Come-from-Beyond (OP)
Legendary
 Offline
Activity: 2142
Merit: 1009
Newbie
|
 |
January 14, 2014, 06:37:34 AM |
|
It's one of the best crypto-primitives, it's not supposed to "natively support signing". Different signing schemes could use Curve25519. |
|
|
|
|
Come-from-Beyond (OP)
Legendary
Offline
Activity: 2142
Merit: 1009
Newbie
|
|
January 14, 2014, 06:40:35 AM |
|
someone can generate a block in legit way and try to modify some bytes so that it has block_id = 0, as pushBlock only check blocks.get(block.getId()) != null where it does = null, the next generated block will override genesis block in analyze() if (previousBlock == 0) {
lastBlock = GENESIS_BLOCK_ID;
blocks.put(lastBlock, this);
baseTarget = initialBaseTarget;
cumulativeDifficulty = BigInteger.ZERO;
Account.addAccount(CREATOR_ID);
}Good catch. Post ur Nxt account, plz. PS: This is not the flaw. |
|
|
|
|
liyi3c
Newbie
Offline
Activity: 26
Merit: 0
|
|
January 14, 2014, 06:46:28 AM |
|
8921045556724335400  thx I also doubt if it is the flaw. Fine, let's keep dig |
|
|
|
|
|
jkoil
|
|
January 14, 2014, 08:48:43 AM |
|
looks like a needless if-block for (i = 32; i--!=0; ) {
if (i==0) {
i=0;
}
or does it have any purpose? At least a place for a breakpoint ...  U should ask the author of the code. yes ... hmmmm, no... maybe the one should ask, who decides to compile that  |
|
|
|
|
gimre
Legendary
Offline
Activity: 866
Merit: 1002
|
|
January 14, 2014, 09:57:05 AM |
|
@CfB, have the developers considered switching to Ed25519 instead?
Do u have fast java implementation? I have to say I don't, but I could spend some time doing one if I knew there'll be possibility to include it. |
|
|
|
Come-from-Beyond (OP)
Legendary
Offline
Activity: 2142
Merit: 1009
Newbie
|
|
January 14, 2014, 09:58:54 AM |
|
I have to say I don't, but I could spend some time doing one if I knew there'll be possibility to include it.
Currently we don't need it coz Curve25519 works fine. |
|
|
|
|
|
NxtChoice
|
|
January 14, 2014, 12:18:04 PM |
|
I have to say I don't, but I could spend some time doing one if I knew there'll be possibility to include it.
Currently we don't need it coz Curve25519 works fine. Hi all experts on crypto science, I'm wondering whether I understand it clear, so I have some naive questions here. Is there any flaw in Curve25519? So we need to have an independent review of those crypto class and sign/verify function? If it's an open question or argument, then it should be an academic research on Curve25519 and I don't think one independent reviewer can conclude it in a short time. Is Ed25519 better than Curve25519? Is it because Ed25519 is slow in Java that Nxt doesn't use Ed25519? If Curve25519 is proved to have flaw, is it easy for us to upgrade the system to other crypto functions? Thanks. |
|
|
|
|
Come-from-Beyond (OP)
Legendary
Offline
Activity: 2142
Merit: 1009
Newbie
|
|
January 14, 2014, 12:31:15 PM |
|
I have to say I don't, but I could spend some time doing one if I knew there'll be possibility to include it.
Currently we don't need it coz Curve25519 works fine. Hi all experts on crypto science, I'm wondering whether I understand it clear, so I have some naive questions here. Is there any flaw in Curve25519? So we need to have an independent review of those crypto class and sign/verify function? If it's an open question or argument, then it should be an academic research on Curve25519 and I don't think one independent reviewer can conclude it in a short time. Is Ed25519 better than Curve25519? Is it because Ed25519 is slow in Java that Nxt doesn't use Ed25519? If Curve25519 is proved to have flaw, is it easy for us to upgrade the system to other crypto functions? Thanks. Ed25519 is a cryptographic system. Curve25519 is a cryptographic primitive. If u want to compare something u have to compare Ed25519 and [EC-KCDSA based on Curve25519]. |
|
|
|
|
gimre
Legendary
Offline
Activity: 866
Merit: 1002
|
|
January 14, 2014, 01:35:05 PM |
|
No, i have not. Only equations of the algorithm. Trying to understand if Curve.sign|verify does what its supposed to. Join the irc channel and we can talk further.. if you want. There are some good guys in there, ZjP is one of them.
Regards
j0b
Can you please ask that guy what the reasoning behind the strange is_negative(long10 x) function is? It's kind of hard to understand. I'm also interested in this. a) why there is is_overflow at all... (I thought it'd be simpler to have element of long10 have always reduced mod q....) b) the second part is magic, as there shouldn't be something like "negative", so I assume job of that xor is to split values into two groups... (why?) (edit: added is_negative, snippet) /* checks if x is "negative", requires reduced input */
private static final int is_negative(long10 x) {
return (int)(((is_overflow(x) || (x._9 < 0))?1:0) ^ (x._0 & 1));
}
|
|
|
|
gimre
Legendary
Offline
Activity: 866
Merit: 1002
|
|
January 14, 2014, 01:50:44 PM |
|
If Curve25519 is proved to have flaw, is it easy for us to upgrade the system to other crypto functions?
