Pages:
Author

Topic: Anonymous Atomic Swaps Using Homomorphic Hashing (Read 1120 times)

newbie
Activity: 14
Merit: 177
September 09, 2018, 10:24:04 AM
#29
@aliashraf

The paper is ready with the updates. I have uploaded it to SSRN, but the review can take anything from 1 to 14 days. If you require a copy sooner, please contact myself on the email on the original paper or empty[g] on the email provided above. I have sent him a copy of the paper that I have uploaded.
newbie
Activity: 7
Merit: 11
nice,
we are almost there...

if xn=P (x is not integer)
i suggest to put x < S < P-x to be sure about the unpredictability of the hash function

also i have read and investigated the subjects have been said in last posts from @johank and @aliashraf , i'm very excited about them and agree with the solution that have been proposed.

johank , you may want choose a 512 bits prime number as p instead of 256 bits for making sure that the reduction of search space needed for brute force attack due the collisions is not that important, but i think even a 256 bits would do for this date we are in.

i also like to hear from you about the operation stage and if you are gonna code the program and etc. i would love to help the coding as much as i can.

about your honorable offer, unlike aliashraf i am new and searching for a name and i would be glad to be mentioned on the paper but i think the credit mainly is for you.
you can contact me at [email protected]
legendary
Activity: 1456
Merit: 1175
Always remember the cause!
@johank
From my side, all the credits go to you though @empty[g]'s contribution was very helpful  , thanks anyway.  Smiley

And you are right Lagrange's theorem definitively proves the rate of collisions being bounded by n and choosing a properly small n (I suggest 6) with a large prime p will make it computationally infeasible to find a collision.

I have to emphasis on using n>>2 to mitigate heuristic attacks. Once you have finished  the final version, please keep me informed, we should take care of implementation issues next.



newbie
Activity: 14
Merit: 177
@aliashraf

I have updated the paper that I wrote with all the details we have discussed. It summarizes it all together. I will be uploading it soon. As you and empty[g] have provided valuable insights I wish to add you as authors. If you wish to allow this please email me your names and the email I should include and I will update the paper to reflect this.

Regarding the impact of collisions on the homomorphic hashing I included the following in the paper to discuss this:

Quote
The presence of collisions has implications for the homomorphic feature of the proposed hash function. Specifically a hash can have more than one secret. This implies that equation 7 can have multiple solutions.
If Alice is able to determine two secrets that have the same hash, she can use the one to generate hashes and sums to send to Bob, but use the other secret to unlock the coins Bob sent to her. This will stop Bob from being able to solve equation 5 correctly and unable to claim his coins. After a time delay Alice will then claim the coins.
This increases the requirement for a large search space. An attacker must not be able to determine any of the secrets that generate the same hash except using brute force.

A large search space is required, but also when choosing n and p to have collisions there should be no obvious double roots to a collision, e.g n = 2, p = 13, s1 = 4, h1 = 3, s2 = 9, h2 = 3 where -4 mod 13 = 9 => -s1 mod p = s2 when n = 2

If you want to find out more about the upper bound of the collisions, please look at Lagrange's Theorem on congruence of polynomials under modulo a prime. I also discuss this in the paper.
legendary
Activity: 1456
Merit: 1175
Always remember the cause!
@johank

If you are right about the number of collisions having an upper bound of n, choosing n slightly bigger is more appropriate to have more discontinuities and jumps hence more resistance to heuristic attacks  like what I suggested primarily up-thread.

For example putting n = 6 with a search space of 2255/3 height, is practically the same as 255 for n=2, both being computationally hard and won't be broken in real time.

I think it is time for you (or @empty[g]) to put everything together once again and give a solid mathematical presentation and proof of the homomorphic hash function:   h(s)=sn mod p

I'm not convinced about the collision rate to be n by the way.
newbie
Activity: 14
Merit: 177
@aliashraf

I agree with what you said. Yes, if (p-1) mod n = 0, it will not be reversible, and I agree that it seems if it is not reversible there are collisions.
We therefore want something with collisions, but as little as possible. This also means that n can be even.

It terms of the collision rate, I think I can help with that.

For h1 = h2

s1n - s2n mod p = 0

If p is prime then it has at most n roots

=> for a hash h, there are at most n secrets that create that hash.

=> brute force search space is reduced to 1/n of its original size

for n = 2

all primes will yield (p-1) mod 2 = 0, it will be reversible and I suspect have collisions (at most 2 per hash)

and the search space will only halve.
legendary
Activity: 1456
Merit: 1175
Always remember the cause!
@johank
I think we are not done with your proposal yet, despite your suggested inverse attack which is based on finding at least one pair of (t,m) such that (p-1)*t+1=n.m or m = ((p-1)*t + 1)/n and using m to find s=h(s)m mod p.

You can note that the equation has no integer roots if p-1 mod n = 0  or (p-1)/n = k
((p-1)*t+1)/n = m    ==>   (p-1)*t/n + 1/n = m    ==>   m= kt+1/n
so if we choose p and n such that n divides p-1 the hash function h(s) = sn mod p is irreversible.

Now here is another interesting  problem:
For a prime number p and an odd number n, when such a number m can not be found to commit an inverse attack on h it seems that we have a hash function with collision! For example with n= 3 and p = 13 there is no m and inverse function but we have collision!

I suggest that analysing the collision rate may still imply good enough security for large prime numbers.
newbie
Activity: 14
Merit: 177
Hi

For those following this thread, here is a proof that this hash can be broken

Using Eulers totient function it is known that

sphi(p) = 1 (mod p)

Raising to a power t using modular arithmetic yields

sphi(p).t = 1 (mod p)

Multiplying by s

s(phi(p).t + 1) = s (mod p)

Therefore if a secret s was raised to a power n to hash, then the hash can be undone by raising to such a power m so that

phi(p).t + 1 = n.m

(phi(p).t + 1)/n = m

Examples:

p = 11
n = 3

phi(p) = 10
t = 2

phi(p).t + 1 = 21

m = 7

s21 mod 11 = s mod 11 (you can easily verify this numerically)

for example

s = 9

s3 mod 11 = 3 = h

h7 mod 11 = 9 = s

This proof is holds for s < p. If s > p then it does not hold, but then collisions become unavoidable as k.p + 1 and (k+1).p + 1 will result in the same hash.

At this point one probably will have to change the hash function to h = gs mod p ( where g is some fixed generator number)

(The problem with this hash function is that it can be computationally intensive)

This would change this attack to a brute force attack that has to solve

hm = 1 (mod p)

which would mean

gs.m = 1 (mod p)

And then they would have to use brute force to solve

s = phi(p).t/m

with no remainder

ie phi(p).t mod m = 0

I am not sure how hard this would be
newbie
Activity: 7
Merit: 11
Hi

Just thought I might share this. It is a simple attack, that the following proof shows will not work

h = sn mod p

Assume an attacker want to find a power m such that

hm mod p = s

=> s = s(n.m) mod p

=> s(n.m) - s = 0 (mod p)

The attacker would have to solve the above congruence.

Using the theorem from my previous post, this implies that the congruence can be factorized to yield

s.(s(n.m-1) - 1)

This yields roots s = 0, s = 1 and possibly s = -1 for all values of n and m

Therefore for s > 1 there are no values of m that can be used to determine the pre-image s from the hash h.

i think your answer to this attack is right, maybe not complete but right.
it is not possible to determine a 'm' that works regardless of 's' with only having h(s)
i don't see how collisions effect this.

-----------

also don't be disappointed with collisions problem, i have found 46337 as a prime number without collisions for n=3 with brute force
i suggest that if you can find a way to determine if a prime number has collisions or not WITHOUT brute force the problem is solved.(as we need a large number that denies the possibility of brute force and it is not wise to determine itself with brute force  Grin )
newbie
Activity: 14
Merit: 177
Hi

I agree with your assessment. I verified that there are collisions for n=3 and p = 1291. My mistake lies in assuming

(s1(n-1) + s1(n-2).s2 + ... + s1.s2(n-2) + s2(n-1))

in
Quote
(1)

if n is odd

= (s1- s2).(s1(n-1) + s1(n-2).s2 + ... + s1.s2(n-2) + s2(n-1))

= (s1 - s2).q(s1)

=> 1 root s1 = s2

=> no collisions

has no roots mod p.

This is incorrect.

For example

s12 + s1.s2 + s22 mod 1291

has roots.

Therefore you are correct that p would have to have a specific value to allow/disallow collisions.

The problem is my previous proof regarding an attack on the system

hm mod p = s

where

h = sn mod p

is also incorrect.

Specifically an attack could succeed if there are no collisions for a specific value of m

Basically by raising the hash to the correct power, the secret can be discovered.

