Author

Topic: Satoshi Nakamoto signature algorithm (Read 1105 times)

newbie
Activity: 1
Merit: 0
December 29, 2015, 12:28:03 PM
#11
Guys, Satoshi or not aside, has anyone tried to judge the paper on it's merits?

After some digging I've found perhaps the only opinion on this paper for now, and it's from Bram Cohen himself: https://www.reddit.com/r/crypto/comments/3yhwwv/hash_tube_signature_scheme/cye6k29

Here's his take in full:
Quote
I think I know where he's going with this. There are three things going on here: A claim to being the original satoshi, a new-ish primitive and a method of using it. For the sake of clarity, I'll address these in reverse order.

What the author appears to want is a signature scheme which allows any other party to sign arbitrary values if it's used more than once. This provides some disincentive to double-spends, because it turns attempts at double-spends into things which can get stolen by miners. That doesn't block everything, because miners have to be co-consipirators in some double-spending schemes anyway, but it is something. It can also cause problems for adjusting fees with replace by fee, and even worse for transactions which you give up on because the fees are too high, thus rendering the original utxo completely unspendable.

This intention is speculative because of how the paper is truncated though. What I can comment on a bit better is the new-ish primitive. I believe that for signatures the public key should be the bottom of the hash tube, and the signature should consist of two of the three values at the top, followed by one for each of the layers below it until the bottom. The game here is that a verifier can calculate one of the values at each layer based on the two values they have from the previous layer, and which of the two unknown values on the new layer should be revealed is determined by a bit of the value to be hashed. If the value at the very bottom matches with the public key, the signature is accepted.

The clever thing about this is that if someone signs more than one thing, then at each layer of the tube there's a 1/2 chance that the two signatures combined give away all of the layers of the tube afterwards (The top layer at 2/3 is a bit special, and in practice would probably be hacked to be 1/2 for simplicity). If they differ at the very beginning that means that an attacker can literally sign anything.

Unfortunately there's a fairly good attack on this scheme. If you want to sign two things and make it hard for an attacker to sign anything with the result you can make a long-ish partial collision starting at the beginning. The longest such collision you can make is based on a birthday attack where you generate lots of semantically similar versions of the two things you're trying to both sign, sort both lists, and find the longest shared prefix. Because this is a birthday attack, it will generate on average a prefix whose length is about double the scale of the number of operations you did. Unfortunately someone trying to sign another arbitrary value will need to do a full reversal of the specific value you came up with, so this attack might be effective at getting away with solving two values rather than one. It doesn't work for more than two values though, and there may be a way of fixing it but one isn't coming immediately to mind (I only came across this an hour ago and haven't thought about this technique previously.)

I've thought about this problem before and came up with a much cruder but clearly effective technique, which is that rather than having to reveal half the preimage values you have to reveal 99% of them. That can make the signatures much larger, but there's a trick to fix that: Instead of each preimage value being chosen independently, they're all generated off a single root in a tree formation. When there's a long string of values whose preimage is to be included, instead of including them individually you give the branch which generated all of them. This optimization doesn't fix the time required to generate and verify signatures, but it does make them small again.

Both of these techniques completely break winternitz compression, so the signatures are larger than with the most size-optimized secure hash based signatures.

On the final question, of whether this is the original Satoshi: Absolutely not. The thinking about protocols as a whole is too muddled, the emphasis is too much on a new primitive, and the english is way too broken. That said, the author is clearly a very smart person. I've spent some time thinking about the core primitive which hash tubes are trying to make, and while hash tubes may have a serious problem they're a technique which I didn't think of and might have a simple fix and are a lot less ugly than the workable but yuck approach I came up with.

(this is my first post here, so sorry in advance if I unknowingly broke any rules).
legendary
Activity: 1904
Merit: 1074
December 29, 2015, 03:07:39 AM
#10
Woah, children, Satoshi is not real just like your bit coins.
At our bank we are going to integrate blockchain technology, it's gonna be used
and it's going to be real money not your virtual nonsense.

get a life

And when it fails, you will come back here and blame all of us. Stop trolling other people's threads with these pipe dreams. Bitcoin will always be the original idea and the rest will be

cheap copy cats. The banks should stop stealing other people's ideas, and come up with their own innovation and creativity, but it's clear that they have none.

