Show Posts

Pages: [1]

1

Economy / Economics / Stochastic Model For The Price Of Bitcoin

on: September 12, 2018, 08:02:10 PM

Hi I have posted a paper on SSRN with the title:"Stochastic Model For The Price Of Bitcoin". It is available at this link: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3243011The abstract of the paper: This paper analyses the price of bitcoin to show that the pricedifficulty ratio can be modelled using a lognormal distribution. Building on this result it is shown that a stochastic model for bitcoin can be constructed that uses a model similar to the stochastic model for stocks, but with the growth of difficulty as the drift. Further, certain constraints on the price of bitcoin are derived that exist after the introduction of short futures. These show that bitcoin should trade below the cost of production, where the cost of production is the sum of the electricity cost and the cost due to financing. Based on very limited recent price information it seems that a floor might exist at the cost due to electricity. It is also shown that these levels will grow with a growth in difficulty. This would imply that, should the difficulty of bitcoin keep rising, that the price of bitcoin will also keep rising while staying within a range that also keeps rising. Finally, it will be explained that the percentage that the electricity cost makes up as part of the production cost will rise as the rewards for mining are reduced, thus possibly shrinking the trading range of bitcoin and reducing its volatility over time.
Comments and suggestions are welcome.



3

Bitcoin / Development & Technical Discussion / Re: Anonymous Atomic Swaps Using Homomorphic Hashing

on: September 07, 2018, 04:26:41 PM

@aliashraf I have updated the paper that I wrote with all the details we have discussed. It summarizes it all together. I will be uploading it soon. As you and empty[g] have provided valuable insights I wish to add you as authors. If you wish to allow this please email me your names and the email I should include and I will update the paper to reflect this. Regarding the impact of collisions on the homomorphic hashing I included the following in the paper to discuss this: The presence of collisions has implications for the homomorphic feature of the proposed hash function. Specifically a hash can have more than one secret. This implies that equation 7 can have multiple solutions. If Alice is able to determine two secrets that have the same hash, she can use the one to generate hashes and sums to send to Bob, but use the other secret to unlock the coins Bob sent to her. This will stop Bob from being able to solve equation 5 correctly and unable to claim his coins. After a time delay Alice will then claim the coins. This increases the requirement for a large search space. An attacker must not be able to determine any of the secrets that generate the same hash except using brute force.
A large search space is required, but also when choosing n and p to have collisions there should be no obvious double roots to a collision, e.g n = 2, p = 13, s _{1} = 4, h _{1} = 3, s _{2} = 9, h _{2} = 3 where 4 mod 13 = 9 => s _{1} mod p = s _{2} when n = 2 If you want to find out more about the upper bound of the collisions, please look at Lagrange's Theorem on congruence of polynomials under modulo a prime. I also discuss this in the paper.



4

Bitcoin / Development & Technical Discussion / Re: Anonymous Atomic Swaps Using Homomorphic Hashing

on: September 07, 2018, 08:36:57 AM

@aliashraf
I agree with what you said. Yes, if (p1) mod n = 0, it will not be reversible, and I agree that it seems if it is not reversible there are collisions. We therefore want something with collisions, but as little as possible. This also means that n can be even.
It terms of the collision rate, I think I can help with that.
For h_{1} = h_{2}
s_{1}^{n}  s_{2}^{n} mod p = 0
If p is prime then it has at most n roots
=> for a hash h, there are at most n secrets that create that hash.
=> brute force search space is reduced to 1/n of its original size
for n = 2
all primes will yield (p1) mod 2 = 0, it will be reversible and I suspect have collisions (at most 2 per hash)
and the search space will only halve.



5

Bitcoin / Development & Technical Discussion / Re: Anonymous Atomic Swaps Using Homomorphic Hashing

on: September 06, 2018, 11:34:29 AM

Hi
For those following this thread, here is a proof that this hash can be broken
Using Eulers totient function it is known that
s^{phi(p)} = 1 (mod p)
Raising to a power t using modular arithmetic yields
s^{phi(p).t} = 1 (mod p)
Multiplying by s
s^{(phi(p).t + 1)} = s (mod p)
Therefore if a secret s was raised to a power n to hash, then the hash can be undone by raising to such a power m so that
phi(p).t + 1 = n.m
(phi(p).t + 1)/n = m
Examples:
p = 11 n = 3
phi(p) = 10 t = 2
phi(p).t + 1 = 21
m = 7
s^{21} mod 11 = s mod 11 (you can easily verify this numerically)
for example
s = 9
s^{3} mod 11 = 3 = h
h^{7} mod 11 = 9 = s
This proof is holds for s < p. If s > p then it does not hold, but then collisions become unavoidable as k.p + 1 and (k+1).p + 1 will result in the same hash.
At this point one probably will have to change the hash function to h = g^{s} mod p ( where g is some fixed generator number)
(The problem with this hash function is that it can be computationally intensive)
This would change this attack to a brute force attack that has to solve
h^{m} = 1 (mod p)
which would mean
g^{s.m} = 1 (mod p)
And then they would have to use brute force to solve
s = phi(p).t/m
with no remainder
ie phi(p).t mod m = 0
I am not sure how hard this would be



6

Bitcoin / Development & Technical Discussion / Re: Anonymous Atomic Swaps Using Homomorphic Hashing

on: September 06, 2018, 08:27:23 AM

Hi I agree with your assessment. I verified that there are collisions for n=3 and p = 1291. My mistake lies in assuming (s _{1}^{(n1)} + s _{1}^{(n2)}.s _{2} + ... + s _{1}.s _{2}^{(n2)} + s _{2}^{(n1)}) in (1)
if n is odd
= (s_{1} s_{2}).(s_{1}^{(n1)} + s_{1}^{(n2)}.s_{2} + ... + s_{1}.s_{2}^{(n2)} + s_{2}^{(n1)})
= (s_{1}  s_{2}).q(s_{1})
=> 1 root s_{1} = s_{2}
=> no collisions
has no roots mod p. This is incorrect. For example s _{1}^{2} + s _{1}.s _{2} + s _{2}^{2} mod 1291 has roots. Therefore you are correct that p would have to have a specific value to allow/disallow collisions. The problem is my previous proof regarding an attack on the system h ^{m} mod p = s where h = s ^{n} mod p is also incorrect. Specifically an attack could succeed if there are no collisions for a specific value of m Basically by raising the hash to the correct power, the secret can be discovered. From limited numerical simulation it seems that if there are no collisions, then a specific value om m exist for all s If collisions are possible, then this attack is not possible. The downside is then that it might make a brute force attack easier I am therefore going to remove the paper from SSRN, as this is a major problem.



7

Bitcoin / Development & Technical Discussion / Re: Anonymous Atomic Swaps Using Homomorphic Hashing

on: September 04, 2018, 02:25:02 PM

Hi
Just thought I might share this. It is a simple attack, that the following proof shows will not work
h = s^{n} mod p
Assume an attacker want to find a power m such that
h^{m} mod p = s
=> s = s^{(n.m)} mod p
=> s^{(n.m)}  s = 0 (mod p)
The attacker would have to solve the above congruence.
Using the theorem from my previous post, this implies that the congruence can be factorized to yield
s.(s^{(n.m1)}  1)
This yields roots s = 0, s = 1 and possibly s = 1 for all values of n and m
Therefore for s > 1 there are no values of m that can be used to determine the preimage s from the hash h.



8

Bitcoin / Development & Technical Discussion / Re: Anonymous Atomic Swaps Using Homomorphic Hashing

on: September 04, 2018, 06:38:39 AM

Hi Hopefully this expanded proof of no collisions works. Please let me know if I have made any mistakes. I use the following theorem Theorem 9.5 Let p be a prime. The noncongruent numbers a _{1}; a _{2}; : : : ; a _{k} are roots of the polynomial congruence f(x) = 0 (mod p) if and only if there exist two integral polynomials q(x) and r(x) such that f(x) = (x  a _{1}).(x  a _{2}) . . . (x  a _{k}).q(x) + p.r(x) and deg r(x) < k. The proof is available at www2.math.uu.se/~astrombe/talteori2016/lindahl2002.pdfh _{1} = s _{1}^{n} mod p h _{2} = s _{2}^{n} mod p For collisions h _{1} = h _{2} and s _{1} != s _{2}Therefore determine roots of (s _{1}^{n}  s _{2}^{n}) = 0 (mod p) This is equivalent to s _{1}^{n}  s _{2}^{n} = t.p So for completeness sake we can find the roots of (s _{1}^{n}  s _{2}^{n}  t.p) = 0 (mod p) Applying the above theorem, we can set r(s _{1}) = t Then we have to find the roots of s _{1}^{n}  s _{2}^{n}There are three possibilities: 1) n is odd 2) n is even and has no odd factors 3) n is even and has odd factors  (1) if n is odd = (s _{1}  s _{2}).(s _{1}^{(n1)} + s _{1}^{(n2)}.s _{2} + ... + s _{1}.s _{2}^{(n2)} + s _{2}^{(n1)}) = (s _{1}  s _{2}).q(s _{1}) => 1 root s _{1} = s _{2}=> no collisions  (2) n is even = (s _{1}^{(n/2)}  s _{2}^{(n/2)}).(s _{1}^{(n/2)} + s _{2}^{(n/2)}) n/2 is even = (s _{1}^{(n/4)}  s _{2}^{(n/4)}).(s _{1}^{(n/4)} + s _{2}^{(n/4)}).(s _{1}^{(n/2)} + s _{2}^{(n/2)}) n/m is 2 = (s _{1}^{2}  s _{2}^{2}).q(s1) = (s _{1}  s _{2}).(s _{1} + s _{2}).q(s _{1}) => 2 roots s _{1} = s _{2} and s _{1} = s _{2}=> has collisions  (3) n is even = (s _{1}^{(n/2)}  s _{2}^{(n/2)}).(s _{1}^{(n/2)} + s _{2}^{(n/2)}) n/2 is even = (s _{1}^{(n/4)}  s _{2}^{(n/4)}).(s _{1}^{(n/4)} + s _{2}^{(n/4)}).(s _{1}^{(n/2)} + s _{2}^{(n/2)}) n/m is odd = (s _{1}^{(n/m)}  s _{2}^{(n/m)}).(s _{1}^{(n/m)} + s _{2}^{(n/m)}).q'(s1) = (s _{1}  s _{2}).(s _{1}^{(n/m1)} + ... + s _{2}^{(n/m1)}).(s _{1} + s _{2}).(s _{1}^{(n/m1)}  s _{1}^{(n/m2)}.s _{2} + ...  s _{1}.s _{2}^{(n/m2)} + s _{2}^{(n/m1)}).q'(s _{1}) => at least 2 roots s _{1} = s _{2} and s _{1} = s _{2}=> has collisions  Therefore to assure no collisions, n has to be odd and p must be a prime. As soon as I have a chance I will update the paper with these details.



9

Bitcoin / Development & Technical Discussion / Re: Anonymous Atomic Swaps Using Homomorphic Hashing

on: September 02, 2018, 01:49:35 PM

@empty[g]
I understand the point you are trying to make. I had not considered that issue. That is why I prefer sharing work on these forums as you get people looking at your work which you do not come across in daily life. Your input is much appreciated.
I will consider the point you made and will see if I can find a solution. If you do find a solution I would appreciate if you share it.
Regards
Johan



10

Bitcoin / Development & Technical Discussion / Re: Anonymous Atomic Swaps Using Homomorphic Hashing

on: September 01, 2018, 07:56:10 PM

Hi vlad.gelfer You are correct, you can use EC. Specifically the proposal by Andrew Poelstra is a manner to use Schnorr signatures on EC curves to achieve this. From what I have learnt they approaches achieves something very similar. The main differences are that this proposal would use 2 transactions and Andrew's would use 4 and that there is already a BIP in the works to make Schnorr signatures part of Bitcoin. What I am interested in seeing is what else the Scriptless Script's of Andrew can achieve. As for this proposal, the following example is another type of transaction that it could be applied to (as discussed in previous post): 1) Alice generates a secret s1 and Bob generates a secret s2; 2) they both hash their secrets to generate h1 and h2; 3) they sum the hashes to generate ht 4) They can now use this ht in a transaction 5) If either s1 or s2 is revealed the other party can determine st which is the preimage of ht.
Hope this answers your question



11

Bitcoin / Development & Technical Discussion / Re: Anonymous Atomic Swaps Using Homomorphic Hashing

on: September 01, 2018, 01:56:40 PM

@gmaxwell,
Thank you for making me aware of the CoinSwap and the Adaptor signatures. I was not aware of this work and will update my paper to reference and discuss how it compares to my work. I will also discuss this here as you asked how they compare.
As I understand from what I have read on the CoinSwap method it has the following features relevant to your question: 1) It runs on current cryptocurrencies without them needing modification and no novel cryptography is needed; 2) It uses scripts that are frequently used, so that it can blend in with the environment; 3) It uses between 4 and 6 transactions to execute, of which the first two are 2of2 multisignature transactions; and 4) All the coins that are being swapped are swapped together.
From my understanding of the Adaptor signature it has the following features relevant to your question 1) It would require a soft fork to implement Schnorr signatures; 2) It will use Schnorr signatures to release coins; 3) It uses 4 transactions to execute; and 4) All the coins that are being swapped are swapped together.
If there is something I do not understand correctly, please bring this to my attention.
The main features of my proposal that are relevant to your question are: 1) It would require a soft fork to implement the needed homomorphic hash opcode; 2) It will use the created homomorphic hash code to release coins; 3) It uses a minimum of 2 transactions to execute; and 4) The coins can be swapped in a variety of combinations.
Let me explain at the hand of the items above what the differences therefore are.
The CoinSwap does not require modification; the Adaptor signature does but it seems a BIP is in the process. My proposal will require due investigation to make sure it is secure and would then require a BIP.
The CoinSwap blends in much more with the environment than the other two which require special opcodes. But this might not be as safe as it sounds. It is true that the CoinSwap multisig transactions would not be found among all the other multisigs, but what would happen in practice is that someone would investigate a person by following the history of their coins. If they encounter a multisig transaction they would as a matter of course search for another multisig transaction for the same amount around the same block height. If they found such a multisig they would fork their investigation to follow both coin histories.
In my opinion any anonymous swap of coins will leave some sort of fingerprint. That cannot be eliminated. What needs to happen is for that the anonymous swap must be the standard method of swapping crypto assets and it must be possible for the swap to be broken up into smaller transactions with different amounts. That way if an investigation is following coins and it finds a swap has occurred, it must search for an unknown number of transactions in a sea of similar transactions.
That brings me to the last point. To my understanding the CoinSwap and Adaptor signature methods swap coin for coin in a fixed set of transactions. In other words A gives 1 BTC to B in TX1 and B gives 1 BTC to A in TX2. In my proposal I make the point that implies the following is possible: 1) A creates 3 transactions with amounts 0.2 BTC, 0.3 BTC and 0.5 BTC to send to B; and 2) B creates 2 transactions with amounts 0.4 BTC and 0.6 BTC to send to A.
The amounts all add to 1 BTC, each transaction will have a different hash, all hashes are related by a set of shared secrets, and if A claims a single transaction in (2) B will be able to claim all transactions in (1). These transactions can also happen in different blocks. This is a very important point that is not made in any of the literature that I read on the CoinSwap and Adaptor signature methods. I suspect it is possible for the Adaptor signature methods but not for CoinSwap.
But to hide the swap with the homomorphic opcode that flags it as a swap, these swaps would need to be the standard method of crypto asset swapping. I believe this is true no matter which of these three methods are used, even for the CoinSwap method for reasons mentioned above.
On a side note, a homomorphic hash might also have applications other than atomic swaps. For example: 1) Alice generates a secret s1 and Bob generates a secret s2; 2) they both hash their secrets to generate h1 and h2; 3) they sum the hashes to generate ht 4) They can now use this ht in a transaction 5) If either s1 or s2 is revealed the other party can determine st which is the preimage of ht. At this time this transaction is a bit of a hammer looking for a nail. I mention it because someone might be able to use it and it helps you to understand the possible value of the proposed homomorphic hash.
I hope this answers your question to your satisfaction. If you have any further questions on this, please let me know.

@aliashraf
I look forward to hearing from you regarding any results your investigation produces.



12

Bitcoin / Development & Technical Discussion / Re: Anonymous Atomic Swaps Using Homomorphic Hashing

on: August 31, 2018, 09:12:31 AM

Hi
I think I can prove the difficulty of finding e = 0 for e = s_{1}^{3} + c^{3}  t [where c = ceil((t  s_{1}^{3})^{1/3}) ] scales with increasing size of space. (e is the error) (please refer to previous post)
First define b = ceil(a, d) where b is the number greater than a with d decimal places, e.g. b = ceil(a,0) wil give the integer larger than a and b=ceil(a,1) will give the number larger than a and divisible by 0.1
Then observe that b = ceil(10 * a, 0) = 10 * ceil(a, 1). That is, we can multiply a by 10 and then ceil to closest integer, or we can ceil to closest 0.1 and then multiply by 10.
Then scale space with m so that s_{1}^{'} = 10^{m} * s_{1}, t^{'} = 10^{3*m} * t,
e = (s_{1}^{'})^{3} + (ceil((t^{'}  (s_{1}^{'})^{3})^{1/3},0))^{3}  t^{'}
e = (10^{m} * s_{1})^{3} + (ceil((10^{3*m}*t  (10^{m}*s_{1})^{3})^{1/3},0))^{3}  10^{3*m}*t
e = (10^{m} * s_{1})^{3} + (ceil(10^{m}*(t  (s_{1})^{3})^{1/3},0))^{3}  10^{3*m}*t
e = (10^{m} * s_{1})^{3} + (10^{m}*ceil((t  (s_{1})^{3})^{1/3},m))^{3}  10^{3*m}*t
e = 10^{3*m} * (s_{1}^{3} + (ceil((t  (s_{1})^{3})^{1/3},m))^{3}  t)
If we now increase m, the ceil can be approximated by removing it and this then reduces to
e = 10^{3*m} * (s_{1}^{3} + (t  (s_{1})^{3})  t)
e = 10^{3*m} * 0
Therefore e reduces to 0 for all values of s_{1} and t if m becomes large enough.
Effectively as m increases the search space changes from integer space to rational space.
Thus the search for a unique solution to (s_{1}^{3} + c^{3})  t becomes intractable.
As before comments and questions are welcome.



13

Bitcoin / Development & Technical Discussion / Re: Anonymous Atomic Swaps Using Homomorphic Hashing

on: August 30, 2018, 11:08:21 PM

Hi aliashraf
Firstly, thank you very much for your feedback. It is very insightfull.
You have mentioned a weakness that I have not considered and that I would like to address.
You are correct in that an attacker could try to guess the two secrets using the sum provided.
There are actually two attacks that I see possible. The first you have mentioned, but I also realised there is another possibility.
If the sum t is very low or very high, very few secrets will be candidates to generate that sum. For example, if we use n = 3 and 8 bit representation with p = 257 and the sum is 2, then the secrets must be 1 and 1. The same for very high sums. If the sum is 33162750 and the secrets are limited to max 255 then the secrets must both be 255.
This attack can easily be solved by limiting the sums we find acceptable to the range (2/3*p)^{3} < t < p^{3}.
The second attack is the one you mentioned. To analyse this attack it is necessary to determine the effective search space that will result from using the equation s_{1}^{3} + s_{2}^{3} = t, for a given t.
Suppose the attacker launches a brute force attack on this equation, what will the effective search space be?
The attacker will have to start with s_{1} = 1 and solve for f = floor((t  s_{1}^{3})^{1/3}) and c = ceil((t  s_{1}^{3})^{1/3}).
If f = c they would have solved the problem with s_{2} = f = c for a given s_{1}.
The error in t is (s_{1}^{3} + c^{3})  t or (s_{1}^{3} + f^{3})  t.
The attacker can 'ride the curve' closer to t by starting from a point to search for (s_{1}^{3} + c^{3})  t = 0. But there is no guarantee that it will end in a solution. (s_{1}^{3} + c^{3})  t has many jump discontinuities. As soon as it gets close to 0 it jumps. According to estimates on a small space, there are approximately 40% * t^{1/3} discontinuities. The attacker will therefore still have to search about 40% * t^{1/3} of the space.
Using the limits for t previously set, I hypothesize the search space would therefore be between 25% * p and 40% * p.
Assuming a bit space of 256 bits is used in the hash, this would still be a large space.
I understand from your description of the attack, that you would look for values near the total. And that if you have enough randomly selected hashes, you would find an exact match by moving in on the exact match. But (s_{1}^{3} + c^{3})  t has many jump discontinuities. And any starting point could lead to a solution, but most starting points wouldn't.
So even a random attack would be faced with the same search space. And it has to be an exact match, or the secrets would be slightly out and not match the required hashes.
Again, thank you for your feedback and insights. They are greatly appreciated.
Please feel free to provide further comment. If I have not explained myself correctly, please ask for clarrification.
If I have made reasoning errors, please bring them to my attention
Regards
Johan



14

Bitcoin / Development & Technical Discussion / Anonymous Atomic Swaps Using Homomorphic Hashing

on: August 30, 2018, 03:28:29 PM

Hi I've written a paper entitled: "Anonymous Atomic Swaps Using Homomorphic Hashing". It is available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3235955. Briefly, an atomic swap is the exchange of crypto between two parties using two transactions. Each transaction uses a hashedtimelockcontract (HTLC) to lock the coins being sent to the other party. The hash used in both transactions are the same, linking the transactions. The paper describes how homomorphic hashing can be used to set up the HTLC's but each with a different hash, thus breaking the public link between the two transactions. The two hashes are related by a secret shared between the two parties, enabling the swap to proceed as per normal. As soon as the first party claims their coins using their prehash, the second party can use the shared secret and the prehash used by the first party to determine the prehash they have to use to claim their coins. Any comments are welcome. I would like to hear thoughts on this.



