XST Shot Down by Bitcoin Core Dev

a guest, Oct 10th, 2014
9:01 PM longandshort: Hey guys/gals
9:01 PM longandshort: im wondering if i could get someone's expert opinion
9:02 PM longandshort: with regards to chandran signatures and the stealthsend whitepaper
9:02 PM longandshort: which is here https://www.dropbox.com/s/do4urdefwoungjz/Steal...
9:03 PM longandshort: im in a debate with their community over their dev's claims that they are not in fact linkable/traceable in the way that paper implies, can somebody give me their precious time and give me their opinion?
9:03 PM longandshort: sorry for my terrible typing
9:05 PM longandshort: currently i dont believe the dev is capable of implementing chandran sigs in the way he is implying because they are not linkable/traceable
9:31 PM longandshort: gmaxwell?
9:32 PM longandshort: anyone lol
11:26 PM andytoshi: longandshort: that wp certainly doesn't inspire confidence..
11:27 PM longandshort: ikr
11:27 PM longandshort: i just want another view because i cant seem to get through to the community here
11:27 PM longandshort: and its an industry wide issue because it affects the rest of the anon networks that this coin damages user confidence etc etc blabla lol
11:28 PM andytoshi: this nonce thing is pretty clever
11:28 PM andytoshi: though it requires something like my and gmaxwell's output value blinding to work properly with output values..
11:29 PM longandshort: right
11:29 PM andytoshi: calling two nonces "O(0)" space is a weird use of the number 0..
11:29 PM longandshort: they are implying that cryptonote's group sig will solve the unlinkable traceable issue
11:30 PM andytoshi: is that right? i'm still perusing the nonce page..
11:30 PM longandshort: my bad
11:30 PM longandshort: i dont think its applicable
11:30 PM andytoshi: wat "scrypt is low energy"
11:31 PM longandshort: hah
11:31 PM longandshort: sorry im tired that's funny
11:31 PM Luke-Jr: lol
11:31 PM longandshort: gday luke
11:31 PM andytoshi: longandshort: appears there is no mention of linkability at all in the wp
11:32 PM longandshort: btw i have a mancrush on you all, just gonna put that out there, thank you all for your contributions
11:32 PM andytoshi: :P very flattering
11:32 PM longandshort: tis true
11:32 PM sipa: andytoshi: O(0) implies that for some x, every input over x results in an output 0
11:33 PM Luke-Jr: longandshort: btw, please don't make an altcoin for this :/
11:33 PM longandshort: Luke-Jr lol
11:33 PM longandshort: not a chance not even a chance mate
11:33 PM andytoshi: sipa: for all ε exists L such that inputs > x are < ε no?
11:34 PM longandshort: it is what im trying so hard right now to present to their toxic community it is impossible and vaporware
11:34 PM Luke-Jr: longandshort: "Therefore, stealthsend will be a proof-of-work coin,"
11:34 PM longandshort: right
11:34 PM longandshort: 6 minute long blocktime
11:34 PM andytoshi: other problems here are that they are using pairing-based crypto for signatures, it will take literally a thousand times as long to validate sigs as it does in bitcoin..
11:34 PM andytoshi: (iir)
11:34 PM andytoshi: iirc
11:35 PM Luke-Jr: longandshort: oh, this isn't yours?
11:35 PM longandshort: no
11:36 PM longandshort: Luke-Jr im after more expert opinions to back up my claims that it is not possible what they are implying
11:36 PM longandshort: they didnt know how to pick the correct paper
11:36 PM andytoshi: well, i suspect it's possible ... given a pairing it should be easy to devise a key image
11:36 PM andytoshi: maybe not. i don't really wanna try :)
11:37 PM longandshort: sub-linear traceable ring signatures could operate on the same principle as what they are implying, but chandran signatures aren't linkable / traceable
11:37 PM andytoshi: but given the level of reasoning displayed in the wp, i don't think they'd be able to produce a provably-secure scheme with a key image
11:38 PM andytoshi: longandshort: right. but bytecoin sigs were based on a scheme by fujisaki/suzuki that wasn't linkable in a way that was usable for a cryptocurrency...but the cn people hacked it up a bit to get one that was
11:39 PM longandshort: right with their group sigs
11:39 PM andytoshi: ofc, hacking an already-linkable scheme to be linkable in a slightly different way is a much easier job than introducing linkability where there was none before. in particular, CN was able to reuse the FS security proof almost verbatim
11:39 PM longandshort: but comes with bloat
11:39 PM andytoshi: longandshort: a "group sig" has a trusted dealer/setup, a "ring sig" does not, are you using the right terminology?
