[ANN][EC]▲ Eclipse ▲ Ring Signatures | Anonymous | TOR | Stealth Addresses

[Mark Zuckerberg]

Dev interested ?

NICE!!

That is great looking work. 

I'm shocked at the reveal after the iffy launch.

[stoner19]

Sometimes communication is easier on IRC vs the forums here at bitcointalk, so I registered and created the channel if anyone is interested in joining/participating. #eclipsecoin on freenode.

https://kiwiirc.com/client/irc.freenode.net/#eclipsecoin

[stoner19]

Is there a block explorer yet? If not, I'd suggest making that next on your list of things to do.

[Bank_sy]

what is the purpose of this coin?

To hell with it, here comes the cat out of the bag.

Eclipse is the first truly cryptographically anonymous coin based on the bitcoin protocol.

It is forked from shadowcash, which was completely de-anoned. See here: https://shnoe.wordpress.com/2016/02/11/de-anonymizing-shadowcash-and-oz-coin/

You will see from Shen Noether's write-up that they used a cryptographically insecure hashToEC function.

Here, we replaced their hashToEC with a cryptographically secure variant. Right now shadowcash is still not anonymous. Eclipse is anonymous.

The writeup linked above describes how the shadowcash hashToEC is broken, so I won't go into it here.

We use what is known as "try-and-increment hashing to an elliptic curve". It is a simple algorithm that is used in several cryptosystems. Key image with our algo goes like this:

1. take a scalar hash (e.g. SHA256d) of the public key (k) and map it to x on the secp256k1 discrete field
2. determine whether this x is a quadratic residue of secp256k1
3. if x is not a quadratic residue, set x = x+1 and go to 2
4. else x is a quadratic residue so keep the point x, y, where y is the positive solution to x for secp256k1, let's call this point p
5. multiply the point p = (x,y) by the scalar representing the private key x, such that key image I = xp

You can verify this is our algo by looking at secp256k1_hash_to_ec_xy_bytes() in our source tree at src/secp256k1/secp256k1/src/secp256k1.c. Rather than re-invent the wheel, we used bitcoin's secp256k1 library to determine the suitability of x and to find it's root to map point x,y.

Happy mining!


Edit:

I forgot to add that anyone who investigates may come across a caveat about try-and-increment where it is subject to "timing attack". Timing attack is absolutely not relevant to ring signatures though, because everyone already knows what a timing attack might reveal: the curve, the input k, and the scalar hash algorithm used. Going back to the original cryptonote white paper, the private key x is protected by discrete logarithm hardness.

Edit:

We have a whitepaper coming that goes into more detail and summarizes Shen's work.

that is cool, I was expecting just another shitcoin but this looks like it might have some actual potential.
you have caught my interest. I am hoping that you will be able to bring more to the table than just the fix in shadowcash.

[Eclipse Crypto]

that is cool, I was expecting just another shitcoin but this looks like it might have some actual potential.
you have caught my interest. I am hoping that you will be able to bring more to the table than just the fix in shadowcash.

It's not "just a fix". You actually have to know what you are doing and be able to do it correctly. It's not like we fixed a typo somewhere. Shadowcash didn't know what they were doing and got completely de-anoned. They are still trying to figure out the correct way to do it.

[Bank_sy]

that is cool, I was expecting just another shitcoin but this looks like it might have some actual potential.
you have caught my interest. I am hoping that you will be able to bring more to the table than just the fix in shadowcash.

It's not "just a fix". You actually have to know what you are doing and be able to do it correctly. It's not like we fixed a typo somewhere. Shadowcash didn't know what they were doing and got completely de-anoned. They are still trying to figure out the correct way to do it.

I did not mean to underplay your fix for shadowcash, apologies if I have offended.
Just wanted to say I hope you will continue to improve eclipse in ways other than fixing the anonymity flaw in shadowcash because there is potential for eclipse.
Suggestion: if the fix is indeed correct, having it verified somehow will bring much more credibility and attention to eclipse.
I am not capable of verifying it otherwise I would gladly volunteer.

[Eclipse Crypto]

that is cool, I was expecting just another shitcoin but this looks like it might have some actual potential.
you have caught my interest. I am hoping that you will be able to bring more to the table than just the fix in shadowcash.

It's not "just a fix". You actually have to know what you are doing and be able to do it correctly. It's not like we fixed a typo somewhere. Shadowcash didn't know what they were doing and got completely de-anoned. They are still trying to figure out the correct way to do it.

