Didn't I just break your smallness proof?
Nope. This is a long time peer-reviewed proof, r cannot leak into x because of the equations the verifier checks. Please check literature for this.
What is the error in my math
x = 2b
r = -b
m = -b + 2cb
cb <= 2cb - b <= (2^t)b - 1
c <= (2^t) - 1
2(2^t)b - 3b = (2^t)b - 1 + (2^t)b - (3b - 1)
(2^t)b <= 3b - 1
t <= 1
c = 0
2b - b <= (2^t)b - 1
b <= (2^t)b - 1
t >= 1, b >= 1
Thus Sumcoin is broken and can't be fixed, i.e. [38] "ZK-proof of membership in a much-widened interval." only applies in the non-interactive context.
(If we add to the protocol, as we really should, that Vera
refuses to believe Peter if he employs more than S loop iterations,
then there is an acceptably small probability≈ 2−St
that the whole protocol will fail even if Peter is honest.)
Such interactive proofs can be converted to non-interactive. Then the hash limits the prover. If you can see some specific technicality that I've missed in the conversion, please let me know.
If prover can try over and over again, he can find an r, c, and x > b that solve the equation per the math above. By recursing the hash, you can require the prover to find those matching metrics over several proofs, where the guess was made once for all proofs. This can decrease the probability of guessing.
And why did you remove "3.6 Optional repeated application of smallness proof" from the new version of the paper?
This is about soundness, which with t=128 in CCT is already high enough, so repeated application is not required.
Please spend more time to verify your work, as it takes me some time to get through the messages.
High enough for what? Does t=128 for the NIZKP exceed the security provided by the curve for the discrete logarithm?
Hey I am verifying my work. If I've missed something, then point it out. If you don't want me to try, then just say it.
my recent idea to expose relative weights of the outputs
We don't want to reveal which output got most of the coins. That's kind of a big deal around here. Long term network analysis would reveal everything.
Did you find any other flaw in my idea? If not, then I will be very pleased because my idea does not require any NIZKP and thus doesn't incur the cryptographic issues thereof, e.g. doesn't require huge curves. Need to evaluate the tradeoffs. Does my idea have unconditional security against inflation? Note my idea still employs your clever fuzzbits.
I've already stated upthread that when combined with mixing (e.g. Cryptonote ring sigs), then the output which got most of the coins will be obscured by the downstream mixing. But more importantly, I posited that due to mixing it won't be possible to trace back to coinbase, then the magnitude of the transfer will be unknown. Receiving 99% of a dust transaction isn't that informational. It is also possible to split a supermajority output into multiple minority outputs (which in either case says nothing about whether the outputs are large or small if mixing has been correctly employed). However, I have now contemplated that even though the output commitments to the ring of a Cryptonote mix would obscure the uncommitted magnitudes from the public, the uncommitted magnitude would be known to every member of the ring unless it was reasonable to have multiple realistic magnitudes that mapped to the same committed value? This is a crucial question and I am not knowledgeable enough about the ECC math to answer it. Can you or someone clarify? If the commitment value can not represent a multitude of realistic uncommitted magnitudes, then Cryptonote mixing would reveal the values in my design but not in yours which doesn't reveal relative weights of the outputs.
Hiding values without mixing is insufficient anonymity, because coins would still be traceable which leads to spender identity analysis such as when change outputs are merged (as inputs) into a transaction.
I'd like to see an improvement to the two weakness of Cryptonote wherein the output values (or the derivative transactions) must be equal when mixing senders in a ring for a transaction input and the rings must be mandatory for each member in the ring (otherwise combinatorial analysis can unmask the rings in some scenarios...which afaik sadly is currently unimplemented in any Cryptonote coin). The former is inefficient and complicates wallets because when paying in for example non-powers-of-10 values with Monero, the transaction ends up being multiple transactions of powers-of-10.
So assuming the answer to my crucial question above is positive, homomorphic encryption of value (my or your design) would at least hide magnitudes of transactions so that mixing would not need to be used on every transaction and when mixing is used, there will be multitude of values that can mixed in any ring. Even if the answer is negative, employing homomorphic encryption of value with multiple inputs each a Cryptonote ring, could allow the sender to mix with unequal commitments for as long as every permutation of possibilities provided the same sum. However this latter strategy would violate the need to make rings mandatory for each member in the ring, yet permutations might overlap much less frequently so this might be an alternative strategy to mandatory mixing.
Homomorphic encryption of value could be used to obscure the values even when mixes are not employed. However if the values are revealed by upstream mixing then my idea wouldn't obscure anything (unless the mandatory rings are abandoned) thus I await the answer to my crucial question.
