-
sarang
-
sarang
The original ring signature scheme proposed in the CryptoNote whitepaper is on page 9 here:
cryptonote.org/whitepaper.pdf
-
sarang
It's not the same as the LSAG signature by Liu et al.
-
sarang
IIRC the Zero to Monero reference doesn't even address the older ring signature algorithm (but I'd need to check this)
-
peach34
Both the cryptonote whitepaper and the zero to monero document
-
peach34
-
peach34
-
peach34
Page 22 and 23
-
peach34
I'm concerned with the part where you close the ring ( r = q - ck in both documents)
-
peach34
k is the private key for the stealth address P that belong to the signer of the ring ( P =kG)
-
peach34
ie the same key used to sign the key image ( I=kH(P))
-
sarang
The notation you're using here seems inconsistent with the code, since that function uses `k` to mean what `q_s` is in the CN paper
-
sarang
`sec` in the function would be `x` in the CN paper
-
peach34
yes, sure. The notation is different everywhere
-
peach34
The principle is the same
-
sarang
But ok, carry on
-
peach34
yes, sec in the code should be x
-
sarang
(let's use the code's notation for clarity here, perhaps)
-
peach34
The same x in Image = x H(P)
-
peach34
P is the stealth address of the genuine input being spent
-
sarang
Yes, the discrete log of the public key and key image are the same
-
sarang
(relative to G and H(P), respectively)
-
peach34
const secret_key &sec passed into generate_ring_signature, comes from struct input_generation_context_data { keypair in_ephemeral; }; std::vector<input_generation_context_data> in_contexts;
-
peach34
in_contexts.push_back(input_generation_context_data());
-
peach34
That's all that happens
-
peach34
Where is the assignment to the x that we're speaking of
-
sarang
`x` isn't used in the code; I was trying to bridge the gap between the paper's notation and the code's notation
-
peach34
ie P=xG and I=xH(P)
-
peach34
i know
-
peach34
Ok , so
-
sarang
The signing-index public key is asserted to have the proper relationship to the secret key here:
github.com/monero-project/monero/bl…b/master/src/crypto/crypto.cpp#L535
-
sarang
-
peach34
in the code, the line sc_mulsub(&sig[sec_index].r, &sig[sec_index].c, &unwrap(sec), &k); is meant to be the line qs−csx modl in the whitepaper
-
sarang
yes
-
peach34
yes so what i'm asking is, the sec that is fed into the generate_ring_signature function, where is it set to x
-
peach34
it looks like it's just coming from a random ephemeral key generation inside src/cryptonote_core/cryptonote_tx_utils.cpp
-
peach34
lines 299 -319
-
peach34
and NOT the key x pertaining to P=xG and I=xH(P)
-
peach34
this is the only dealing with it before it's passed into generate_ring_signature:
-
peach34
struct input_generation_context_data { keypair in_ephemeral; }; std::vector<input_generation_context_data> in_contexts; uint64_t summary_inputs_money = 0; //fill inputs int idx = -1; for(const tx_source_entry& src_entr: sources) { ++idx; if(src_entr.real_output >= src_entr.outputs.size()) {
-
peach34
LOG_ERROR("real_output index (" << src_entr.real_output << ")bigger than output_keys.size()=" << src_entr.outputs.size()); return false; } summary_inputs_money += src_entr.amount; //key_derivation recv_derivation; in_contexts.push_back(input_generation_context_data());
-
peach34
My question ultimately is, where in src/cryptonote_core/cryptonote_tx_utils.cpp is the sec assigned to the private key corresponding to the public stealth key P
-
peach34
(x in the whitepaper)... it seems like it's just assigned a random ephemeral key instead during lines 299-319 in src/cryptonote_core/cryptonote_tx_utils.cpp before generate_ring_signature is called in the same scope
-
sarang
-
peach34
sorry i am checked out to an older version, dif lines i think
-
sarang
ah ok
-
peach34
ill find the bit i mean on master
-
peach34
same file, line 483
-
peach34
That's where generate_ring_signature is called
-
peach34
Ie it's called in the function scope of construct_tx_with_tx_key
-
sarang
Can you link to a GitHub line to ensure we're absolutely looking at the same thing?
