Bitcoin Forum
May 05, 2024, 12:41:10 AM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
Pages: « 1 ... 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 [57] 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 ... 139 »
Author Topic: delete  (Read 165493 times)
ButtcoinEXpress
Newbie
Activity: 28
Merit: 0
September 24, 2014, 02:28:45 PM
#1121

I should have avoided the alcohol with my popcorn last night.

Anything fun happen? 

~BCX
TheFascistMind
Newbie
Activity: 42
Merit: 0
September 24, 2014, 02:55:56 PM
Last edit: September 24, 2014, 03:19:25 PM by TheFascistMind
#1122


You'll excuse the curt reply, but I'm just going to infodump from IRC, as we're quite tight on time -


[15:48:52] sarang: I can't prove a negative
[15:48:54] sarang: that's the trouble
[15:49:05] sarang: I can't say "there is no way to use three equations like that to recover x, here's proof"
[15:49:11] sarang: I can only say "there are no known ways to do so"
[15:49:36] sarang: The onus is on him. Unfortunately, if the world wants us to counter it with Magic Negative Proof, then they'll be disappointed
[15:50:37] sarang: But, let me review out loud
[15:50:45] sarang: We know I=xH(P) is one equation
[15:51:36] sarang: We know r=q-cx is another
[15:51:50] sarang: and we know x=H(aR)+b is a third


That is not what I sent to smooth in private. I said the attacker could have sent the coins to the recipient, thus the attacker would know P = xG = H(rA)+B, since the public key is (A,B) and the sender of the tx chooses r.

https://cryptonote.org/whitepaper.pdf#page=7


[15:52:00] sarang: You have, indeed, three equations for x
[15:52:19] sarang: How many unknowns is important here (though the security of ECDLP is important too)
[15:53:25] sarang: Unknowns are x itself, q, c, a, b, and technically r since it's indexed


They forgot that using my proposed de-anonymization algorithm i == s can be known, thus c is known.

So we have 2 unknowns x and q and 3 equations.


[15:53:40] sarang: Given three equations and six unknowns, he can go right back to the drawing board


Duh! Did they really assume I am that stupid? Hubris is the source of many failures.


[15:56:43] sarang: So my answer to him would be that the private key is obscured in all cases by either the ECDLP or random affine goodness
[15:57:06] sarang: and that the three equations means that you STILL have three extra degrees of freedom
[15:57:41] sarang: and the degrees of freedom are carefully chosen from random distributions
[15:57:55] sarang: If he has an actual attack or a suggestion of how to reduce the parameter space, fine, share it
[15:58:21] sarang: But we don't spend our time proving negatives... we review carefully and hunt down any flaws we see that seem reasonable given our expertise
[15:59:42] sarang: If he wants to argue with linear algebra or the ECDLP, he can go right ahead
[15:59:48] sarang: Those are better listeners anyway
[16:00:28] sarang: We don't need to explain how linear algebra works anyway... it's assumed the whitepaper is written for someone who knows what all those little symbols mean
[16:02:56] sarang: Real mathematicians don't rub unknowns in people's faces. They point out flaws and offer constructive input


Thanks for dumping their condescending attitude in public. I guess you were hoping for revenge for the upthread exchange between you and me?

I aced college Linear Algebra in 1985. And I aced college Calculus I in night school at college while I was still in high school in 1983.

I sent my suggestion to smooth with the implied (from earlier discussion) caveat that I was not providing a complete analysis nor was I sure there is a vulnerability. So I was under no obligation to follow what "real mathematicians" do because I don't have skin in this game. I am not trying to prove myself in the math field. I was simply trying to help develop ideas for what could have any chance of being BCX's alleged exploit. It is not my role to take it further than that. I had already provided a real anonymity attack with pseudocode, thus this off-the-cuff quick suggestion to smooth was purely me trying to help share ideas. Not to be used as fodder to insult me in public.


[16:06:31] sarang: Oh, and the equations use different base points, so you gain no benefit from a common base point


I didn't see that. Where is that written, or is it just an assumption? I noticed the requisite mod l are implied and not written. So this must be one of those typical things you are supposed to know and that is not explicit?

But note above we have 3 equations and afaics only 2 unknowns.
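An added toy model of the three equations sarang lists in the IRC dump above (editor's example; it is not code from this thread, from CryptoNote or from Monero). Scalars live in Z_L with L = 1019, and the order-L subgroup of Z_p^* for p = 2L + 1 stands in for the curve, so the whitepaper's "xG" is written pow(G, x, p). The hash functions, the single ring slot with its challenge c treated as known (the poster's assumption about index s), and the random seed are all constructed for the demo. It counts how many (b, q) pairs remain consistent with r_s = q - c*x once the sender knows Hs(rA), then shows that the only filter left is the group equation P = xG, a discrete log that is brute-forced here only because L is tiny.

```python
import hashlib
import random

# Constructed toy parameters (not CryptoNote's): scalars live in Z_L and the
# order-L subgroup of Z_P^* stands in for the elliptic-curve group, so the
# whitepaper's "xG" is written pow(G, x, P_MOD). Real CryptoNote has L ~ 2^252.
L = 1019                 # prime scalar field order
P_MOD = 2 * L + 1        # 2039, also prime, so Z_P^* has a subgroup of order L


def subgroup_generator(p, l):
    """Return an element of order l in Z_p^* (plays the role of the base point G)."""
    for cand in range(2, p):
        g = pow(cand, (p - 1) // l, p)
        if g != 1:
            return g
    raise ValueError("no element of order %d" % l)


G = subgroup_generator(P_MOD, L)


def hs(*parts):
    """Scalar hash Hs: anything -> Z_L (toy: SHA-256 reduced mod L)."""
    data = "|".join(str(part) for part in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % L


def hp(point):
    """Hash-to-group Hp: maps a group element to another generator of the subgroup."""
    return pow(G, 1 + hs("Hp", point) % (L - 1), P_MOD)


def keygen(rng):
    """Recipient's long-term keys: secrets (a, b), public (A, B) = (aG, bG)."""
    a, b = rng.randrange(1, L), rng.randrange(1, L)
    return a, b, pow(G, a, P_MOD), pow(G, b, P_MOD)


def sender_side(rng, A, B):
    """Sender picks tx key r and publishes R = rG and P = Hs(rA)G + B.
    The sender therefore knows the scalar Hs(rA) but not b."""
    r = rng.randrange(1, L)
    shared = hs(pow(A, r, P_MOD))
    P = (pow(G, shared, P_MOD) * B) % P_MOD
    return pow(G, r, P_MOD), P, shared


def recipient_side(a, b, R):
    """Recipient recovers the one-time secret x = Hs(aR) + b (the third equation)."""
    return (hs(pow(R, a, P_MOD)) + b) % L


def sign_slot(rng, x, P, c):
    """Signer's own ring slot: q uniform in Z_L, r_s = q - c*x (the second equation),
    key image I = x*Hp(P) (the first). Returns r_s, I and the two q-commitments."""
    q = rng.randrange(L)
    I = pow(hp(P), x, P_MOD)
    return (q - c * x) % L, I, pow(G, q, P_MOD), pow(hp(P), q, P_MOD)


def verify_slot(r_s, c, P, I, L_s, R_s):
    """Verifier recomputes r_s*G + c*P and r_s*Hp(P) + c*I; x cancels out of both."""
    L_check = (pow(G, r_s, P_MOD) * pow(P, c, P_MOD)) % P_MOD
    R_check = (pow(hp(P), r_s, P_MOD) * pow(I, c, P_MOD)) % P_MOD
    return L_check == L_s and R_check == R_s


def count_consistent(r_s, c, shared):
    """Sender's linear view: r_s, c and Hs(rA) known, q and b unknown.
    Every b' in Z_L gives a q' with r_s = q' - c*(Hs(rA) + b'), so the linear
    equation rules out nothing. Returns the number of consistent b' (always L)."""
    n = 0
    for b_cand in range(L):
        x_cand = (shared + b_cand) % L
        q_cand = (r_s + c * x_cand) % L
        if (q_cand - c * x_cand) % L == r_s:
            n += 1
    return n


def brute_force_dlog(P):
    """The only filter left is P = xG, i.e. a discrete log in the group.
    Feasible here only because L = 1019; that search is the ECDLP cost."""
    for x_cand in range(L):
        if pow(G, x_cand, P_MOD) == P:
            return x_cand
    return None


def run_demo(seed=7):
    """Runs the protocol once and reports what each equation does and does not reveal."""
    rng = random.Random(seed)
    a, b, A, B = keygen(rng)
    R, P, shared = sender_side(rng, A, B)
    x = recipient_side(a, b, R)
    c = hs("challenge", R, P)   # treated as known, per the poster's assumption about index s
    r_s, I, L_s, R_s = sign_slot(rng, x, P, c)
    return {
        "one_time_key_matches": pow(G, x, P_MOD) == P,
        "slot_verifies": verify_slot(r_s, c, P, I, L_s, R_s),
        "linear_candidates": count_consistent(r_s, c, shared),
        "dlog_recovers_x": brute_force_dlog(P) == x,
    }


if __name__ == "__main__":
    print(run_demo())
```

count_consistent returns L: with q uniform, every value of b (hence of x) is consistent with the published r_s, so the scalar equation alone pins nothing down even when c and Hs(rA) are known; only the group equations P = xG and I = x*Hp(P) separate the candidates, and at real parameters that separation costs a discrete log.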
TheFascistMind
Newbie
Activity: 42
Merit: 0
September 24, 2014, 02:58:38 PM
#1123

this ends the show.

Sorry it doesn't.
TheFascistMind
Newbie
Activity: 42
Merit: 0
September 24, 2014, 03:10:06 PM
#1124


yes it does. I doubt BCX is a genius like at your level.

I have no comment on that. I won't speculate further about that. My role was only to help find any potential vulnerabilities in order to strengthen CN.
TheFascistMind
Newbie
Activity: 42
Merit: 0
September 24, 2014, 03:14:36 PM
#1125

That is not what I sent to smooth in private. I said the attacker could have sent the coins to the recipient, thus the attacker would know P = xG = H(rA)+B, since the public key is (A,B) and the sender of the tx chooses r.

Just checked. Apparently I was too sleepy when I messaged smooth (and probably multitasking too). I sent him the wrong equation. Mea culpa.

https://bitcointalk.org/index.php?topic=789978.msg8942201#msg8942201

x = Hs(aR) + b, so as P = xG

Attacker could possibly know Hs(aR).

But you'd think the mathematicians would take a look at page 7 of the whitepaper and figure out the attacker knows the symmetrical equation.
NewLiberty
Legendary
Activity: 1204
Merit: 1002
Gresham's Lawyer
September 24, 2014, 03:15:04 PM
#1126


yes it does. I doubt BCX is a genius like at your level.

BCX was never the issue.
Getting this right is the issue, and always was.

As crypto evolves, there are much bigger boogiemen, this is just a fire drill.

Skinnkavaj
Sr. Member
Activity: 469
Merit: 250
English Motherfucker do you speak it ?
September 24, 2014, 03:33:09 PM
#1127


TheFascistMind
Newbie
Activity: 42
Merit: 0
September 24, 2014, 03:54:40 PM
#1128

That is not what I sent to smooth in private. I said the attacker could have sent the coins to the recipient, thus the attacker would know P = xG = H(rA)+B, since the public key is (A,B) and the sender of the tx chooses r.

Note this doesn't really apply to a wide-scale attack by a single attacker. Rather, if it is valid, then it means senders can steal back what they sent to you if they can de-anonymize you and they can rewind the chain, which isn't likely.

But there is an easy fix all of you could do now. Go send your CN coins to yourself at a new address. Then you are both the sender and the recipient.

That is why I said upthread I wasn't too concerned about this additional insight.

However, there is still the prior insight where we have two equations and two unknowns x and q.
TheFascistMind
Newbie
Activity: 42
Merit: 0
September 24, 2014, 04:03:43 PM
#1129

That is not what I sent to smooth in private. I said the attacker could have sent the coins to the recipient, thus the attacker would know P = xG = H(rA)+B, since the public key is (A,B) and the sender of the tx chooses r.

Note this doesn't really apply to a wide-scale attack by a single attacker. Rather, if it is valid, then it means senders can steal back what they sent to you if they can de-anonymize you and they can rewind the chain, which isn't likely.

But there is an easy fix all of you could do now. Go send your CN coins to yourself at a new address. Then you are both the sender and the recipient.

That is why I said upthread I wasn't too concerned about this additional insight.

Whoops. I am mistaken. Sending the coins to yourself doesn't help if the attacker can rewind the chain. And if the math is broken, this could be done widespread by a single attacker, because every spend he does infects that coin downstream everywhere it goes, assuming he can rewind the blockchain with a TW or 51% attack.
TheFascistMind
Newbie
Activity: 42
Merit: 0
September 24, 2014, 04:11:51 PM
#1130

That is not what I sent to smooth in private. I said the attacker could have sent the coins to the recipient, thus the attacker would know P = xG = H(rA)+B, since the public key is (A,B) and the sender of the tx chooses r.

Note this doesn't really apply to a wide-scale attack by a single attacker. Rather, if it is valid, then it means senders can steal back what they sent to you if they can de-anonymize you and they can rewind the chain, which isn't likely.

But there is an easy fix all of you could do now. Go send your CN coins to yourself at a new address. Then you are both the sender and the recipient.

That is why I said upthread I wasn't too concerned about this additional insight.

Whoops. I am mistaken. Sending the coins to yourself doesn't help if the attacker can rewind the chain. And if the math is broken, this could be done widespread by a single attacker, because every spend he does infects that coin downstream everywhere it goes, assuming he can rewind the blockchain with a TW or 51% attack.

But that is no worse than double-spending the coin in conjunction with a blockchain rewind, so (even if that math is broken) that isn't really a new vulnerability.

Only the two eqs. with unknowns q and x remain as a potential new vulnerability.
vuduchyld
Sr. Member
Activity: 364
Merit: 250
September 24, 2014, 04:14:40 PM
#1131


yes it does. I doubt BCX is a genius like at your level.

BCX was never the issue.
Getting this right is the issue, and always was.

As crypto evolves, there are much bigger boogiemen, this is just a fire drill.

Absolutely this. And again, TheFascistMind, from my far outsider's perspective, you've done a great service here....likely far in excess of any financial reward you received.

Many, many thanks to the MEW group and devs.  Crypto is still a new technology and the space is evolving and immature.  I appreciate the way that you've handled everything so far.

I consider crypto highly speculative and I only approach it with risk capital...capital I can afford to lose completely.  I'm invested in your team and I consider you all to be advancing the cause greatly.  Consider me one of the silent majority.  I'm not a whale by any stretch of the imagination.  I might be more likely to become one, though, based on the response I've seen.
Hueristic
Legendary
Activity: 3808
Merit: 4893
Doomed to see the future and unable to prevent it
September 24, 2014, 05:00:30 PM
#1132

All this has done so far is bring more attention to the coin, and if indeed there is no way to attack it then the value has increased. Which leads to the question: was this the desired result in the first place?

Moneroman88
Sr. Member
Activity: 448
Merit: 252
September 24, 2014, 05:11:08 PM
#1133

All this has done so far is bring more attention to the coin, and if indeed there is no way to attack it then the value has increased. Which leads to the question: was this the desired result in the first place?

I've said this since day one and the majority called me a troll... Roll Eyes
infofront
Legendary
Activity: 2632
Merit: 2780
Shitcoin Minimalist
September 24, 2014, 05:14:12 PM
#1134

All this has done so far is bring more attention to the coin, and if indeed there is no way to attack it then the value has increased. Which leads to the question: was this the desired result in the first place?

I've said this since day one and the majority called me a troll... Roll Eyes

You're the one who provoked him to attack to begin with...troll.
Mumbles
Newbie
Activity: 50
Merit: 0
September 24, 2014, 05:19:58 PM
#1135

If this coin is vulnerable to one guy living in his parents' basement then it deserves to go down in flames. I agree with others on here: I want as many people attacking this coin now as possible so we can improve and strengthen it before it gets more widely adopted. Any short-term price drop is nothing compared to the long-term gains that will come from having a secure and robust solution for the future.
TheFascistMind
Newbie
Activity: 42
Merit: 0
September 24, 2014, 05:28:27 PM
Last edit: September 24, 2014, 05:53:25 PM by TheFascistMind
#1136

TheFascistMind, from my far outsider's perspective, you've done a great service here....likely far in excess of any financial reward you received.

I don't want to overstate my role. There are other developers working hard behind the scenes who don't get credit. Someone offered me an additional 5 BTC but I said it could go to those developers working behind the scenes such as to build the simulation to test my pseudocode.

We are not yet sure if anything I contributed is actually a viable attack. I reasonably strongly think so for the de-anonymization and mitigation I provided, but until they build a simulation we probably won't know. The math ideas were really just quickies and not too much effort applied (maybe an hour or two total). I did also write up my summary in this thread of some ways to think about the TW attack and mitigation, which expounds a bit I guess on what I hadn't read before writing that.

I have already received 2.5 BTC from smooth as a preliminary payment, I assume until they can verify with simulation.

Responding to his PM, I also gave jl777 my initial feedback on his Teleport anonymization in a PM. I am waiting on him to describe some of it to me better, so I could analyze more specifically and give specific suggestions, if any. My upthread post about offchain anonymity coins was not intended to say they are necessarily worse than one-time ring signatures on the block chain. I was saying we need more quantified understanding of how these methods compare. And hoping the developers of those coins will produce whitepapers that explain the specifics and do so in a way I can understand. So far the only offchain anonymity whitepaper I've seen which gives a lot of specifics is the one from jl777, but I can't really understand it. Maybe it is just me. For example, there are terms used such as "cloned" which are not defined, or at least I didn't see the definitions in that wall of text. Darkcoin's specifics were last time I checked some months ago buried in the discussion thread. I had formed an understanding; they since refined the design to do premixing, which I commented on in rpietila's Altcoin Observer thread. The problem with all this piecemeal analysis spread all over the place is it is not collected in one coherent whitepaper for investors to read.
NewLiberty
Legendary
Activity: 1204
Merit: 1002
Gresham's Lawyer
September 24, 2014, 06:13:41 PM
#1137

TheFascistMind, from my far outsider's perspective, you've done a great service here....likely far in excess of any financial reward you received.

I don't want to overstate my role. There are other developers working hard behind the scenes who don't get credit. Someone offered me an additional 5 BTC but I said it could go to those developers working behind the scenes such as to build the simulation to test my pseudocode.

We are not yet sure if anything I contributed is actually a viable attack. I reasonably strongly think so for the de-anonymization and mitigation I provided, but until they build a simulation we probably won't know. The math ideas were really just quickies and not too much effort applied (maybe an hour or two total). I did also write up my summary in this thread of some ways to think about the TW attack and mitigation, which expounds a bit I guess on what I hadn't read before writing that.

I have already received 2.5 BTC from smooth as a preliminary payment, I assume until they can verify with simulation.

Responding to his PM, I also gave jl777 my initial feedback on his Teleport anonymization in a PM. I am waiting on him to describe some of it to me better, so I could analyze more specifically and give specific suggestions, if any. My upthread post about offchain anonymity coins was not intended to say they are necessarily worse than one-time ring signatures on the block chain. I was saying we need more quantified understanding of how these methods compare. And hoping the developers of those coins will produce whitepapers that explain the specifics and do so in a way I can understand. So far the only offchain anonymity whitepaper I've seen which gives a lot of specifics is the one from jl777, but I can't really understand it. Maybe it is just me. For example, there are terms used such as "cloned" which are not defined, or at least I didn't see the definitions in that wall of text. Darkcoin's specifics were last time I checked some months ago buried in the discussion thread. I had formed an understanding; they since refined the design to do premixing, which I commented on in rpietila's Altcoin Observer thread. The problem with all this piecemeal analysis spread all over the place is it is not collected in one coherent whitepaper for investors to read.
Those are good readings for historical perspective, but code has moved forward since then too.
The KGW is not in play on XMR, even though it still has fast difficulty adjustment. As you probably know, it uses a net-difficulty metric for chain length, not just size or depth, for determination, and has incorporated 20% anomaly dropping in the difficulty algo (which was not in the original KGW) across a sliding window of 720 blocks. One of the TW risks is the differentiation time required between chains of different length. We want that fast or immediate, as well as accurate. Checkpointing is the historical solution, but with respect to Bitcoin, it has heretofore been developer dependent.

What we are likely to get from the recent TW threat is some even better decentralized solutions to such threats. Really cool stuff if they can pull it off.

Your anonymity issues also continue to be interesting, and merit some additional work for developing best-case fungibility. This is pretty exciting and I'm eager to see where it leads us.

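An added toy of the two mechanisms NewLiberty describes above, chain selection by total work and anomaly dropping over a sorted 720-block timestamp window (editor's illustration; not Monero's code and not KGW). The 720-block window and the 20% drop come from the post; splitting that drop evenly between the earliest and latest timestamps, a 60-second target, summing per-block difficulty instead of taking cumulative-difficulty differences, and the sample chains are constructed assumptions, and the toy ignores the other timestamp rules a real node enforces. It shows a run of 50 future-dated blocks collapsing an untrimmed estimate while the trimmed estimate is unaffected.

```python
# Constructed toy of the mechanisms described in the post above; not Monero's code.
WINDOW = 720            # sliding window length, from the post
TRIM_FRACTION = 0.20    # "20% anomaly dropping" from the post; even split to both ends is an assumption
TARGET_SECONDS = 60     # assumed block target for the toy


def next_difficulty(timestamps, difficulties, trim=TRIM_FRACTION,
                    window=WINDOW, target=TARGET_SECONDS):
    """Difficulty for the next block from the most recent `window` blocks (oldest first).

    Timestamps are sorted independently of block order and the lowest and highest
    trim/2 fraction are discarded, so blocks stamped far into the future or past
    cannot stretch the measured span unless their count exceeds what the trim drops.
    Work is summed over the blocks between the kept extremes (one fewer than the
    kept timestamps, because the span counts intervals, not blocks).
    """
    ts = sorted(timestamps[-window:])
    diffs = list(difficulties[-window:])
    n = len(ts)
    cut = int(n * trim / 2)
    kept = ts[cut:n - cut]
    span = max(kept[-1] - kept[0], 1)
    work = sum(diffs[cut + 1:n - cut])
    return (work * target + span - 1) // span   # round up


def select_chain(chains):
    """Chain selection by total work (sum of block difficulties), not by block count.
    Returns the index of the heaviest chain."""
    works = [sum(chain) for chain in chains]
    return works.index(max(works))


def honest_window(n=WINDOW, difficulty=1000, target=TARGET_SECONDS):
    """Constructed sample: n blocks exactly `target` seconds apart at constant difficulty."""
    return [i * target for i in range(n)], [difficulty] * n


def time_warped_window(n_warped=50, shift=10 * 24 * 3600):
    """Same sample, but the last n_warped blocks claim timestamps `shift` seconds in the future."""
    ts, diffs = honest_window()
    ts = ts[:-n_warped] + [t + shift for t in ts[-n_warped:]]
    return ts, diffs


if __name__ == "__main__":
    ts, diffs = honest_window()
    wts, wdiffs = time_warped_window()
    print("honest, untrimmed:", next_difficulty(ts, diffs, trim=0.0))
    print("honest, trimmed:  ", next_difficulty(ts, diffs))
    print("warped, untrimmed:", next_difficulty(wts, wdiffs, trim=0.0))
    print("warped, trimmed:  ", next_difficulty(wts, wdiffs))
    print("heavier chain:", select_chain([[1000] * 720, [500] * 800]))
```

With the sample above the 50 future-dated blocks all sort to the top of the window and fall inside the 72 timestamps the trim discards, so the trimmed estimate stays at 1000 while the untrimmed one drops below 100. The trim only buys headroom up to the number of blocks it discards: an attacker who mis-stamps more blocks than that within the window, or who spreads smaller skews across it, still moves the span, so trimming limits timestamp manipulation rather than removing it. The shorter chain with higher per-block difficulty wins select_chain, which is the "net-difficulty metric for chain length" the post refers to.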
TheFascistMind
Newbie
Activity: 42
Merit: 0
September 24, 2014, 06:48:57 PM
Last edit: September 24, 2014, 09:12:35 PM by TheFascistMind
#1138

...I did also write up my summary in this thread of some ways to think about the TW attack and mitigation, which expounds a bit I guess on what I hadn't read before writing that.

Those are good readings for historical perspective, but code has moved forward since then too.
The KGW is not in play on XMR, even though it still has fast difficulty adjustment. As you probably know, it uses a net-difficulty metric for chain length, not just size or depth, for determination, and has incorporated 20% anomaly dropping in the difficulty algo (which was not in the original KGW) across a sliding window of 720 blocks. One of the TW risks is the differentiation time required between chains of different length. We want that fast or immediate, as well as accurate. Checkpointing is the historical solution, but with respect to Bitcoin, it has heretofore been developer dependent.

What we are likely to get from the recent TW threat is some even better decentralized solutions to such threats. Really cool stuff if they can pull it off...

Here is a novel idea for you from my private research think tank of one person hehe.

When the network is presented with 2 chains which forked such a long time ago, my insight is this is equivalent to what will happen with a temporarily fragmented internet. Thus my private designs have focused on making a coin that can re-merge itself, rather than choose one chain or the other.

Edit: some insight into what I was thinking can be gleaned from the discussion in the thread "The Longest Chain Rule...".
argentinx
Member
Activity: 109
Merit: 10
September 24, 2014, 07:33:09 PM
#1139

TheFascistMind is a good idea
but the remerge
I think it can be implemented
inserting in the source code if
if a node have at some point on
blocks different from those of other nodes
to download the different blocks and
automatically do block + block
in a short time all nodes will settle
and transactions that occurred in the original blockchain
and fork
are all valid
and not
there will be
a double expense
Come-In-Behind
Full Member
Activity: 182
Merit: 100
September 24, 2014, 07:43:03 PM
#1140

TheFascistMind is a good idea
but the remerge
I think it can be implemented
inserting in the source code if
if a node have at some point on
blocks different from those of other nodes
to download the different blocks and
automatically do block + block
in a short time all nodes will settle
and transactions that occurred in the original blockchain
and fork
are all valid
and not
there will be
a double expense

Just One Question: Why the hell are you typing like that?  Cheesy Shocked Huh Huh Huh Huh Huh Huh Huh