Bitcoin Forum
  Show Posts
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 [24] 25 26 27 28 29 30 »
461  Other / Archival / Re: delete on: September 21, 2014, 08:13:46 AM
So it is unsure if I have proven amplification, but I would say it is very likely.

Remember, we had already proved amplification, if by amplification you mean that the attacker can gain knowledge of additional payment linkages beyond those revealed directly by knowledge of his own outputs (our research bulletin called this a chain reaction). http://lab.monero.cc/pubs/MRL-0001.pdf

In that sense I would say you have proven amplification, since your method identifies all of the cases identified in our paper.

It seems likely at this stage that your method will also demonstrate additional amplification, but two things are needed:

1. To show the additional amplification indeed happens. This seems relatively easy.

2. To show that it is a viable method (resource requirements to achieve #1 are reasonably feasible). Not sure about this one, but I would say >50%

Almost there.

BTW, I don't think the BBR feature is directly effective against Sybil attackers. It prevents disclosure to the public (for example by someone spending without a mix) but a Sybil attacker can easily create these min-mix outputs, and then you will choose them as your "safe" mixin. But the damage is done as soon as you use the attackers outputs in a mix (he knows his are not the real ones so yours is identified by elimination); whether or how he spends does not matter.

The BBR feature may slow down the rate of chain reaction under some conditions, I'm not sure.

In any case we move on to...

Quote
BCX has admitted in the trollbox that he needs a TimeWarp attack to rewind the blockchain and spend the private keys he cracks. He claims he has that TW attack and he also thinks he can crack the private keys. But we have not yet figured out either of those two things. And we are skeptical (well lets say they are skeptical and I am not sure what I think, I'm too sleepy).

Agreed, except I would say the skepticism is greater on the math, less on the code.

Just read this. Seems all very reasonable at this point. I don't know why anyone is saying the devs are skeptical about my contribution.

Smooth is referring to the "Outs with guaranteed anonymity" feature of BBR, which would require a hard fork to add to XMR.
462  Other / Archival / Re: delete on: September 21, 2014, 08:02:39 AM

The 11 BTC is too small to compensate me for the time lost. It is a matter of principle. People who break their word of honor with me incur my wrath.

Look, I really don't want to know about what is too small to compensate for what you require compensation for.  That sounds like a personal problem.

And your breath is probably enough of a wrath so I am glad I'm not in your physical presence.

Douchebag.

Would you prefer I quit now?
463  Other / Archival / Re: delete on: September 21, 2014, 08:01:17 AM
I have been thinking about why OP made this thread, and I can only reach one conclusion: it was all a bluff and he didn't expect anyone to believe it. The problem is he has a history of social engineering his BS to harm coins. News of CN code being obfuscated reached him, so he decided to "strike" again. What happened was someone (anonymint) said he had an epiphany about a possible bug; maybe, as the experienced individual he actually is, looking at the abyss for long enough he thought the abyss looked back at him. Note that the possible exploit "found" by anonymint does not allow private key seizure nor can limit anonymity as a result of a fix; the result implies either OP is a genius at the level of Satoshi or a total scumbag. After the news from anonymint reached him, he decided to "change" his plans and announce an "attack" on XMR with a long enough deadline for people to shake in fear, because now his plot had "external verification", or so he wanted us to think, furthering his agenda of exploiting fear in the nascent XMR community.

He probably wants the Monero hash rate to drop low enough so he can fire up his mining machines and do actual damage with 51%, or just buy low.

Everything you wrote is plausible except for "nor can limit anonymity as result of a fix". I am not sure about that yet. Still trying to characterize it and potential mitigation.

Also I take exception to, "looking at the abyss for long enough he thought the abyss looked back at him". My philosophical beliefs about a coming global economic smashup 2016 - 2024 don't leak into my rational programming. I don't see how they can. For example, in my private conversation with smooth, he wrote "well as the chain gets is arbitrarily large, there is [no] guarantee it will even produce any at all (in viably finite time)". I agreed and responded with a tweak to the pseudocode.

This is complex shit that is above most of your pay grades.
464  Other / Archival / Re: delete on: September 21, 2014, 07:50:56 AM
BCX and TFM are playing good cop/bad cop.

I've never known him before yesterday. I have no such relationship with him.

I will get my 11 BTC bounty whether he attacks or not (if I am correct about my contribution).

So you are wrong as usual. STFU!

You will get nothing and you will like it.

jl777 has promised I will get his 5 BTC portion. What the hell is wrong with you? I am trying to help. You need to go find your meds. Make one more asinine post and I am putting you on ignore.

The 11 BTC is too small to compensate me for the time lost. It is a matter of principle. People who break their word of honor with me incur my wrath.
465  Other / Archival / Re: delete on: September 21, 2014, 07:41:00 AM
BCX and TFM are playing good cop/bad cop.

I've never known him before yesterday. I have no such relationship with him.

I will get my 11 BTC bounty whether he attacks or not (if I am correct about my contribution).

So you are wrong as usual. STFU!
466  Other / Archival / Re: delete on: September 21, 2014, 07:38:10 AM
There is one sure way that your private keys could never be stolen by such an unconfirmed, hypothetical, threatened attack.

Make sure they've never passed through a ring signature since mining.

Checkpoint won't help us unless we can get it distributed out to all mining nodes within 72 hours.

What do you mean "Make sure they've never passed through a ring signature since mining."?

Make sure you can trace the ownership of your coins on the blockchain back to their coinbase mining transaction, because every tx they were involved with did not mix with any ring signature, i.e. n=1 in the CN whitepaper. Although that won't work if the CN code still applies the I=xH(P) when n=1. But that would be silly for the code to do that, so I assume it doesn't (haven't checked).

But it is silly for you to even do this, because if many of the other coins were stolen, the value of your coins would be destroyed too.

So the best is for us to analyze this. We need some time.
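One way to make the chain reaction of MRL-0001 discussed in post 461 above, its Sybil amplification, and the "trace it back to coinbase with n=1" check from the post just above concrete. This is an added example and not code from the thread, from Monero or from MRL-0001; the transaction graph, the output ids, the owned-output model and the function names are all constructed for illustration.

```python
"""Toy model of ring-signature traceability in a CryptoNote-style chain.

Added example; not code from the thread, from Monero or from MRL-0001.
The graph below, its output ids and the function names are all constructed.

Model (assumption): each transaction input is a ring, a set of output ids of
which exactly one is the real spend, and every output is spent at most once.
A 0-mixin ring (n = 1 in the CryptoNote whitepaper) reveals its spend outright.
Someone who owns an output knows where, if anywhere, he really spent it, so in
every other ring that output is a decoy.  Deleting known outputs from rings
until nothing changes is the chain reaction; seeding it with outputs the
analyst owns is the Sybil amplification discussed in the thread.
"""


def chain_reaction(rings, owned=None):
    """rings: dict input_id -> set of output ids (ring members).
    owned: dict output_id -> input_id where the analyst really spent it,
           or None if he still holds it unspent.
    Returns dict input_id -> the output deduced to be the real spend."""
    owned = owned or {}
    traced = {}
    spent = set()
    for out, inp in owned.items():           # the analyst's own spends are known
        if inp is not None:
            traced[inp] = out
            spent.add(out)
    changed = True
    while changed:                           # iterate to a fixed point
        changed = False
        for inp, members in rings.items():
            if inp in traced:
                continue
            # known-spent outputs and owned outputs not spent here are decoys
            cands = [m for m in members if m not in spent and m not in owned]
            if len(cands) == 1:              # one survivor: identified by elimination
                traced[inp] = cands[0]
                spent.add(cands[0])
                changed = True
    return traced


def clean_lineage(output, rings, created_by):
    """The check suggested in the post above: True if every transaction in the
    output's history back to coinbase used only 0-mixin rings, so the coin is
    already fully traceable and no ring-signature weakness can change that.
    created_by: dict output_id -> list of input ids of the transaction that
    created it ([] for a coinbase output)."""
    stack, seen = [output], set()
    while stack:
        out = stack.pop()
        if out in seen:
            continue
        seen.add(out)
        for inp in created_by[out]:
            ring = rings[inp]
            if len(ring) != 1:               # mixed with at least one decoy
                return False
            stack.extend(ring)
    return True


# Constructed sample chain: coinbase outputs c1..c4, transactions t1..t5,
# each with one input ring and one output o1..o5.
RINGS = {
    "t1.in0": {"c1"},                # 0-mixin: c1 spent here
    "t2.in0": {"c1", "c2"},          # c1 already spent, so c2
    "t3.in0": {"c2", "c3", "c4"},    # c2 spent; {c3, c4} stays ambiguous...
    "t4.in0": {"c3", "o1", "o2"},    # ...unless c4 is an attacker's output
    "t5.in0": {"o1"},                # 0-mixin spend of o1
}
CREATED_BY = {
    "c1": [], "c2": [], "c3": [], "c4": [],
    "o1": ["t1.in0"], "o2": ["t2.in0"], "o3": ["t3.in0"],
    "o4": ["t4.in0"], "o5": ["t5.in0"],
}


def demo():
    """Number of inputs traced without, then with, one attacker-owned output."""
    honest = chain_reaction(RINGS)
    sybil = chain_reaction(RINGS, owned={"c4": None})   # attacker holds c4 unspent
    return len(honest), len(sybil)


if __name__ == "__main__":
    print("traced without owned outputs:", chain_reaction(RINGS))
    print("traced owning only c4       :", chain_reaction(RINGS, {"c4": None}))
    print("o5 has a clean 0-mixin lineage:", clean_lineage("o5", RINGS, CREATED_BY))
    print("o2 has a clean 0-mixin lineage:", clean_lineage("o2", RINGS, CREATED_BY))
```

Holding a single unspent output (c4) lets the analyst resolve t3 and, through it, t4: three traced inputs become five. A BBR-style minimum-mixin flag does not change that part, since the attacker's outputs still sit in other people's rings and he knows they are decoys there; what the flag constrains is the honest 0-mixin spends (t1 and t5 here) that seed the reaction. Real Monero outputs are referenced by global index and spends by key image rather than by the string ids used here.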
467  Other / Archival / Re: delete on: September 21, 2014, 07:30:07 AM
Please be nice?  Civility is one thing, pleasantry is another.  This is real money we are talking about. People don't have to be nice.

If you have real money at stake, and if he has the attack, then being nice is the way to protect your money, as we probably need the 72 hours to analyze this fully.

Plus, been on #monero-dev all night and the core devs don't seem nearly as existentially concerned as you are.  Perhaps I am misinterpreting, however something just doesn't smell right about this whole thing...

Maybe that is why he is escalating his threats, if the devs may be making the same mistake as past coins which started to act arrogant.

Anyway, I have not yet read their latest comments, so I don't know. I need to go interface with them now. I just woke up.

BCX appears to like coins that are much more interested in fixes than in denial. I have to agree with him. I can promise him if I ever do an altcoin, I will take his audits very seriously and I won't act arrogant.

I can understand being upset that he hasn't given us all the information upfront. Maybe he can't ascertain that some party in the chain of command wouldn't use that to attack before it could get fixed. Maybe that is why he wants us to fix it, even before we fully understand all the tricks involved. Although I am not quite clear if we can fix without knowing all the tricks involved.

And again, he could be bluffing. That is a possibility.
468  Other / Archival / Re: delete on: September 21, 2014, 07:25:05 AM
There is one sure way that your private keys could never be stolen by such an unconfirmed, hypothetical, threatened attack.

Make sure they've never passed through a ring signature since mining.

Checkpoint won't help us unless we can get it distributed out to all mining nodes within 72 hours.
469  Other / Archival / Re: delete on: September 21, 2014, 07:11:02 AM
So to clarify, Anonymint is working on the same exploit that Tacotime is already working on, and is no big deal.

And BCX is still lying about having the super exploit to steal funds. Why doesn't he just steal 500 bitcoin worth of Monero? Sounds like he can't.

This is entertainment, but not reality.

We don't know if he can or not, although we might be very skeptical, it doesn't help for you to push him.

If he does that, he destroys the value of the coins he stole.

My understanding is that the only people who can loan a huge amount of XMR for shorting are the whales, who thus I assume won't loan him the XMR so he could sell them before such an attack. Also they want BTC collateral so they might not return the BTC after such an attack. Perhaps this is why he challenged Rpietila to a 500 BTC escrowed bet.

I wish you all would stop punching him in the nose. I am trying to think and work on mitigation, so we fix everything within the 72 hours if there is anything that needs to be fixed.

I am trying to be careful with my words, because even though I feel reasonably confident there is a problem that needs fixing, I haven't written down proofs and exact mathematical characterizations of everything.

Again we have not yet confirmed math for how he could steal coins. But that doesn't mean it is impossible. Normally it is impractical to factor a private key from a public key, in the equation P=xG mod l. But because the breakdown in the anonymity identifies the sending key P(i) where i = s, then another equation is revealed from the one-time ring signature, I=xH(P) mod l. If there exists some trick for factoring that is sufficiently sped up by combining the information from the two equations, which would make cracking the private key 'x' plausible, then the threat would be real. But we don't yet know that trick, if one exists.

Yeah it is possible that BCX is bluffing, but why push him and erase the 72 hours he gave us to get this fixed.

Note we don't yet know the precise characterization of how much the anonymity breaks down and what % of the coins the attacker needs to own, if any. That is what I was working on before I fell asleep. The CN paper that Tacotime linked upthread already characterizes some loss of anonymity, but seems to say it isn't that severe (note I haven't had time yet to completely wrap my mind around that paper). And they were working on mitigation. I think I may have discovered a method for amplification of the anonymity loss, which may be what BCX's threatened exploit does. But I haven't yet characterized my algorithm mathematically. I just wrote down some pseudocode. Now I need to go talk with the CN devs to see what they think or discovered about my pseudocode.

Please be nice.
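The two relations in the post above, written out as an added note rather than as part of the original post. The hash-to-point function is written $H_p$ as in the CryptoNote whitepaper (the post abbreviates it $H$), and $l$ is the prime order of the base point $G$:

$$P = xG, \qquad I = x\,H_p(P), \qquad x \in \mathbb{Z}_l .$$

Both are discrete-logarithm instances in the same group with the same secret $x$ but different bases, $G$ and $H_p(P)$. Writing $H_p(P) = yG$ for some $y$ nobody knows, the attacker's view is the tuple

$$(G,\; xG,\; yG,\; xyG),$$

which is exactly a Diffie-Hellman tuple. No method is known that recovers $x$ from such a tuple faster than solving one discrete logarithm, so the second equation contributes linkability (the same $I$ reappears whenever the output is spent again, which is what the network checks to stop double spends) but no known shortcut to $x$. The "mod $l$" belongs to the scalar $x$ only; $P$ and $I$ are curve points, not residues. Whether some combination with the ring-signature responses changes this is the open question the post leaves open.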
470  Other / Archival / Re: delete on: September 21, 2014, 06:57:24 AM
http://lab.monero.cc/pubs/MRL-0001.pdf confirmed flaws in Monero - CryptoNote is doomed - StealthCoin's Chandran signatures are obviously the way to go

I haven't studied chandran signatures, so I don't yet know if they wouldn't have similar or the same problem.
471  Other / Archival / Re: delete on: September 21, 2014, 02:10:50 AM
Quote from: private message
So since I am a bit lost I would like to ask you this:

Even if there is an actual bug and it gets confirmed, can it be fixed? What's your take on that...

P.S. Just the day that all this is happening my S3 died and I can't log in to Polo because of 2FA. So I don't even have an option of what to do

I answered already upthread.

My opinion is subject to change, but for the moment before I sleep I feel the aspect of an attack that can reveal spenders is very likely. However without the ability to crack private keys, then what is the financial motivation of performing the attack?

The cracking of private keys is much less likely, probably unlikely.

Also to spend the private keys requires a TW or 51% attack. Any TW attack hole can be fixed.

Also the Sybil amplification against anonymity can likely be mitigated somewhat too.

472  Other / Archival / Re: delete on: September 21, 2014, 01:55:54 AM
The "Good enough for you irmeli?" wasn't there when I read it. He must have edited the post.
473  Other / Archival / Re: delete on: September 21, 2014, 01:50:53 AM
Don't take my word. Look at BCX's post history. To me it says he is not going to hit XMR. If otherwise I would like evidence.

What makes you think the Polo trollbox thing was fake.  Man, I was there.  Seemed legit. I copy/pasted the end of the conversation on page 5 of this thread.

Edit: this is also reposted in post 192 on the page right before this if you want to find it. 

What I don't get is why he deleted his identity confirmation on BCT
The answer is simple, then he can go full retard like aminorex and claim that it never happened.

I saw him post confirmation in this thread before it was deleted. I guarantee you. Can't be denied any more.
474  Other / Archival / Re: delete on: September 21, 2014, 01:49:49 AM
got some BBR, tho', wonder how this will affect the old Runeberry?

Afaik BCX has explicitly stated XMR and not mentioned BBR.

Afaics the BBR feature that I mentioned upthread doesn't diminish the threat of BCX's exploit.
475  Other / Archival / Re: delete on: September 21, 2014, 01:45:59 AM
What are your thoughts and this 72 hour attack?  do you think it is a legit concern?  is it something different from what you are looking at?

We have not confirmed that private keys can be cracked by this. And some mathematicians are so far skeptical. I have not spent enough time on the private key aspect yet, as I have been more focused on the amplification described below since it is a prerequisite for the private key factoring and it is all I have to prove to collect the 11 BTC.

We have confirmed that sometimes the sender of a ring signature can be determined. But this was always the case due to Sybil attacks. What is new is that I have proposed an amplification algorithm which I think makes a little Sybil attacking a lot more powerful than it was. I believe this is a key ingredient of BCX's threatened attack (but not the only ingredient he needs). But I am having trouble characterizing the algorithm's performance but we are working on it. So it is unsure if I have proven amplification, but I would say it is very likely.

BCX has admitted in the trollbox that he needs a TimeWarp attack to rewind the blockchain and spend the private keys he cracks. He claims he has that TW attack and he also thinks he can crack the private keys. But we have not yet figured out either of those two things. And we are skeptical (well lets say they are skeptical and I am not sure what I think, I'm too sleepy).

So all in all, I think we will find a solution within the 72 hours.

If nothing else, they can set ______ ( I am so sleepy I can't remember the term for locking the history of a blockchain at a certain block forward). Mental block due to sleep deprivation.

Edit: a checkpoint
476  Other / Archival / Re: delete on: September 21, 2014, 01:33:49 AM
I got trolled too. I actually believed that BCX was offering 72 hours to attack. Now I see that it was just a trollbox fake account.

Huh? He posted in this thread to confirm the poloniex account. Also he has sent me PMs.

He deleted his post from this thread. Strange guy

I thought the post he deleted was the one saying he had no intention of attacking XMR

that post is still live.

any deleted posts are probably available on the shadow forum bitcointa.lk

No that site can't keep up any more.
477  Other / Archival / Re: delete on: September 21, 2014, 01:26:59 AM
I am sure everyone knows BBR has a feature which XMR doesn't have yet (and would require hard fork to add), where each coin is flagged with the minimum # of inputs it will mix with when it is transacted in the future. This enables BBR to avoid inadvertent unmasking of the anonymity.

Well, when we consider an attacker doing that on purpose, then XMR is much more susceptible to anonymity reduction (which we are still trying to decide if it also reveals the private key).
478  Other / Archival / Re: delete on: September 21, 2014, 01:21:26 AM
I got trolled too. I actually believed that BCX was offering 72 hours to attack. Now I see that it was just a trollbox fake account.

Huh? He posted in this thread to confirm the poloniex account. Also he has sent me PMs.

He deleted his post from this thread. Strange guy
479  Other / Archival / Re: delete on: September 21, 2014, 01:14:36 AM
I probably did the wrong thing and should have only announced my discovery to the developers, so it could be vetted privately first. But my first reaction was how to short, because if it was a coin killer I could earn a lot more. Then I realized there is probably mitigation, and also that to short I would be borrowing from the longs, who are deep pocketed, so I couldn't win a shorting battle unless it was a fight to the finish, and I have no desire to fight with my friend Risto nor the other developers I would like to work with in the future.

So the wisest action is to sell my insight to them if I am correct. Let them work on mitigation.

Wow, what a load of horse shit this is.

First you decide not to short because you realise you'll be profiting from a friends loss, you then decide a better course of action would be to extort the devs, while announcing to the public you have an exploit...and you know full well what that will lead to a dump...which in turn will also result in a friends loss...but hey, they can deal with that right?... you're the good guy in all this right?

So much for being an upstanding member of this community...dick.

I wanted nothing to do with it. Yesterday I received a PM from jl777 asking me how much BTC would motivate me to dig. I said 5 - 10 BTC. He then publicly offered a bounty, which BrilliantRocket upped to 10 BTC, so I felt obligated to investigate. When I awoke today, I looked at the math and didn't find the exploit I expected. So I quit.

At dinner I suddenly had an epiphany on the exploit. I initially thought I would short Monero, because it seemed it was doomed no matter what I did, because I also see another related attack against Monero because it doesn't have BBR's safety feature. I will be detailing this in my next post.

But then while waiting for PMs of who would loan me XMR in sufficient size, I started to think of mitigations and then I realized if I short the whales will exhaust their BTC trying to defend and I would probably lose as mitigation would be found. Or if I won, my friend Risto could be destroyed. NFG! (no fucking good)

So then I had to decide if I do nothing, or help. I asked all by PM if we could agree on terms of the bounty.

Since I had already asked about borrowing XMR, I was being bombarded by PMs asking me if they should sell or not. I had no choice but to write a public message honestly.

Never did I intend to cause a price drop unless it would be unavoidable any way.

I agree I didn't operate calmly and methodically enough but cripes man that is too much happening in one day for an old man.

P.S. the younger CN devs have apparently gone to sleep, and my eyes are heavy now too. We've been trying to get the amplification algorithm characterized.
480  Other / Archival / Re: delete on: September 20, 2014, 10:18:58 PM
Well, I may just fire up some XMR miners this weekend.
Just to make it cost BCX a bit more to try this.
So long as he doesn't go off early, this can make it more expensive.
He's not the only one that can light up a datacenter.

No he most certainly isn't.

Careful you don't force his hand and eliminate our 72 hour window to fix this.