11:39 PM andytoshi: i think, "group signature" is never interesting here :)
11:40 PM longandshort: sorry i am tired they keep pointing me to 4.1 of the cn paper https://cryptonote.org/whitepaper.pdf
11:41 PM andytoshi: section 4.1 says what i just said :)
11:41 PM longandshort: we dont think they have the right paper for what they want to achieve
11:41 PM longandshort: yes
11:41 PM andytoshi: well, they definitely don't, as you say these sublinear-size ringsigs are not usable as is
11:41 PM longandshort: almost to the "T" :)
11:42 PM andytoshi: and if they care about efficiency pairings should be dismissed out of hand, nobody will be able to validate this blockchain
11:42 PM longandshort: so do you guys think that wp is doable
11:42 PM longandshort: yeah
11:42 PM Luke-Jr: andytoshi: well, they already think scrypt is low energy.. :p
11:42 PM andytoshi: :P
11:43 PM longandshort: that's what im thinking with unlinkable/traceable its just going to be a doublespend spree
11:43 PM andytoshi: longandshort: i don't think it's actually impossible, no
11:43 PM longandshort: luke you love scrypt don't you
11:43 PM longandshort: fess up
11:44 PM Luke-Jr: longandshort: for passphrases maybe
11:44 PM longandshort: andytoshi yes sorry i actually do hate using such an absolute, almost impossible imo for them
11:45 PM longandshort: their code is ported from everything else and they have an sms relay thats it and have put up this wp and a hard date for something they seem to be encouraging people to bet on
11:45 PM longandshort: its not doable and will prolly burn in flames imo i just want other expert opinion
11:46 PM andytoshi: longandshort: you are correct to be suspicious, i don't think they have or are able to do what they claim
11:46 PM andytoshi: certainly the wp does not give a hint as to a mechanism for doing so, but does hint that they are confused
11:47 PM longandshort: yeah, i think they have allowed themselves time to research but havent quite got there yet
11:47 PM andytoshi: ...but if i wanted a stupidly slow BRS-like scheme with sqrt(N)-sized sigs, i would be able to do it...
11:47 PM longandshort: and have kind of chosen it out of default because there is nothing they can port
11:47 PM longandshort: sure
11:47 PM longandshort: stupidly slow exactly solves non but in an inefficient way
11:48 PM longandshort: it wont scale either will it
11:48 PM longandshort: thanks i really appreciate your time i really really do
11:49 PM andytoshi: :P thx for the nonce idea
11:49 PM longandshort: i apologise for my typing im kind of..well im not good at it so thanks for taking me seriously i do have a genuine concern
11:49 PM longandshort: lol
11:49 PM longandshort: np
11:49 PM andytoshi: why can't you type well? non-native speaker?
11:50 PM longandshort: im australian believe it or not
11:51 PM longandshort: im not really sure i cant spell or type well or punctuate
11:51 PM longandshort: im highly dyslexic
11:51 PM kanzure: intoxicated kangaroo, i'm calling it now
11:51 PM longandshort: lol thats what it looks like doesnt it
11:55 PM longandshort: how can i tip you guys can i have your addresses please andytoshi , Luke-Jr sipa
11:55 PM andytoshi: longandshort: for my part, don't worry about it :)
11:55 PM andytoshi: btw i think these chandran sigs have a trusted setup that allows forgery by the setting up party..
