-
sarang
You mean if you know all the nonces? Sure, you could identify which nonces correspond to signature elements and recover the private key, akin to a Schnorr nonce leak
-
sarang
At that point, I suppose you either have a terrible RNG or the signing device is compromised
-
luigi1111
yeah this is normal Schnorr stuff
-
luigi1111
get the nonce get the key same as it ever was
-
WhatDo
does monero use ed25519 for everything or are there other curves/etc used in various places?
-
luigi1111
everything crypto related in the blockchain. can't speak to any communication stuff
-
WhatDo
yes, that is what I meant. thanks
-
peach34
sarang did you see my question? I can't see the chat history
-
peach34
To anyone else just joining: bottom of page 9 on cryptonote.org/whitepaper.pdf, if output private key x used to close the ring (r=q-cx mod l) was never exposed, but someone could access all of the other variables at the bottom of page 9, could they reverse-engineer x
-
peach34
Could they just move the equation r = q-cx mod l around, given that they know all of r,q,c
-
peach34
suraeNoether
-
midipoet
peach34: i am pretty sure that both suraeNoether and sarang are not in GMT/Europe timezone, so may not be online for a few hours yet.
-
peach34
I thought so. Thanks
-
midipoet
peach34: out of curiosity, why can you not disclose what cryptocurrency you work for? seems slightly at odds with the open source nature of the sector/field.
-
peach34
Just company rules.
-
midipoet
so it's a company rule that you can't tell anybody who you work for?
-
peach34
The field is not really that open source as you'd think either. Most of the best blockchain projects aren't on coinmarketcap.
-
peach34
Not in an informal setting, on a chatroom
-
midipoet
i understand that there are deployments of the technology that do not have a market traded token
-
midipoet
i am not sure how a research related cryptography IRC channel is informal.
-
midipoet
it's not like the discussion is jokes and memes, is it?
-
» kayront hides the memes
-
kayront
<peach34> The field is not really that open source as you'd think either. Most of the best blockchain projects aren't on coinmarketcap. ---- I guess it depends how you define best. best to whom? if it's a super blockchain project being worked on in secrecy, by some company, my spidey sense somehow tells me that the financial privacy of the masses is probably not a design goal
-
peach34
The ones actually delivering value
-
peach34
How many on CMC have delivered anything that benefits anyone in any substantial way?
-
kayront
bitcoin, ethereum, monero
-
kayront
at the very least
-
peach34
There are some that have
-
kayront
99% of the rest is meaningless
-
peach34
I agree with monero and Eth but not really BTC
-
peach34
What is BTC doing for anyone?
-
kayront
well, it started this whole thing, and for many of us early birds it allowed us to transact outside the mainstream system until viable alternatives (monero) were ready
-
peach34
I appreciate it in that sense Kay
-
peach34
Of course I do
-
kayront
even today, since it has (sadly) wider impact than monero, it can be used for many things.. flights, hotels, servers, hosting, vpns, domains.. even pizzas, yes
-
kayront
xmr.to comes to mind
-
kayront
and then there's the whole ongoing research on lightning network, and then the fact that for most non-blockchain/crypto people, when they hear about the industry, it's usually bitcoin, so that attracts more people, some of which hopefully in due time realize the perilous lack of privacy there
-
kayront
not to say that there isn't interesting tech that could come from a corporate environment, don't get me wrong, but in my mind no matter how cool the tech might be, these will inevitably be used as tools for more control, not less, and therefore seem to run counter to the ideals of this whole thing
-
peach34
I'd rather pay for those things with fiat or XMR
-
kayront
i bet it's very nice for banks to use ripple or stellar or whatever they're planning to use these days, but then the bank is completely in control still, there is zero privacy, accounts can be shut down with the click of a very regulated button .. that's great, for the banker
-
kayront
not for me
-
peach34
Yeah, BTC is a lighthouse for the newcomers
-
kayront
<peach34> I'd rather pay for those things with fiat or XMR --> impossible to disagree there
-
kayront
xmr.to is a (great) hack to more or less hide the fact that if bitcoin adoption is nearly nonexistent, then monero adoption is a tiny speck of dust
-
kayront
it works, for now, but it would be unwise to exclusively rely on it forever ..
