you are transacting with it.
However, we have the private address that only people you transact with know. Your privacyServer's acct is known along with its IP address, but as long as you are careful with who finds out your privateaddress, then it is just an address that happens to be equidistant from N other privacy servers. Which one? Could be any of them as the way the DHT works is that it replicates the info to all the nodes closest to the destination, which in this case is your address. Taking advantage of this property of the DHT and the fact that your privacyServer will be handling the routing allows packets that are encrypted to your private address to be received by your computer and you can decrypt it as it is sent on to the closer nodes.
As the network grows, it will become harder and harder even to identify the set of possible nodes your private address belongs to. So even if your private address is compromised, there isnt a way to link it to any IP address!
James
|
|
|
|
|
Show Posts
