-
sarang
So I've been asked to participate in MCCVR (magicalcryptoconference.com/2020-vr)
-
sarang
One activity will be joining a panel on the effectiveness of Bitcoin privacy
-
sarang
But I've also just been asked to give a talk for their privacy track
-
sarang
Any suggestions on specific topics that might be of interest to such an audience?
-
sarang
The coordinator initially had offered a suggestion (after I asked) to discuss Schnorr signatures and Taproot (as they apply to Bitcoin specifically), but I don't really think talking about Bitcoin "privacy technologies" is the best use of such a talk
-
sarang
Especially since the panel looks to be _entirely_ focused on Bitcoin privacy
-
sarang
I agreed to give a talk but mentioned that I'd think more about the best topic/scope to cover
-
kenshamir[m]
Brainstorming: something which may be interesting is the dichotomy between privacy and convenience
-
kenshamir[m]
Since it needs to be quite general and apply to bitcoin
-
sarang
Well, I don't think the topic necessarily needs to apply directly to Bitcoin
-
sarang
The coordinator said I could be "very creative" in what I want to present
-
sarang
She said the other current privacy-focused events will be the Bitcoin privacy panel and a panel/talk on P2EP/PayJoin
-
sarang
I wonder if it might be useful to discuss privacy tradeoffs using technologies _other_ than those intended specifically for Bitcoin protocol compliance/extension
-
sarang
But I do really like the idea of focusing on tradeoffs
-
kenshamir[m]
Personally, I’d like to hear about what you think the future will look like for privacy
-
kenshamir[m]
In general, it’s always interesting to hear what those who work in the field think the direction of the field will be
-
sarang
I'd have to discuss it _not_ in the context of regulation
-
sarang
since who the heck knows what that might look like
-
sarang
But I see projects and protocols working toward establishing scaling for new nodes, differentiating based on trust requirements, and focusing a lot on high signer ambiguity and network-layer mitigations
-
sarang
I think the trust part will be an interesting differentiator... e.g. right now if you're willing to offload soundness to a single point of failure in a setup process, you can do interesting things with general proofs
-
sarang
If you aren't willing to do that (like in Monero), then you have to get creative and make a lot of tricky choices
-
sarang
Although perhaps the regulatory side is of interest as it applies to protocol development... you have projects like Zcoin and Zcash working on protocols where decisions on transparency and surveillance are influencing protocol decisions
-
sarang
and not in a good way, IMO
-
sarang
But I don't want to try and predict what exchanges and regulators will decide they want in 5 years...
-
kenshamir[m]
Yeah, predicting what regulators will do may not be interesting, as I would expect your insight to be more related to the technology.
-
kenshamir[m]
The trust and succinctness trade-off is very interesting. I’ve also wondered whether a trusted setup may be okay in most business use cases; maybe even a necessary stepping stone when trying to get traditional businesses to be more open.
-
kenshamir[m]
Also whether the fact that you can update the SRS with SNARKs like PLONK, SONIC and Marlin is now sufficient. Maybe we could update it every year or so?
-
kenshamir[m]
That would counter the criticism that the people who participated in the original SRS will be unknown in the future
-
kenshamir[m]
Would also be interesting to hear some calls to action in the talk; what can applied/theoretical cryptographers do now or in the long term to benefit the community
-
sarang
Sure, a trusted setup in a private or limited use case where there are already established trust profiles could make a lot of sense
-
sarang
The trouble comes from distributed cases where such trust is hard to come by, or undesirable as a design principle
-
sarang
FWIW I don't really know if the idea of updatable SRS really fixes things
-
sarang
If soundness is in question and leads to false proofs being of concern, does an update really solve anything?
-
sarang
I agree that it could be helpful for the "who were the original MPC participants" mythos that will arise long in the future
-
sarang
Do you happen to know any concrete data for SRS updates?
-
sarang
The last time I checked, the preprints in question never mentioned anything about update efficiency, which seemed sketchy to me at the time...