-
peach34
Different projects have their place. Blockchain is being used in supply chain management, medicine, national security etc
-
kayront
so I hear, but none of these alternative use cases inspire any confidence (to me).. that could also be because I'm mostly interested in digital cash though
-
kayront
happy to see research into such things though, don't get me wrong.. more power to everyone if it works as people seem to want it to
-
gingeropolous
blocks without work i presume
-
sarang
peach34: if you knew all the nonces for that construction, you could trivially recover the key (just like you could in a Schnorr signature)
-
peach34
sarang I thought as much. But if say the attacker got everything apart from q_s, and x at the bottom of p9 on cryptonote.org/whitepaper.pdf
-
peach34
We could write r = q-cx as r = q' - c' (where we've 'divided' by c for the primed values)
-
peach34
sorry I meant r' = q' -x
-
sarang
I don't really understand under what circumstances that could happen
-
peach34
If an attacker never gets hold of q, x, there are l solutions for x that satisfy the equation
-
sarang
FWIW knowing all nonces except the signing-index nonce leaks the signing index (if such a weird leak could happen)
-
peach34
Correct, but here I'm interested in x only
-
sarang
I don't think I'm fully following you
-
peach34
Let's say I don't care if an attacker knows the signing index
-
sarang
Sure, they only want the signing key
-
peach34
correct
-
peach34
If they were to get everything except q_s and x, could they derive x from the other variables/values
-
peach34
I think not, because we're closing the loop with r = q -cx, if they only know r,c, but not q_s and x, we can rewrite r = q -cx as r' = q'-x
-
peach34
by dividing through by the known quantity c
-
peach34
being as q' and x are unknown, this equation has L solutions where L is the size of the finite field
-
sarang
Yes, this reduces to the same nonce-based problem underlying Schnorr
-
peach34
That is what I thought
-
sarang
And provided your scalars are chosen well, guessing the nonce is just as hard as guessing the private key
-
peach34
So as long as q_s and x are kept secret ( and therefore the calculation of r = q - cx), an attacker cannot recover x?
-
sarang
In fact, you're computationally better off just guess-and-checking the private key
-
sarang
This assumes no external information, uniformly random selection of nonces and private key, etc.
-
sarang
I also don't recall what signer ambiguity model that construction uses
-
sarang
So you may or may not have to consider whether non-signing ring members are corrupted
-
peach34
Yep exactly that
-
peach34
'guessing the nonce is just as hard as guessing the private key'
-
peach34
exactly, as I said r' = q' - x has L solutions
-
sarang
^ provided they were both chosen uniformly at random
-
sarang
The method for generating nonces should be just as good as that for generating private keys, which may not be the case in practice
-
peach34
^ just using the random32_unbiased function in Monero
-
peach34
random scalar{random32_unbiased()}
-
peach34
Also, the inability to determine x without q_s, this applies to all ringsizes (including =1) right
-
moneromooo
Parenthetically, if it matters here, ring size 1 is impossible with ringct. It can only be done with original ring signatures.
-
peach34
I'm just considering original sigs
-
peach34
For the originals, presumably x still can't be computed without q_s for ringsize =1
-
sarang
correct
-
peach34
Thanks a lot
-
sarang
`n=1` is effectively a reduction to a Schnorr signature with the added linear combination for key image construction
-
sarang
Research meeting today at 17:00 UTC (about an hour from now)
-
suraeNoether
howdy everyone
-
sarang
Hey
-
» suraeNoether sips coffee
-
suraeNoether
good morning, monerians
-
suraeNoether
okay well let's get going I guess
-
suraeNoether
Meeting agenda here:
-
suraeNoether
-
suraeNoether
to begin with the obvious: GREETINGS!
