ShadowCash is mathematically broken. I urge all SDC supporters to join Monero.

[erok]

Personally I believe this thread should be locked until there is a clear cut answer as to whether or not there is a fatal cryptographic flaw in Shadow Cash.

Here's your clear cut answer:

https://botbot.me/freenode/bitcoin-wizards/2016-02-11/?msg=59856660&page=3

MRL-Relay | [shen] I mean, for this one, the past year of transactions on sdc are de-anonymized, it's not like that's fixable no matter what they do now
MRL-Relay | [shen] that's the problem with having a public blockchain

That isn't proof at all. That is the guy flinging the crap reiterating the crap he "thinks". Gotta hand it to you guys though, your PR sure is organized when malicious. Too bad your community didn't try this hard for your last update.

AM asked for a "clear cut answer" not "proof."

But since you brought it up, here you go:

De-anonymizing Shadowcash

https://gist.github.com/ShenNoether/3686113566bc23bf836f

Code:

Shadow-cash

https://github.com/shadowproject/shadow/blob/682891e656b5be2c2b819aa4977aa3b7e9f3f464/src/ringsig.cpp

static int hashToEC(const uint8_t *p, uint32_t len, BIGNUM *bnTmp, EC_POINT *ptRet)
{
    // - bn(hash(data)) * G

    uint256 pkHash = Hash(p, p + len);

    if (!bnTmp || !(BN_bin2bn(pkHash.begin(), EC_SECRET_SIZE, bnTmp)))
    {
        LogPrintf("hashToEC(): BN_bin2bn failed.\n");
        return 1;
    };

    if (!ptRet
        || !EC_POINT_mul(ecGrp, ptRet, bnTmp, NULL, NULL, bnCtx))
    {
        LogPrintf("hashToEC() EC_POINT_mul failed.\n");
        return 1;
    };

    return 0;
};

https://github.com/shadowproject/shadow/blob/master/src/ringsig.cpp#L136
int generateKeyImage(ec_point &publicKey, ec_secret secret, ec_point &keyImage)
{
    // - keyImage = secret * hash(publicKey) * G

    if (publicKey.size() != EC_COMPRESSED_SIZE)
        return errorN(1, "%s Invalid publicKey.", __func__);

    int rv = 0;
    BN_CTX_start(bnCtx);
    BIGNUM   *bnTmp     = BN_CTX_get(bnCtx);
    BIGNUM   *bnSec     = BN_CTX_get(bnCtx);
    EC_POINT *hG        = NULL;

    if (!(hG = EC_POINT_new(ecGrp)))
    {
        LogPrintf("%s: EC_POINT_new failed.\n", __func__);
        rv = 1; goto End;
    };

    if (hashToEC(&publicKey[0], publicKey.size(), bnTmp, hG) != 0)
    {
        LogPrintf("%s: hashToEC failed.\n", __func__);
        rv = 1; goto End;
    };

    if (!bnSec || !(BN_bin2bn(&secret.e[0], EC_SECRET_SIZE, bnSec)))
    {
        LogPrintf("%s: BN_bin2bn failed.\n", __func__);
        rv = 1; goto End;
    };
    
    

Go right ahead then. De-anon something.

LOOK WHAT I CAN DO!

Code:

Line 42: if (!(hG = EC_POINT_new(ecGrp))) //generates new generator.
Line: 48: if (hashToEC(&publicKey[0], publicKey.size(), bnTmp, hG) != 0) //passes new hG to hashToEC.
Which should result in the usage of a random new point if the code strictly does what's described here: Line 8: // - bn(hash(data)) * G

BTW I realize that this now is going to be a positive thing for shadow no matter how it ends (forkfix or not). Even though your team's PR has been dismissive of all the work SDC devs have put in and mostly derogative, the attention you have brought SDC has been fantastic. The more eyes on at this point the better. By far SDC leads through the SDT function as well as the dectralized application platform and marketplace. Thanks doods!

[1714053503]

1714053503

[1714053503]

1714053503

[1714053503]

1714053503

[1714053503]

1714053503

[iCEBREAKER]

Go right ahead then. De-anon something.

It's not about the ability to de-anon "something."

The problem is that *everything* (ie all ShadowTrash transactions) are not really anon.

I hope you didn't spend your fake anon coins on anything naughty!   

[pandher]

Even if i am not sure about the claims made here, i find replies from apparent sdc holders hilarious. I think they do not understand software or math. Bugs do not mean the end of everything. People do not 'FUD' Bitcoin if they find a bug. This activity deserves applause and reward. But Shens claim that sdc had been public for the past year is a question on its existence

[erok]

Go right ahead then. De-anon something.

It's not about the ability to de-anon "something."

The problem is that *everything* (ie all ShadowTrash transactions) are not really anon.

I hope you didn't spend your fake anon coins on anything naughty!  