-
kenshamir[m]
<sarang "If soundness is in question and "> Right, we have no way to check that soundness was not violated in the past. I think SHARKS was meant to fix it, but I have not heard about it for a year now
-
sarang
Yeah, there was some kind of presentation on it, but not even a preprint...
-
sarang
so it doesn't really exist :)
-
kenshamir[m]
<sarang "The last time I checked, the pre"> I’m not sure of concrete data, but to update the SRS it would be quite expensive since we would need to restart the MPC
-
sarang
And presumably all such data would need to be hauled around with the chain forever...
-
sarang
The idea seemed interesting as a theoretical construction
-
kenshamir[m]
In terms of efficiency, I think each participant takes about a day to generate the necessary data
-
sarang
but seemed really bizarre as something to build in practice for a distributed system...
-
kenshamir[m]
<sarang "And presumably all such data wou"> For the update I’m not sure, I think the chain would just need some sort of way to say “this is the new SRS”. If somehow the MPC could be done in a few minutes then my idea would make sense.
-
sarang
Right, but the SRS tend to be huge
-
sarang
and if you have a hundred updates, you need all of them
-
kenshamir[m]
<sarang "but seemed really bizarre as som"> Yeah for SHARKS, it would involve a bunch of logistics such as when to run the trustless verifier and what to do if a previously accepted proof was malicious. Especially if you have finality
-
sarang
Hooray for public CRS constructions :)
-
sarang
Here's a hash function; use it; there's your CRS
-
sarang
:D
-
kenshamir[m]
<sarang "and if you have a hundred update"> Oh I see, yeah there is no way to compress that data
-
kenshamir[m]
That’s a good point, I had not thought of the previous SRS for the chain.
-
kenshamir[m]
But I guess once you update the blocks where the SRS applies, the node can throw it away. Still downloading all of those SRSs is non-trivial
-
sarang
You can throw it away, but then you can't provide full-node capabilities to new nodes
-
sarang
So it seems like a nightmare for scaling when new nodes join
-
kenshamir[m]
Yeah, this is why I’m quite interested to see how HALO 2 solves their scaling problems
-
sarang
AFAIK they haven't said if/how it can even apply to transaction verification
-
sarang
The only demo code was for recursive PoW verification
-
kenshamir[m]
With the linear verifier, maybe there is a way to decrease complexity if the techniques all work
-
sarang
Well, there's the linear verifier, but also the entire concept of recursion, no?
-
kenshamir[m]
I guess the prover time would not be a major problem? Since the individual Tx proofs will not be that heavy?
-
sarang
No clue; AFAIK there are no benchmarks for this
-
sarang
I'm taking a "let's wait and see the code, and not press releases" approach
-
sarang
ECC claims they have internal work for this, but have not released it
-
sarang
So once again, goes back to trust profiles :)
-
kenshamir[m]
<sarang "Well, there's the linear verifie"> Yeah that too, I think there is always a delayed linear overhead with the recursion for the verifier, so it would be interesting to see how this is mitigated, as I believe it would need to be good enough to warrant replacing Groth16
-
sarang
Well, and I haven't seen anything about how to even structure a recursive construction that works with transactions in a meaningful way
-
sarang
So many questions
-
sarang
I hope it works
-
kenshamir[m]
Yeah same, I trust that there are some novel things being done, but I’m holding out until concrete numbers can be verified
-
sarang
Yeah, I was peeved to see the idea of "this is definitely solved" come out of discussion about their press release
-
sarang
It's definitely not publicly solved
-
kenshamir[m]
Yeah, I personally think that “solved” should be publicly verified
-
sarang
and the code they linked is very much WIP and, when I had checked, had no benchmarks relevant to a desired implementation
-
sarang
Sure, and presumably it would be
-
sarang
If they end up giving details, great
-
sarang
If not, it's a press release
-
kenshamir[m]
I think there is no choice but to give more details?
-
sarang
If they want to implement it? Of course
-
kenshamir[m]
Since claims have been made, details and numbers should presumably follow
-
sarang
IIRC they said details sometime this year (but not sure on that)
-
sarang
But until then, it's Schrödinger's Proving System
-
sarang
It has no state of existence until observed =p
-
kenshamir[m]
Even if they do not implement it, I think claims have been already made about things that are solved
-
kenshamir[m]
What do you think the right course of action should have been?