-
suraeNoether
This is our weekly MRL research meeting, where we discuss the progress (or lack thereof) from the previous week, papers we are interested in reading, projects we are interested in working on, and we hear from whichever MRL contributors happen to be online at the moment
-
sarang
A lot of thought has been going into the CLSAG security model lately, with a few different ideas floating around to define linkable anonymity in a way that makes sense, or is common to other work
-
sarang
suraeNoether: you had been looking into corruption oracles that would be compatible with the Backes definition
-
sarang
and I had been looking at modifications to Backes that would not require such an oracle
-
suraeNoether
woops, internet hiccup
-
suraeNoether
okay, so since no one else appears to be here, let's chat CLSAG
-
suraeNoether
so, the reviewers got back to us with some comments on CLSAG: we used a novel definition of anonymity/ambiguity because previous definitions lacked some of what we were looking for, and one of the reviewers pointed us to a paper we weren't aware of at the time when we wrote the paper
-
suraeNoether
this paper has a banging definition of linkable anonymity, and so we began adapting the proof
-
suraeNoether
unfortunately, the way that security proofs in crypto often go is something like this: "If a solver of this problem X here exists, I am going to put that algorithm into a blackbox and turn it into Y, some solver of a cryptographically hard problem."
-
» needmonero90 sidles in and takes a seat in the back corner of the room
-
suraeNoether
that way, any problem we assume to be cryptographically hard can be relied upon as a foundation of hardness: if i can show that an algorithm that can break linkable anonymity exists and that implies that algorithm can also break the discrete logarithm problem, then i'm good to go because the DL problem is thought to be hard
-
suraeNoether
unfortunately, the bangin definition of linkability in Backes (here: eprint.iacr.org/2019/196.pdf page 25)
-
suraeNoether
this definition appeared to have a contradiction with our proof method: the black box algorithm X needs to be able to corrupt keys, and so the algorithm Y has to be able to simulate key corruption, and the specific order in which things were occurring in the proof was causing some problems
-
suraeNoether
i spent the weekend thinking about the problem, and I solved the issue: the linkability definition in Backes' has corruption oracle access and target key selection occurring simultaneously in step 3
-
suraeNoether
this allows us to restrict oracle access to the adversary only before they select their target keys
-
suraeNoether
this resolves the issue entirely: the solver Y can simulate key corruption, I think, since things are happening in this order
-
suraeNoether
sarang's initial idea was to split the key spaces up inside the algorithm Y so that X can only corrupt keys from the challenge set, but I wasn't convinced such a method could work, but because of this ordering of events, I think it can work
-
sarang
In what way? It presents the key universe first
-
suraeNoether
so, the order in which things happen is this:
-
suraeNoether
Y receives a bunch of DDH triple challenges. Y then simulates a bunch more Y-generated DDH triples, to which Y knows the ground truth. Y then sends X the union of these two sets of keys. X outputs a corruption set and two target keys; Y can cleanly abort if X outputs any keys it doesn't know the secret keys to (the proper DDH challenge triples), and respond to the DDH game by flipping coins.
-
suraeNoether
otherwise, X outputs two proper challenge keys and a set of corruption keys known by Y
-
suraeNoether
the sizes of these two sets indicate the probability of these two events, but if Y gains a non-negligible advantage this way, it'll translate through the probabilities; it just requires that we track the probabilities of success of this game very carefully and be very careful with our conditional probabilities to avoid Monty Hall-style spurious results
-
sarang
OK, so you're relying on aborting unless both (a) the corruption set is all challenger-created; and (b) the target pair are both true DDH
-
suraeNoether
yes, and we can bound the probabilities at which these occur
-
sarang
Seems that `Y` will abort very frequently
-
suraeNoether
*shrug* unless it aborts with probability greater than 1-negl(), the proof will still work
-
suraeNoether
consider it this way: if i give you a non-negligible advantage to solving the DLP for 1 in every 10 keys, or 1 in every 10,000 keys, DLP is essentially broken
-
suraeNoether
so, that's my "big result" from last week, but over the weekend I was thinking about the CLSAG proof while working on my matching code, and i'm expecting a push with a script that produces a small sample exploration of parameter space later today
-
sarang
Would this be parameterized by the size of the corruption and DDH sets separately?
