 Show Posts
|
|
Pages: [1] 2 »
|
Read the white paper, have a few questions. Would greatly appreciate if the team could clarify.
Section 2) Tnet) please further explain the need and role of Forwarding nodes.
Can wallet nodes directly communicate with Validator nodes? Forwarding nodes help to balance the load. If you want to have a client that does not have a full ledger on its own, like a phone app, you need a service to consult for account information. This is equivalent to services like Blockchain.info in the Bitcoin world. We think that a full client is not the right solution for most users, so made this part of the protocol. This has the advantage that in the future, app users can freely configure which forwarding node to consult, because they are all using the same protocol. tl;dr: In Bitcoin language, a forwarding node would be a full node (having full ledger copy) which is not mining (in our case voting). Section 3.1) Sync) Is the ledger public or only shared by Validator nodes?
Do all the Validator nodes have a complete copy of the ledger? Everybody can run validator and forwarding nodes, which have a full copy of the ledger. Section 3.2) Deposits) If i'm an attacker with resources, is it possible to create multiple Validator nodes at the same time, wait 6 hours and then attack the system? Yes. But you need a lot of resources, because validator nodes require deposit. It is analogous to buying a lot of mining hardware and overtake Bitcoin mining. Section 3.3) Redeem) Would this result in the formation of independent clusters of Validator nodes or a network where all the nodes are not directly connected but are connected at different levels to each other? Kind of like six degrees of Kevin ( https://oracleofbacon.org/)  Random here does not mean “connect to any node”, but select nodes in a mathematically random way from the full list of nodes. The full list of nodes is literally public, because deposit accounts are listed in the ledger. If anything remains unclear, feel free to ask more specific questions. Note that the project is under active development and more detailed documentation will be released over time, of course. |
|
|
|
Sorry, but I cannot let this statement unchallenged: 4. If a majority decides that a transaction is valid, that transaction is validated, irrespective of any algorithm preventing trests to be created out of thin air; not even Trestor, because again, they have no proof-of-work. You are assuming that there is an “algorithm” in Bitcoin preventing the creation of new coins “out of thin air”. That assertion is full of misconceptions. The creation of coins is defined by the protocol. The protocol is, whatever the majority of miners defines it to be. The Bitcoin protocol is not unchangeable, quite the opposite: It changes a lot over time in order to improve Bitcoin. This also comes with bad side effects like the fork a few day ago: Coindesk: Double Spending Risk Remains After July 4th Bitcoin ForkThe only thing that prevents miners from changing the number of newly created coins is their incentive to not devalue their reward. This can easily change in the future as default reward is going down and income from fees may not rise to the same level. The situation is the same with Trestor validators. They will reject any transaction that is not covered by existing accounts, rendering creation of coins impossible. It is in the hand of the majority how all these aspects of the protocol are defined, and maybe changed in the future. And all of this by the way has nothing to do with proof-of-work. |
|
|
|
This is Stephan, one of Trestor's protocol architects. Problems that Trestor's developers said they did not understand:
1. Trests only get sent from one app to another if they are validated by validators. The right to become a validator is by "buying" it from trestor but there is no return as profit! So why would someone become a validator? Either to earn from fees or to earn by selling trests. Thus it becomes a pyramid scheme where investors who will continue to recruit other investors for an incentive that is presented as an investment opportunity - the right to sell a particular product or to earn fees from them. Not true. The idea is that Trestor Foundation provides deposits to institutions (e.g. universities), which are willing to voluntarily run a node. Pretty much like Tor nodes. As running a node does not require vast resources like mining, it can be easily run by any willing institution. The more independent institutions from different jurisdictions are getting on board, the more decentralized control over the network will become. 2. If there is a dispute, there is no history and resolving it is purely a matter of Trestor's discretion.
