|
iddo (OP)
|
 |
March 30, 2014, 04:49:23 PM |
|
|
|
|
|
|
|
|
|
|
|
|
|
Even if you use Bitcoin through Tor, the way transactions are handled by the network makes anonymity difficult to achieve. Do not expect your transactions to be anonymous unless you really know what you're doing.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
roslinpl
Legendary
 Offline
Activity: 2212
Merit: 1199
|
|
March 30, 2014, 05:20:48 PM |
|
at first yes it does looks very interesting.
Evolution of BTC safety is very important - even perhaps most important to make millions of new users join us!
|
|
|
|
|
voisine
Member
Offline
Activity: 115
Merit: 19
|
|
March 30, 2014, 11:08:26 PM
Last edit: March 30, 2014, 11:26:36 PM by voisine |
|
I would love to see the implementation they used to create their example transaction. Apparently built on top of bitcoinj. I don't see any references to it though. Also, are there any plans to turn this into a BIP?
|
|
|
|
|
Mike Hearn
Legendary
Offline
Activity: 1526
Merit: 1129
|
|
March 31, 2014, 09:02:40 AM |
|
They told me they plan to release the code after working on it some more.
|
|
|
|
|
|
trout
|
|
March 31, 2014, 02:46:44 PM |
|
Very interesting paper!
Just to check my understanding on one point. In the suggested approach
there's an owner of the full private key, who then can share this private key
so that "m of n" transactions can be made, but he still can use the whole private
key to spend the balance himself. Is this correct?
That's a major difference with respect to the multisig approach.
|
|
|
|
|
gmaxwell
Moderator
Legendary
Offline
Activity: 4158
Merit: 8382
|
|
March 31, 2014, 08:43:25 PM |
|
In the suggested approach there's an owner of the full private key, who then can share this private key
so that "m of n" transactions can be made, but he still can use the whole private
key to spend the balance himself.
They note in the paper that it's possible to do the dealing step in a distributed manner where no one party learns the key (indeed, the proposed protocol does something like that internally for sharing shares of the ECDSA nonce) but they don't go into detail about it. I think any practical implementation would want to do this simply due to the difficulty in obtaining a single device whos security you can be confident of... The differences I'd make between this and multisig is that it requires a synchronous protocol to both establish keys initially (assuming a distributed dealer) and to sign. E.g. it might be harder to make a signature using N offline wallets as you'd have to shuttle data back and forth to the offline wallets multiple times. It's also harder to 'show' that an address is multisig— e.g. for the purpose of making your policy public, though I'm not sure how much this matters since you can 'fake' multisig too. It also requires a more complex signer software. On the plus side it's much more efficient in the blockchain, esp with high N, and the transactions are indistinguishable from non-multisig which is good for privacy. |
|
|
|
|
|
waxwing
|
|
April 01, 2014, 05:19:17 PM |
|
They note in the paper that it's possible to do the dealing step in a distributed manner where no one party learns the key (indeed, the proposed protocol does something like that internally for sharing shares of the ECDSA nonce) but they don't go into detail about it. I think any practical implementation would want to do this simply due to the difficulty in obtaining a single device whose security you can be confident of...
All the details are in the Ibrahim et al paper (ref 11). This new paper just seems to be mostly a commentary on those algorithms ("by the way this works with Bitcoin and this is why it's cool"). I agree with all your points about advantages/disadvantages. It will be a bit clunky with the synchronicity. Note for example that the no-trusted-dealer secret sharing steps will require private communication channels between each of the participants; I guess the most natural way to implement might be to use encryption to pgp keys (some kind of ssl via a central server would defeat the purpose, after all). Gives you an idea though of how messy it's going to be in distributed scenarios. |
PGP fingerprint 2B6FC204D9BF332D062B 461A141001A1AF77F20B (use email to contact)
|
|
|
instagibbs
Member
Offline
Activity: 114
Merit: 12
|
|
April 01, 2014, 06:52:10 PM |
|
Gives you an idea though of how messy it's going to be in distributed scenarios.
I think it will make most sense inter-machine for one user(security by spreading out "keys"), or a group of mutually known people. |
|
|
|
|
|
waxwing
|
|
April 01, 2014, 07:41:08 PM |
|
I do too, but it does rather temper the sense that it's a replacement for existing P2SH applications. (Escrow being the most obvious case, but also think about voting pools and probably many others).
|
PGP fingerprint 2B6FC204D9BF332D062B 461A141001A1AF77F20B (use email to contact)
|
|
|
Crowex
Member
Offline
Activity: 111
Merit: 10
|
|
April 01, 2014, 07:46:07 PM
Last edit: April 01, 2014, 08:08:52 PM by Crowex |
|
I pointed out in my thread where this was first posted that the degree of the dealer distributed polynomial should be t if you want the threshold to be t. They edited it but I'm going to have to wait until the next edit.  EDIT I've got a few versions of this pdf, the one with degree (t-1)/2 definitely didn't give a threshold of t but maybe the latest version is ok but it doesn't coincide with the original paper. |
|
|
|
|
ysangkok
Newbie
Offline
Activity: 10
Merit: 3
|
|
January 06, 2015, 03:45:05 PM |
|
AFAIK, the source release never happened. Why not? What happened?
|
|
|
|
|
elm
Legendary
Offline
Activity: 1050
Merit: 1000
|
|
March 08, 2015, 06:22:20 PM |
|
any news?
|
|
|
|
|
|
|
gmaxwell
Moderator
Legendary
Offline
Activity: 4158
Merit: 8382
|
|
March 10, 2015, 02:49:36 AM |
|
Hm. I cannot find the distributed setup in that source code. Can you point me to it? |
|
|
|
|
|