I did not mean to underplay your fix for shadowcash, apologies if I have offended.
Just wanted to say I hope you will continue to improve eclipse in ways other than fixing the anonymity flaw in shadowcash because there is potential for eclipse.
Suggestion: if the fix is indeed correct, having it verified somehow will bring much more credibility and attention to eclipse.
I am not capable of verifying it otherwise I would gladly volunteer.

We hope to offer Shen Noether a bounty for a review of our method.

[Bank_sy]

that is cool, I was expecting just another shitcoin but this looks like it might have some actual potential.
you have caught my interest. I am hoping that you will be able to bring more to the table than just the fix in shadowcash.

It's not "just a fix". You actually have to know what you are doing and be able to do it correctly. It's not like we fixed a typo somewhere. Shadowcash didn't know what they were doing and got completely de-anoned. They are still trying to figure out the correct way to do it.

I did not mean to underplay your fix for shadowcash, apologies if I have offended.
Just wanted to say I hope you will continue to improve eclipse in ways other than fixing the anonymity flaw in shadowcash because there is potential for eclipse.
Suggestion: if the fix is indeed correct, having it verified somehow will bring much more credibility and attention to eclipse.
I am not capable of verifying it otherwise I would gladly volunteer.

We hope to offer Shen Noether a bounty for a review of our method.

Great idea

Shen providing a review would be great for Eclipse.

I was getting the opinion of others on SDC/Eclipse and a good point was brought up.

any input or thoughts from the XMR camp? Does this mean Eclipse is cryptograhically anonymous?

They seem to have at least tried to fix the one identified flaw in SDC. Whether SDC has other flaws they didn't fix or whether their fix is even correct is not something anyone can answer without spending a lot of time reviewing it all, which probably won't ever happen.

Valid points, I am hoping they will be able to get their 'fix' properly reviewed.
Assuming the fix is indeed correct, would that mean that it is then truly anonymous?
In other words: if recently exposed flaw in SDC anonymity was fixed, does it make SDC as/more anonymous as XMR? or is SDC still inferior to XMR for anonymity?

What about the other 99.999% of SDC, developed by the same people who made a basic math/crypto error, and which no one has ever reviewed?

Shen found that one flaw effectively by accident, while working on something else.

If SDC were comprehensively reviewed, then one could make claims about it. At this point, I would not.

Have you considered the possibility of this? Is there a reason why you chose shadowcash method of anonymity over other ways of anonymity?  

[Eclipse Crypto]

Great idea

Shen providing a review would be great for Eclipse.

I was getting the opinion of others on SDC/Eclipse and a good point was brought up.

any input or thoughts from the XMR camp? Does this mean Eclipse is cryptograhically anonymous?

They seem to have at least tried to fix the one identified flaw in SDC. Whether SDC has other flaws they didn't fix or whether their fix is even correct is not something anyone can answer without spending a lot of time reviewing it all, which probably won't ever happen.

Valid points, I am hoping they will be able to get their 'fix' properly reviewed.
Assuming the fix is indeed correct, would that mean that it is then truly anonymous?
In other words: if recently exposed flaw in SDC anonymity was fixed, does it make SDC as/more anonymous as XMR? or is SDC still inferior to XMR for anonymity?

What about the other 99.999% of SDC, developed by the same people who made a basic math/crypto error, and which no one has ever reviewed?

Shen found that one flaw effectively by accident, while working on something else.

If SDC were comprehensively reviewed, then one could make claims about it. At this point, I would not.

Have you considered the possibility of this? Is there a reason why you chose shadowcash method of anonymity over other ways of anonymity?  

As usual, smooth has beautiful insight, but it's not an insight that wasn't also obvious to us.

It's important to understand that SDC ported the cryptonote ring signature system to the bitcoin codebase, almost in it's entirety. You can see what I mean in the naming of the methods:

CN: hash_to_ec --> SDC: hashToEC
CN: generate_key_image --> SDC: generateKeyImage
CN: generate_ring_signature --> SDC: generateRingSignature

Why is this important? Because where SDC has an opportunity to deviate, they may create security flaws. Here, they chose to use curve secp256k1, which has a number of useful properties, most notably the potential for an very efficient implementation, as has been created by bitcoin. In choosing secp256k1, they had no template function by which to map a scalar hash (SHA256d) to an EC point. So they did the most "obvious" and provably wrong thing, they took the scalar multiple of the EC base point, using the hash as the scalar.

