Comments (12)
small typo: i think is supposed to be
(also TIL about this hack for math in github, and... wat. why like this github?!)
this seems like a simpler blind signature scheme than randomizable signature scheme we discussed.
however, i do think double spending is still a problem:
- Alice obtains signatures for
(by registering one or more inputs, doesn't matter)
- Alice registers outputs for up to 6 different signatures, each with an unlinkable blinding factor
so i think we need some sort of accumulator for the blinding factors, and to prove that each sum is due to a combination of previously unused blinding factors, similar to zcash nullifiers.
as for range proofs - since these are Pedersen commitments isn't that exactly the same as what's used in confidential transactions?
from wabisabi.
Maybe this can be solved with some clever padding scheme...
Plan ZS could be to add a bunch of random sub-satoshi amounts, so the message space would be sufficiently large. In that case there can be number of commitments * 1 satoshi
error in the final sum, so we have to make sure it's handled properly in software.
from wabisabi.
Shouldn't also be requirement for the homomorphic commitment scheme be that rangeproofs can be applied to it, or it's always given?
It's somewhat outside the scope of this conversation, but resolving the double spending issue is also a requirement, but that may be possible to resolve later.
Now that I got to the end, isn't both of my issue got resolved, even the double spend? Since the blind sigs can only be used once we can verify that signatures aren't reused when we prove the sum!
from wabisabi.
Yeah, indeed! 120% agree! These are two crucial additional requirements.
- We need to prevent double-spending!
- The commitment scheme should also support some efficient range proof system!
from wabisabi.
sorry, that's not correct, since if alice reveals all the r
values the coordinator can subtract them to identify this behaviour. but alice can just generate 6 more commitments to value 0 and add them to each registration.
from wabisabi.
@nothingmuch just to confirm. Your conclusion is that double spending is prevented this way, too, right?
from wabisabi.
no, not without accumulators (but that should be a solved problem, zcash accomplishes it in a more complicated setting, and 2 of the divisible e-cash papers we shortlisted for review are based on accumulators and are likely to be a bit simpler than how zcash does it)
edit: i jumped to conclusion there, obviously accumulators are not the only way
from wabisabi.
Indeed. Thanks Yuval! Should be fixed now!
however, i do think double spending is still a problem:
This is a great and important observation! An important attack vector, we need to mitigate! I show below an easy fix!
so i think we need some sort of accumulator for the blinding factors, and to prove that each sum is due to a combination of previously unused blinding factors, similar to zcash nullifiers.
I think we do not even need that heavy cryptographic machinery, like accumuators. Don't forget that Simplicity is the ultimate design goal! Just a quick reminder that and
are generators in the used elliptic curve group
and only the coordinator knows the discrete logarithm between
and
, in other words they don't know
such that
. Maybe neither coordinator knows, the only important thing is that mixing participants should not know, otherwise they could cheat. The secret key of the coordinator is
, while the public key of the coordinator is
. Whenever a user would like to merge two UTXOs the user encloses the hashes of the UTXO values and coordinator's signatures on them:
. Since
is public, the coordinator can check whether
. Coordinator accepts each signatures only once, therefore double-spending is effectively and elegantly solved. Note that coordinator does not learn the underlying messages, coordinator only learns that these are valid signatures on the hashes of SOME message. However small message space might cause problems...
Still, we have other difficulties arising from the small message space, ie. coordinator knows that m is less than, say 10BTC, which amounts to Satoshi. Hence when the coordinator sees the hash of some message
, i.e.
, it could figure out simply the underlying message just by bruteforcing the exponent, put differently, solving the DLOG with a simple and efficient brute-force due to the constrained message space. Maybe this can be solved with some clever padding scheme...should think about this more!
as for range proofs - since these are Pedersen commitments isn't that exactly the same as what's used in confidential transactions?
They're the same, so it should not be a problem! :) We'll surely find appropriate range proof systems if we decide to use BLS with the modular exponentiation hash function
from wabisabi.
This is superb! You are right! I had a way more complicated solution in mind but yours is the most elegant and simplest we can come up with, I think!
from wabisabi.
Oh, actually just make the 0.1 and 0.01 satoshi decimal places constant zeros and then the software won't even need to care about it anymore.
from wabisabi.
something to consider that i thought I'd mention since it's now buried in the slack log:
suppose we align the amount so that the bottom ~128 bits of the m
are completely random and never represent a quantity more than say a millisatoshi (to prevent them summing to more than 1 sat), this means the top bits of m
would be strongly biased.
this bias in the field elements might mean that the coordinator could use e.g. lattice based attacks to uncover the amounts
from wabisabi.
Summary of this conversation: #5
Closing this issue, @nothingmuch's attack is addressed there.
from wabisabi.
Related Issues (20)
- Protocol: KVAC based HOT 15
- Pre-paying the coordinator fee HOT 7
- Archiving Old Readme.md HOT 1
- Quantifying CoinJoin inefficiencies HOT 20
- meta: issue cleanup HOT 1
- Post-Cryptographic Research HOT 3
- citations to footnotes HOT 1
- Clarifying the Balance Proof HOT 8
- Eliminate serial number attribute HOT 7
- improve notation for attributes HOT 1
- document structure improvements HOT 2
- Add explainer somewhere into this repo
- The Protocol HOT 34
- 3 path UX for sending with WabiSabi
- The section "Over-spending prevention by balance proof" doesn't make sense HOT 4
- Crypto Bikeshedding
- mitigate coordinator deanonymization attacks based on timing and data withholding HOT 4
- Amount Organization HOT 3
- Protocol docs - Input Registration HOT 1
- Security Proof Improvements HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from wabisabi.