1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
|
Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193]
helo=mx.sourceforge.net)
by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <etotheipi@gmail.com>) id 1WMCLI-0002Xi-CT
for bitcoin-development@lists.sourceforge.net;
Sat, 08 Mar 2014 08:10:48 +0000
Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of gmail.com
designates 209.85.216.176 as permitted sender)
client-ip=209.85.216.176; envelope-from=etotheipi@gmail.com;
helo=mail-qc0-f176.google.com;
Received: from mail-qc0-f176.google.com ([209.85.216.176])
by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1WMCLG-0001XZ-Lm
for bitcoin-development@lists.sourceforge.net;
Sat, 08 Mar 2014 08:10:48 +0000
Received: by mail-qc0-f176.google.com with SMTP id m20so5848541qcx.35
for <bitcoin-development@lists.sourceforge.net>;
Sat, 08 Mar 2014 00:10:41 -0800 (PST)
X-Received: by 10.224.71.209 with SMTP id i17mr26951094qaj.29.1394266241261;
Sat, 08 Mar 2014 00:10:41 -0800 (PST)
Received: from [192.168.1.85] (c-76-111-96-126.hsd1.md.comcast.net.
[76.111.96.126])
by mx.google.com with ESMTPSA id 30sm16638305qgt.4.2014.03.08.00.10.40
for <bitcoin-development@lists.sourceforge.net>
(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Sat, 08 Mar 2014 00:10:40 -0800 (PST)
Message-ID: <531AD080.40501@gmail.com>
Date: Sat, 08 Mar 2014 03:10:40 -0500
From: Alan Reiner <etotheipi@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: bitcoin-development@lists.sourceforge.net
References: <CA+su7OUMgeWgkMFAmmMEpW3eN=cvU47MKt51idDrmCWEiCb+VQ@mail.gmail.com>
In-Reply-To: <CA+su7OUMgeWgkMFAmmMEpW3eN=cvU47MKt51idDrmCWEiCb+VQ@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/alternative;
boundary="------------010407060002090009010908"
X-Spam-Score: -0.6 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(etotheipi[at]gmail.com)
-0.0 SPF_PASS SPF: sender matches SPF record
1.0 HTML_MESSAGE BODY: HTML included in message
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1WMCLG-0001XZ-Lm
Subject: Re: [Bitcoin-development] Is this a safe thing to be doing with ECC
addition? (Oracle protocol)
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Sat, 08 Mar 2014 08:10:48 -0000
This is a multi-part message in MIME format.
--------------010407060002090009010908
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
On 03/08/2014 01:55 AM, Edmund Edgar wrote:
> On 4 March 2014 14:07, Odinn Cyberguerrilla
> <odinn.cyberguerrilla@riseup.net
> <mailto:odinn.cyberguerrilla@riseup.net>> wrote:
>
> Nothing is safe.
>
>
> This is true. To rephrase, imagine I gave you an ECC public key
> <ed_pub>, you gave me back a public key <odinn_pub> of your own
> devising, then I paid some money to the address resulting from
> add_pubkeys(<ed_pub>,<odinn_pub>) [1]. Can anyone either:
>
> a) Think of a way that Odinn could make an <odinn_pub> such that they
> could spend the resulting money without having <ed_priv>.
> b) Opine, somewhat knowledgeably, that this probably wouldn't be an
> easy thing to do, and they wouldn't be alarmed to see people running
> software that did this kind of thing.
>
> [1] https://github.com/vbuterin/pybitcointools/blob/master/pybitcointools/main.py#L173
Consider that I see your public key <a_pub> before I create and send you
my public key <b_pub>.
I create a new keypair, <c_pub> with <c_priv> which I know (it can be
any arbitrary key pair). But I don't give you <c_pub>, I give you
<b_pub> = <c_pub> minus <a_pub> (which I can do because I've seen
<a_pub> before doing this).
Sure, I don't know the private key for <b_pub>, but it doesn't matter...
because what
<b_pub> + <a_pub> = <c_pub> (mine)
You have no way to detect this condition, because you don't know what
c_pub/c_priv I created, so you can only detect this after it's too late
(after I abuse the private key)
-Alan
--------------010407060002090009010908
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 03/08/2014 01:55 AM, Edmund Edgar wrote:<br>
<blockquote
cite="mid:CA+su7OUMgeWgkMFAmmMEpW3eN=cvU47MKt51idDrmCWEiCb+VQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On 4 March 2014 14:07, Odinn
Cyberguerrilla <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:odinn.cyberguerrilla@riseup.net"
target="_blank">odinn.cyberguerrilla@riseup.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Nothing
is safe.<br>
</blockquote>
<div><br>
</div>
<div>This is true. To rephrase, imagine I gave you an ECC
public key <ed_pub>, you gave me back a public key
<odinn_pub> of your own devising, then I paid some
money to the address resulting from
add_pubkeys(<ed_pub>,<odinn_pub>) [1]. Can
anyone either:</div>
<div><br>
</div>
<div>a) Think of a way that Odinn could make an
<odinn_pub> such that they could spend the resulting
money without having <ed_priv>.</div>
<div>b) Opine, somewhat knowledgeably, that this probably
wouldn't be an easy thing to do, and they wouldn't be
alarmed to see people running software that did this kind
of thing.</div>
<div><br>
</div>
<div>[1] <a moz-do-not-send="true"
href="https://github.com/vbuterin/pybitcointools/blob/master/pybitcointools/main.py#L173"
target="_blank">https://github.com/vbuterin/pybitcointools/blob/master/pybitcointools/main.py#L173</a><br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Consider that I see your public key <a_pub> before I create
and send you my public key <b_pub>.<br>
<br>
I create a new keypair, <c_pub> with <c_priv> which I
know (it can be any arbitrary key pair). But I don't give you
<c_pub>, I give you <b_pub> = <c_pub> minus
<a_pub> (which I can do because I've seen <a_pub> before
doing this). <br>
<br>
Sure, I don't know the private key for <b_pub>, but it doesn't
matter... because what <br>
<br>
<b_pub> + <a_pub> = <c_pub> (mine)<br>
<br>
You have no way to detect this condition, because you don't know
what c_pub/c_priv I created, so you can only detect this after it's
too late (after I abuse the private key)<br>
<br>
-Alan<br>
</body>
</html>
--------------010407060002090009010908--
|