From limited numerical simulation it seems that if there are no collisions, then a specific value om m exist for all s

If collisions are possible, then this attack is not possible. The downside is then that it might make a brute force
attack easier

I am therefore going to remove the paper from SSRN, as this is a major problem.

newbie
Activity: 7
Merit: 11
Hi

Hopefully this expanded proof of no collisions works. Please let me know if I have made any mistakes.


hi
i think it is still wrong  Grin

i can't find out what did you do wrong exactly in math, so i just say why i think the result is wrong.
about the math: i think you did a mistake that you get here : "Then we have to find the roots of s1n - s2n"

i repeat what i said before once : "the board of the function is limited from 0 to P-1 and as a result, the talk of no collisions is meaningless out of a limited range for s, and you have mentioned s


in general when a function is modulating it would have collisions unless we set a range on the input (here 's')
any argue with no declaration on range of s for no collisions should be false.

also i have written a simple c program that with brute force checks if there is collisions(i can share it if you ask me nice Wink   )

for every prime number less than 10,000 as P
for every number less than the P is being tested as S

for n=3 the largest number as p with no collisions was "1289"
for n=5 the largest number as p with no collisions was "73"

it shows that there are prime numbers that will give you collisions and there are ones that would not.
-------------------------------------------------------
also sorry for not being on time as i promised in previous post

newbie
Activity: 14
Merit: 177
Hi

Just thought I might share this. It is a simple attack, that the following proof shows will not work

h = sn mod p

Assume an attacker want to find a power m such that

hm mod p = s

=> s = s(n.m) mod p

=> s(n.m) - s = 0 (mod p)

The attacker would have to solve the above congruence.

Using the theorem from my previous post, this implies that the congruence can be factorized to yield

s.(s(n.m-1) - 1)

This yields roots s = 0, s = 1 and possibly s = -1 for all values of n and m

Therefore for s > 1 there are no values of m that can be used to determine the pre-image s from the hash h.
newbie
Activity: 7
Merit: 11
Hi

Hopefully this expanded proof of no collisions works. Please let me know if I have made any mistakes.

I use the following theorem

as soon as i got the time i have something to share with you, but for now let me say i think there should be more conditions on P.
i would try to update this post and tell you more in next 24 hours.
newbie
Activity: 14
Merit: 177
Hi

Hopefully this expanded proof of no collisions works. Please let me know if I have made any mistakes.

I use the following theorem

Theorem 9.5 Let p be a prime. The non-congruent numbers a1; a2; : : : ; ak are
roots of the polynomial congruence f(x) = 0 (mod p) if and only if there exist
two integral polynomials q(x) and r(x) such that
f(x) = (x - a1).(x - a2) . . . (x - ak).q(x) + p.r(x)
and deg r(x) < k.

The proof is available at www2.math.uu.se/~astrombe/talteori2016/lindahl2002.pdf

h1 = s1n mod p
h2 = s2n mod p

For collisions h1 = h2 and s1 != s2

Therefore determine roots of

(s1n - s2n) = 0 (mod p)

This is equivalent to

s1n - s2n = t.p

So for completeness sake we can find the roots of

(s1n - s2n - t.p) = 0 (mod p)

Applying the above theorem, we can set r(s1) = t

Then we have to find the roots of s1n - s2n

There are three possibilities:

1) n is odd
2) n is even and has no odd factors
3) n is even and has odd factors

-------------------------

(1)

if n is odd

= (s1 - s2).(s1(n-1) + s1(n-2).s2 + ... + s1.s2(n-2) + s2(n-1))

= (s1 - s2).q(s1)

=> 1 root s1 = s2

=> no collisions

-------------------------

(2)

n is even

= (s1(n/2) - s2(n/2)).(s1(n/2) + s2(n/2))

n/2 is even

= (s1(n/4) - s2(n/4)).(s1(n/4) + s2(n/4)).(s1(n/2) + s2(n/2))

n/m is 2

= (s12 - s22).q(s1)

= (s1 - s2).(s1 + s2).q(s1)

=> 2 roots s1 = s2 and s1 = -s2

=> has collisions

-------------------------

(3)

n is even

= (s1(n/2) - s2(n/2)).(s1(n/2) + s2(n/2))

n/2 is even

= (s1(n/4) - s2(n/4)).(s1(n/4) + s2(n/4)).(s1(n/2) + s2(n/2))

n/m is odd

= (s1(n/m) - s2(n/m)).(s1(n/m) + s2(n/m)).q'(s1)

= (s1 - s2).(s1(n/m-1) + ... + s2(n/m-1)).(s1 + s2).(s1(n/m-1) - s1(n/m-2).s2 + ... - s1.s2(n/m-2) + s2(n/m-1)).q'(s1)

=> at least 2 roots s1 = s2 and s1 = -s2

=> has collisions

-------------------------

Therefore to assure no collisions, n has to be odd and p must be a prime.

