Bitcoin Forum
321  Other / Archival / Re: delete on: September 24, 2014, 03:14:36 PM
That is not what I sent to smooth in private. I said the attacker could have sent the coins to recipient thus attacker would know P = xG = H(rA)+B, since the public key is (A,B) and sender of the tx chooses r.

Just checked. Apparently I was too sleepy when I messaged smooth (and probably multitasking too). I sent him the wrong equation. Mea culpa.

https://bitcointalk.org/index.php?topic=789978.msg8942201#msg8942201

x = Hs(aR) + b, so as P = xG

Attacker could possibly know Hs(aR).

But you'd think the mathematicians would take a look at page 7 of the whitepaper and figure out the attacker knows the symmetrical equation.
322  Other / Archival / Re: delete on: September 24, 2014, 03:10:06 PM

yes it does. I doubt BCX is a genius like at your level.

I have no comment on that. I won't speculate further about that. My role was only to help find any potential vulnerabilities in order to strengthen CN.
323  Other / Archival / Re: delete on: September 24, 2014, 02:58:38 PM
this ends the show.

Sorry it doesn't.
324  Other / Archival / Re: delete on: September 24, 2014, 02:55:56 PM

You'll excuse the curt reply, but I'm just going to infodump from IRC, as we're quite tight on time -


[15:48:52] sarang: I can't prove a negative
[15:48:54] sarang: that's the trouble
[15:49:05] sarang: I can't say "there is no way to use three equations like that to recover x, here's proof"
[15:49:11] sarang: I can only say "there are no known ways to do so"
[15:49:36] sarang: The onus is on him. Unfortunately, if the world wants us to counter it with Magic Negative Proof, then they'll be disappointed
[15:50:37] sarang: But, let me review out loud
[15:50:45] sarang: We know I=xH(P) is one equation
[15:51:36] sarang: We know r=q-cx is another
[15:51:50] sarang: and we know x=H(aR)+b is a third


That is not what I sent to smooth in private. I said the attacker could have sent the coins to recipient thus attacker would know P = xG = H(rA)+B, since the public key is (A,B) and sender of the tx chooses r.

https://cryptonote.org/whitepaper.pdf#page=7


[15:52:00] sarang: You have, indeed, three equations for x
[15:52:19] sarang: How many unknowns is important here (though the security of ECDLP is important too)
[15:53:25] sarang: Unknowns are x itself, q, c, a, b, and technically r since it's indexed


They forgot that using my proposed de-anonymization algorithm i == s can be known, thus c is known.

So we have 2 unknowns x and q and 3 equations.


[15:53:40] sarang: Given three equations and six unknowns, he can go right back to the drawing board


Duh! Did they really assume I am that stupid? Hubris is the source of many failures.


[15:56:43] sarang: So my answer to him would be that the private key is obscured in all cases by either the ECDLP or random affine goodness
[15:57:06] sarang: and that the three equations means that you STILL have three extra degrees of freedom
[15:57:41] sarang: and the degrees of freedom are carefully chosen from random distributions
[15:57:55] sarang: If he has an actual attack or a suggestion of how to reduce the parameter space, fine, share it
[15:58:21] sarang: But we don't spend our time proving negatives... we review carefully and hunt down any flaws we see that seem reasonable given our expertise
[15:59:42] sarang: If he wants to argue with linear algebra or the ECDLP, he can go right ahead
[15:59:48] sarang: Those are better listeners anyway
[16:00:28] sarang: We don't need to explain how linear algebra works anyway... it's assumed the whitepaper is written for someone who knows what all those little symbols mean
[16:02:56] sarang: Real mathematicians don't rub unknowns in people's faces. They point out flaws and offer constructive input


Thanks for dumping their condescending attitude in public. I guess you were hoping for revenge for the upthread exchange between you and me?

I aced college Linear Algebra in 1985. And I aced college Calculus I in night school at college while I was still in high school in 1983.

I sent my suggestion to smooth with the implied (from earlier discussion) caveat that I was not providing a complete analysis nor was I sure there is a vulnerability. So I was under no obligation to follow what "real mathematicians" do because I don't have skin in this game. I am not trying to prove myself in the math field. I was simply trying to help develop ideas for what could have any chance of being BCX's alleged exploit. It is not my role to take it further than that. I had already provided a real anonymity attack with pseudocode, thus this off-the-cuff quick suggestion to smooth was purely me trying to help share ideas. Not to be used as fodder to insult me in public.


[16:06:31] sarang: Oh, and the equations use different base points, so you gain no benefit from a common base point


I didn't see that. Where is that written, or is it just an assumption? I noticed the requisite mod l are implied and not written. So this must be one of those typical things you are supposed to know and is not explicit?

But note above we have 3 equations and afaics only 2 unknowns.
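The one-time key equations quoted in these posts (sender side P = Hs(rA)G + B, recipient side x = Hs(aR) + b, with P = xG) can be run end to end. The following is an added example, not code from any poster or from CryptoNote: it uses Ed25519 with plain affine arithmetic, SHA-256 as a stand-in for CryptoNote's hash, and constructed keys; the function names are assumptions. It shows which values the sender of an output holds and what subtracting the shared hash from P yields.

```python
import hashlib

# Ed25519 group, the curve CryptoNote uses. Plain affine arithmetic for readability.
p = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493  # order of G (the implied "mod l")
d = -121665 * pow(121666, -1, p) % p
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)

def add(P, Q):
    """Complete twisted-Edwards addition (a = -1)."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + y1 * x2) * pow(1 + t, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p)

def neg(P):
    return (-P[0] % p, P[1])

def mul(k, P):
    """Double-and-add scalar multiplication kP."""
    R = (0, 1)  # neutral element
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def scalar(seed):
    return int.from_bytes(hashlib.sha256(seed).digest(), "little") % l

def Hs(P):
    """Hash a point to a scalar; SHA-256 is a stand-in for CryptoNote's hash."""
    return scalar(P[0].to_bytes(32, "little") + P[1].to_bytes(32, "little"))

def sender_output(A, B, r):
    """Sender side: R = rG, P = Hs(rA)G + B. Returns (R, P, Hs(rA))."""
    h = Hs(mul(r, A))
    return mul(r, G), add(mul(h, G), B), h

def recipient_key(a, b, R):
    """Recipient side: x = Hs(aR) + b (mod l)."""
    return (Hs(mul(a, R)) + b) % l

def demo():
    # Constructed sample keys: a = view key, b = spend key, r = per-transaction key.
    a, b, r = (scalar(s) for s in (b"constructed view key",
                                   b"constructed spend key",
                                   b"constructed tx key"))
    A, B = mul(a, G), mul(b, G)
    R, P, h = sender_output(A, B, r)
    x = recipient_key(a, b, R)
    return {
        "xG_equals_P": mul(x, G) == P,                   # recipient holds the one-time key
        "sender_knows_Hs_aR": h == Hs(mul(a, R)),        # because rA == aR
        "P_minus_hG_is_B": add(P, neg(mul(h, G))) == B,  # the public B is what falls out
        "x_minus_h_is_b": (x - h) % l == b,              # the remaining term is exactly b
    }

if __name__ == "__main__":
    print(demo())
```
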
325  Bitcoin / Project Development / Re: [ANNOUNCE] Bitmessage - P2P Messaging system based partially on Bitcoin on: September 24, 2014, 01:43:51 PM
Official version of Bitmessage is functioning for me again, even though the broadcast spam is still high.

Apparently many users moved to the new experimental version.
326  Bitcoin / Bitcoin Discussion / Re: The Holy Grail! I wish I could kiss the author of Bitmessage on his face. on: September 24, 2014, 01:42:47 PM
Official version of Bitmessage is functioning for me again, even though the broadcast spam is still high.

Apparently many users moved to the new experimental version.
327  Alternate cryptocurrencies / Altcoin Discussion / Re: PROBLEMS? LOOKING for A Superior ANON COIN? Look no further, you're just in time on: September 24, 2014, 11:19:33 AM
The fact is, this coin IS BY FAR the best choice for ANON right now.

Is it true?

Impossible to know until we read a formal specification.

Sounds like they built their own Tor-like network. Tor is not enough to provide unlinkability and untraceability. We can use Tor now with Bitcoin.

I am guessing. How can I know what they have when they don't describe it formally?

The title of this thread is very opportunist. Caveat emptor.
328  Other / Archival / Re: delete on: September 24, 2014, 09:21:07 AM
Note the original title of this thread was saying I confirmed the exploit. And when I posted in this thread noting that there are two simultaneous equations, that is when BCX said "exactly" he must do the attack because presumably I revealed too much about the exploit.

The mathematicians showed the two simultaneous equations are equivalent to Diffie-Hellman exchange thus not broken. I responded with a third simultaneous equation over an orthogonal number space (afaik multiplication and subtraction do not inhabit the same field). Since then I have discovered another similar insight which I informed the developers about. My current math abilities are such that I don't know if I can be of more assistance on that.

No offence there, but is it possible to have a more formal explanation of what you have discovered?
Talking in blurred shadow turns things understandable.

I can understand the math, so feel free to really enter into details.

Thank you in advance!

not him but give a look: http://lab.monero.cc/pubs/multiple_equations_attack.pdf

My response:

https://bitcointalk.org/index.php?topic=789978.msg8942201#msg8942201
329  Other / Archival / Re: delete on: September 24, 2014, 09:15:01 AM
Note the original title of this thread was saying I confirmed the exploit. And when I posted in this thread noting that there are two simultaneous equations, that is when BCX said "exactly" he must do the attack because presumably I revealed too much about the exploit.

The mathematicians showed the two simultaneous equations are equivalent to Diffie-Hellman exchange thus not broken. I responded with a third simultaneous equation over an orthogonal number space (afaik multiplication and subtraction do not inhabit the same field). Since then I have discovered another similar insight which I informed the developers about. My current math abilities are such that I don't know if I can be of more assistance on that.

No offence there, but is it possible to have a more formal explanation of what you have discovered?
Talking in blurred shadow turns things understandable.

I can understand the math, so feel free to really enter into details.

Thank you in advance!

Please ask smooth for the last insight, because I didn't want to share it publicly until they have evaluated it and are ready to refute or fix it publicly. And you may read my upthread posts which revealed the terse formal details of the prior insights.
330  Other / Archival / Re: delete on: September 24, 2014, 09:01:04 AM
If the mathematicians that looked over the CryptoNote whitepaper missed what you have found, does that mean that perhaps there are no other people who can actually look into this with any degree of expertise?

That doesn't mean they don't have the expertise. They probably weren't looking at what I had the insight on. Now they can look because insight has been shared with them. I believe they only considered the two simultaneous equations, because that is what they were told to look at. Or they did see those extra equations and dismissed them as irrelevant for some reason.

Different people have different epiphanies at different times. I am out of practice on math because I don't use it in programming much. That was nearly 3 decades ago that I was in university. Cryptography gives me a chance to use it more, but I find that a lot of concepts slipped away from me over the years. Might be an age effect. They say our peak ability to discover new math is in our 20s or at most 30s. By 40s, we are reduced to being managers and teachers. I am trying to prove to myself this is not so and I am pushing 50. Worsened by being out-of-practice, unlike for example Bruce Schneier.
331  Other / Archival / Re: delete on: September 24, 2014, 08:54:35 AM
Cross-posting...

Yep I agree, this is an awesome coin.


~BCX~

Are you qualified to evaluate an anonymity algorithm that isn't even adequately described?

http://neoscoin.com/whitepaper/neoscoin.pdf

http://www.coinssource.com/neoscoin-is-a-different-breed-of-digital-currency/

Afaik, Cloakcoin, Darkcoin, jl777's Telepods, BTCD, and this (Neocon) are all suffering in one way or another from serious Sybil or DoS (on the anonymity, e.g. see what is happening to Bitmessage now) vulnerabilities. Their algorithms are also continually being "refined" which means to me "changing".

If they ever formally and technically fully specify their algorithms, then I can evaluate if their algorithms can be de-anonymized. Based on past digging, I think that (de-anonymization via Sybil or DoS) is very likely.

I am not saying their experiments are not worthy. But they are experiments and not well specified (yet).

Add:

Will be useful to develop a whitepaper comparing CN anonymity to off chain anonymity. The recent insight I provided might be helpful for quantifying this comparison.

I can contribute to such a whitepaper.
332  Alternate cryptocurrencies / Altcoin Discussion / Re: PROBLEMS? LOOKING for A Superior ANON COIN? Look no further, you're just in time on: September 24, 2014, 08:51:39 AM


Yep I agree, this is an awesome coin.


~BCX~

Are you qualified to evaluate an anonymity algorithm that isn't even adequately described?

http://neoscoin.com/whitepaper/neoscoin.pdf

http://www.coinssource.com/neoscoin-is-a-different-breed-of-digital-currency/

Afaik, Cloakcoin, Darkcoin, jl777's Telepods, BTCD, and this (Neocon) are all suffering in one way or another from serious Sybil or DoS (on the anonymity, e.g. see what is happening to Bitmessage now) vulnerabilities. Their algorithms are also continually being "refined" which means to me "changing".

If they ever formally and technically fully specify their algorithms, then I can evaluate if their algorithms can be de-anonymized. Based on past digging, I think that (de-anonymization via Sybil or DoS) is very likely.

I am not saying their experiments are not worthy. But they are experiments and not well specified (yet).
333  Other / Archival / Re: delete on: September 24, 2014, 08:40:11 AM
Yawn.. this isn't nearly as entertaining as I thought it would be.

Is Monero being attacked or not? If someone is performing a TW attack is there any way to tell?

From my experience with time warp attacks it takes a couple of days before the symptoms start to occur, but when they do....the chaos is sweet.


~BCX~

Will the devs keep the exchanges locked for days?

If you were successful and if you know the problem can be fixed, so presumably you would buy XMR cheap and ride it back up to recoup your expenses?

I am contemplating that you really didn't want the hassle and risk of this but you were pushed into it as your reputation was slandered?

Except that his reputation is permanently slandered.

Are you forgetting that BCX said he had an exploit, sandbox tested too, that could steal funds from private keys?

Am I dumb, or is this not what a time warp attack is? Even if BCX succeeds in a time warp, his reputation is still ruined, because he lied.

I must be missing half the story.

https://bitcointalk.org/index.php?topic=786201.msg8861544#msg8861544

Quote from: BitcoinEXpress
In XMR there exists a flaw involving the keyrings that under the right conditions will allow an attacker to steal your wallets and hijack your addresses. To fix this, anonymity will need to be sacrificed.

That doesn't sound like stealing wallets by running a TW attack to reset the coinbase mining rewards, which is another way to erase wallets.

There is one possible interpretation where if it is possible to so mix up the txs with rings during the TW attack, so it makes it impossible to unwind it. But I doubt that is what he meant above.

Note my post yesterday that I sent a new math insight to the devs. I did not confirm anything, but I guess there is an extremely unlikely chance someone found a way to break private keys. I assume the mathematicians are looking at it.

Note the original title of this thread was saying I confirmed the exploit. And when I posted in this thread noting that there are two simultaneous equations, that is when BCX said "exactly" he must do the attack because presumably I revealed too much about the exploit.

The mathematicians showed the two simultaneous equations are equivalent to Diffie-Hellman exchange thus not broken. I responded with a third simultaneous equation over an orthogonal number space (afaik multiplication and subtraction do not inhabit the same field). Since then I have discovered another similar insight which I informed the developers about. My current math abilities are such that I don't know if I can be of more assistance on that.
334  Other / Archival / Re: delete on: September 24, 2014, 07:45:09 AM
Yawn.. this isn't nearly as entertaining as I thought it would be.

Is Monero being attacked or not? If someone is performing a TW attack is there any way to tell?

From my experience with time warp attacks it takes a couple of days before the symptoms start to occur, but when they do....the chaos is sweet.


~BCX~

Will the devs keep the exchanges locked for days?

If you were successful and if you know the problem can be fixed, so presumably you would buy XMR cheap and ride it back up to recoup your expenses?

I am contemplating that you really didn't want the hassle and risk of this but you were pushed into it as your reputation was slandered?
335  Alternate cryptocurrencies / Altcoin Discussion / Re: BitcoinEXpress -> Monero Attack -> DOX on: September 24, 2014, 07:35:12 AM


Here's Moneromann88,

He got sloppy on signing into another site I have admin access to using the same login name.




~BCX~


picture removed


What an awesome advertisement for Cryptsy.

"Register and verify your account with us and we'll leak your ID to criminals" lol.

BCX wrote in another thread that his birthday is also Feb 18, but he is 30 or 31 years old.
336  Other / Archival / Re: delete on: September 23, 2014, 09:58:36 PM
Freezing the deposits and withdrawals doesn't stop the exchange transactions from accumulating on the mixed up chains.

Can you please clarify what you mean by "exchange transactions" above?

Someone wrote that trading wasn't suspended. But I brain farted. Sorry I really should sleep.
337  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [BBR] Boolberry: Privacy and Security - Guaranteed[Bittrex/Poloniex]GPU Released on: September 23, 2014, 09:45:04 PM
Another zany idea. At least you know it is valuable.

Boolbling (BBL or BBG)
338  Other / Archival / Re: delete on: September 23, 2014, 09:03:48 PM
Seems BCX decided he needs an additional 4 hours at least, he has extended his deadline (or maybe he is just bad at math, don't know which):

Hey retard,

I said start in 72 hours, which is still ~5 hours away.


~BCX~
https://bitcointalk.org/index.php?topic=794079.msg8944565#msg8944565

Could he have changed the time because of the new checkpoints?
Or perhaps he is lying about his intended time frame?

Could be the checkpoints, now the exchange (poloniex) also has frozen deposits and withdrawals for 24 hours, perhaps that will force him to delay even further.

Judging from his reply to TFM I got the impression that he would load up on XMR using TW then dump them on the exchange for BTC. In that case his plan failed (for now).

If BCX is really kickass, they will need to keep it frozen forever (or eventually accede to defeat and let BCX keep his coins which can't be identified) because everything will get so thoroughly mixed that it can't be unwound. But I have no idea if that is feasible. Freezing the deposits and withdrawals doesn't stop the exchange transactions from accumulating on the mixed up chains.

BCX would need to have some really kickass technical guys working for him.
339  Other / Archival / Re: delete on: September 23, 2014, 09:00:36 PM
Cross-posting...

Central (Samar) and southern Philippines (Davao) are making big waves in crypto.

P.S. I had no affiliation with BCX other than messages on this forum past 2 days.
340  Alternate cryptocurrencies / Altcoin Discussion / Re: BCX, Coblee, Smoothie on: September 23, 2014, 08:58:33 PM
Central (Samar) and southern Philippines (Davao) are making big waves in crypto.

P.S. I had no affiliation with BCX other than messages on this forum past 2 days.