-
kenshamir[m]
Wait until they had a paper and implementation?
-
kenshamir[m]
Updated paper*
-
sarang
Perhaps having technical discussions publicly?
-
sarang
There was also a modified license with restrictions, so I don't know if the nature of its license affected their decision to develop only internally
-
sarang
ECC seemed to be very concerned about other projects "scooping" this stuff
-
sarang
But I _definitely_ don't want to speak for them or try to figure out how they run their business...
-
sarang
that's certainly off topic for this channel
-
sarang
But perhaps it speaks to the usefulness of doing technical development openly
-
sarang
The downside is people misunderstanding the nature of works-in-progress, I suppose
-
sarang
But the upside is transparency and verifiability and having more eyes on tough problems
-
kenshamir[m]
<sarang "Perhaps having technical discuss"> Yeah very fair
-
sarang
To be fair, I've found that Zcash technical discussion historically _is_ done openly, usually on GitHub
-
sarang
and that's great for ease of access
-
sarang
This stuff with Halo 2 seemed bizarrely different in its approach
-
kenshamir[m]
Yeah, I think the outrage was mainly due to expectation
-
kenshamir[m]
Not outrage... questions
-
sarang
My utterly wild speculation is that it's to avoid other projects using the technology to gain some kind of advantage over the Zcash project, but this could be entirely not the case
-
sarang
Trying to figure out why private businesses make decisions seems a losing effort most of the time...
-
kenshamir[m]
This sounds like the rational conclusion. Another idea is that they were trying to usher in a way for open source projects to have an advantage over closed source projects
-
sarang
I think it'd be wild to see a full Bulletproofs-based implementation of something like the Sapling or Heartwood protocols
-
kenshamir[m]
I’m not proficient in licenses, so I couldn’t make heads or tails of it though
-
sarang
Yeah, me neither
-
sarang
There was some back-of-the-envelope stuff for Bulletproofs a while back, but I don't think anyone was crazy enough to actually build it =p
-
kenshamir[m]
I’m actually not 100% sure what the license would cover because Halo is not well defined in my head
-
sarang
Well, the code for sure... but you can't license math
-
sarang
at least, you're supposed to not be able to do that...
-
sarang
*coughRSAcough*
-
sarang
*coughSchnorrSignaturescough*
-
kenshamir[m]
So if I code up my own halo implementation, I can put it as MIT?
-
kenshamir[m]
Haha, I’m glad it’s frowned upon now
-
sarang
I am not a lawyer, but I'd think so
-
sarang
I mean, Halo is a technique for proof recursion
-
sarang
they didn't invent the underlying proving systems
-
sarang
nor could they license the math behind those
-
kenshamir[m]
I’ve also seen phrases such as “halo the commitment scheme”
-
sarang
Of course, by the time you get it coded, the restrictive license period would be over
-
sarang
Halo The Coloring Book!
-
sarang
Halo The Breakfast Cereal!
-
sarang
(Spaceballs reference...)
-
sarang
Merchandising: Where The Real Money From The Movie Is Made (tm)
-
sarang
"God willing, we'll all meet again in Halo 2: The Search For More Money"
-
sarang
Was there a new approach to commitment schemes in the original construction? I don't recall
-
kenshamir[m]
True, I guess it’s fine if that license does not affect MIT/Apache licenses
-
sarang
No idea :/
-
sarang
Hopefully some license experts can provide better analysis on the consequences of restrictive licenses
-
kenshamir[m]
I don’t recall either, but I might have missed something
-
sarang
I'm not a fan of technical topics being mixed with press and marketing messaging
-
sarang
it just makes everything muddled and confusing :(
-
sarang
Hopefully this project continues to improve on external messaging
-
sarang
this project == monero
-
sarang
kenshamir[m]: do you also follow Lelantus development at all?