-
suraeNoether
i think you can just parameterize it by the ratio of the sizes of those two sets
-
sarang
(I would assume so, to be able to get the bounds)
-
suraeNoether
but yes
-
suraeNoether
now that i've taken up 20 minutes explaining "yes, your idea from last week works, sarang, and here is why, although the bounds will be super weak..."
-
sarang
heh
-
sarang
Well, I've been working on security models for CLSAG but also on getting a form of key aggregation formalized into Triptych code, analysis numbers, and its preprint
-
sarang
Now that we've settled on Backes being a good definition for linkable anonymity, I want to add that to the ring signature definitions that Groth used, so as to extend it to the linkable case
-
sarang
What I liked about how Groth did it was that it took advantage of the underlying proving system being a sigma protocol (SHVZK, etc.)
-
suraeNoether
oh that's interesting
-
suraeNoether
also i'm considering going back to thring signatures to write a better linkable anonymity proof; if i do, it'll probably be a blog post
-
sarang
Unforgeability in the Groth case isn't quite as clean, but it's not bad
-
sarang
(uses special soundness)
-
suraeNoether
okay, well I have no questions
-
suraeNoether
and it appears to be quiet
-
suraeNoether
holiday times
-
sarang
Ya
-
suraeNoether
i'll be traveling next monday, so i will likely miss our meeting
-
sarang
OK, no problem
-
suraeNoether
if we can reschedule for tuesday next week or wednesday, that'd be better for me
-
suraeNoether
and probably half of the lurkers
-
sarang
Worth noting that the conference submission deadline is coming very soon
-
sarang
Would be nice to get CLSAG submitted there if the proof revisions (and other much smaller edits) are good to go
-
sarang
Deadline is November 30; next rolling deadline is February 29
-
suraeNoether
okay, thanks. i'm pretty sure clsag will be gtg for Nov30
-
sarang
I'm on the fence about reducing the details for LSAG/MLSAG as examples
-
sarang
but I'm not opposed to it
-
sarang
I like having the details as background, and for comparison to the construction of CLSAG
-
sarang
What we _could_ do is reduce the amount of material that covers the specific constructions, and instead note the differences in security model
-
sarang
which also would highlight the improvements
-
sarang
(we should also include a note thanking the anonymous reviewers)
-
sarang
Thoughts on that suraeNoether ?
-
sarang
suraeNoether must have stepped away
-
sarang
Well, I shall continue work on papers and proofs then
-
suraeNoether
woops, sorry, I thought we wrapped it. :P i'm still around, though. re: reduced details, sarang, I'm thinking of just throwing the deets into an appendix
-
suraeNoether
appendices are such a helpful trick, and it's something you never need to exploit until you start writing 20+ page papers :P
-
sarang
Advantage to doing that over just a citation?
-
suraeNoether
i'm trying to put myself in the position of the reviewer who interpreted some of the applications of CLSAG as "made up," who maybe is skeptical of other protocols, doesn't want to go find the other citation and try to figure it out by context. it makes the paper more self-contained without making the body itself bigger... but this is, itself, just an illusion from publishing papers on literal paper
-
suraeNoether
we can consider it more deeply if we get rejected again :P
-
sarang
I do think that more clearly discussing the changes to security model would be useful
-
sarang
It shows that the improvements are also to the underlying proofs
-
sarang
If you like, I can include the edits prior to the appendixes
-
sarang
and we can get that definition/proof updated, since you already have some edits there
-
sarang
What say you, suraeNoether ?
-
sarang
I want to avoid conflicting edits, which would be a pain
-
suraeNoether
Yes that's my game plan today
-
sarang
I mean, should I continue the non-appendix edits presently?
-
sarang
(would that avoid edit conflicts)
-
suraeNoether
Oh I misunderstood. No, I am in the midst
-
suraeNoether
I'd rather you work on triptych for now tbh
-
sarang
no problem