Topic: delete - page 83. (Read 165547 times)

That is not what I sent to smooth in private. I said the attacker could have sent the coins to recipient thus attacker would know P = xG = H(rA)+B, since the public key is (A,B) and sender of the tx chooses r.

https://cryptonote.org/whitepaper.pdf#page=7


They forgot that using my proposed de-anonymization algorithm i == s can be known, thus c is known.

So we have 2 unknowns x and q and 3 equations.


Duh! Did they really assume I am that stupid. Hubris is the source of many failures.


Thanks for dumping their condescending attitude in public. I guess you were hoping for revenge for the upthread exchange between you and I?

I aced college Linear Algebra in 1985. And I aced college Calculus I in night school at college while I was still in high school in 1983.

I sent my suggestion to smooth with the implied (from earlier discussion) caveat that I was not providing a complete analysis nor was I sure there is a vulnerability. So I was under no obligation to follow what "real mathematicians" do because I don't have skin in this game. I am not trying to prove myself in the math field. I was simply trying to help develop ideas for what could have any chance of being BCX's alleged exploit. It is not my role to take it further than that. I had already provided a real anonymity attack with pseudocode, thus this was off-the-cuff quick suggestion to smooth was purely me trying to help share ideas. Not to be used as fodder to insult me in public.


I didn't see that. Where is that written or it just an assumption? I noticed the requisite mod l are implied and not written. So this must be one of those typical things you are supposed to know and is not explicit?

But note above we have 3 equations and afaics only 2 unknowns.

I should have avoided the alcohol with my popcorn last night.

Anything fun happen? 

~BCX

You'll excuse the curt reply, but I'm just going to infodump from IRC, as we're quite tight on time -


[15:48:52] sarang: I can't prove a negative
[15:48:54] sarang: that's the trouble
[15:49:05] sarang: I can't say "there is no way to use three equations like that to recover x, here's proof"
[15:49:11] sarang: I can only say "there are no known ways to do so"
[15:49:36] sarang: The onus is on him. Unfortunately, if the world wants us to counter it with Magic Negative Proof, then they'll be disappointed
[15:50:37] sarang: But, let me review out loud
[15:50:45] sarang: We know I=xH(P) is one equation
[15:51:36] sarang: We know r=q-cx is another
[15:51:50] sarang: and we know x=H(aR)+b is a third
[15:52:00] sarang: You have, indeed, three equations for x
[15:52:19] sarang: How many unknowns is important here (though the security of ECDLP is important too)
[15:53:25] sarang: Unknowns are x itself, q, c, a, b, and technically r since it's indexed
[15:53:40] sarang: Given three equations and six unknowns, he can go right back to the drawing board
[15:56:43] sarang: So my answer to him would be that the private key is obscured in all cases by either the ECDLP or random affine goodness
[15:57:06] sarang: and that the three equations means that you STILL have three extra degrees of freedom
[15:57:41] sarang: and the degrees of freedom are carefully chosen from random distributions
[15:57:55] sarang: If he has an actual attack or a suggestion of how to reduce the parameter space, fine, share it
[15:58:21] sarang: But we don't spend our time proving negatives... we review carefully and hunt down any flaws we see that seem reasonable given our expertise
[15:59:42] sarang: If he wants to argue with linear algebra or the ECDLP, he can go right ahead
[15:59:48] sarang: Those are better listeners anyway
[16:00:28] sarang: We don't need to explain how linear algebra works anyway... it's assumed the whitepaper is written for someone who knows what all those little symbols mean
[16:02:56] sarang: Real mathematicians don't rub unknowns in people's faces. They point out flaws and offer constructive input
[16:06:31] sarang: Oh, and the equations use different base points, so you gain no benefit from a common base point

id laugh if price tanks so they make no money

The price swing in Stolli is not bothering BCX, that's for sure.  His problem is keeping his permanent clown hat dry the next time he collapses in the lonely pool of vomit, stolli, tears and piss he calls a bed.

he got at least 500 BTC of cheap Moneros to trade in 2 weeks time at double price. Or he wil hold to get 10 times profit soon. Who knows.
All this newbie accounts shilling and trolling and FUDing was his "friends in crime". Rich people, want to get richer.  Attack started a week or 2 ago and ended 2 days ago.

But thing is, they expected with all this effort they put in to get their Moneros at 0.001BTC.

That was a no show. Was hoping for some fun. Had popcorn ready too.
BCX is probably laughing at the price swing.

i have a new wallpaper now :p

My response:

https://bitcointalksearch.org/topic/m.8942201

agreed on both points

Please ask smooth for the last insight, because I didn't want to share it publicly until they have evaluated it and are ready to refute or fix it publicly. And you may read my upthread posts which revealed the terse formal details of the prior insights.

it was just a friendly advice but not out of fear that he or she would succeed... my faith in monero is stronger then ever, the only concern i have is this whole drama wastes our developers' time when they can spend it on other pending things and move things forward... well i guess "forced evolution" was meant to happen and this will bring profound long terms benefits to monero...     

No offence there, but is it possible to have a more formal explanation of what you have discovered.
Talking in blured shadow turns things understandable.

I can understand the math, to feel free to really enter into details.

Thanks you in advance !

That doesn't mean they don't have the expertise. They probably weren't looking at what I had the insight on. Now they can look because insight has been shared with them. I believe they only considered the two simultaneous equations, because that is what they were told to look at. Or they did see those extra equations and dismissed them as irrelevant for some reason.

Different people have different epiphanies at different times. I am out of practice on math because I don't use it in programming much. That was nearly 3 decades ago that I was in university. Cryptography gives me a chance to use it more, but I find that a lot of concepts slipped away from me over the years. Might be an age effect. They say our peak ability to discover new math is in our 20s or at most 30s. By 40s, we are reduced to being managers and teachers. I am trying to prove to myself this is not so and I pushing 50. Worsened by being out-of-practice, unlike for example Bruce Schneier.

Well you're way ahead of me.

If the mathematicians that looked over the CryptoNote whitepaper missed what you have found, does that mean that perhaps there are no other people who can actually look into this with any degree of expertise?

If so, the Monero team must approach the wider Cryptography community for assistance.

I wonder if we can pay Bruce Schneier to have a look? He might solve the issue in a heartbeat.

Cross-posting...


Are you qualified to evaluate an anonymity algorithm that isn't even adequately described?

http://neoscoin.com/whitepaper/neoscoin.pdf

http://www.coinssource.com/neoscoin-is-a-different-breed-of-digital-currency/

Afaik, Cloakcoin, Darkcoin, jl777's Telepods, BTCD, and this (Neocon) are all suffering in one way or another from serious Sybil or DoS (on the anonymity, e.g. see what is happening to Bitmessage now) vulnerabilities. Their algorithms are also continually being "refined" which means to me "changing".

If they ever formally and technically fully specify their algorithms, then I can evaluate if their algorithms can be de-anonymized. Based on past digging, I think that (de-anonymization via Sybil or DoS) is very likely.

I am not saying their experiments are not worthy. But they are experiments and not well specified (yet).

Add:

Will be useful to develop a whitepaper comparing CN anonymity to off chain anonymity. The recent insight I provided might be helpful for quantifying this comparison.

I can contribute to such a whitepaper.

https://bitcointalksearch.org/topic/m.8861544


That doesn't sound like stealing wallets by running a TW attack to reset the coinbase mining rewards, which is another way to erase wallets.

There is one possible interpretation where if it is possible to so mix up the txs with rings during the TW attack, so it makes it impossible to unwind it. But I doubt that is what he meant above.

Note my post yesterday that I sent a new math insight to the devs. I did not confirm anything, but I guess there is an extremely unlikely chance someone found a way to break private keys. I assume the mathematicians are looking at it.

Note the original title of this thread was saying I confirmed the exploit. And when I posted in this thread noting that there are two simultaneous equations, that is when BCX said "exactly" he must do the attack because presumably I revealed too much about the exploit.

The mathematicians showed the two simultaneous equations is equivalent to Diffie-Helman exchange thus not broken. I responded with a third simultaneous equations over an orthogonal number space (afaik multiplication and subtraction do not inhabit the same field). Since then I have discovered another similar insight which I informed the developers about. My current math abilities are such that I don't know if I can be of more assistance on that.

I really don't understand this attitude. If Monero can be killed by one dude, then it's not worth investing in.

Pleading for him to stop is illogical, BCX must push on and do his best, that way the Monero team can learn and become stronger.

Monero must be tested.

BCX has not proved his point, I see no attack thus far.

I want to see how this plays out.

wow.. serious amount of personal info here.. look BCX i don't know what your real motivation is unless you're serving other interests behind you... but just remember things like these don't get buried that easily, this shit will haunt you and you're now at a point where you can turn events to your favor and let community remember you in a good way or you can go full retard and face the consequences... don't pay attention to the trolls that provoke you, they're just using you to push their own shit.. i get it, you proved your point and got the community's attention but for fuck's sake put your skills and resources to good use for once and let community thank you for a long time..  

Except that his reputation is permanently slandered.

Are you forgetting that BCX said he had an exploit, sandbox tested too, that could steal funds from private keys?

Am I dumb, or is this not what a time warp attack is? Even if BCX succeeds in a time warp, his reputation is still ruined, because he lied.

I must be missing half the story.