-
kenshamir[m]
<sarang "kenshamir: do you also follow Le"> Not recently, I heard there was a bug found, or do I have the wrong protocol?
-
sarang
What bug?
-
sarang
I know they recently overhauled their security model to follow that of Zcash a bit closer
-
sarang
but I don't know if they ever really fixed some of the one-time addressing woes that we originally found
-
sarang
and I haven't been following their audit/deployment at all
-
kenshamir[m]
Oh wrong protocol, I think
-
kenshamir[m]
<sarang "I know they recently overhauled "> Was there a rationale for this?
-
sarang
I'm not sure
-
sarang
Perhaps to more broadly capture the entire nature of a transaction, and not just proof security
-
sarang
Since security of the proving system doesn't imply security of the overlying tx protocol?
-
kenshamir[m]
<sarang "Since security of the proving sy"> Yeah that makes sense
-
sarang
I'm really curious about what their batch processing times end up looking like
-
kenshamir[m]
I guess unless the statement being proven encapsulates the notion of a “Tx being spent” ?
-
sarang
The values in the preprint seem crazy good
-
kenshamir[m]
<kenshamir[m] "I guess unless the statement bei"> Actually I’m not sure
-
sarang
kenshamir[m]: their proof does capture that, but stuff like balance checking is outside the simple sigma protocol security definitions
-
kenshamir[m]
<sarang "The values in the preprint seem "> Did they have code?
-
sarang
Not at the time, but they recently released FOSS code
-
sarang
I don't think it had full benchmarks for batching, but I'm really curious
-
sarang
esp. since their anon sets are really large and you'd need to handle spending old funds too
-
sarang
I had a lot of questions on how all that would work
-
sarang
I think they were targeting something like 65K sets
-
sarang
Reminder that our weekly research meeting starts at 17:00 UTC
-
sarang
.time
-
monerobux
2020-09-16 - 16:05:07
-
sarang
good bot
-
kenshamir[m]
I’ll need to check out those numbers, didn’t really think that there were more improvements to be made
-
sarang
Might have to do with library choice?
-
sarang
And it's not clear how they compared for things like range proofs, point decodings, balance, etc.
-
sarang
but I'm really curious how Lelantus works out in practice at the scale they were targeting
-
kenshamir[m]
I have not been up to date with your work recently, were their numbers comparable?
-
sarang
In theory they should be
-
kenshamir[m]
For something like a conventional Tryptich proof <- sorry can’t spell
-
sarang
The verification structure of Triptych is _extremely_ similar to that of Lelantus
-
sarang
They're based on the same proving system
-
sarang
and both require range proofs
-
sarang
I think their bulletproofs will be a bit slower, but not by much (they use a variant of Pedersen commitments)
-
sarang
Hmm actually they might have the advantage by avoiding separate commitment points...
-
sarang
I need to check the verification routines
-
kenshamir[m]
Do they compare Triptych in their updated paper?
-
kenshamir[m]
@sarang btw were you able to draw any conclusions from your recent on these Groth-based proofs? Such as using one of them instead of MLSAG/CLSAG or is it still early days?
-
sarang
Looks like they did not compare to Triptych or Arcturus, but yeah, they _would_ still have an advantage by avoiding using separate amount commitments
-
sarang
However, they had to sacrifice one-time addressing security
-
sarang
that was a kicker
-
sarang
I think Groth/Kohlweiss-based protocols show a ton of promise
-
sarang
Big downside is multisig complexity due to the change in linking tag format
-
sarang
The only way I know to do it safely is using Paillier encryption, which requires arbitrary RSA groups
-
sarang
I do have proof-of-concept code in Python and in C++ for both Triptych and Arcturus for non-batch timing purposes
-
kenshamir[m]
<sarang "I do have proof-of-concept code "> Link?
-
kenshamir[m]
<sarang "The only way I know to do it saf"> Is this a show stopper?