Shen discovered this flaw, we absolutely do not want to take credit for his insight.

In general, SDC did not deviate significantly from cryptonote elsewhere from what we can tell. Thus, since they followed the cryptonote recipe, the rest of the ring signature system will be as secure as cryptonote for the simple reason that there are not many ways to screw it up. Once you have the EC point from the hash, generating the signature and key image is identical to the cryptonote method.

[NextGenCrypto]

I dunno what any of this mumbo jumbo means, but I hope someone reputable can provide some input.

Thanks again to stoner19 for the early pool.  Sometimes ya just gotta take the risk.  In my case, I just love to waste BTC mining what are normally shitcoins. 

[Bank_sy]

Great idea

Shen providing a review would be great for Eclipse.

I was getting the opinion of others on SDC/Eclipse and a good point was brought up.

any input or thoughts from the XMR camp? Does this mean Eclipse is cryptograhically anonymous?

They seem to have at least tried to fix the one identified flaw in SDC. Whether SDC has other flaws they didn't fix or whether their fix is even correct is not something anyone can answer without spending a lot of time reviewing it all, which probably won't ever happen.

Valid points, I am hoping they will be able to get their 'fix' properly reviewed.
Assuming the fix is indeed correct, would that mean that it is then truly anonymous?
In other words: if recently exposed flaw in SDC anonymity was fixed, does it make SDC as/more anonymous as XMR? or is SDC still inferior to XMR for anonymity?

What about the other 99.999% of SDC, developed by the same people who made a basic math/crypto error, and which no one has ever reviewed?

Shen found that one flaw effectively by accident, while working on something else.

If SDC were comprehensively reviewed, then one could make claims about it. At this point, I would not.

Have you considered the possibility of this? Is there a reason why you chose shadowcash method of anonymity over other ways of anonymity?  

As usual, smooth has beautiful insight, but it's not an insight that wasn't also obvious to us.

It's important to understand that SDC ported the cryptonote ring signature system to the bitcoin codebase, almost in it's entirety. You can see what I mean in the naming of the methods:

CN: hash_to_ec --> SDC: hashToEC
CN: generate_key_image --> SDC: generateKeyImage
CN: generate_ring_signature --> SDC: generateRingSignature

Why is this important? Because where SDC has an opportunity to deviate, they may create security flaws. Here, they chose to use curve secp256k1, which has a number of useful properties, most notably the potential for an very efficient implementation, as has been created by bitcoin. In choosing secp256k1, they had no template function by which to map a scalar hash (SHA256d) to an EC point. So they did the most "obvious" and provably wrong thing, they took the scalar multiple of the EC base point, using the hash as the scalar.

Shen discovered this flaw, we absolutely do not want to take credit for his insight.

In general, SDC did not deviate significantly from cryptonote elsewhere from what we can tell. Thus, since they followed the cryptonote recipe, the rest of the ring signature system will be as secure as cryptonote for the simple reason that there are not many ways to screw it up. Once you have the EC point from the hash, generating the signature and key image is identical to the cryptonote method.

It appears that the devs behind eclipse are at least somewhat competent at coding and if you have managed to successfully fix the flaw then great job.
I have some realistic concerns about eclipse though. If the fix is the only new implementation for eclipse then eclipse will simply fade away when SDC applies a fix as well. There would be no appeal to utilize SDC over Eclipse with all things being equal in terms of anonymity. My next concern is potential flaws in other parts of SDC code, this means Eclipse will also be vulnerable to them.
Do you guys have plans for eclipse other than applying the fix?

[Eclipse Crypto]

Just a reminder about our Twitter promo!  We've had a good number of responses so far.   

Eclipse Twitter Promotion!

In order to star to bring awareness to Eclipse, we are going to be making a large push on Twitter and rewarding our followers who participate!

The first promotion will reward users with 15 EC simply for following twitter.com/EclipseCrypto and providing your EC address.

Step 1: Sign on to Twitter and follow twitter.com/EclipseCrypto
Step 2: Fill out this Google form to provide us your address so we can track activity without annoying you every time: http://goo. gl/forms/ga2gcFsUsO (copy/remove space)

Here are the rules:
1: Obviously you've gotta be a follower
2: You have to have at least 50 REAL followers (we'll verify on TwitterAudit)
3: Participate and earn EC

That's it.  Stay tuned to the thread and we'll have regular promotions to earn additional EC!

