- 9:01 PM
- longandshort
- Hey guys/gals
- 9:01 PM
- i'm wondering if i could get someone's expert opinion
- 9:02 PM
- with regards to chandran signatures and the stealthsend whitepaper
- 9:02 PM
- which is here https://www.dropbox.com/s/do4urdefwoungjz/Steal...
- 9:03 PM
- i'm in a debate with their community over their dev's claims that they are not in fact linkable/traceable in the way that paper implies. can somebody give me their precious time and give me their opinion?
- 9:03 PM
- sorry for my terrible typing
- 9:05 PM
- currently i don't believe the dev is capable of implementing chandran sigs in the way he is implying because they are not linkable/traceable
- 9:31 PM
- gmaxwell?
- 9:32 PM
- anyone lol
- 11:26 PM
- andytoshi
- longandshort: that wp certainly doesn't inspire confidence..
- 11:27 PM
- longandshort
- ikr
- 11:27 PM
- i just want another view because i can't seem to get through to the community here
- 11:27 PM
- and it's an industry-wide issue because it affects the rest of the anon networks if this coin damages user confidence etc etc blabla lol
- 11:28 PM
- andytoshi
- this nonce thing is pretty clever
- 11:28 PM
- though it requires something like my and gmaxwell's output value blinding to work properly with output values..
- 11:29 PM
- longandshort
- right
- 11:29 PM
- andytoshi
- calling two nonces "O(0)" space is a weird use of the number 0..
- 11:29 PM
- longandshort
- they are implying that cryptonote's group sig will solve the unlinkable traceable issue
- 11:30 PM
- andytoshi
- is that right? i'm still perusing the nonce page..
- 11:30 PM
- longandshort
- my bad
- 11:30 PM
- i don't think it's applicable
- 11:30 PM
- andytoshi
- wat "scrypt is low energy"
- 11:31 PM
- longandshort
- hah
- 11:31 PM
- sorry i'm tired, that's funny
- 11:31 PM
- Luke-Jr
- lol
- 11:31 PM
- longandshort
- gday luke
- 11:31 PM
- andytoshi
- longandshort: appears there is no mention of linkability at all in the wp
- 11:32 PM
- longandshort
- btw i have a mancrush on you all, just gonna put that out there. thank you all for your contributions
- 11:32 PM
- andytoshi
- :P very flattering
- 11:32 PM
- longandshort
- tis true
- 11:32 PM
- sipa
- andytoshi: O(0) implies that for some x, every input over x results in an output 0
- 11:33 PM
- Luke-Jr
- longandshort: btw, please don't make an altcoin for this :/
- 11:33 PM
- longandshort
- Luke-Jr lol
- 11:33 PM
- not a chance not even a chance mate
- 11:33 PM
- andytoshi
- sipa: for all ε exists L such that inputs > x are < ε no?
- 11:34 PM
- longandshort
- it is what i'm trying so hard right now to present to their toxic community: it is impossible and vaporware
- 11:34 PM
- Luke-Jr
- longandshort: "Therefore, stealthsend will be a proof-of-work coin,"
- 11:34 PM
- longandshort
- right
- 11:34 PM
- 6-minute-long blocktime
- 11:34 PM
- andytoshi
- other problems here are that they are using pairing-based crypto for signatures, it will take literally a thousand times as long to validate sigs as it does in bitcoin..
- 11:34 PM
- (iir)
- 11:34 PM
- iirc
- 11:35 PM
- Luke-Jr
- longandshort: oh, this isn't yours?
- 11:35 PM
- longandshort
- no
- 11:36 PM
- Luke-Jr i'm after more expert opinions to back up my claims that what they are implying is not possible
- 11:36 PM
- they didn't know how to pick the correct paper
- 11:36 PM
- andytoshi
- well, i suspect it's possible ... given a pairing it should be easy to devise a key image
- 11:36 PM
- maybe not. i don't really wanna try :)
- 11:37 PM
- longandshort
- sub-linear traceable ring signatures could operate on the same principle as what they are implying, but chandran signatures aren't linkable / traceable
- 11:37 PM
- andytoshi
- but given the level of reasoning displayed in the wp, i don't think they'd be able to produce a provably-secure scheme with a key image
- 11:38 PM
- longandshort: right. but bytecoin sigs were based on a scheme by fujisaki/suzuki that wasn't linkable in a way that was usable for a cryptocurrency...but the cn people hacked it up a bit to get one that was
- 11:39 PM
- longandshort
- right with their group sigs
- 11:39 PM
- andytoshi
- ofc, hacking an already-linkable scheme to be linkable in a slightly different way is a much easier job than introducing linkability where there was none before. in particular, CN was able to reuse the FS security proof almost verbatim
- 11:39 PM
- longandshort
- but comes with bloat
- 11:39 PM
- andytoshi
- longandshort: a "group sig" has a trusted dealer/setup, a "ring sig" does not, are you using the right terminology?