-
kenshamir[m]
I’m guessing you don’t want to introduce the additional complexity
-
sarang
It's not a show-stopper, but needs to be carefully considered
-
sarang
esp. if it's intended for hardware devices to implement with low computational complexity
-
sarang
and there are some annoying proofs you need to do for optimal security with the Paillier-based schemes
-
sarang
-
sarang
-
sarang
-
sarang
-
sarang
Usual disclaimer that these were not written with production security in mind, and should not be deployed as is
-
sarang
The Python code does support batching, but isn't useful for timing purposes
-
sarang
Arcturus soundness also requires a non-standard hardness assumption
-
kenshamir[m]
Thanks for the link!
-
kenshamir[m]
<sarang "Arcturus soundness also requires"> Which one?
-
sarang
a new one
-
kenshamir[m]
Checking paper *
-
sarang
I haven't been able to reduce it to a standard assumption yet :(
-
sarang
Page 4, Definition 1
-
sarang
-
sarang
A reviewer claimed to have broken it, but their example didn't work (I don't think they read the definition carefully)
-
sarang
kenshamir[m]: if you're able to break the assumption, or reduce it to a known assumption, I would be unbelievably happy
-
sarang
Right now it's just this weird thing
-
sarang
I think it's a reasonable assumption, but it's totally untested
-
sarang
OK, we'll start our meeting momentarily
-
sarang
-
sarang
Let's get started!
-
sarang
First, greetings
-
sarang
hello
-
hyc
hey
-
h4sh3d[m]
Hello
-
Isthmus
Holla
-
sarang
On to the roundtable, where anyone is welcome to share research of interest
-
sarang
Who wishes to begin?
-
UkoeHB_
hi
-
UkoeHB_
not research, but it seems the hardfork protocol changes have been finalized
-
sarang
Indeed!
-
sarang
Binaries are set to be released, and the protocol upgrade will happen around October 17
-
UkoeHB_
CLSAG, fixed block rewards, and chain-data-based UTC timestamp timelocks
-
sarang
This gives users and other ecosystem participants a month to update
-
UkoeHB_
are the changes I know about
-
hyc
on that note, I've been running the new stuff on testnet for about 2 weeks
-
sarang
Anything of note hyc?
-
hyc
nope, decidedly boring
-
sarang
Excellent
-
sarang
Ledger and Trezor teams are ready as well
-
sarang
So users of those devices should see a seamless transition, provided they keep their devices updated
-
sarang
Thanks to everyone who participated in the upgrade process
-
sarang
CLSAG was a particularly long road to walk...
-
h4sh3d[m]
What's the best resource to see what changed in the transaction serialization, regarding the hardfork (directly the code I imagine)?
-
h4sh3d[m]
So I can update the Rust library and include the new format
-
Isthmus
Ooh I didn't know that we had a Rustnero. Where does that repo live?
-
sarang
Good question h4sh3d[m]... I'm not sure there's something easier than examining the code, or perhaps something like the onion explorer source
-
h4sh3d[m]
-
Isthmus
Sweet, ty
-
h4sh3d[m]
sarang: ok, I'll check the code anyway then
-
sarang
Might also be worth pinging moneromooo as well
-
sarang
(ping)
-
sarang
I can get you the serialization for CLSAG signatures specifically, if that's useful
-
h4sh3d[m]
Yes, it is useful
-
sarang
-
h4sh3d[m]
Thanks
-
moneromooo
Oh hi
-
» moneromooo reads back
-
sarang
Er, that's my branch, so it's probably not fully up to date with the project master branch
-
sarang
whoops
-
moneromooo
Data format changes ? I can look that up, gimme a few minutes.
-
h4sh3d[m]
At least I have the right file with this
-
sarang
:D
-
sarang
Was there anything else that should be discussed related to the upgrade, now that it's been brought up?
-
moneromooo
Oh right, what sarang pointed to actually :)
-
sarang
:D
-
sarang
-
sarang
not my clone of it, which is probably a bit old
-
moneromooo
and the rct type is 5 for those. 4 for MLSAG.
-
sarang
Does anyone else wish to share research topics of interest?
-
Isthmus
-
sarang
Great!
-
sarang
Anything of note to which we should pay particular attention?