3. Even if trestor starts saving the history, there is no proof of it's correctness since they do not use proof-of-work or anything. thus every new participant in the network needs to trust the pre-existing validators. Thus also vulnerable to mitm. That claim does not make sense. It is up to the majority of validators, which after some time will not be controlled by Trestor. 4. If a majority decides that a transaction is valid, that transaction is validated, irrespective of any algorithm preventing trests to be created out of thin air; not even Trestor, because again, they have no proof-of-work. What? That statement makes me think that you do not understand Bitcoin. 5. In case of a double spend the transaction gets stuck, since validators can't vote against themselves. To resolve this they have implemented time-bound validity of nodes. This doesn't solve it. Consider a scenario where first 50% validated A->B and second half validated A->C at the same time. The transaction gets stuck. Votes expire after time t and now the first half votes for A->C & the transaction gets stuck again & so on.. A (honest) node cannot vote for a transaction conflicting with a transaction it previously voted on, that is correct. But your analysis is based on assumptions about our protocol which are incorrect. A node can still get knowledge about the conflicting transaction. At that point, the node will blacklist the corresponding account until all those transactions are invalid (plus some buffer). |
|
|
|
This is Stephan, protocol designer at Trestor. There are no transaction fees because there is no security in ensuring that the digital ledger stays the same. What would you do if law enforcement told you to reverse a transaction since 'terrorists' owned trests and were using them?
When you skip that big waste of energy you refer to, there are tradeoffs. I'll pass thanks.
In our protocol, a large majority of Validator nodes is required to agree in order to change the ledger. A law enforcement agency or any other powerful entity would be required to either force a lot of node operators from various jurisdictions to cooperate, or to set up a large number of their own nodes (which would require a large amount of deposits and will not stay undetected). Trestor does not require fees, because running a Validator node does not require nearly as many resources as running a Bitcoin miner. The idea is, that these nodes are voluntarily run by enthusiasts and organizations (e.g. universities), like we all know it for Tor nodes. The incentives to run a node are of course very different from the incentives why people mine Bitcoins, but that does not change anything about the fact that they are run in a decentralized way by a variety of parties from different jurisdictions. The hardest problem is to bootstrap the whole network. In the beginning, when the number of Validator nodes is small, the deposit required to run a node has to be set high in order to effectively secure the network. Our plan to get the network started is that the Trestor Foundation will provide organizations, which are willing to run a node, with the required deposit amount. A reward-based proof-of-stake system is very hard to secure, because there is no way to prevent stake-owners to sign multiple conflicting ledgers with their stake. Some even say that reward-based proof-of-stake systems are completely impossible. We are not doing anything like that. In our system, fees would make no sense, because there is no competition among Validator nodes like we know it from miners. Who is supposed to get the fees, after a majority agreed on a new ledger update? |
|
|
|