-
peach34
kk
-
peach34
-
sarang
-
sarang
-
sarang
That secret key is then used in generate_ring_signature as expected
-
peach34
Ah I see that:
-
peach34
keypair& in_ephemeral = in_contexts.back().in_ephemeral;
-
peach34
it's set to the memory address
-
peach34
I did not notice. Thanks for your help for making me realise that
-
sarang
Glad everything is clear now!
-
peach34
Sorry if this appeared as a time waste. I am going through all of Monero to make sure I know it all
-
peach34
I guess you probably get worse questions eh haha
-
sarang
Additional eyes on the code and math are always appreciated
-
sarang
especially since much of the code lacks clarifying comments
-
peach34
at least my math was on point, which gives me confidence
-
sarang
and the notation is often not consistent :/
-
peach34
Yeah ^ absolutely
-
peach34
Like there was no need to assign the memory address
-
peach34
in another variable
-
peach34
There are very few comments too yeah.
-
peach34
Thank you Sarang
-
sarang
No prob
-
needmonero90
peach34: are there any comments you could PR that would make this process easier for the next person to stumble across it?
-
peach34
Yeah probably. I'll do soon.
-
peach34
I have one other question
-
peach34
if for one stealth address created via P = H(rA)G+B, and spent using x =H(aR) + b
-
peach34
If a third party found out what a was, so they could compute H(aR) and also what x was, is it possible to work out b from x - H(aR)
-
peach34
ie, if somehow you leaked your private viewkey and the tx private key for a single tx, could someone work backwards to the private spendkey
-
sarang
If by "tx privkey" you mean "output privkey" (i.e. `x`) then yes
-
peach34
I do mean that
-
peach34
That is fascinating
-
peach34
So you're only as secure as any one of your tx private keys
-
moneromooo
The fuck ?
-
sarang
Yeah, it's been previously noted that the affine construction of the outputs leads to this
-
scoobybejesus
hm.. i was gonna say that didn't sound right
-
peach34
yes but the maths doesn't lie :P
-
sarang
If someone has access to a recipient's output private key and can construct the DH shared secret, they can recover the private spend key, yes
-
sarang
peach34: note that "tx privkey" and "output privkey" are _not_ the same thing
-
sarang
"tx privkey" would be the scalar `r` such that `R = rG`
-
peach34
yes i understand
-
sarang
ok
-
peach34
sorry i get the naming wrong, my colleague uses the opposite nomenclature
-
moneromooo
Ooooh, phew.
-
peach34
I mean x such that stealth address P = xG
-
sarang
Yes, that's the "output privkey"
-
moneromooo
That'd have been a massive problem given we told people to send the tx secret key to prove payment before.
-
moneromooo
So *that* is safe, right ? Give away both your view secret key and a tx secret key ?
-
sarang
Knowledge of a secret view key is roughly equivalent to knowledge of a tx secret key (for constructing DH shared secrets)
-
sarang
Passing around your output privkeys is a bad idea
-
sarang
That being said, IMO it's a much safer idea to prove knowledge of the tx secret key rather than give it away
-
sarang
i.e. using a Schnorr proof
-
sarang
(as has been discussed elsewhere)
-
peach34
correct yes^
-
peach34
signing with r rather than disclosing r
-
sarang
righto
-
» moneromooo notes that sarang did not say yes...
-
peach34
haha
-
sarang
?
-
sarang
Well, depends on what you're looking for
-
sarang
If I give away `r` as some kind of "proof", then that person could conduct the same "proof" by giving `r` away to someone else
-
moneromooo
Yes, that's fine. Can that person nick your monero ?
-
moneromooo
99% sure it's "no" after hte clarification of "tx private key" above, but I want to make sure.