- 11:39 PM
- i think, "group signature" is never interesting here :)
- 11:40 PM
- longandshort
- sorry, i am tired. they keep pointing me to 4.1 of the cn paper https://cryptonote.org/whitepaper.pdf
- 11:41 PM
- andytoshi
- section 4.1 says what i just said :)
- 11:41 PM
- longandshort
- we don't think they have the right paper for what they want to achieve
- 11:41 PM
- yes
- 11:41 PM
- andytoshi
- well, they definitely don't, as you say these sublinear-size ringsigs are not usable as is
- 11:41 PM
- longandshort
- almost to the "T" :)
- 11:42 PM
- andytoshi
- and if they care about efficiency pairings should be dismissed out of hand, nobody will be able to validate this blockchain
- 11:42 PM
- longandshort
- so do you guys think that wp is doable?
- 11:42 PM
- yeah
- 11:42 PM
- Luke-Jr
- andytoshi: well, they already think scrypt is low energy.. :p
- 11:42 PM
- andytoshi
- :P
- 11:43 PM
- longandshort
- that's what i'm thinking, with unlinkable/traceable it's just going to be a doublespend spree
- 11:43 PM
- andytoshi
- longandshort: i don't think it's actually impossible, no
- 11:43 PM
- longandshort
- luke you love scrypt don't you
- 11:43 PM
- fess up
- 11:44 PM
- Luke-Jr
- longandshort: for passphrases maybe
- 11:44 PM
- longandshort
- andytoshi yes sorry, i actually do hate using such an absolute, almost impossible imo for them
- 11:45 PM
- their code is ported from everything else and they have an sms relay, that's it, and have put up this wp and a hard date for something they seem to be encouraging people to bet on
- 11:45 PM
- it's not doable and will prolly burn in flames imo, i just want other expert opinion
- 11:46 PM
- andytoshi
- longandshort: you are correct to be suspicious, i don't think they have or are able to do what they claim
- 11:46 PM
- certainly the wp does not give a hint as to a mechanism for doing so, but does hint that they are confused
- 11:47 PM
- longandshort
- yeah, i think they have allowed themselves time to research but haven't quite got there yet
- 11:47 PM
- andytoshi
- ...but if i wanted a stupidly slow BRS-like scheme with sqrt(N)-sized sigs, i would be able to do it...
- 11:47 PM
- longandshort
- and have kind of chosen it by default because there is nothing they can port
- 11:47 PM
- sure
- 11:47 PM
- stupidly slow exactly, solves non but in an inefficient way
- 11:48 PM
- it won't scale either, will it
- 11:48 PM
- thanks i really appreciate your time, i really really do
- 11:49 PM
- andytoshi
- :P thx for the nonce idea
- 11:49 PM
- longandshort
- i apologise for my typing, i'm kind of.. well i'm not good at it, so thanks for taking me seriously, i do have a genuine concern
- 11:49 PM
- lol
- 11:49 PM
- np
- 11:49 PM
- andytoshi
- why can't you type well? non-native speaker?
- 11:50 PM
- longandshort
- i'm australian, believe it or not
- 11:51 PM
- i'm not really sure, i can't spell or type well or punctuate
- 11:51 PM
- i'm highly dyslexic
- 11:51 PM
- kanzure
- intoxicated kangaroo, i'm calling it now
- 11:51 PM
- longandshort
- lol that's what it looks like, doesn't it
- 11:55 PM
- how can i tip you guys? can i have your addresses please andytoshi, Luke-Jr, sipa
- 11:55 PM
- andytoshi
- longandshort: for my part, don't worry about it :)
- 11:55 PM
- btw i think these chandran sigs have a trusted setup that allows forgery by the setting up party..