-
sarang
That link isn't for viewing
-
sarang
You'll need to access the read link from the share menu
-
sarang
It's different from the project URL
-
Isthmus
-
sarang
success
-
sarang
Any big recent changes of note?
-
sarang
<3 line numbers
-
h4sh3d[m]
I like 766 :D
-
Isthmus
Added the sections about pq-crypto and mitigations
-
sarang
No Oxford comma on L766?
-
sarang
tsk tsk
-
sarang
I had pointed out some issues to suraeNoether a while back, but they appear to have been addressed at first glance
-
sarang
Namely about having access to multiple outputs, which included some incorrect math
-
sarang
Isthmus: is there anything you'd like from this channel related to this new draft?
-
sarang
Particular review, etc.?
-
zkao
hello guys
-
sarang
Hi zkao
-
sarang
OK, well I suppose we can move on!
-
zkao
since we're on research paper review topic, we'd like to get the atomic swap paper more widely scrutinized, vtnerd did a good job so far, so it would be great if more eyes look into it carefully and drop questions, could some people in here give more feedback?
-
sarang
Can you summarize the comments from vtnerd?
-
zkao
-
h4sh3d[m]
-
zkao
he picked up on all the differences between traditional atomic swaps and h4sh3d's asymmetrical one
-
sarang
Ah, there's more discussion there since I checked last; excellent
-
sarang
Thanks for linking this
-
zkao
his process of reading it and analysing it, made me feel like almost nobody tried to understand it yet
-
zkao
because other people should have spelled some of that stuff before
-
kenshamir[m]
<sarang "kenshamir: if you're able to bre"> Battery died on phone. I did think of something where we can use it to solve the DL of G with respect to H, but I think I might just have misunderstood the assumption, or my maths is off. Ahh, meeting in progress, can wait for it to end.
-
zkao
except a few experts
-
sarang
zkao: has the latest version of the preprint been posted to the IACR archive?
-
h4sh3d[m]
Yes
-
sarang
great
-
h4sh3d[m]
it's submitted, not yet published
-
h4sh3d[m]
I'll past a link as soon as it gets on the preprint server
-
sarang
When was it submitted?
-
sarang
They're usually pretty quick
-
h4sh3d[m]
today :D
-
sarang
Ah ok!
-
h4sh3d[m]
pretty quick < some days/weeks?
-
sarang
kenshamir[m]: I definitely want to know about this after the meeting :)
-
sarang
h4sh3d[m]: yeah, maybe delayed a few days, but generally not too bad
-
sarang
They're not as on top of things as arXiv for daily postings, it seems
-
zkao
i guess you should drop it in bitcoin-wizards after its in the prepint server
-
h4sh3d[m]
seems good yes
-
sarang
Are you not in that channel?
-
sarang
I can certainly link it there if you wish
-
h4sh3d[m]
I am in the channel, yes please! :D
-
sarang
OK :)
-
sarang
You can of course feel free to post it there if you prefer!
-
sarang
I don't have any particular sway in that channel
-
sarang
I have a few things to share
-
sarang
I did some review with suraeNoether on the post-quantum security draft
-
sarang
Worked on the Arcturus security model to make it more clear after its last review
-
sarang
Produced BP+ and BP Python updates to demonstrate additional hidden data embedding
-
Isthmus
Sorry, lost internet a few. Yea, Sarang had a lot of very helpful comments
-
sarang
Gave a presentation to a Chicago bitcoin group
-
sarang
And am participating in this week's ongoing ESORICS conference
-
sarang
Additionally, I've been asked to give an MCC talk soon relating to privacy
-
sarang
I think they presumed bitcoin-related privacy, but I think that's not useful
-
sarang
I welcome suggestions on particular topics you think might be of most use to that audience
-
sarang
Anyway, did anyone else wish to share research topics?
-
sarang
We're approaching the end of our scheduled hour
-
sarang
I do wish to note that I will not be requesting community funding after the end of this month
-
sarang
So any research meetings will need to be coordinated by someone else, if it's desired that they continue
-
zkao
the transaction graph of bitcoin is in the clear, even if scripts get hidden with taproot, so you could push the agenda that it is not good enough, at that conference
-
UkoeHB_
what will you be up to next month, if I may ask?
-
sarang
I have yet to finalize anything specific
-
sarang
OK, well, I suppose we can adjourn then
-
sarang
Thanks to everyone for joining today
-
hyc
thanks for running the meeting
-
sarang
kenshamir[m]: would be very interested in the details around that hardness assumption
-
zkao
thank you for hosting
-
h4sh3d[m]
Thanks everyone
-
TheCharlatan
applause to sarang
-
kenshamir[m]
<sarang "kenshamir: would be very interes"> Just looked over it again, and I'm quite excited to be proven wrong, since it will be an opportunity to learn
-
sarang
If it's possible to reduce the assumption to knowledge of the DL of G w.r.t H then that's great
-
kenshamir[m]
I have two ideas, will say the first one
-
sarang
Since those are assumed to have no known DL relation
-
-
» sarang fetches a pad and pen
-
kenshamir[m]
Is this correct so far?
-
-
-
sarang
n=1 looks fine, with appropriate variable renaming
-
-
kenshamir[m]
I then say that we can use this A to solve the DL of H w.r.t. G, if we set R to H or Q to be G.
-
kenshamir[m]
Can you spot an error?
-
sarang
incorrect in that last paste
-
sarang
The second condition is `y*(H-x*G) == 0`
-
sarang
The last condition should be `x*Q != H`
-
sarang
The point is that the way the indexing appears in the first two bulleted sums of the definition are "reversed" in a sense
-
kenshamir[m]
Ahh right
-
kenshamir[m]
updating *
-
-
kenshamir[m]
sarang: What about the "I then say that we can use this A to solve the DL of H w.r.t. G, if we set R to H or Q to be G." part?
-
-
sarang
Can you write that out as a wrapped security game?
-
sarang
just for clarity
-
sarang
i.e. the DL player receives `G` and `H` and needs to return the DL
-
sarang
and passes things into the dual-target player
-
kenshamir[m]
Ahh right, yep
-
sarang
I think it's also important to identify the nature of the set parameter `n`
-
sarang
Being able to pass in zero values, e.g., may suffice for arbitrary `n`
-
kenshamir[m]
<sarang "I think it's also important to i"> Good point, I think the second idea deals with n=2 which may generalise to arbitrary n. Will need to check it again though
-
sarang
Yeah, hopefully this approach is more straightforward than I've been making it
-
kenshamir[m]
I think I might have something mistaken, but not sure what
-
-
-
kenshamir[m]
The Dual Target game is modified slightly, so that instead of the Challenger choosing random G, H, it is now the G, H from the DL game
-
sarang
Sure, the DL player takes on the role of the dual-target challenger in a wrapped game
-
sarang
So it provides the dual-target player's input and receives its output, and can do what it wishes with them
-
-
kenshamir[m]
If the adversary sets H_k == xG, then x will need to be the DL of H w.r.t. G
-
kenshamir[m]
sarang: does that work?
-
kenshamir[m]
My second idea was to show that if the adversary tries to cancel out each term, then he will need to know the DL of multiple pairs of random group elements which I think would be harder than the DL.
-
kenshamir[m]
I used the fact that, no matter what group element the adversary chooses, as long as it is not the identity, when we multiply by the challenger's random _mu_ value, or _y_ in the case above, the element can be seen as random too.
-
kenshamir[m]
Assuming a group of prime order
-
-
-
kenshamir[m]
This is assuming the first part works
-
kenshamir[m]
Have to head off now, let me know if you find any errors in the logic
-
sarang
kenshamir[m]: sorry, have been watching a livestreamed privacy talk
-
sarang
kenshamir[m]: if I'm reading it right, I don't think that approach works
-
sarang
The DL player can manipulate the inputs it sends to the dual-target player, but it can't change how that player operates internally
-
sarang
It can only receive its outputs, and use the fact that the dual-target player can win with some advantage