-
sarang
Not without knowledge of either your spend private key or your output's private key
-
sarang
Otherwise any sender could steal funds
-
moneromooo
OK, thank you.
-
peach34
only with the output private key
-
peach34
subtract hash of(private view*R)
-
sarang
correct
-
sarang
peach34: if you have particular interest in the math behind signature constructions, have a look at CLSAG, a new construction that I worked on with collaborators
-
sarang
-
sarang
It has not yet been deployed
-
sarang
It's a modification of our current MLSAG signatures to save space and time
-
peach34
Awesome. I will save it and take a look some time
-
sarang
We're currently revising the security model in response to some reviewers
-
sarang
Any comments on the math/proofs would be appreciated
-
peach34
Many thanks
-
sarang
thanks for looking over that code
-
peach34
I will try and look at it . What is your background? Do you just do this for fun?
-
peach34
Or are you at a university?
-
sarang
I am not at a university, but I have a background in math
-
peach34
Right. I am from theoretical physics, but I only recently started learning cryptography.
-
sarang
It's a fascinating area of study
-
sarang
Particularly because provable security is so different from other types of proof
-
peach34
Do you do it for your day job too?
-
sarang
yes
-
peach34
Can I ask what you do?
-
sarang
I receive community funding to work on cryptography
-
needmonero90
From the Monero community, believe it or not :)
-
needmonero90
Our two researchers get paid quarterly.
-
peach34
So you actually work for Monero? Nice.
-
sarang
What's your interest? Trying to learn some applied cryptography for fun?
-
peach34
I work for another cryptocurrency. The name I can't mention :P
-
sarang
The Monero codebase is probably not the ideal venue for learning :/
-
sarang
ah ok
-
peach34
We like Monero though. We like the complexity.
-
sarang
ok
-
chameleon_es_bor
Is ristretto something that could be implemented for monero? It seems like it is just a safe way to encode/decode/hash to point/equate that avoids the cofactor issues...
-
sarang
It would have to be tied to the C++ code, and there would need to be assurances that existing point representations play nicely with things like hash inputs
-
chameleon_es_bor
in your opinion, would the complexity of adding it (if possible) outweigh any benefit?
-
sarang
That's not clear to me
-
peach34
Sarang, do you work full time for Monero?
-
sarang
Why?
-
peach34
Just wondering. You are clearly talented and are paid less / year than you would in the private sector for full time work
-
peach34
I wondered how much of your involvement is out of pure affinity for the system
-
sarang
I appreciate the compliment peach34
-
peach34
I am watching your video on youtube lol
-
sarang
Which video?
-
peach34
-
sarang
Ah, bulletproofs
-
peach34
I just looked up your background
-
peach34
I also did a bit of work on atomic clocks
-
peach34
:P
-
peach34
Did you ever work with University of Birmingham UK? Or read any research from them?
-
needmonero90
When did this channel turn into Monero-research-inquisition
-
peach34
lol
-
peach34
My apologies. It's just interesting to me that blockchain is full of physicists.
-
chameleon_es_bor
Thinkers like thinking.
-
needmonero90
[citation needed]
-
chameleon_es_bor
-
sarang
-___-
-
moneromooo
lol
-
peach34
sarang am I right in thinking that the output private key doesn't leave the hwdevice?
-
peach34
Doing so would be equivalent to leaking the wallet spendkey, as per out prior conversation
-
peach34
our*
-
peach34
sarang say I was doing a ring signature in accordance with
cryptonote.org/whitepaper.pdf at the bottom of page 9, and i never disclose x
-
peach34
What is the minimum amount of other information, if intercepted, that could help a third party calculate x?
-
peach34
say they somehow got all variables used right at the bottom for the various c_i and r_i
-
peach34
apart from x. Could they compute x
-
peach34
q_s - c_s*x = r I guess so right? (r-q)/c_s ?
-
peach34
well there is a modulus involved so it changes things slightly
-
peach34
Going to sleep will think about this tomorrow morning
-
peach34
my chat might be deleted too lol so i will ask again tomorrow.