Nxt source code flaw reports - page 16.

opticalcarrier

full member

Activity: 238

Merit: 100

Quote from: Come-from-Beyond on January 15, 2014, 05:32:23 AM

Quote from: wang_yan on January 15, 2014, 05:28:02 AM

Is anyone offering the service of creating an altcoin based on the algorithm of Nxt?

I'm launching a coin based on Nxt soon. It will use AM and Nxt blockchain. Sources will be written in JavaScript and completely open. (https://bitcointalksearch.org/topic/2-415580)

lol, you mean completely open to russian readers?

gimre

legendary

Activity: 866

Merit: 1002

Quote from: CrazyEyes on January 15, 2014, 05:28:58 AM

The visible public account number (your public key) is a maximum of 20 digits, 64 bits, long (10 as in decimal).
Anyone heard of the "birth day attack" ? For you who have not, http://en.wikipedia.org/wiki/Birthday_attack.

I hope everyone here ;p

Quote from: CrazyEyes on January 15, 2014, 05:28:58 AM

I guess it is not my "birthday", (after some hinting) Wink

and i am not going too have my small investment stolen by some 16 year old script kiddie.
Therefore, im creating my own cryptocurrency, whos with me?

It's been repeated hundred of times already, your account is your PK, which is 256bits,
once you do first trasaction, you're safe.

CrazyEyes

full member

Activity: 137

Merit: 100

Quote from: pandaisftw on January 15, 2014, 05:47:33 AM

Quote from: CrazyEyes on January 15, 2014, 05:36:33 AM

Quote from: CIYAM on January 15, 2014, 05:34:50 AM

Quote from: CrazyEyes on January 15, 2014, 05:28:58 AM

I guess it is not my "birthday", (after some hinting) Wink

and i am not going too have my small investment stolen by some 16 year old script kiddie.
Therefore, im creating my own cryptocurrency, whos with me?

You haven't understood how "accounts" work in Nxt - once you have spent from an account (or forged a block) then your public key (256 bits) is being used to protect your account.

I am talking about the visible public key, which people transfer money too.

Humble regards
j0b

I am under the impression if someone registered their public key (by sending out a transaction, alias, etc), no one else could make another account with the same 20-digit visible key (ie. the client would return an error stating that account # is in use). Your account is still safe, of course, because it is protected by 256bits.

I have tried to find the function where you get rejected because of this, however i can not find it in the src of 0.4.8e

Humble regards

Come-from-Beyond

legendary

Activity: 2142

Merit: 1009

Newbie

Quote from: pandaisftw on January 15, 2014, 05:47:33 AM

I am under the impression if someone registered their public key (by sending out a transaction, alias, etc), no one else could make another account with the same 20-digit visible key (ie. the client would return an error stating that account # is in use). Your account is still safe, of course, because it is protected by 256bits.

Right. The other guy has to chose another passphrase.

pandaisftw

full member

Activity: 224

Merit: 100

Quote from: CrazyEyes on January 15, 2014, 05:36:33 AM

Quote from: CIYAM on January 15, 2014, 05:34:50 AM

Quote from: CrazyEyes on January 15, 2014, 05:28:58 AM

I guess it is not my "birthday", (after some hinting) Wink

and i am not going too have my small investment stolen by some 16 year old script kiddie.
Therefore, im creating my own cryptocurrency, whos with me?

You haven't understood how "accounts" work in Nxt - once you have spent from an account (or forged a block) then your public key (256 bits) is being used to protect your account.

I am talking about the visible public key, which people transfer money too.

Humble regards
j0b

I am under the impression if someone registered their public key (by sending out a transaction, alias, etc), no one else could make another account with the same 20-digit visible key (ie. the client would return an error stating that account # is in use). Your account is still safe, of course, because it is protected by 256bits.

CrazyEyes

full member

Activity: 137

Merit: 100

Quote from: Come-from-Beyond on January 15, 2014, 05:39:22 AM

Quote from: CrazyEyes on January 15, 2014, 05:36:33 AM

I am talking about the visible public key, which people transfer money too.

Humble regards
j0b

Birthday attack is not a problem if u use truly random passphrase. What odds to hit an already reserved account with 10 attempts?

One in ~10^18. I do not think that is an valid argument though.

Humble regards

Come-from-Beyond

legendary

Activity: 2142

Merit: 1009

Newbie

Quote from: CrazyEyes on January 15, 2014, 05:36:33 AM

I am talking about the visible public key, which people transfer money too.

Humble regards
j0b

Birthday attack is not a problem if u use truly random passphrase. What odds to hit an already reserved account with 10 attempts?

CrazyEyes

full member

Activity: 137

Merit: 100

Quote from: CIYAM on January 15, 2014, 05:34:50 AM

Quote from: CrazyEyes on January 15, 2014, 05:28:58 AM

I guess it is not my "birthday", (after some hinting) Wink

and i am not going too have my small investment stolen by some 16 year old script kiddie.
Therefore, im creating my own cryptocurrency, whos with me?

You haven't understood how "accounts" work in Nxt - once you have spent from an account (or forged a block) then your public key (256 bits) is being used to protect your account.

I am talking about the visible public key, which people transfer money too.

Humble regards
j0b

CIYAM

legendary

Activity: 1890

Merit: 1078

Ian Knowles - CIYAM Lead Developer

Quote from: CrazyEyes on January 15, 2014, 05:28:58 AM

I guess it is not my "birthday", (after some hinting) Wink

and i am not going too have my small investment stolen by some 16 year old script kiddie.
Therefore, im creating my own cryptocurrency, whos with me?