Thanks.
Changing it won't be easy and won't be instant, but should be doable. Basically, the code would have to be released earlier with some hardcoded number - let's call it X - where to start "new" signature system. After block X all sigs would be checked with NEW system More problematic is that public keys would have to be updated, but still doable, NXT could require to send first transaction signed with both NEW and old privkeys. P.S. more problematic would be what to do with user IDs... |
|
|
|
|
ImmortAlex
|
|
January 14, 2014, 02:50:40 PM |
|
Devs, can you do Peer.sendToAllPeers() in new thread? At least for "sendMoney". It's takes minutes to send request to 150+ peers.
Workaround is to press F5 and re-unlock account immediately, just to watch transaction confirmation.
|
|
|
|
|
|
gbeirn
|
|
January 14, 2014, 03:07:51 PM |
|
Does the fatal flaw have to do with creation of blocks from 1 to say 1440? Maybe to 720.
|
NXT VPS Server Donations can be sent here: 6044921191674841550At the end of each month I will donate some of them back to the community. This is separate from my main wallet so you can keep track of them. I will keep them in there and only use them for hosting. |
|
|
Come-from-Beyond (OP)
Legendary
Offline
Activity: 2142
Merit: 1009
Newbie
|
|
January 14, 2014, 03:09:52 PM |
|
Does the fatal flaw have to do with creation of blocks from 1 to say 1440? Maybe to 720.
Pardon? I don't get the question. |
|
|
|
|
liyi3c
Newbie
Offline
Activity: 26
Merit: 0
|
|
January 14, 2014, 03:42:52 PM |
|
wait. not remember if someone mentioned this before.
from line 4552 to 4631.
If the attacker send infinite garbage blocks, futureBlocks will out of memory...
|
|
|
|
|
|
ImmortAlex
|
|
January 14, 2014, 04:44:15 PM |
|
wait. not remember if someone mentioned this before.
from line 4552 to 4631.
If the attacker send infinite garbage blocks, futureBlocks will out of memory...
Yes... First of all, I hope there's some limit to response size on Jetty side, else attacker can spam nodes with very long answer to any request. Then, NRS should test blocks from "getNextBlocks" response on: 1. Matching with ids from "getNextBlockIds" response. 2. Matching each other before put to futureBlocks. You can do almost all checks you do in pushBlock()! At least it makes attaker's life harder. Right now he can send any garbage to "getNextBlock" response, that is parseable as empty block for example. There's is common problem with peering code in NRS: you test only cryptographic part of data (hashes, keys and so on), but assume that data structures is correct. Remember that famous payloadLength=2147483647?... |
|
|
|
|
liyi3c
Newbie
Offline
Activity: 26
Merit: 0
|
|
January 14, 2014, 05:15:55 PM |
|
wait. not remember if someone mentioned this before.
from line 4552 to 4631.
If the attacker send infinite garbage blocks, futureBlocks will out of memory...
Remember that famous payloadLength=2147483647?... what's that, 2^31 - 1? |
|
|
|
|
liyi3c
Newbie
Offline
Activity: 26
Merit: 0
|
|
January 14, 2014, 05:37:08 PM |
|
let's see this. As far as I know, only transaction sender or block generator will get his public key put into Account. So if I create an account a_1 with secret phase s_1, public key p_1, ID id_1. and send some nxt to it. note the public p_1 will not known to public as a_1 is just reciever. Now I can just prepare many accounts with ID id_1 but diff s_n and p_n due to public key -> id collision. after a_1 get mature after 1440 blocks, I choose the best one of my infinite secret phases s_1....s_n to generate next block with very high success possibility. this is possible because in Transaction.verify() and Block.verifyBlockSignature(), we only check: Account account = accounts.get(Account.getId(generatorPublicKey));
if (account == null) {
return false;
} else if (account.publicKey == null) {
account.publicKey = generatorPublicKey; // we will get here and pass the checking below
} else if (!Arrays.equals(generatorPublicKey, account.publicKey)) {
return false;
} In the same way, I can prepare many other id_n with a secret phase set <s>n and generate subsequent blocks, Now, can I predict future?... |
|
|
|
|
Come-from-Beyond (OP)
Legendary
Offline
Activity: 2142
Merit: 1009
Newbie
|
|
January 14, 2014, 05:38:39 PM |
|
In the same way, I can prepare many other id_n with a secret phase set <s>n and generate subsequent blocks,
It's too expensive. |
|
|
|
|
|
Jaguar0625
|
|
January 14, 2014, 11:04:07 PM |
|
Are you saying that you can't verify 25% of signatures? Isn't that a pretty serious issue?
It was already reported. Where? What am I missing? Why isn't this a big deal? |
NEM - nem.io
|
|
|
gimre
Legendary
Offline
Activity: 866
Merit: 1002
|
|
January 14, 2014, 11:59:40 PM |
|
Are you saying that you can't verify 25% of signatures? Isn't that a pretty serious issue?
It was already reported. Where? What am I missing? Why isn't this a big deal? there's uber hack for this: sign; while( cannot verify) { change timestamp; sign again } |
|
|
|
|