Care to explain how the coins will be generated and distributed ? This is not a technical question, but I will try to answer from my tech-team perspective. There is a fixed number of coins which in the beginning are controlled by the Foundation. This is similar to Ripple, but note the following differences: - Trestor Foundation is a non-profit, there are no stock holders who personally own these coins. - As the coins are more and more distributed, the Foundation's control will go down. - Since our network is not federated, there are no “better” nodes who dictate the protocol rules. The rules are whatever the majority of nodes decides. Like in Bitcoin, they can be changed if the majority of rules decides to, including the rules about how many coins there are and how they are generated/distributed in the first place. Comparison to Bitcoin: - With Bitcoin, a large part of the coins is owned by early miners, nobody really knows who, while with Trestor you know that they are controled by the Foundation which is dedicated to support and promote the Trestor project. - With Bitcoin, vast resources (hardware investments, electricity) are required in order to run a miner, while with Trestor a deposit of Trests in the ledger is required in order to run a validator node. And how will the price be decided ? Trests can be traded at any market place, just like any other coin. Also, should I be seeing this as a currency which will be added to an exchange, or will be have a centralized control with the founders ? Trests are controlled by the user via a wallet with secret keys, just like Bitcoin. He is free to trade Tests with any other person on any platform of his choice. |
|
|
|
I also do have this account here. Ok trestor foundation. Two simple questions - Is this decentralized ? If yes, opensource the code and let others run a node. If this is centralized I really don't care what algorithm you use
As you can read on our website, one of our primary goals is that all the software involved will be open source. At the moment, we are still in a very early stage of development. (Our project is not a (direct or indirect) fork of the Bitcoin software (unlike the dozens of altcoins, who did nothing but change the logo in bitcoin-qt and some parameters like block generation rate). That's why it takes some time.) To get a first idea about how the Trestor network will work, you should take a look at our tech draft. In a nutshell: - Coin ownership and transactions are based on digital signatures, like in all crypto-curriencies. - Unlike Bitcoin, there is no work-based mining, but voting among “validator” nodes. - Unlike Ripple, voting is not based on federated trust relationships. Validator nodes are backed by deposit accounts in a proof-of-stake manner. This makes it decentralized: No validator is valued more than others. Note that some of this is work in progress. We are sharing this information early with you in order to counter the scam accusations, which we are facing. Feel free to ask any questions. Best, Stephan |
|
|
|
|
I don't get why you insist on calling it “blinding”, since no message is hidden here. Using commitments to cooperatively generate a random bitstring is pretty common.
|
|
|
|
To prevent any leakage due to simulated communication failures by the hardware wallet I propose making the whole protocol deterministic.
The user now stores a table TX[msg,pubk] of the h value received for the transaction with the message msg to sign and the public key pubk. This table is used to check that the signer is using a deterministic method to build h. Also the user has a private HMAC key s, that the signer does not know (it's not stored in the hardware wallet).
In bold are the modified steps.
1-2. These steps are similar to the standard protocol.
2.1. The user tells the signer which private key it should use, by sending the pubkey pubk.
3. The signer computes u = HMAC(privkey,msg). Where msg is the transaction hash to sign and privkey is the ECDSA private key.
3.1. The signer calculates Q=u * G.
3.2. The signer calculates h=HASH(Q). This is a commitment to Q.
3.3. The signer sends h to the user.
3.4. The user verifies if TX[msg,pubk] exists. If exists then the user checks that TX[msg,pubk] = h. If not then the signer is cheating and he will never ever use this signer again. Then the user computes t = HMAC(s,msg | pubk )
3.5. The user sets TX[msg,pubk] = h and sends t to the signer.
3.6. The signer verifies t is [1, n-1]. The signer sends Q to the user.
3.7. The user verifies that HASH(Q)=h and that Q lies on the curve. If not then the signer is cheating.
3.8. The signer calculates k = t * u.
4-7. These steps are similar as the standard protocol.