Back to the topic on hand... The real Satoshi would sign his work with his PGP key... otherwise it's just fake or a cheap effort to ride on the back of his fame.
sr. member
Activity: 343
Merit: 254
From The New World
December 29, 2015, 01:21:14 AM
#9
The case for a creator from a journalistic standpoint  is great. For the people that are using it and working on BTC  it is irrelevant. However, when I heard Satoshi say "I am not Dorian Nakamoto". I was excited for a moment but questioned if it really was him.
sr. member
Activity: 341
Merit: 250
December 28, 2015, 05:38:22 PM
#8
I know how silly this might seem, especially that I felt rather dumb, ...

Yes, I hate to burst your bubble, but anyone can create an account with the name satoshinakamoto2015. For the record, I am not Satoshi Nakamoto.

right...real satoshi wouldn't have been lame enough to string along a paper one page at a time like that

If the real Satoshi wanted to publish a paper he would sign it with his PGP key, or a Bitcoin address associated with him. By signing it he would remain anonymous but leave no doubt who the author of the paper was. After the Australian fake Satoshi drama he wouldn't publish something and leave people guessing if it was really published by him.
legendary
Activity: 1456
Merit: 1018
HoneybadgerOfMoney.com Weed4bitcoin.com
December 28, 2015, 05:22:17 PM
#7
I know how silly this might seem, especially that I felt rather dumb, ...

Yes, I hate to burst your bubble, but anyone can create an account with the name satoshinakamoto2015. For the record, I am not Satoshi Nakamoto.

right...real satoshi wouldn't have been lame enough to string along a paper one page at a time like that
legendary
Activity: 2296
Merit: 2262
BTC or BUST
December 28, 2015, 05:10:57 PM
#6
I am not Satoshi Nakamoto.

Hmmm.... Just what I'd expect the real Satoshi to say...
newbie
Activity: 1
Merit: 0
December 28, 2015, 04:41:33 PM
#5
I know how silly this might seem, especially that I felt rather dumb, ...

Yes, I hate to burst your bubble, but anyone can create an account with the name satoshinakamoto2015. For the record, I am not Satoshi Nakamoto.
legendary
Activity: 1456
Merit: 1018
HoneybadgerOfMoney.com Weed4bitcoin.com
December 28, 2015, 03:50:51 PM
#4
its not satoshi.. your just trying to drum up some free advertisments for your website by claiming a white paper is an "exclusive" news worthy thing..

by the way. im not tempted to look on your site. due to your sad and transparent methods of lies and tricks to get viewers..
if the white paper is any good im sure it will be available elsewhere later, and thats where i would read it.. elsewhere.

so im sorry but doing ethically negative tactics to get viewers is just ruining your rep. you have proved you make up stories, and your only 2 weeks old..

may your website never get fame and you learn a hard lesson about dodgy tactics..




what an asinine thing to say...jeez where does my site stand in comparison???
hero member
Activity: 1106
Merit: 521
December 28, 2015, 10:17:35 AM
#3
Ladies , ladies, calm down, Christmas is just over and its nearly a new year........ Grin
legendary
Activity: 4424
Merit: 4794
December 28, 2015, 09:44:49 AM
#2
its not satoshi.. your just trying to drum up some free advertisments for your website by claiming a white paper is an "exclusive" news worthy thing..

by the way. im not tempted to look on your site. due to your sad and transparent methods of lies and tricks to get viewers..
if the white paper is any good im sure it will be available elsewhere later, and thats where i would read it.. elsewhere.

so im sorry but doing ethically negative tactics to get viewers is just ruining your rep. you have proved you make up stories, and your only 2 weeks old..

may your website never get fame and you learn a hard lesson about dodgy tactics..

sr. member
Activity: 689
Merit: 269
December 28, 2015, 09:13:06 AM
#1
I know how silly this might seem, especially that I felt rather dumb, after publishing page 1 of the “Hash Tube Signature Scheme” paper, which is claimed to be written by Satoshi Nakamoto a few days ago. However, I have just received page 2 of the same paper and checked its content to make sure it was unique, and unique it was after checking its content via Copyscape and reasoning its info according to my own experience and educational background.

It all sounds strange, especially that Bitcoin News Channel is less than 2 weeks old. Why did the sender choose us for publishing his/her paper? My confusion is growing madly, but I will have to share the part of page 2 that included description of the process of hash tube construction with you all. Here we go:


http://bitcoinnewschannel.com/2015/12/27/page-2-of-the-hash-tube-signature-scheme-credited-to-satoshi-nakamoto/
Jump to: