Bitcoin Forum
Author Topic: Eclipse is the first TRULY cryptographically anon coin (bye bye SDC)  (Read 432 times)
BleedCrypto (OP)
February 29, 2016, 06:56:35 PM
 #1

did Eclipse just kill off SDC? 

sounds like it to me.  bye bye SDC trolls, hello Eclipse!

taken from original thread: https://bitcointalk.org/index.php?topic=1378922.0



To hell with it, here comes the cat out of the bag.

Eclipse is the first truly cryptographically anonymous coin based on the bitcoin protocol.

It is forked from shadowcash, which was completely de-anoned. See here: https://shnoe.wordpress.com/2016/02/11/de-anonymizing-shadowcash-and-oz-coin/

You will see from Shen Noether's write-up that they used a cryptographically insecure hashToEC function.

Here, we replaced their hashToEC with a cryptographically secure variant. Right now shadowcash is still not anonymous. Eclipse is anonymous.

The writeup linked above describes how the shadowcash hashToEC is broken, so I won't go into it here.

We use what is known as "try-and-increment hashing to an elliptic curve". It is a simple algorithm that is used in several cryptosystems. Key image with our algo goes like this:

1. take a scalar hash (e.g. SHA256d) of the public key (k) and map it to x on the secp256k1 discrete field
2. determine whether this x is a quadratic residue of secp256k1
3. if x is not a quadratic residue, set x = x+1 and go to 2
4. else x is a quadratic residue so keep the point x, y, where y is the positive solution to x for secp256k1, let's call this point p
5. multiply the point p = (x,y) by the scalar representing the private key x, such that key image I = xp

You can verify this is our algo by looking at secp256k1_hash_to_ec_xy_bytes() in our source tree at src/secp256k1/secp256k1/src/secp256k1.c. Rather than re-invent the wheel, we used bitcoin's secp256k1 library to determine the suitability of x and to find its root to map point x,y.

Happy mining!


Edit:

I forgot to add that anyone who investigates may come across a caveat about try-and-increment where it is subject to "timing attack". Timing attack is absolutely not relevant to ring signatures though, because everyone already knows what a timing attack might reveal: the curve, the input k, and the scalar hash algorithm used. Going back to the original cryptonote white paper, the private key x is protected by discrete logarithm hardness.

Edit:

We have a whitepaper coming that goes into more detail and summarizes Shen's work.

Mark Zuckerberg
Yes. The answer is yes.


February 29, 2016, 08:50:55 PM
 #2

Mining on suprnova now.

Down with the stupid SDC trolls!  I knew their time would come.