Bitcoin Forum
June 27, 2019, 11:41:19 AM *
News: Latest Bitcoin Core release: 0.18.0 [Torrent] (New!)
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: TwoStep: Post Quantum Secure Transactions  (Read 940 times)
skycoin
Hero Member
*****
Offline Offline

Activity: 498
Merit: 500


View Profile WWW
January 11, 2014, 11:05:10 AM
 #1

Future advances in mathematics may render Bitcoin insecure. This is a draft protocol for securing cryptocoin transactions against future advances in mathematics or computing which render discrete logarithm based public key cryptography insecure.

TwoStep is part of QuantumEclipse, a suite of next-gen cryptocoin protocols developed under OP Darknet Plan for the Skycoin Project.

This protocol is
- simple
- adaptable to Bitcoin
- lower overhead than Lamport Signatures
- works with SHA256 preimages equally as well as Secp256k1 signatures
- not dependent on the security of discrete logarithm based public key cryptography

Overview:

Protocol:
1> A user creates a transaction and publishes the SHA256 of the transaction onto the block chain
2> The user waits several blocks and publishes the transaction. Miners enter the transaction onto the block chain.

A transaction has a pre-published hash it is "timestamped" by the publication of the hash. A transactions without a prepublished hash is a "non-timestamped" transaction.

Rules Followed by Miners:
- if an unconfirmed non-timestamped transaction spends outputs used by a non-confirmed timestamped transaction, the non-timestamped transaction is invalid (time-stamped transactions have priority over non-timestamped transactions).
- if two unconfirmed timestamped transactions spend non-disjoint sets of unspent outputs, the transaction with the earliest timestamp is the valid one.

Analysis:

This protocol relies on
- address pub keys are not published until they are first used in a transaction (address non-reuse)
- private keys cannot be recovered from public keys until the public key is published (preimage resistance of ripmed120(sha256(sha256(x))) )
- the publication of transaction hash into the block chain is a reliable timestamp (no 51% attack, total ordering on transactions)

This protocol delays the publication of the public key for an address until transaction publication and then renders any transactions an attacker creates from the recovered private key invalid.

The attack must now recover the private key, 51% attack the block chain to orphan the user's timestamp and enter an earlier time-stamp for his transaction that would steal the Bitcoin. The longer the user waits between the publication of the hash and the publication of the transaction, the more difficult the required 51% attack becomes.

Integrating into Bitcoin:

Skycoin supports this protocol naively. Bitcoin requires a small modifications to support TwoStep.

- We need an op code for the publication of transaction timestamps. The OP code should include a time or block number when the hash expires. The expiration should be capped, to allow pruning of old timestamps.
- Miners should obey the two precedence rules. The protocol is only secure if miners do not collude with people who are able to recover secp256k1 private keys from public keys.

Weaknesses:

There is no way in Bitcoin to enforce precedence rules if miners are dishonest. There is no way in Bitcoin to prove that a particular block violated the precedence rules. Bitcoin can therefore only support soft/voluntary precedence rule enforcement. There is no mechanism in Bitcoin to blacklist provably dishonest miners.

Enforcement of TwoStep transaction protocols requires new cryptocoin blockchain primitives. The Skycoin Obelisk whitepaper will introduce two new block chain primitives which enable "hard" enforcement of transaction precedence rules.

More information about Skycoin: https://bitcointalk.org/index.php?topic=380441.0

1561635679
Hero Member
*
Offline Offline

Posts: 1561635679

View Profile Personal Message (Offline)

Ignore
1561635679
Reply with quote  #2

1561635679
Report to moderator
The most profitable cloud-mining from Siberia
Verified mining provider
No commissions
Everyday payouts
First payout in 1 hour
24\7 online support
Grab your
12% off
Sign Up
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1561635679
Hero Member
*
Offline Offline

Posts: 1561635679

View Profile Personal Message (Offline)

Ignore
1561635679
Reply with quote  #2

1561635679
Report to moderator
kdrop22
Full Member
***
Offline Offline

Activity: 238
Merit: 100


View Profile
January 20, 2014, 04:34:00 AM
 #2

Forgive the question if it is too basic,

How is the time determined, what prevents the spender from adding an earlier time to the message.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!