- 11:56 PM
- longandshort
- right how so
- 11:56 PM
- sorry wrong chat
- 11:57 PM
- andytoshi thanks, that's nice of you :)
- 11:59 PM
- andytoshi
- yeah, they do, i think these are totally unsuitable for a cryptocurrency actually
- October 10th, 2014
- 12:00 AM
- longandshort
- right
- 12:00 AM
- do you have a source for that or is it your conclusion?
- 12:00 AM
- andytoshi
- because even if you introduce linkability somehow, this CRS thing still lets the system setup forge signatures
- 12:00 AM
- longandshort: well, in the chandran et al paper they say that forgery is possible by a maliciously generated reference string
- 12:01 AM
- but say "no big deal, the CRS generator is just always implicitly in every ring"
- 12:02 AM
- longandshort
- yeah no biggie right :P
- 12:02 AM
- andytoshi
- yeah :P but even ignoring the fact that this is a big deal actually, if you want any sort of linkable scheme this will be a serious problem because the forged sigs won't be exculpable
- 12:02 AM
- meaning, the malicious CRS generator could use other people's key images undetectably
- 12:03 AM
- longandshort
- ewww
- 12:03 AM
- andytoshi
- oh, ignore "exculpable", that is related but irrelevant ... "trusted party can use two different key images" means the scheme is not linkable
- 12:04 AM
- end of story
- 12:04 AM
- longandshort
- .
- 12:05 AM
- andytoshi
- (ofc, i am just speculating on what a "linkable" modification of this chandranian signature scheme would look like, i don't have one to point at)
- 12:06 AM
- but if you could make a linkable scheme which didn't suffer this flaw, then you could easily tweak it to remove the CRS dependence from the old one, i.e. produce a sublinear size non-CRS ringsig, which i think has never been done..
- 12:06 AM
- longandshort
- sure i get that it's interesting, and no, there doesn't seem to be one. that's what i'm concerned about, i don't think they have the ability/skillset to do so, certainly don't have the history to prove they can
- 12:06 AM
- right
- 12:08 AM
- but it's doable in a fashion, but it doesn't seem like something you just cook up in a month!
- 12:08 AM
- nor does it seem like a viable option to begin with, certainly not if you are creating a completely new chain
- 12:09 AM
- andytoshi
- maybe it's doable. i didn't realize earlier that there was a CRS assumption that would have to be removed
- 12:09 AM
- so now i'm unsure.
- 12:14 AM
- longandshort
- so your overall opinion in a nutshell master andytoshi?
- 12:15 AM
- because i appreciate the opinion and rate it highly, i'm extremely concerned here tbh but am willing to give benefit of a doubt if there really is much
- 12:16 AM
- andytoshi
- longandshort: i like the nonce trick :) as for this wp corresponding to something, at best it is just hot air
- 12:16 AM
- longandshort
- personally i can't see them pulling it off, nor do i think it's a viable option to be proposing
- 12:16 AM
- andytoshi
- if they say "they are starting research" then they will realize quickly it is doomed and stop it
- 12:17 AM
- or they might try the peercoin thing where they have a point of trust and just sweep it under the rug in all PR..
- 12:17 AM
- longandshort
- sure that's what i figure, i don't think they are really set to start until next week
- 12:17 AM
- right yes the point of trust...
- 12:19 AM
- thanks for your time, i really appreciate your expert opinions. enjoy the nonce trick :)
- 12:25 AM
- TrollsRoyce
- nice discussion here. it reminds me of a scene from Aliens: http://www.youtube.com/watch?v=dsx2vdn7gpY
- 12:26 AM
- “Game Over Man, GAME OVER!”
- 12:26 AM
- xD
- 1:33 AM
- gmaxwell
- well if there is a CRS assumption then there are lots of plain accumulator options.
- 1:34 AM
- longandshort
- can you elaborate gmaxwell
- 1:35 AM
- gmaxwell
- CRS (usually) means there is a trusted setup. Generally in this space we consider trusted setup to be a serious killer. If you're willing to tolerate a trusted setup there are many possibilities.
- 1:35 AM
- (not just this approach)
- 1:36 AM
- longandshort
- sure, that's kinda what the anon crowd are trying to move away from right, trust
- 1:36 AM
- but sure its an option great