8. The user calculates the curve point (x_2, y_2) = t * Q.
9. The user verifies that r = x_2 (mod n). If not equal, then the signer is cheating.
Do I get this right that the table only checks whether the signer's current behavior is consistent with the signer's past behavior? I don't get how the user could possibly know what “h” or “Q” is correct for a certain secret key (or its corresponding public key). |
|
|
|
This protocol has another nice feature: The non-signer party in this protocol does not have to be the party who generates the message to be signed. This is a relevant difference to the blind-signature variant. This means you have the following setup: online | offline offline
[Application] <---> [Signing Wallet Device] <---> [Verifying Device]
dangerous connection internal connection
Signer and Verifier can prepare a number of choices for “u” and “t” like in gmaxwell's Hashtree proposal. After that, the App can request Transactions from the Wallet, and the independent verifier device can verify that they are leak-free. Note that “u” may contain secret messages, but only the verifying device (which can be offline) knows the “u” values. |
|
|
|
Interesting observation from that paper I don't remember ever seeing before: Another slightly related security issue also arose from the fact that k has to be chosen by the signature algorithm. If two values k1, k2 in two different signatures have a known linear relationship k2 = ak1 + b with a, b ∈ Z, the private key d can be extracted from the two signatures without the knowledge of the values k1, k2, since it results in two linear equations with only d and k1 unknown. It means that two R values don't have to be identical (reused) for their private keys to be breakable, it's enough for them to be "close" to each other, so that R 2 can be found adding G to R 1 relatively small number of times, few million for instance so it would be implementable in practice to check the neighborhood of every R value ever used against the complete set of R's. I know that two R values in theory should not ever be close to each other if RNG is decent, but we see in practice that not only they are close but often identical. It doesn't have too much to do with closeness. There is a linear relationship between any pair of two numbers in the “Z_n” (with n from Bitcoin's secp256k1 curve). The question is whether you know it. Easier “k” is much easier to break, because it results in identical “r” appearing in the blockchain. Anybody can detect them immediately. But for an evil programmer who manipulates the generation of “k”, there is much more potential to leak values, without having obvious appearances in the blockchain. |
|
|
|
Does not help against the attack from here, because the manipulated random numbers are provably indistinguishable, but it would have prevented the ridiculous bug in MyWallet. |
|
|
|
|
This is a very nice protocol to tackle the problem of leakage, but it is not perfect either. It is practically the same as mine with ZK proofs or gmaxwell's based on Schnorr, because leakage can still happen via “u”.
But it is better than mine because it is easily computable. It is better than gmaxwell's because it does not require a protocol change.
|
|
|
|
Thanks, I trust my offline wallet implementation of the rfc as much as I can. Under this condition, is there an attack? The whole attack scenario here is about malicious wallet implementations. If your wallet implementation is doing what it is supposed to do, everything is fine, even if it is not deterministic. Note that there is no way to tell that from looking only at the resulting transactions, as the attacker hides the leak well. You have to make sure that you (or a person you trust) know the code, understand the code and actually know that the source code you have actually matches the code that is running on the offline wallet. This is a theoretical/technical discussion about a potential attack and suitable counter-measures. There are no documented cases of this attack being done. |
|
|
|
This information is public from 2010, since the Sony PlayStation fiasco where they used R=4 to sign *all* the games in their online store. It was known right from the beginning, when ElGamal published his signature scheme, on which Schnorr signatures are based, on which classical DSA is based, on which ECDSA is based. From his 1985 paper: Note 2: If any k is used twice in the signing, then the system of equations is uniquely determined and x can be recovered. So for the system to be secure, any value of k should never be used twice. |
|
|
|
In other words, the online device transfers the digest and pubkey to the signer. The signer returns (r, s) where k follow RFC 6979. The online device builds the transaction and the user checks that the inputs/outputs are what he expects.
Can something still go wrong?
Yes. “k” can be deterministic, but it has to be unknown, otherwise you can extract the private key “d” from “(r, s)”. In RFC6979, the choice of “k” depends on the private key “d”, it (hopefully) cannot be reproduced without it. tl;dr thread summary: gmaxwell's proposal based on blind Schnorr signatures prevents that by replacing the “r” component of a signature with a different value “r'” which depends on two random choices, only one of which is made by the offline wallet itself. “r” is still generated in the process, but not published into the blockchain. Problems: -- The original “r” has to be kept secret. -- Schorr signatures are not compatible with ECDSA, so this solution requires a change of the Bitcoin protocol. In my proposal using ZK proofs, the offline wallet outputs a proof “p” together with the signature “(r, s)”, where “p” proves the following statement: (“Q” is the public key, “m” the message.) There exist integer numbers “d”, “x”, “k” such that: Q=dG AND k=H(m||d) AND (r, x) = kG. Since the formula has only existentially quantified variables, it is an NP statement and we know that there exist ZK proofs for it. Since the wallet knows the witnesses “d” and “k”, it has all the knowledge necessary to generate such a proof “efficiently”. Problems: -- How to make sure that the wallet does now leak secrets through the proof, as most ZK proofs require lots of random choices by both parties (prover and verifier). -- Alternatively the proof has to be kept secret like the original “r” in the blind Schnorr signature scheme. -- How to make the proof efficient enough for practical applications, especially the part “k = H(m||d)” for a complicated cryptographic hash function “H”. |
|
|
|
So thats what I currently strongly recommend.
I second your recommendation as a current solution, together with the obvious recommendation to always prefer verifiable implementations. But it does not make me stop thinking about new solutions, and the fact that the two of us are searching in different directions will only make us richer.  |
|
|
|
It would require a conspiracy with the host device. Such a conspiracy can simply not be prevented... e.g. if _Every_ device you have is lying to you about what transaction you're authorizing you could be authorizing anything. Depends on what kind of attack you are looking at. As I said, a full attack application on Bitcoin requires some additional steps. But even without that, it is an attack with the “offline property”. The host does not really have to actively do anything. All information about the keys may eventually be on the host, and only the attacker can know that. It would have to be offline as well. Yes, it requires schnorr signatures. Which is why it's not in use yet in Bitcoin; though we have soft plans to adopt schnorr signatures for many other reasons in any case. Interesting. I think it matters greatly... you're certainly not going to see a trezor like device generating such at thing. And, as you noted... the ZKP has freedom and can create a side-channel. (and I believe thats inherent if the zero knowledge is perfect). Yes, it is not suitable for an embedded wallet, but that is not the only offline wallet. For a disconnected PC this wouldn't be a problem. On the plus side, you can prevent the attacker from seeing the proof, which would help. Yes, but that is no different to your blind-signature solution. If your host successfully keeps the messages from the protocol secret, it would be fine. And both (my proof or your protocol messages) don't have to be stored after once used/verified. |
|
|
|
|
I found some time to look into blinded Schnorr signatures now. It does not prevent my attack, but it indeed makes a practical application of my attack harder. The values “R = kG” and thus information about the private keys are still leaving the offline wallet. But it is not displayed in the transaction any more.
In addition, this solution is not compatible with classic ECDSA, it requires a change to the protocol. This is not required in my proposal of deterministic “k” plus proof.
I think the problem that ZK proofs are comparatively slow is a minor issue in comparison. If a user wants to make a transaction with an offline wallet, it requires time anyway (let alone the time for confirmations). Even if the proof requires minutes to generate and megabytes to store, it does not really matter. The proof is created for the user himself, and he only has to verify it once, he can forget it afterwards. It has NOT to be sent to any other Bitcoin peer and it has not to be stored in the blockchain or anywhere else. If a user transfers his transaction from an offline wallet via a removable medium or something, the size and time is not really that big of an issue. This solution makes sense for some use cases. Note that I don't claim that this is perfect for every Offline wallet setup and use case. Every user* has to decide himself what requirements of security, performance etc.
*) I mean power users who care about offline wallets, e.g. professional users like online merchants or exchanges.
|
|
|
|
I think I may be missing something in the discussion here.
You can never test a program as a black box to see if it is correct except by exhaustively testing all possible inputs, and even then only if the program has no internal state. If you want to trust a bitcoin device that has your private keys you won't be able to test all possible inputs. The attacks presented by gmaxwell and me go even further. Even if you would ensure that the inputs and outputs are correct, you cannot detect the malicious behavior, because the outputs provably look like regular outputs, i.e. they are following a statistical distribution that cannot be distinguished by any efficient algorithm. This complexity is part why I'd previously proposed the alternative where the online requesting device blind the signature request, then give the signing device a ZKP that the blinded message being signed is the message being signed... The result is the that the sidechannel is reduced to 1 bit (sign/don't sign) unless the requesting device and the offline device conspire. (also the aforementioned fact that it's much easier to verify a proof than create it)
I don't get how this would prevent the leakage of private keys at all. My attack does not need to know what the message is, and it does not even need to know what the private key is. It just creates a choice of “k” in a way that enables the attacker to extract “k” from two signatures. If one knows how the wallet implementation works, it would be enough for this attack to just inject the right “random numbers” into the wallet's entropy source. |
|
|
|
|
