Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WMCyu-0001hA-0u for bitcoin-development@lists.sourceforge.net; Sat, 08 Mar 2014 08:51:44 +0000 Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.192.172 as permitted sender) client-ip=209.85.192.172; envelope-from=edmund.edgar@gmail.com; helo=mail-pd0-f172.google.com; Received: from mail-pd0-f172.google.com ([209.85.192.172]) by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1WMCys-0000Co-TZ for bitcoin-development@lists.sourceforge.net; Sat, 08 Mar 2014 08:51:43 +0000 Received: by mail-pd0-f172.google.com with SMTP id p10so5031925pdj.17 for ; Sat, 08 Mar 2014 00:51:37 -0800 (PST) MIME-Version: 1.0 X-Received: by 10.66.145.166 with SMTP id sv6mr27644017pab.31.1394268697069; Sat, 08 Mar 2014 00:51:37 -0800 (PST) Sender: edmund.edgar@gmail.com Received: by 10.68.32.5 with HTTP; Sat, 8 Mar 2014 00:51:37 -0800 (PST) In-Reply-To: <531AD080.40501@gmail.com> References: <531AD080.40501@gmail.com> Date: Sat, 8 Mar 2014 17:51:37 +0900 X-Google-Sender-Auth: Xa0bVA9yfX-eNuDGUHrD-NP60p0 Message-ID: From: Edmund Edgar To: bitcoin-development@lists.sourceforge.net Content-Type: multipart/alternative; boundary=047d7b6783f6690f9504f4147a74 X-Spam-Score: -0.5 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (edmund.edgar[at]gmail.com) -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [209.85.192.172 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1WMCys-0000Co-TZ Subject: Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol) X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Mar 2014 08:51:44 -0000 --047d7b6783f6690f9504f4147a74 Content-Type: text/plain; charset=UTF-8 On 8 March 2014 17:10, Alan Reiner wrote: > I create a new keypair, with which I know (it can be any > arbitrary key pair). But I don't give you , I give you = > minus (which I can do because I've seen before > doing this). > > Sure, I don't know the private key for , but it doesn't matter... > because what > > + = (mine) > > You have no way to detect this condition, because you don't know what > c_pub/c_priv I created, so you can only detect this after it's too late > (after I abuse the private key) > Thanks Alan and Forrest, that makes sense. So to salvage the situation in the original case, we have to make sure the parties exchange their public keys first, before they're allowed to see the public keys they'll be combining them with. -- -- Edmund Edgar Founder, Social Minds Inc (KK) Twitter: @edmundedgar Linked In: edmundedgar Skype: edmundedgar http://www.socialminds.jp Reality Keys @realitykeys ed@realitykeys.com https://www.realitykeys.com --047d7b6783f6690f9504f4147a74 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
On 8= March 2014 17:10, Alan Reiner <etotheipi@gmail.com> wrote= :
=C2=A0
I create a new keypair, <c_pub> with <c_priv> which I know (it can be any arbitrary key pair).=C2=A0 But I don't give you <c_pub>, I give you=C2=A0 <b_pub> =3D <c_pub> minus <a_pub> (which I can do because I've seen <a_pub> befor= e doing this).=C2=A0

Sure, I don't know the private key for <b_pub>, but it doesn&= #39;t matter... because what

<b_pub> + <a_pub> =3D <c_pub> (mine)

You have no way to detect this condition, because you don't know what c_pub/c_priv I created, so you can only detect this after it's too late (after I abuse the private key)

Thanks Alan and Forrest, that makes sense. So to salvage the situat= ion in the original case, we have to make sure the parties exchange their p= ublic keys first, before they're allowed to see the public keys they= 9;ll be combining them with.=C2=A0

--
--=C2=A0
Edmund= Edgar
Founder, Social Minds Inc (KK)
Twitter: @edmunde= dgar
Linked In: edmundedgar
Skype: edmundedgar
http://www.social= minds.jp

Reality Keys
@realitykeys
--047d7b6783f6690f9504f4147a74--