You haven't understood how "accounts" work in Nxt - once you have spent from an account (or forged a block) then your public key (256 bits) is being used to protect your account.

Come-from-Beyond

legendary

Activity: 2142

Merit: 1009

Newbie

Quote from: CrazyEyes on January 15, 2014, 05:28:58 AM

I guess it is not my "birthday", (after some hinting) Wink

and i am not going too have my small investment stolen by some 16 year old script kiddie.
Therefore, im creating my own cryptocurrency, whos with me?

Post here the link to ur thread when u create it, plz. I support all innovative cryptocoins.

Come-from-Beyond

legendary

Activity: 2142

Merit: 1009

Newbie

Quote from: wang_yan on January 15, 2014, 05:28:02 AM

Is anyone offering the service of creating an altcoin based on the algorithm of Nxt?

I'm launching a coin based on Nxt soon. It will use AM and Nxt blockchain. Sources will be written in JavaScript and completely open. (https://bitcointalksearch.org/topic/2-415580)

CrazyEyes

full member

Activity: 137

Merit: 100

The visible public account number (your public key) is a maximum of 20 digits, 64 bits, long (10 as in decimal).
Anyone heard of the "birth day attack" ? For you who have not, http://en.wikipedia.org/wiki/Birthday_attack.

With 64 bits, 1.8 * 10^19 there would be 1% probability of collision if 1.9 * 10^8 accounts exists in the network.
If however, 5.1*10^9, 5.1 billion (people/accounts) have been created there are a chance of 50% that someone
uses a password that generates the public visible key. Now there are 6.5*10^19 people on this small planet. If 7.2*10^19
people creates an account then there is a 75% probability of collision.

With the large amounts of bruteforce attacks in the network.. 1.8 * 10^19 public key digits is not enough.

I guess it is not my "birthday", (after some hinting) Wink

and i am not going too have my small investment stolen by some 16 year old script kiddie.
Therefore, im creating my own cryptocurrency, whos with me?

Regards
j0b

wang_yan

sr. member

Activity: 448

Merit: 250

Is anyone offering the service of creating an altcoin based on the algorithm of Nxt?

Come-from-Beyond

legendary

Activity: 2142

Merit: 1009

Newbie

Quote from: gimre on January 15, 2014, 04:33:44 AM

@CfB, just to check, are you looking at this thread:

https://bitcointalksearch.org/topic/ann-nxt-bounty-for-working-javascript-code-that-signs-and-verifies-signatures-404321

Thx, I'll look at it.

gimre

legendary

Activity: 866

Merit: 1002

@CfB, just to check, are you looking at this thread:

https://bitcointalksearch.org/topic/ann-nxt-bounty-for-working-javascript-code-that-signs-and-verifies-signatures-404321

gimre

legendary

Activity: 866

Merit: 1002

Quote from: Come-from-Beyond on January 15, 2014, 02:14:06 AM

Quote from: lr127 on January 14, 2014, 11:44:36 PM

Why the "getBaseTarget" is recalculated each time for the same (last) block? For simplicity?

Yes. This is a reference code.

also it costs almost 0, and it's easier just to recalculate it, than cache it somewhere
(you'd have to place it everywhere where lastBlock is altered)

Come-from-Beyond

legendary

Activity: 2142

Merit: 1009

Newbie

Quote from: lr127 on January 14, 2014, 11:44:36 PM

I have questions about the code sometimes. Which topic is better suited to these questions?

Ask them here.

Quote from: lr127 on January 14, 2014, 11:44:36 PM

Why the "getBaseTarget" is recalculated each time for the same (last) block? For simplicity?

Yes. This is a reference code.

Quote from: lr127 on January 14, 2014, 11:44:36 PM

How can I determine that I am in the wrong chain?

U can't, all that u need is just try to stick to the "longest" chain.

Quote from: lr127 on January 14, 2014, 11:44:36 PM

Why peers that send a lot of wrong transactions are not stored in the blacklist automatically?
I can send many not verified transactions to each peer and every time they process their (through POST and GET for public which brodcast them to some other peers).

Sending data is much expensive than receiving it. For example, asymmetric home links have higher bandwidth for downloading, dedicated servers don't pay for inbound traffic, etc.

lr127

newbie

Activity: 35

Merit: 0

Come-from-Beyond

I have questions about the code sometimes. Which topic is better suited to these questions?

Why the "getBaseTarget" is recalculated each time for the same (last) block? For simplicity?

How can I determine that I am in the wrong chain?

Why peers that send a lot of wrong transactions are not stored in the blacklist automatically?
I can send many not verified transactions to each peer and every time they process their (through POST and GET for public which brodcast them to some other peers).

ImmortAlex

hero member

Activity: 784

Merit: 501

Quote from: liyi3c on January 14, 2014, 01:15:55 PM

Quote from: ImmortAlex on January 14, 2014, 12:44:15 PM

Quote from: liyi3c on January 14, 2014, 11:42:52 AM

wait. not remember if someone mentioned this before.
from line 4552 to 4631.
If the attacker send infinite garbage blocks, futureBlocks will out of memory...

Remember that famous payloadLength=2147483647?...

what's that, 2^31 - 1?

Yes. Integer.MAX_VALUE. Maximum size of array.

gimre

legendary

Activity: 866

Merit: 1002