Bitcoin Forum
Poll
Question: Is bad crypto dangerous?
Yes, it is an existential threat - 25 (73.5%)
No, high school math is good enough - 9 (26.5%)
Total Voters: 34

Author Topic: The impact of bad crypto (DASH, SDC, etc). How much does math matter?  (Read 7219 times)
TechorMarketing (OP)
Full Member
***
Offline Offline

Activity: 174
Merit: 101


View Profile
April 22, 2016, 10:32:20 PM
Last edit: April 22, 2016, 10:51:27 PM by TechorMarketing
 #1

Examples:

DASH high school math:

Hey, I heard that you can break InstantX. When can we expect that to happen? I will personally tip you if you do it. Don't disappoint me. Generalize this said you could.

I found a high school level probability math error in the InstantX white paper that had been there for a guess roughly a year and nobody had done the peer review. So this tells you there is no world-class development team.

The white paper was claiming astronomical odds of colluding masternodes able to corrupt the InstantX transactions. I showed the probability was much more reasonable.

DASH paper wallet faulty RNG (January 4th - April 5th, 2016):

Hello Everyone,

Unfortunately we broke paper.dash.org on January 4th and the seeding process for generating a wallet was insecure since then. There are no known Dash thefts that have taken place because of this (yet), but if you created a wallet using paper.dash.org between January 4th and April 5th, please move your money to a new place.

We take these kinds of issues quite seriously and believe it's our fiduciary responsibility to create the most secure environment for users to store value safely in our ecosystem. To address the issue we’ve reverted the patch that caused the issue and have also reverted paper.dash.org to an earlier, much safer version.

Thanks,

Evan Duffield


https://dashtalk.org/threads/security-advisory-for-paper-dash-org.8525/#post-90291

SDC broken crypto:

https://shnoe.wordpress.com/2016/02/11/de-anonymizing-shadowcash-and-oz-coin/
https://github.com/ShenNoether/Deanon

Clearly there are not enough qualified cryptographers to go around.  Is high school math good enough if you have fancy graphics and marketing materials that can attract interest from uneducated users? Is it realistic to expect copy/paste altcoin devs to produce the type of cryptographic research generated by MRL?

https://lab.getmonero.org/
https://eprint.iacr.org/2015/1098.pdf
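The InstantX complaint above is about a probability calculation: how likely it is that an attacker who controls some share of the masternodes ends up controlling a randomly selected quorum. The following is an added example, not code from the thread, from DASH, or from the white paper being criticised; it computes that probability exactly with the hypergeometric distribution (sampling without replacement), which is the "high school" model the post refers to. All network sizes, quorum sizes and thresholds in it are constructed placeholders, since the thread gives none of the white paper's figures.

```python
# Added example: collusion probability for a randomly sampled quorum.
# Parameters (total nodes, quorum size, threshold) are hypothetical; they are
# NOT taken from the InstantX white paper or from the thread.
from math import comb
from typing import List, Tuple


def collusion_probability(total: int, attacker: int, quorum: int, threshold: int) -> float:
    """P(at least `threshold` of a `quorum`-sized random sample are attacker nodes).

    The quorum is drawn without replacement from `total` nodes of which
    `attacker` collude, so the attacker count X is hypergeometric:
        P(X = x) = C(attacker, x) * C(total - attacker, quorum - x) / C(total, quorum)
    """
    if not (0 <= attacker <= total) or not (0 <= quorum <= total):
        raise ValueError("attacker and quorum must lie between 0 and total")
    if threshold <= 0:
        return 1.0
    if threshold > quorum or threshold > attacker:
        return 0.0
    honest = total - attacker
    denominator = comb(total, quorum)
    favourable = 0
    for x in range(threshold, quorum + 1):
        # comb() returns 0 when x > attacker or quorum - x > honest, so no extra guards needed
        favourable += comb(attacker, x) * comb(honest, quorum - x)
    return favourable / denominator


def risk_table(total: int, quorum: int, threshold: int,
               attacker_shares: List[float]) -> List[Tuple[float, float]]:
    """(attacker share of all nodes, probability of capturing one quorum) for each share."""
    rows = []
    for share in attacker_shares:
        attacker = int(round(share * total))
        rows.append((share, collusion_probability(total, attacker, quorum, threshold)))
    return rows


def expected_quorums_until_capture(p: float) -> float:
    """Mean number of independent quorum draws before the first captured one (geometric)."""
    if p <= 0.0:
        return float("inf")
    return 1.0 / p


if __name__ == "__main__":
    # Constructed scenario: 3,500 nodes, quorum of 10, attacker needs 6 of them.
    TOTAL, QUORUM, THRESHOLD = 3500, 10, 6
    for share, p in risk_table(TOTAL, QUORUM, THRESHOLD, [0.05, 0.10, 0.20, 0.30, 0.40, 0.50]):
        print(f"attacker share {share:4.0%}: P(capture quorum) = {p:.3e}, "
              f"expected draws to first capture = {expected_quorums_until_capture(p):.1f}")
```

The useful check for a reviewer is that the odds scale with the attacker's share of the quorum, not with the size of the whole network: once the attacker holds a share close to the threshold fraction, the probability per quorum is no longer "astronomical", and `expected_quorums_until_capture` turns it into a count of transactions an adversary would have to wait for.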

AlexGR
Legendary
*
Offline Offline

Activity: 1708
Merit: 1049



View Profile
April 22, 2016, 10:39:36 PM
 #2

XMR / Monero broken crypto:

I think chainradar are using all the 0 mixin transactions from exchanges and pools in order to guess - the things in https://lab.getmonero.org/pubs/MRL-0004.pdf. I tried some transactions with mixing 7 and 5 between my wallets and they are successfully guessing most of them. This issue is already addressed in the MRL-0004 and we knew that, but it's scary seeing it in chainradar. Everybody should stop using mixing of 0 until this is enforced in the protocol - including pools and exchanges. I suppose some mixings between your own wallets with high mixing should resolve the issue for now. Trollfest incoming Sad.

Cry Cry Cry
bitbite111
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
April 22, 2016, 10:43:20 PM
 #3

XMR / Monero broken crypto:

I think chainradar are using all the 0 mixin transactions from exchanges and pools in order to guess - the things in https://lab.getmonero.org/pubs/MRL-0004.pdf. I tried some transactions with mixing 7 and 5 between my wallets and they are successfully guessing most of them. This issue is already addressed in the MRL-0004 and we knew that, but it's scary seeing it in chainradar. Everybody should stop using mixing of 0 until this is enforced in the protocol - including pools and exchanges. I suppose some mixings between your own wallets with high mixing should resolve the issue for now. Trollfest incoming Sad.

Cry Cry Cry

Damn it. I was hoping monero was something I could invest in.
TechorMarketing (OP)
Full Member
***
Offline Offline

Activity: 174
Merit: 101


View Profile
April 22, 2016, 10:46:22 PM
 #4

XMR / Monero broken crypto:

I think chainradar are using all the 0 mixin transactions from exchanges and pools in order to guess - the things in https://lab.getmonero.org/pubs/MRL-0004.pdf. I tried some transactions with mixing 7 and 5 between my wallets and they are successfully guessing most of them. This issue is already addressed in the MRL-0004 and we knew that, but it's scary seeing it in chainradar. Everybody should stop using mixing of 0 until this is enforced in the protocol - including pools and exchanges. I suppose some mixings between your own wallets with high mixing should resolve the issue for now. Trollfest incoming Sad.

Cry Cry Cry


The issue was discovered and addressed by MRL. Since the latest hard fork 0 mixins are not possible (aside from a minor exception for dust transactions).

This issue is related to privacy not "bad crypto" or math errors. Monero now has a minimum mixin enforced for all transactions unlike DASH where DarkSend is optional and far less effective.

https://hellomonero.com/article/moneros-march-23-2016-hard-fork-what-you-need-know-updated
"Minimum mixin level has changed to 3.  Note that Monero does not use the term "mix" in the way other cryptocurrencies do.  A mixin is the number of ring signature partners that you have.  A mixin of 3 means that your transaction will be indistinguishable from 3 other partner transactions."  
AlexGR
Legendary
*
Offline Offline

Activity: 1708
Merit: 1049



View Profile
April 22, 2016, 10:51:14 PM
 #5

This issue is related to privacy not "bad crypto" or math.

It's bad crypto alright. Monero users were transacting "anonymously" for a year only to discover later that they could be trivially deanonymized because those in charge hadn't fixed a "hole" in the system from the start.

As to the InstantX jamming theoretical attack:

The attack vector on InstantX was about the attacker owning hundreds or thousands of masternodes (ie paying tens of millions of USD to acquire them) just to ...jam an InstantX transaction, which, if failed, would go as a standard transaction.

So, the game theory of the attack vector is that someone will pay tens of millions of dollars to jam an InstantX transaction, while undermining his money in the process.

Do you see that the game theory of the attack vector is completely broken in terms of costs to the attackers and gains for the attacker?

That's elementary logic right there.

It would be like saying "bitcoin is fundamentally flawed because someone could buy 51% of the mining equipment and attack it". Yeah, well, if they did that, their equipment would then be useless. It's economic suicide for the attacker, so to speak. The game theory has to account for this, no?
balu2
Hero Member
*****
Offline Offline

Activity: 742
Merit: 500


View Profile
April 22, 2016, 10:58:07 PM
 #6

The thing is: 99.9999% of inhabitants of this planet can't even track a btc-transaction on blockchain.info (so high-school math is obviously good enough)

So the anon-coin-hype has finally worn off same as the pos-hype?

So we're back to conventional pow, right?  Roll Eyes   Tongue    Cool     Grin     Cheesy    
TechorMarketing (OP)
Full Member
***
Offline Offline

Activity: 174
Merit: 101


View Profile
April 22, 2016, 11:02:24 PM
 #7

The thing is: 99.9999% of inhabitants of this planet can't even track a btc-transaction on blockchain.info

So the anon-coin-hype has finally worn off same as the pos-hype?

So we're back to conventional pow, right?  Roll Eyes   Tongue    Cool     Grin     Cheesy   

The poll was not focused on privacy, the danger of high school level mathematics is far greater than that. The random number generator (RNG) error with the DASH paper wallet generator literally put users at risk of their entire balances being stolen.
Monerobuyer0
Full Member
***
Offline Offline

Activity: 126
Merit: 100


View Profile
April 22, 2016, 11:04:49 PM
 #8

XMR / Monero broken crypto:

I think chainradar are using all the 0 mixin transactions from exchanges and pools in order to guess - the things in https://lab.getmonero.org/pubs/MRL-0004.pdf. I tried some transactions with mixing 7 and 5 between my wallets and they are successfully guessing most of them. This issue is already addressed in the MRL-0004 and we knew that, but it's scary seeing it in chainradar. Everybody should stop using mixing of 0 until this is enforced in the protocol - including pools and exchanges. I suppose some mixings between your own wallets with high mixing should resolve the issue for now. Trollfest incoming Sad.

Cry Cry Cry

Damn it. I was hoping monero was something I could invest in.

It is.

Monero already fixed this problem in the recent hard fork by forbidding mixin 0 transactions.
balu2
Hero Member
*****
Offline Offline

Activity: 742
Merit: 500


View Profile
April 22, 2016, 11:08:33 PM
 #9

The thing is: 99.9999% of inhabitants of this planet can't even track a btc-transaction on blockchain.info

So the anon-coin-hype has finally worn off same as the pos-hype?

So we're back to conventional pow, right?  Roll Eyes   Tongue    Cool     Grin     Cheesy    

The poll was not focused on privacy, the danger of high school level mathematics is far greater than that. The random number generator (RNG) error with the DASH paper wallet generator literally put users at risk of their entire balances being stolen.

Newsflash: not even the RNG in bitcoin-qt is 100% reliable, as I was hearing from the horse's mouth in the technical section somewhere. All your funds are at risk due to the RNG being not random.


And then again: "security" is always an illusion. Wishful thinking of a human mind afraid of pain and death. There is no good correspondence to the idea of "security" in the real world, so it will likely forever be a chase for unicorns, but I digress.
"Security" is just an idea fueled by wishful thinking. It can never be reached in reality.

The only thing that gives us something close to security is the fact that 99.99% of people are too stupid to understand what's happening if that makes sense?

There is no security behind the curve - none whatsoever
AlexGR
Legendary
*
Offline Offline

Activity: 1708
Merit: 1049



View Profile
April 22, 2016, 11:16:52 PM
 #10

The poll was not focused on privacy, the danger of high school level mathematics is far greater than that.

The "high school mathematics" mentioned were of the following type:

"If someone has XXX masternodes then they can jam an InstantX transaction X% of the time because InstantX locking is performed on the masternodes".

Cost for the attacker: Millions of USD to buy masternodes
Gains for the attacker: No gains. Only losses by devaluing his investment.

Elementary game theory logic = violated.
dEBRUYNE
Legendary
*
Offline Offline

Activity: 2268
Merit: 1141


View Profile
April 22, 2016, 11:59:22 PM
 #11

XMR / Monero broken crypto:

I think chainradar are using all the 0 mixin transactions from exchanges and pools in order to guess - the things in https://lab.getmonero.org/pubs/MRL-0004.pdf. I tried some transactions with mixing 7 and 5 between my wallets and they are successfully guessing most of them. This issue is already addressed in the MRL-0004 and we knew that, but it's scary seeing it in chainradar. Everybody should stop using mixing of 0 until this is enforced in the protocol - including pools and exchanges. I suppose some mixings between your own wallets with high mixing should resolve the issue for now. Trollfest incoming Sad.

Cry Cry Cry

This was refuted at the time by:

https://github.com/fluffypony/chainradar-checker

Quote
I tested it against 19 transactions, some mixin 4 and some mixin 20 (excluding my own signature, so mixin 5 and 21 according to ChainRadar).

For these transactions none of them were completely compromised by ChainRadar, and ChainRadar got 0 out of 157 guesses correct.

If you are going to claim such a thing, please properly check it wasn't bogus/FUD.  



It's bad crypto alright. Monero users were transacting "anonymously" for a year only to discover later that they could be trivially deanonymized because those in charge hadn't fixed a "hole" in the system from the start.

Erroneous as well, like I've stated above and others pointed out as well.



Also, what is the point of opening these kinds of threads? It will end in mud-throwing anyway. Ironically it already started in the first few posts here.
 

Privacy matters, use Monero - A true untraceable cryptocurrency
Why Monero matters? http://weuse.cash/2016/03/05/bitcoiners-hedge-your-position/
smooth
Legendary
*
Offline Offline

Activity: 2968
Merit: 1198



View Profile
April 23, 2016, 12:26:48 AM
 #12

XMR / Monero broken crypto:

I think chainradar are using all the 0 mixin transactions from exchanges and pools in order to guess - the things in https://lab.getmonero.org/pubs/MRL-0004.pdf. I tried some transactions with mixing 7 and 5 between my wallets and they are successfully guessing most of them. This issue is already addressed in the MRL-0004 and we knew that, but it's scary seeing it in chainradar. Everybody should stop using mixing of 0 until this is enforced in the protocol - including pools and exchanges. I suppose some mixings between your own wallets with high mixing should resolve the issue for now. Trollfest incoming Sad.

Cry Cry Cry

This was debunked both by fluffypony writing a program to analyze it (and showing the deanonymizing "results" obviously wrong) and later a reply from chainradar stating that it was just a bug in their web site showing wrong data and not even an attempt at deanonymizing at all. FUD/panic, in other words.
AlexGR
Legendary
*
Offline Offline

Activity: 1708
Merit: 1049



View Profile
April 23, 2016, 12:27:06 AM
 #13

Mixin 0 was always a bad idea and a security weakness, no matter if a deanonymizing implementation was getting it right, wrong, or guessing.
smooth
Legendary
*
Offline Offline

Activity: 2968
Merit: 1198



View Profile
April 23, 2016, 12:34:57 AM
 #14

Cost for the attacker: Millions of USD to buy masternodes

There is no such cost, since nothing is consumed. You still have the masternodes when you are done. If done as a malicious attack that reduces the value of the token, an attacker would have already stripped his exposure from his stake and resold it via derivatives. If merely done for spying purposes then you can continue to both spy and collect masternode rewards. This will outcompete honest masternodes over time since spying has economic value.
AlexGR
Legendary
*
Offline Offline

Activity: 1708
Merit: 1049



View Profile
April 23, 2016, 12:47:04 AM
 #15

Cost for the attacker: Millions of USD to buy masternodes

There is no such cost, since nothing is consumed. You still have the masternodes when you are done. If done as a malicious attack that reduces the value of the token, an attacker would have already stripped his exposure from his stake and resold it via derivatives. If merely done for spying purposes then you can continue to both spy and collect masternode rewards. This will outcompete honest masternodes over time since spying has economic value.

Yeah, well, if you want it that way, buying the monero supply to sybil all the mixins (a la BCN-83% "their mixin is insecure"), would also be a feasible economic attack. So XMR = REKT by the "theoretical" buyer of most coins  Cry Cry Cry

In practice it doesn't work that way.
smooth
Legendary
*
Offline Offline

Activity: 2968
Merit: 1198



View Profile
April 23, 2016, 12:49:32 AM
 #16

Cost for the attacker: Millions of USD to buy masternodes

There is no such cost, since nothing is consumed. You still have the masternodes when you are done. If done as a malicious attack that reduces the value of the token, an attacker would have already stripped his exposure from his stake and resold it via derivatives. If merely done for spying purposes then you can continue to both spy and collect masternode rewards. This will outcompete honest masternodes over time since spying has economic value.

Yeah, well, if you want it that way, buying the monero supply to sybil all the mixins (a la BCN-83% "their mixin is insecure"), would also be a feasible economic attack. So XMR = REKT by the "theoretical" buyer of most coins  Cry Cry Cry

Unlike masternode ownership that continues to pay rewards, that can't work without an ongoing cost post MRL-0004, given the math in MRL-0001 (not necessary to follow the math -- the chart showing the 'burnout' effect is good enough). Even Bytecoin could fix this eventually if they implemented a minimum mixing, although it would take quite a while for 82% premine to burn out.
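The mixin discussion running through this thread (the MRL-0004 chainradar quote, the minimum-mixin hard fork in post #4, and the "burnout" remark in the post above) rests on one mechanism from MRL-0001: a ring whose real spend is already known only acts as a decoy elsewhere, and a ring left with a single unknown member is resolved, which can cascade. The following is an added toy model of that cascade, written for this page; it is not Monero code, not MRL's analysis code, and not a transaction parser. Outputs are plain labels, a "ring" is the list of outputs one input references, and the chain history it builds is constructed with a seeded RNG so the run is reproducible. It only captures the chain-reaction effect, not any other tracing heuristic.

```python
# Added example: toy model of the MRL-0001 "chain reaction" and the effect of an
# enforced minimum mixin. Not project code; the chain it builds is constructed.
import random
from typing import Dict, List, Sequence, Tuple


def trace_spends(rings: Sequence[Sequence[str]]) -> Dict[int, str]:
    """Return {ring_index: output} for every ring whose real spend can be deduced.

    Rule: an output is spent exactly once. Once it is known to be spent in one
    ring it is only a decoy in every other ring, so any ring reduced to a single
    unknown member is resolved, and that may resolve further rings.
    A ring of size 1 (mixin 0) resolves immediately.
    """
    known_spent: set = set()
    resolved: Dict[int, str] = {}
    changed = True
    while changed:
        changed = False
        for i, ring in enumerate(rings):
            if i in resolved:
                continue
            candidates = [o for o in ring if o not in known_spent]
            if len(candidates) == 1:
                resolved[i] = candidates[0]
                known_spent.add(candidates[0])
                changed = True
    return resolved


def traceable_fraction(rings: Sequence[Sequence[str]]) -> float:
    """Share of rings whose real spend the chain reaction reveals."""
    return len(trace_spends(rings)) / len(rings) if rings else 0.0


def simulate_chain(n_tx: int, fork_at: int, min_mixin: int,
                   zero_mixin_share: float, seed: int = 1) -> List[List[str]]:
    """Constructed history: each tx spends one unspent output and creates one new one.

    Before index `fork_at` a tx uses mixin 0 with probability `zero_mixin_share`,
    otherwise a random mixin of 1..4; from `fork_at` on every tx uses exactly
    `min_mixin` decoys (the enforced policy). Decoys are drawn from all outputs
    on the chain, spent or not, as a real observer would see them.
    """
    rng = random.Random(seed)
    outputs = [f"out{i}" for i in range(10)]   # initial pool of unspent outputs
    unspent = set(outputs)
    rings: List[List[str]] = []
    for t in range(n_tx):
        real = rng.choice(sorted(unspent))
        unspent.remove(real)
        if t < fork_at:
            mixin = 0 if rng.random() < zero_mixin_share else rng.randint(1, 4)
        else:
            mixin = min_mixin
        pool = [o for o in outputs if o != real]
        ring = rng.sample(pool, min(mixin, len(pool))) + [real]
        rng.shuffle(ring)
        rings.append(ring)
        new_output = f"out{len(outputs)}"
        outputs.append(new_output)
        unspent.add(new_output)
    return rings


def traceable_by_segment(rings: Sequence[Sequence[str]], fork_at: int) -> Tuple[float, float]:
    """(pre-fork fraction, post-fork fraction) of resolved rings, using the whole history."""
    resolved = trace_spends(rings)
    pre = [i for i in range(len(rings)) if i < fork_at]
    post = [i for i in range(len(rings)) if i >= fork_at]
    pre_frac = sum(1 for i in pre if i in resolved) / len(pre) if pre else 0.0
    post_frac = sum(1 for i in post if i in resolved) / len(post) if post else 0.0
    return pre_frac, post_frac


if __name__ == "__main__":
    history = simulate_chain(n_tx=2000, fork_at=1000, min_mixin=3, zero_mixin_share=0.6)
    pre, post = traceable_by_segment(history, fork_at=1000)
    print(f"pre-fork rings resolved: {pre:.1%}; post-fork rings (mixin 3 enforced): {post:.1%}")
```

Run it and compare the two fractions: the pre-fork segment is resolved heavily because mixin-0 rings seed the cascade, while the post-fork rings are only resolved when all three of their decoys happen to be outputs whose spends the old history already gave away. That residual is the burnout the post above refers to; as the share of pre-fork outputs among available decoys shrinks, it decays. A history with no mixin-0 rings at all gives this model nothing to start from, which is the whole point of enforcing the minimum in the protocol rather than leaving it to wallets.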

AlexGR
Legendary
*
Offline Offline

Activity: 1708
Merit: 1049



View Profile
April 23, 2016, 01:07:29 AM
 #17

These types of attacks where someone comes and buys all the coins are too theoretical for my preference.
smooth
Legendary
*
Offline Offline

Activity: 2968
Merit: 1198



View Profile
April 23, 2016, 01:29:31 AM
 #18

These types of attacks where someone comes and buys all the coins are too theoretical for my preference.

All of the coins are not even needed for many masternode attacks. That was the point of the "incorrect high school math" discussion. In many cases the number required is far lower than "all". It is analogous to hash rate attacks which can be done with <50% hash rate, except that in the hash rate case, there is a cost when the attack doesn't succeed. In the masternode case that cost doesn't exist, because a node that is a laying-in-wait attacker is being rewarded at the same rate as any other node.

Also, I would guess a large part of the reason you dismiss these sorts of attacks is a false inference from the word "attack" as something that needs to be done on demand (i.e. go buy up all the coins quickly on an exchange -- which will obviously fail). A better way to phrase it may be "failed incentives", which can also occur over an extended period. For example, in PoW, mining becoming extremely concentrated is not an active attack (where you go and buy up all the hash rate quickly), it is something that may very well happen (and arguably has happened, at least to some extent) over time that still very much undermines the security assumptions of the system.
AlexGR
Legendary
*
Offline Offline

Activity: 1708
Merit: 1049



View Profile
April 23, 2016, 01:44:10 AM
 #19

We are talking about ...jamming a transaction, after spending a shitload of money. And that's to jam 0.x% of InstantX transactions that at worst will be confirmed 150 seconds later per the casual block confirmation... that doesn't make any sense.

If it's a valid game theory scenario, and makes sense for the attacker, we'll see it happen. I don't see it happening.
smooth
Legendary
*
Offline Offline

Activity: 2968
Merit: 1198



View Profile
April 23, 2016, 02:41:12 AM
 #20

We are talking about ...jamming a transaction, after spending a shitload of money. And that's to jam 0.x% of InstantX transactions that at worst will be confirmed 150 seconds later per the casual block confirmation... that doesn't make any sense.

If it's a valid game theory scenario, and makes sense for the attacker, we'll see it happen. I don't see it happening.

I was talking about darksend spying, which you can't see happening, but is all but inevitable (and the only way out there is essentially an accidental miracle) given the incentives.

InstantX has other issues, worse than jamming, as far as not seeing it happening, there really isn't any incentive to even jam right now (who cares?). If it got to the point where Bitcoin is or even beyond, with real reasons for various interests to attack each other, that could and likely would be very different.

Analyzing soundness and especially over the longer term when it really matters is very different from just observing no one is attacking now. The same can be said for every single vulnerable system that has ever been attacked, looking at it the day before.