[Black Mamba]

POS starts after POW is done?

[pol5]

I like this coin   

[NextGenCrypto]

POS starts after POW is done?

PoS has already started...

[Bank_sy]

POS starts after POW is done?

PoS has already started...

Currently PoW/PoS

PoS V2

PoS Min Age: 8 hours

HiPoS Length: 4 Weeks

HiPoS Reward: 300 Corona, decreasing by 10/day to 20 Corona

Post-HiPoS Reward: 10 Corona

this coin is promising, just hope devs have more planned than the anonymity fix.

[snortex]

POS starts after POW is done?

PoS has already started...

Currently PoW/PoS

PoS V2

PoS Min Age: 8 hours

HiPoS Length: 4 Weeks

HiPoS Reward: 300 Corona, decreasing by 10/day to 20 Corona

Post-HiPoS Reward: 10 Corona

this coin is promising, just hope devs have more planned than the anonymity fix.

What is Corona?

[Eclipse Crypto]

It appears that the devs behind eclipse are at least somewhat competent at coding and if you have managed to successfully fix the flaw then great job.
I have some realistic concerns about eclipse though. If the fix is the only new implementation for eclipse then eclipse will simply fade away when SDC applies a fix as well. There would be no appeal to utilize SDC over Eclipse with all things being equal in terms of anonymity. My next concern is potential flaws in other parts of SDC code, this means Eclipse will also be vulnerable to them.
Do you guys have plans for eclipse other than applying the fix?

Yes, we have an internal roadmap. But before we make it public, we need to see for ourselves what kind of potential there is for an anonymous coin.

Our motivation was to get some people who know cryptography and math (us) together with a coin that has good anonymity. We aren't for bells and whistles until the potential of the underlying protocol is fully realized. However, if you like bells and whistles, those that come with shadowcoin are pretty good.

If you insist, our near-term plans are twofold and a little technical.

1. First, we need to bring the bitcoin secp256k1 library to the entirety of the Eclipse code base. This means not only using it as an API for patching the broken shadowcash ring signatures (which we have done), but also to use it for all of the operations over secp256k1. This also means integrating Schnorr signatures, which are native to the bitcoin secp256k1 library.
2. Second the current implementation needs proper blockchain pruning.

[Bank_sy]

It appears that the devs behind eclipse are at least somewhat competent at coding and if you have managed to successfully fix the flaw then great job.
I have some realistic concerns about eclipse though. If the fix is the only new implementation for eclipse then eclipse will simply fade away when SDC applies a fix as well. There would be no appeal to utilize SDC over Eclipse with all things being equal in terms of anonymity. My next concern is potential flaws in other parts of SDC code, this means Eclipse will also be vulnerable to them.
Do you guys have plans for eclipse other than applying the fix?

Yes, we have an internal roadmap. But before we make it public, we need to see for ourselves what kind of potential there is for an anonymous coin.

Our motivation was to get some people who know cryptography and math (us) together with a coin that has good anonymity. We aren't for bells and whistles until the potential of the underlying protocol is fully realized. However, if you like bells and whistles, those that come with shadowcoin are pretty good.

If you insist, our near-term plans are twofold and a little technical.

1. First, we need to bring the bitcoin secp256k1 library to the entirety of the Eclipse code base. This means not only using it as an API for patching the broken shadowcash ring signatures (which we have done), but also to use it for all of the operations over secp256k1. This also means integrating Schnorr signatures, which are native to the bitcoin secp256k1 library.
2. Second the current implementation needs proper blockchain pruning.

Thanks for your continued responses. It is good to hear that you have a vision for eclipse that expands beyond the anonymity fix. The sky is the limit for an anonymous coin but only if it is truly anonymous.
I am looking forward to see everything take hold and hope to see eclipse as a top contender for anonymity.
I remain a bit skeptical of how dedicated you will be to eclipse because quite frankly the altcoin scene is just an absolute mess but I am liking eclipse much more than any other recent garbage launches.
Hard work will pay off so I hope you remain dedicated to eclipse and success will follow!

[cryptohunter2]

bring it to some exchanges else will end up in the hands of 10 people who mine shart 256 and the coin will fail already?