11:56 PM longandshort: right how so
11:56 PM longandshort: sorry wrong chat
11:57 PM longandshort: andytoshi thanks thats nice of you :)
11:59 PM andytoshi: yeah, they do, i think these are totally unsuitable for a cryptocurrency actually
October 10th, 2014
12:00 AM longandshort: right
12:00 AM longandshort: do you have a source for that or is it your conclusion?
12:00 AM andytoshi: because even if you introduce linkability somehow, this CRS thing still lets the system setup forge signatures
12:00 AM andytoshi: longandshort: well, in the chandran et al paper they say that forgery is possible by a maliciously generated reference string
12:01 AM andytoshi: but say "no big deal, the CRS generator is just always implicitly in every ring"
12:02 AM longandshort: yeah no biggie right :P
12:02 AM andytoshi: yeah :P but even ignoring the fact that this is a big deal actually, if you want any sort of linkable scheme this will be a serious problem because the forged sigs won't be exculpable
12:02 AM andytoshi: meaning, the malicious CRS generator could use other people's key images undetectably
12:03 AM longandshort: ewww
12:03 AM andytoshi: oh, ignore "exculpable", that is related but irrelevant ... "trusted party can use two different key images" means the scheme is not linkable
12:04 AM andytoshi: end of story
12:04 AM longandshort: .
12:05 AM andytoshi: (ofc, i am just speculating on what a "linkable" modification of this chandranian signature scheme would look like, i don't have one to point at)
12:06 AM andytoshi: but if you could make a linkable scheme which didn't suffer this flaw, then you could easily tweak it to remove the CRS dependence from the old one, i.e. produce a sublinear size non-CRS ringsig, which i think has never been done..
12:06 AM longandshort: sure i get that its interesting and no there doesn't seem to be one thats what im concerned about i don't think they have the ability/skillset to do so certainly don't have the history to prove they can
12:06 AM longandshort: right
12:08 AM longandshort: but its doable in a fashion but it doesnt seem like something you just cook up in a month!
12:08 AM longandshort: nor does it seem like a viable option to begin with certainly not if you are creating a completely new chain
12:09 AM andytoshi: maybe it's doable. i didn't realize earlier that there was a CRS assumption that would have to be removed
12:09 AM andytoshi: so now i'm unsure.
12:14 AM longandshort: so your overall opinion in a nutshell master andytoshi?
12:15 AM longandshort: because i appreciate the opinion and rate it highly im extremely concerned here tbh but am willing to give benefit of a doubt if there really is much
12:16 AM andytoshi: longandshort: i like the nonce trick :) as for this wp corresponding to something, at best it is just hot air
12:16 AM longandshort: personally i cant see them pulling it off nor do i think its a viable option to be proposing
12:16 AM andytoshi: if they say "they are starting research" then they will realize quickly it is doomed and stop it
12:17 AM andytoshi: or they might try the peercoin thing where they have a point of trust and just sweep it under the rug in all PR..
12:17 AM longandshort: sure thats what i figure i dont think they are really set to start until next week
12:17 AM longandshort: right yes the point of trust...
12:19 AM longandshort: thanks for your time i really appreciate your expert opinions enjoy the nonce trick :)
12:25 AM TrollsRoyce: nice discussion here. it reminds me of a scene from Aliens: http://www.youtube.com/watch?v=dsx2vdn7gpY
12:26 AM TrollsRoyce: "Game Over Man, GAME OVER!"
12:26 AM TrollsRoyce: xD
1:33 AM gmaxwell: well if there is a CRS assumption then there are lots of plain accumulator options.
1:34 AM longandshort: can you elaborate gmaxwell
1:35 AM gmaxwell: CRS (usually) means there is a trusted setup. Generally in this space we consider trusted setup to be a serious killer. If you're willing to tolerate a trusted setup there are many possibilities.
1:35 AM gmaxwell: (not just this approach)
1:36 AM longandshort: sure that's kinda what the anon crowd are trying to move away from right trust
1:36 AM longandshort: but sure its an option great