As soon as I have a chance I will update the paper with these details.
newbie
Activity: 14
Merit: 177
@empty[g]

I understand the point you are trying to make. I had not considered that issue. That is why I prefer sharing work on these forums
as you get people  looking at your work which you do not come across in daily life. Your input is much appreciated.

I will consider the point you made and will see if I can find a solution. If you do find a solution I would appreciate if you share it.

Regards

Johan
newbie
Activity: 7
Merit: 11
Hi

I've written a paper entitled: "Anonymous Atomic Swaps Using Homomorphic Hashing". It is available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3235955.

Hi,
I have read the paper several times and after so much thinking about it i still can't understand your proof of 'no collisions', and i can't see a reason for proofing it, i think if we don't have a high chance of collisions that would be enough.
About the proof its self; as i see it, you can't use rule of signs when you are using modular math.
s1n-s2n=0 (mod p) means s1n-s2n=kp where k is a member of Integers numbers, so for a fixed s1 not only s2 but k would be a variable.
also the board of the function is limited from 0 to P-1 and as a result, the talk of no collisions is meaningless out of a limited range for s, and you have mentioned s

maybe i'm just wrong, please tell me if i am.

legendary
Activity: 1456
Merit: 1175
Always remember the cause!

Quote
It is not possible to do a cross-chain atomic swap with only two transactions because you need at least one transaction on each chain, and the first transaction on each chain can be invalidated by publishing a conflicting transaction alongside it.
I doubt it. Using this proposal:

Alice issues tx1 on aliceChain sending m aliceCoins to Bob hash-locked with H(s1) after privately handing Bob (t, H(s1), H(s2))  

Bob does the same by issuing tx2 on bobCahin hash-locked with H(s2), AFTER tx1 is confirmed on aliceChain.

Now Alice should wait for tx2 to get confirmed before spending its outpoint and Bob should wait for Alice spending tx2 (and revealing s2) to be able to calculate s1 = t-s2 and spend tx1's outpoint.

 

I count four transactions in what you described.
Actually, the spend transactions are not part of the protocol itself because both parties would be able to do it as regular transactions for other purposes but if you feel more comfortable counting this way, I've no objections.


full member
Activity: 179
Merit: 151
-

Quote
It is not possible to do a cross-chain atomic swap with only two transactions because you need at least one transaction on each chain, and the first transaction on each chain can be invalidated by publishing a conflicting transaction alongside it.
I doubt it. Using this proposal:

Alice issues tx1 on aliceChain sending m aliceCoins to Bob hash-locked with H(s1) after privately handing Bob (t, H(s1), H(s2))  

Bob does the same by issuing tx2 on bobCahin hash-locked with H(s2), AFTER tx1 is confirmed on aliceChain.

Now Alice should wait for tx2 to get confirmed before spending its outpoint and Bob should wait for Alice spending tx2 (and revealing s2) to be able to calculate s1 = t-s2 and spend tx1's outpoint.

 

I count four transactions in what you described.
newbie
Activity: 14
Merit: 177
Hi vlad.gelfer

You are correct, you can use EC. Specifically the proposal by Andrew Poelstra is a manner to use Schnorr signatures on EC curves to achieve this. From what I have learnt they approaches achieves something very similar. The main differences are that this proposal would use 2 transactions and Andrew's would use 4 and that there is already a BIP in the works to make Schnorr signatures part of Bitcoin.

What I am interested in seeing is what else the Scriptless Script's of Andrew can achieve. As for this proposal, the following example is another type of transaction that it could be applied to (as discussed in previous post):
Quote
1) Alice generates a secret s1 and Bob generates a secret s2;
2) they both hash their secrets to generate h1 and h2;
3) they sum the hashes to generate ht
4) They can now use this ht in a transaction
5) If either s1 or s2 is revealed the other party can determine st which is the pre-image of ht.

Hope this answers your question
newbie
Activity: 1
Merit: 1
Hi johank!

I really like the idea.
So you're talking about the homomorphic hashing functions. But why not just use the elliptic-curve arithmetics? Indeed this is what it is - one-way homomorphic transformation.

Am I misunderstanding something?
Thanks in advance.
Pages:
Jump to: