Topic: in which anonymint can't understand winternitz (Read 1478 times)

hero member
Activity: 518
Merit: 521
I wrote that Winternitz trades some more computation for decreased space (as compared to the hash ladders scheme we were discussing).
Yes, you wrote that and I understood what you wrote— but that precisely what I was saying no to, it's actually less computation _and_ less space.

I can't calculate a logic wherein you can simultaneously understand what I wrote and logically use the word "no" in that context. I never stated that it is not less computation and space than the hash ladder. Rather I left it as an open question in that I specifically stated I needed to investigate that first. In the above quote, I was stating that Winternitz computes some additional codewords (more computation) to decrease the space, but I wasn't yet sure if that tradeoff of computation vs. space was more efficient than computing the hash ladder with a decreased w and needed to investigate first. There are two variables computation and space and without investigating it was an open question in my mind as to whether the computation was more expensive in Winternitz. After I understood it entirely, I realized the computation and space were both less.

Normally I don't wish to be so anally pedantic about the logic in casual discussion, but I was just reacting to what I perceived to be your demeanor (perhaps I was mistaken, I am not sure).

The misunderstanding above is because apparently you expect that I will not speak until I have thoroughly understood every possible aspect of a technology. Rather, being a broad person, I wade into new things and can't go deep on every one. I have to try to gauge which ones are worth my time to dive into. In this case, I was overloaded with multitasking. As it turned out, Winternitz is quite simple and it would have been more efficient had I applied the 30 minutes initially to fully digest it. But often that is not the case with research papers; they can send one down a rabbit hole of cited papers. Note I did see the t = t1 + t2 on first quick perusal and basically ignored it, because I (was in a rush and) didn't quickly see any English text mention of the opposing ladder leg. Rather the understanding (in that citation at least, and the [10] citation is not a paper I could pull up on Google) was all buried in the math of the Winternitz algorithm. Turns out the math is very easy and quick to digest.

This is the reason I haven't replied to your comments about G in the NSA and ECC thread, because I need to digest and then formulate a more holistic deep understanding of the math therein to comment meaningfully. So for the moment I've left it as "number theoretic risks" without being specific about G in the curve used versus other curve parameter methodologies. I don't doubt that your understanding is correct within some context, rather to holistically understand the assumptions involved better in characterizing whether parameter choices are really constrained, e.g. if the constraints themselves are not well constrained and arbitrary. Thus I am intuitively uncomfortable with it, especially a big industry-consortium-designed curve. One assumption I make about math is the potential for discovery of structure which is currently unknown, that renders prior arguments invalid. In any case, I feel much better about Lamport and I don't think the space issue is a problem if other counter measures are taken in the holistic design (devil in the details of course).

[As far as the ranting about thread moves, we were having an extensive sidebar about hash-based signatures in a months old thread that was very clearly about _ECC_, that's all. Nothing personal.]

Thank you. I will try to proceed from that new assumption (nothing personal).
staff
Activity: 4284
Merit: 8808
I wrote that Winternitz trades some more computation for decreased space (as compared to the hash ladders scheme we were discussing).
Yes, you wrote that and I understood what you wrote— but that precisely what I was saying no to, it's actually less computation _and_ less space.

[As far as the ranting about thread moves, we were having an extensive sidebar about hash-based signatures in a months old thread that was very clearly about _ECC_, that's all. Nothing personal.]
hero member
Activity: 518
Merit: 521
The title of this thread ("in which anonymint can't understand winternitz") that you created when you moved all the discussion above this post from where it was, is a reflection of your desire to insult and politicize all technical discussion.

It is indicative of the asshole that you are. As I told you in a private message, Vaseline works.

The word "can't" is logically incorrect. Proof is below.

So this is just trading more computation for space. The hash ladder can do this by increasing w.
No, it requires less computation (than the bidirectional enumeration)...

"No" is logically incorrect. Hey pompous asshole (with the patience of a quark) learn to read. I wrote that Winternitz trades some more computation for decreased space (as compared to the hash ladders scheme we were discussing). I also wrote that I would have to study more to see if this computation was more efficient than decreasing w in the hash ladder scheme.

...and much less space for normal choices of parameters. There are a couple additional codewords (usually two for normal parameters) but all the codewords are half the size of that ladder proposal.

I am very busy on other matters and didn't immediately put full concentration into that issue until you challenged my understanding which was based on a very quick perusal of the cited research. After looking closely for about 30 minutes, I understood.

I suppose you still have an ax to grind because I blew gaping logical holes in your CoinJoin proposal.

Don't you have any real work to do? Pitiful.

Unlike you, I don't put all my concentration into watching this forum every waking moment, nor do I put all my mental energy into cryptography all the time. Do you want others to piss on you with the same disdain when you approach a topic not in the field or domain knowledge to which you are so engrossed and dedicated for a significant portion of your life? I would hope you could appreciate the concept that people with broader skill sets (yet expert enough) can often kick the business pants off the nerds who are too narrowly focused, especially nerds like you who don't know how to interact amicably with those possessing broader (and less deep) domain knowledge.

It seems perhaps your personal evaluation of your self-worth derives from pummeling ad hominem (as opposed to non-personally directed pummeling in the market with implementation) with your domain knowledge. This is a psychological disease known as insecurity.

WTF, do you want a star on your forehead?

The true leaders of a community relish in virtues such as sharing, teaching, encouraging, etc..

Normally I would be thanking you for injecting the obscure Winternitz signature compression into this discussion since it nearly doubles the compression compared to the hash ladder scheme I was aware of. But you just can't stop yourself from being deliberately as condescending as possible.

I momentarily contemplated reporting this to other moderators and proprietors of the forum. But it simply isn't worth my time. I have more important things to do.
staff
Activity: 4284
Merit: 8808
So this is just trading more computation for space. The hash ladder can do this by increasing w.
No, it requires less computation (than the bidirectional enumeration) and much less space for normal choices of parameters. There are a couple additional codewords (usually two for normal parameters) but all the codewords are half the size of that ladder proposal.
hero member
Activity: 518
Merit: 521
Okay I see that (but I didn't digest the math yet as to your claim that it provides the same protection), there are more than n/w codewords because t = t1 + t2.

So this is just trading more computation for space. The hash ladder can do this by increasing [edited to: decreasing] w.

I need to study more to see if one is more efficient than the other.
hero member
Activity: 518
Merit: 521
Er, as far as I can see there is no protection in Winternitz against signing a different message which has a chunk value greater than the one revealed in the signature.
You see incorrectly.

I see only a single pair (and not two pairs of) secret and verification key(s) generated for each chunk of w bits:

http://www.e-reading.ws/bookreader.php/135832/Post_Quantum_Cryptography.pdf#page=45

Thus as far as I can see there is no "hash ladder" with two legs for each chunk.
staff
Activity: 4284
Merit: 8808
Er, as far as I can see there is no protection in Winternitz against signing a different message which has a chunk value greater than the one revealed in the signature.
You see incorrectly.
hero member
Activity: 518
Merit: 521
The space overhead is really considerable— even when using Winternitz compression, to the point that it couldn't be a replacement for bread and butter transactions, but I think it would be nice to support.
There is a generalization that trades computation for space that I helped elucidate:
http://en.wikipedia.org/wiki/Lamport_signature#Short_keys_and_signature
Uh, it's called a Winternitz signature. Google it.

Er, as far as I can see there is no protection in Winternitz against signing a different message which has a chunk value greater than the one revealed in the signature.

http://crypto.stackexchange.com/questions/8979/winternitz-one-time-signature

Thus there is potential theft due to a double-spend.

The hash ladder I linked to provides this protection, because each "rung" (sic, i.e. leg) accumulates in the opposite direction.
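An added illustration of the points argued in this thread (the t = t1 + t2 codeword count, the two extra checksum codewords gmaxwell mentions for normal parameters, and why a Winternitz signature cannot be reused for a message whose chunk value is larger). This is example code written for this page, not any poster's code; it assumes SHA-256, w = 8 bits per chunk, and a public key represented as the list of chain end values.

```python
import hashlib
import math
import os
W = 8                                                 # bits per chunk (the thread's w)
N = 256                                               # SHA-256 digest bits
BASE = 1 << W                                         # chain length per chunk
T1 = math.ceil(N / W)                                 # message chunks (n/w = 32)
T2 = math.floor(math.log2(T1 * (BASE - 1)) / W) + 1   # checksum chunks (2 for w=8)
T = T1 + T2                                           # total codewords (34)

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def hash_chain(x: bytes, steps: int) -> bytes:
    # Walk the one-way chain forward; walking backward would need a preimage.
    for _ in range(steps):
        x = H(x)
    return x

def to_digits(msg: bytes) -> list:
    # Base-2^w digits of the digest, then digits of the checksum C = sum(2^w-1-b_i):
    # raising any message digit lowers C, so some checksum digit must go down.
    d = int.from_bytes(H(msg), "big")
    msg_digits = [(d >> (W * i)) & (BASE - 1) for i in reversed(range(T1))]
    checksum = sum(BASE - 1 - b for b in msg_digits)
    chk_digits = [(checksum >> (W * i)) & (BASE - 1) for i in reversed(range(T2))]
    return msg_digits + chk_digits

def keygen():
    sk = [os.urandom(32) for _ in range(T)]
    pk = [hash_chain(s, BASE - 1) for s in sk]        # public key: end of each chain
    return sk, pk

def sign(sk: list, msg: bytes) -> list:
    return [hash_chain(s, b) for s, b in zip(sk, to_digits(msg))]

def verify(pk: list, msg: bytes, sig: list) -> bool:
    return all(hash_chain(s, BASE - 1 - b) == p
               for s, b, p in zip(sig, to_digits(msg), pk))

def forgeable_by_extension(signed_msg: bytes, target_msg: bytes) -> bool:
    # Holding sig(signed_msg), one can only hash chain values forward, so the target is
    # reachable only if every digit (checksum digits included) is >= the signed digit.
    a, b = to_digits(signed_msg), to_digits(target_msg)
    return a != b and all(x <= y for x, y in zip(a, b))

def checksum_blocks_forgery(trials: int) -> bool:
    # Constructed messages: no target is reachable from the signed one by hashing forward.
    signed = b"constructed: pay 1 to alice"
    return not any(forgeable_by_extension(signed, b"constructed: msg %d" % i)
                   for i in range(trials))
```

For w = 8 the constants come out to 32 message chunks plus 2 checksum chunks, 34 codewords in total.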
staff
Activity: 4284
Merit: 8808
The space overhead is really considerable— even when using Winternitz compression, to the point that it couldn't be a replacement for bread and butter transactions, but I think it would be nice to support.
There is a generalization that trades computation for space that I helped elucidate:
http://en.wikipedia.org/wiki/Lamport_signature#Short_keys_and_signature
Uh, it's called a Winternitz signature. Google it.
hero member
Activity: 518
Merit: 521
The space overhead is really considerable— even when using Winternitz compression, to the point that it couldn't be a replacement for bread and butter transactions, but I think it would be nice to support.

There is a generalization that trades computation for space that I helped elucidate:

http://en.wikipedia.org/wiki/Lamport_signature#Short_keys_and_signature
staff
Activity: 4284
Merit: 8808
@gmaxwell, in any case I think you'd have to admit that one-time use Lamport signatures employing a cryptographic hash
I like Lamport a lot— and first proposed we someday add some form of it to Bitcoin back in 2011... though straight-up Lamport's single-use-ness is a major liability (e.g. say you need to resign an input to add fees later, maybe a couple times… oops, compromised your key).

The space overhead is really considerable— even when using Winternitz compression, to the point that it couldn't be a replacement for bread and butter transactions, but I think it would be nice to support.