Code Monkey home page Code Monkey logo

Comments (10)

seresistvanandras avatar seresistvanandras commented on August 16, 2024 3

Lolll. Sorry! Shame on me! We need to reiterate the protocol! The chosen hash function allows arbitrary signature forgeries composed with BLS signatures. Kudos to @kobigurk

Specifically, if you have a valid signature $h^{mx}$ on message $m$, then you can forge signature on an arbitrary message $m^{*}$ by computing $(h^{mx})^{m^{-1}m^{}}=h^{m^{}x}$, which is a valid signature on $m^{*}$.

from wabisabi.

nothingmuch avatar nothingmuch commented on August 16, 2024 2

unfairly linear ;-)

from wabisabi.

MaxHillebrand avatar MaxHillebrand commented on August 16, 2024 1

We would like to have an enhanced Chaumian CoinJoin mixing protocol which allows mixing participants not only to mix to their own addresses, but potentially mix to an address belonging to another entity. This would allow users to use CoinJoins also for payments.

I don't think that the address is the main issue here. It is one of the issues, and in the case a round fails, we need to get a new address of the receiver somehow. So, it's not unsolved.

However, I think that it must be an arbitrary payment amount, different from the equal value denomination is the tricky part too, maybe this should be reflected.

from wabisabi.

seresistvanandras avatar seresistvanandras commented on August 16, 2024 1

I don't think that the address is the main issue here. It is one of the issues, and in the case a round fails, we need to get a new address of the receiver somehow. So, it's not unsolved.

I think, this is somewhat an orthogonal problem to the mixing protocol itself. Since we could assume that the sender can non-interactively derive multiple addresses for the recipient. So even if a round fails, a payment sender can create another fresh address for her recipient which she can use in the next round. Could we assume that sender and receiver use some key-derivation protocol or stealth addresses? Or is this a strong assumption Max, @nopara73 ?

However, I think that it must be an arbitrary payment amount, different from the equal value denomination is the tricky part too, maybe this should be reflected.

I'll update now the post above. Although I do think that what we call input UTXO splitting and merging essentially solves this very same problem you mentioned here. I did not articulate this well.

from wabisabi.

nothingmuch avatar nothingmuch commented on August 16, 2024 1

Reiterating some points from previous issues and slack:

  1. Do we actually require bilinearity? Isn't the linearity of Schnorr blind signatures sufficient? The main advantage seems to be lack of Wagner attack but this seems irrelevant since the number of signatures is limited.

  2. To prevent double spending how does the coordinator know the user only submits the unblinded signatures for originally submitted amounts, and not arbitrary combinations of unblinded signatures? For example if I have three registered amounts m_1, m_2, m_3, how does the coordinator detect that a malicious set of output registrations that double spends m_1: (H(m_1+m_2), \sigma_1\sigma_2), (H(m_1+m_3), \sigma_1\sigma_3), the two sums products of the signatures are distinct

  3. Are we convinced that bias in the amount values is not a concern for deanonymizing them? This is way over my head, but after reading a few abstracts about lattice attacks on elliptic curves, I think this is still a concern we must address since the coordinator knows quite a bit about the values, since the coordinator knows quite a bit about the top bits of the various messages both at input registration time and at output registration time. Does the argument rely on the fact that only the sums of the blinding factors is revealed?

from wabisabi.

nopara73 avatar nopara73 commented on August 16, 2024

If the round fails then the blame round starts with the exact same participants with the exact same inputs and exact same outputs. Don't assume stealth addresses and similar exotic stuff those didn't gain adoption even without the complexity of coinjoins.

from wabisabi.

nothingmuch avatar nothingmuch commented on August 16, 2024

$H(m)=h^m \mod p$

This should be $H(m)=h^m$ since $h^m$ is an element of the group, not a scalar (unless the mod is meant to be in the exponent, which doesn't really matter since the group is cyclic?)

from wabisabi.

seresistvanandras avatar seresistvanandras commented on August 16, 2024

$H(m)=h^m \mod p$

This should be $H(m)=h^m$ since $h^m$ is an element of the group, not a scalar (unless the mod is meant to be in the exponent, which doesn't really matter since the group is cyclic?)

Indeed! Good catch! Should be fixed now!

  1. Do we actually require bilinearity? Isn't the linearity of Schnorr blind signatures sufficient? The main advantage seems to be lack of Wagner attack but this seems irrelevant since the number of signatures is limited.

Later we should definitely explore the practicality of other blind signature schemes as well in this context.

  1. To prevent double spending how does the coordinator know the user only submits the unblinded signatures for originally submitted amounts, and not arbitrary combinations of unblinded signatures? For example if I have three registered amounts m_1, m_2, m_3, how does the coordinator detect that a malicious set of output registrations that double spends m_1: (H(m_1+m_2), \sigma_1\sigma_2), (H(m_1+m_3), \sigma_1\sigma_3), the two sums products of the signatures are distinct

This is a serious issue we should fix in the coming days!

  1. Are we convinced that bias in the amount values is not a concern for deanonymizing them? This is way over my head, but after reading a few abstracts about lattice attacks on elliptic curves, I think this is still a concern we must address since the coordinator knows quite a bit about the values, since the coordinator knows quite a bit about the top bits of the various messages both at input registration time and at output registration time. Does the argument rely on the fact that only the sums of the blinding factors is revealed?

I'm kind of convinced that lattice attack are not relevant here. Or would be computationally infeasible but it is definitely good that you brought up and let's not forget about it! Coordinator might guess 30 bits of the values or so but the remaining 200 bits or so (the subsatoshi values in the padding scheme) should be totally random, hence this attack is not a threat I would say.

from wabisabi.

nopara73 avatar nopara73 commented on August 16, 2024

This scheme could still work, since our double spending solution (the zero knowledge accumulator stuff I don'understand: https://eprint.iacr.org/2019/1255.pdf) not only prevents double spending, but also prevents the malleability issue @seresistvanandras thought ruins everything.

from wabisabi.

nopara73 avatar nopara73 commented on August 16, 2024

#30

from wabisabi.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.