That's because you can't. Also I invest in technology, I am not in this for drugs like you probably are. I am here to help technology go forward. I myself am a HUGE fan of dual-key blockchain tech fundamentally. Which is why I was also invested in Monero and Aeon before all of this FUD (not anymore though). Best of luck but this PR FUD campaign is crap and has been handled as poorly as possible. Was good insight into the Monero community for me.

Even if i am not sure about the claims made here, i find replies from apparent sdc holders hilarious. I think they do not understand software or math. Bugs do not mean the end of everything. People do not 'FUD' Bitcoin if they find a bug. This activity deserves applause and reward. But Shens claim that sdc had been public for the past year is a question on its existence

Glad I can amuse. You here to mock or contribute? It is catagorized as FUD (by me) because of the collaborative dedicated post (this) along with a reddit post and a dedicated blog all while multiple "dev" accounts actively attacked the main SDC bitcointalk thread (simultaneously). This wasn't merely a bug bounty being collected on. There was no proof, there was just a PR FUD push that makes Monero devs look horrible.

[iCEBREAKER]

You here to mock or contribute? It is catagorized as FUD (by me) because of the collaborative dedicated post (this) along with a reddit post and a dedicated blog all while multiple "dev" accounts actively attacked the main SDC bitcointalk thread (simultaneously). This wasn't merely a bug bounty being collected on. There was no proof, there was just a PR FUD push that makes Monero devs look horrible.

Damn bro, are you mad?  You sound mad.   

The mere fact an ongoing investigation was initiated demonstrates Shen deserves to be awarded the bug finder bounty.

What's the point of offering bug bounties if when they are reported the response is to deflect, spin, and prevaricate in order to avoid admitting fault and the need to reward the bounty hunter?

Furthermore, the bug bounties should be paid in Bitcoin, not BrokenCoin.  Who wants ShadowTrash when it's being dumped?

[erok]

You here to mock or contribute? It is catagorized as FUD (by me) because of the collaborative dedicated post (this) along with a reddit post and a dedicated blog all while multiple "dev" accounts actively attacked the main SDC bitcointalk thread (simultaneously). This wasn't merely a bug bounty being collected on. There was no proof, there was just a PR FUD push that makes Monero devs look horrible.

Damn bro, are you mad?  You sound mad.  

The mere fact an ongoing investigation was initiated demonstrates Shen deserves to be awarded the bug finder bounty.

What's the point of offering bug bounties if when they are reported the response is to deflect, spin, and prevaricate in order to avoid admitting fault and the need to reward the bounty hunter?

Furthermore, the bug bounties should be paid in Bitcoin, not BrokenCoin.  Who wants ShadowTrash when it's being dumped?

Now this post solidifies the idea that it is a solid troll campaign. And no bug bounties arent handed out to people with ideas, they are handed out to people that demonstrate the ideas through proofs. And usually people don't create blogs and PR campaigns dedicated to bugs they think they found. But I have nothing to do with that so really this whole post is a troll filled non-sequitur.

But damn "bro", I am only disappointed in Monero's community and punk bitches like you. Grow the fuck up. Pulling out the "umadbro" LOL what year is it?  

I just ate a snickers, so I'm good now.

CONFIRMS MY TROLLING THEORY: Shen Noether has now created 3 reddit posts in 3 different subs today dedicated to this TROLLFUD. Your dev team is so professional! 100% TROLL PR. What a community of Monero trash. Can't wait for the pump and dump you are in to pull the trigger on the dumpfest. I will take losses to fuel Monero's crash and laugh the entire way down.

[smooth]

Proof of concept code has been posted by shen:

There was some doubt about whether this post is purely theoretical, or whether it in fact allows one to de-anonymize the sdc chain in practice. In fact, I originally thought it would be too much effort to install these other coins clients, which I am really familiar with, and then muck about in their code enough to get it working. However, after some prodding, I have created a simple replacement for their “ringsig.cpp” (see https://github.com/ShenNoether/Deanon) in the shadowcoin code, which, when run, after resyncing the chain, you will be able to determine who the signer of any ring sig is (read the debug.log in .shadowcoin directory). For example, here is the output according to the first ring signature sent on their blockchain:

ProcessBlock: ACCEPTED a801e125053dcc556b94
verifying ring sig asdf

index i = 0 / 4

index i = 1 / 4

index i = 2 / 4

index i = 3 / 4
signer is index 3

BTW, shen has a file with every single ring signature from the chain broken. Anyone can reproduce using the code from his blog.

EDIT: https://raw.githubusercontent.com/ShenNoether/Deanon/master/sdcDeAnon.txt

[americanpegasus]

If you find a game breaking bug in Monero, please shout it from the rooftops.  Everyone needs to know - that's how you handle game-breaking bugs. 
 
If the community chooses to continue despite it - or chooses to fix it, that is a course for the community to decide. 
 
But errors and flaws are most malicious and evil when they are selectively shared or kept secret.  Making a lot of noise about it is the *responsible* thing to do because then it forces the issue to either get fixed or the asset reconsidered. 
 
I can assure you that if such an error is found in one of my assets, my response will not be to attack the person who found/spreads the information.  The truth does not fear inquiry and does not mind being challenged.

[erok]

If you find a game breaking bug in Monero, please shout it from the rooftops.  Everyone needs to know - that's how you handle game-breaking bugs. 
 
If the community chooses to continue despite it - or chooses to fix it, that is a course for the community to decide. 
 
But errors and flaws are most malicious and evil when they are selectively shared or kept secret.  Making a lot of noise about it is the *responsible* thing to do because then it forces the issue to either get fixed or the asset reconsidered. 
 
I can assure you that if such an error is found in one of my assets, my response will not be to attack the person who found/spreads the information.  The truth does not fear inquiry and does not mind being challenged.

You just used it to try to steal the marketcap. Don't even try to take the high road.

[americanpegasus]

You just used it to try to steal the marketcap. Don't even try to take the high road.

Absolutely untrue.  Let's say that such a bug does render Shadowcash unviable as a privacy-oriented currency.  What's the responsible thing to do?  Again, being secretive or coy is the duplicitous tactic.  The responsible thing to do is announce the situation, and make an open statement of support for the best alternative.  I think that no one can argue that XMR is the best alternative, even if you were 1000% sold on SDC before.  
  
As always, the low road is to selectively disseminate the information.  I saw the topic on the /r/Monero subreddit and realized that gave potential dual-holders of both Monero and ShadowCash an advantage - and we are seeking to be as fair and transparent as possible.  When big news hits, it needs to be disseminated in a loud and transparent manner.  
  
The low road would have been to *not* make the topic, and wait for the news to trickle out on its own.  The low road would have been to take the opportunity to kick SDC or its supporters while they are down.  
  
Instead I have expressed concern over the situation, provided references, and extended an olive branch to our competitors.  It seems you are upset about the situation itself, to which I can definitely empathize with.  I would be upset too, but I would also take prudent action to make sure I stayed on the bleeding edge of money.  
  
We're not talking about tokens going from 50 cents to $8 each on some Litecoin-esque pump.  No, I am talking about a full blown global network and $4,000 tokens... and more.  SDC supporters have made contributions to the art in their own way - they don't deserve to get left behind.  I once was an ardent believer in Dogecoins and Nyancoins, and some kind soul slowly steered me down the right path.  
  
When I was redirected towards Cryptonote, I wasn't angry at the community for having an amazing product - I was just thankful for the chance to participate.  I'm hoping those who are reading this will feel the same.
  

[smoothie]

If you find a game breaking bug in Monero, please shout it from the rooftops.  Everyone needs to know - that's how you handle game-breaking bugs. 
 
If the community chooses to continue despite it - or chooses to fix it, that is a course for the community to decide. 
 
But errors and flaws are most malicious and evil when they are selectively shared or kept secret.  Making a lot of noise about it is the *responsible* thing to do because then it forces the issue to either get fixed or the asset reconsidered. 
 
I can assure you that if such an error is found in one of my assets, my response will not be to attack the person who found/spreads the information.  The truth does not fear inquiry and does not mind being challenged.

You just used it to try to steal the marketcap. Don't even try to take the high road.

Proof please.

Otherwise your comment is all speculation.

[TPTB_need_war]

If I am not mistaken, Shonoe did say he identified where in Shadowcash's source code it is using the wrong deterministic hash H_p. That is all the proof that is necessary. Those of us who are very knowledgeable about one-time ring sigs can clearly see that if H_p doesn't have the correct properties then the anonymity is toast. Award him the bounty and stop whining. If you offer bounties and then make someone do nonsense extra work, then your bounties are not worth attempting.

As for whether Shadowcash should quit and join Monero or Aeon, what americanpegasus is trying to say is he doesn't think Shadowcash's cryptographer is sufficiently capable and thus Shadowcash can't be relied upon to innovate on anonymity, e.g. Monero is improving by replacing one-time ring sigs with RingCT. Shadowcash made an error when they "reinvented" one-time ring sigs, so it is reasonable to conclude they will make more errors when trying to keep up with Monero's improvements.

I do understand that Shadowcash has innovated in other areas which they may feel provide some alternatives to Monero/Aeon/Boolberry. That is their decision to make and I think americanpegasus should respect their right to flog themselves with a paddle if they so desire.

Bottom line is Zcash is going to replace all this shit any way. And none of the anonymity coins have an significant user level adoption and never will.

I laugh at americanpegasus with his delusion about the coins he is invested in becoming world dominant. The guy has been drinking the KoolAid.

[erok]

If you find a game breaking bug in Monero, please shout it from the rooftops.  Everyone needs to know - that's how you handle game-breaking bugs.  
  
If the community chooses to continue despite it - or chooses to fix it, that is a course for the community to decide.  
  
But errors and flaws are most malicious and evil when they are selectively shared or kept secret.  Making a lot of noise about it is the *responsible* thing to do because then it forces the issue to either get fixed or the asset reconsidered.  
  
I can assure you that if such an error is found in one of my assets, my response will not be to attack the person who found/spreads the information.  The truth does not fear inquiry and does not mind being challenged.

You just used it to try to steal the marketcap. Don't even try to take the high road.

Proof please.

Otherwise your comment is all speculation.

Logic you mean. Speculation would be if the title of the thread (ShadowCash is mathematically broken. I urge all SDC supporters to join Monero.) would just be the first sentence and not the second.

[slapper]

Why waste time in time to prove that a shitcoin that no one cared about , is a shitcoin? OP is a fucking retard too.

[smooth]

Why waste time in time to prove that a shitcoin that no one cared about

If you read shen's blog post he explained it. He identified the potential flaw first and then looked to see if any coins were implemented in the broken manner. He found one that isn't even a launched coin, more of a proof-of-concept, as well as SDC.

[iCEBREAKER]

If I am not mistaken, Shonoe did say he identified where in Shadowcash's source code it is using the wrong deterministic hash H_p. That is all the proof that is necessary. Those of us who are very knowledgeable about one-time ring sigs can clearly see that if H_p doesn't have the correct properties then the anonymity is toast. Award him the bounty and stop whining. If you offer bounties and then make someone do nonsense extra work, then your bounties are not worth attempting.

I don't often quote Anonymint, but when I do it's because there is a point to be made, and a lesson to be learned.

So erok, do you want to man up and admit fault, or continue burning what infinitesimal social capital you have left after your previous nattering about "digging in mud" and "flinging crap?"

Pro tip: when a cryptographer of vaunted ability such as Shen Noether tells you your shit is fucked, it's best not to double down by rambling about unrelated nonsense that invokes irrelevant, futile deflection frames such as "children digging in mud" and "people flinging crap."

Because it turns out you are the metaphorical child digging in mud, who (upon being upset by harsh reality) resorted to flinging rhetorical crap.

Learn to know and respect your superiors, then submit to their authority as appropriate.  Or you will be taunted a second time!

You may go now.  You are dismissed.  Good day, sir.

[Bavaria]

I remember how SDC bastards fudded Stealth Coin when it revealed some weaknesses.

These bastard trolls were led by longandshort.

Now this disgusting SDC community will get fud from XMR !!!

[erok]

If I am not mistaken, Shonoe did say he identified where in Shadowcash's source code it is using the wrong deterministic hash H_p. That is all the proof that is necessary. Those of us who are very knowledgeable about one-time ring sigs can clearly see that if H_p doesn't have the correct properties then the anonymity is toast. Award him the bounty and stop whining. If you offer bounties and then make someone do nonsense extra work, then your bounties are not worth attempting.

I don't often quote Anonymint, but when I do it's because there is a point to be made, and a lesson to be learned.

So erok, do you want to man up and admit fault, or continue burning what infinitesimal social capital you have left after your previous nattering about "digging in mud" and "flinging crap?"

Pro tip: when a cryptographer of vaunted ability such as Shen Noether tells you your shit is fucked, it's best not to double down by rambling about unrelated nonsense that invokes irrelevant, futile deflection frames such as "children digging in mud" and "people flinging crap."

Because it turns out you are the metaphorical child digging in mud, who (upon being upset by harsh reality) resorted to flinging rhetorical crap.

Learn to know and respect your superiors, then submit to their authority as appropriate.  Or you will be taunted a second time!

You may go now.  You are dismissed.  Good day, sir.

I already did. I see you like kicking an investor while he is down almost as much as the community enjoyed this PR blast. While I appreciate the clarity I still think you all went about it in the most abrasive way possible ("digging in mud" and "flinging crap"). Now you want to keep taunting me or you about ready to move on? Because as an investor, I am about ready to move on.

I do suppose I owe an apology though to iCEBREAKER for calling him a  "punk bitch". Sorry about that. Same goes to AP. I couldn't swing my sword fast enough.

[JosNekoKopa]

Which system is used more by people? SDC or MONERO?
I'm not person with much technical knowledge.
Why DASH still have much more volume than those two mentioned?

[GTO911]

Which system is used more by people? SDC or MONERO?
I'm not person with much technical knowledge.
Why DASH still have much more volume than those two mentioned?

Monero has the most hashpower in Cryptonotes.
Dash has a Masternode pyramid scheme artificially inflating the price