Date: Thu, 16 May 2013 16:51:09 +0200
From: Adam Back <adam@cypherspace.org>
To: Gregory Maxwell <gmaxwell@gmail.com>
Message-ID: <20130516145109.GA18115@netbook.cypherspace.org>
References: <20130515111906.GA26020@savin>
	<20130515114956.GA5863@netbook.cypherspace.org>
	<5193825B.20909@lavabit.com>
	<20130515162129.GB6156@netbook.cypherspace.org>
	<20130515234030.GA17920@netbook.cypherspace.org>
	<BF1C6C71-9EE5-4A2F-8B73-3E8F934A7CAE@gmail.com>
	<CAAS2fgQP6mFb0izQxZcBwqBWdxKUiAy1sG23ScAZ+tEMvGU0WQ@mail.gmail.com>
	<CANEZrP2dFi-3nZhYpaA9RfJ8N2e-GQ_YQtKMdnFfPx-9YLU6MA@mail.gmail.com>
	<CAAS2fgQQk0Lhmon4FxK7NATDVkaY13DBmJgQk4riJLE1h_Ak0w@mail.gmail.com>
	<20130516113222.GA16384@netbook.cypherspace.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <20130516113222.GA16384@netbook.cypherspace.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Hashcash: 1:20:130516:gmaxwell@gmail.com::LNimIHwUVejqrbU+:0000000000000000000
	0000000000000000000000001j+v
X-Hashcash: 1:20:130516:mike@plan99.net::1eSE9BQMc/jzRPav:001MdV
X-Hashcash: 1:20:130516:bitcoin-development@lists.sourceforge.net::xJCvlJ+sSW533
	GaP:000000000000000000002wjX
X-Hashcash: 1:20:130516:adam@cypherspace.org::bGPbiIMHgNV21TP9:00000000000000000
	0000000000000000000000003CbU
Cc: "bitcoin-development@lists.sourceforge.net"
	<bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] blind symmetric commitment for stronger
 byzantine voting resilience (Re: bitcoin taint & unilateral revocability)

More somewhat improved crypto stuff...

On Thu, May 16, 2013 at 01:32:22PM +0200, Adam Back wrote:
>I suggested fixed size committed coin spends [...]
>
>(blind-sender, auth-tag, encrypted-tx-commit)
>
>(pub key P = xG, G = base point)
>
>	blind-sender = cP (public key EC multiplied by constant c)
>	sig = ECDSA( cx, encrypted-tx-commit )
>	encrypted-tx-commit = AES( K, tx-commit )
>	K = random
>
>as K is random, knowledge of P if stored unencrypted does not allow
>committed spend-to-junk.  To reveal to a recipient just send them P and K at
>each hop.  (Same K each time, anyone on the committed coin spend chain can
>already choose to reveal at any time so no loss of security.)

Actually same K every time is not so hot, as then earlier in the committed
spend chain, can force a reveal for someone later.  A clearer requirement is
that each person should only be able to reveal committed coin chains up to
the point of their direct involvement.

So that is easily fixable, just include the K for the input committed coin
in the encrypted-tx-commit, as above but:

	encrypted-tx-commit = AES( K_i, K_{i-1} || tx-commit )
	K_i = random

(different K for each spend).

And actually for symmetric encrypted variant the coin as specified was
already evaluatable with fixed size committed spend (of the last public key)
- I just didn't realize it in the previous mail: the input public key is
necessarily revealed when processing the decrypted tx-commit, allowing
identification and validation of the txin, and validation recursively back
to the first non-committed coin.  With symmetric verification, the
limitation is one-use coin committed addresses (and inability to remove
spend to committed junk with public validation, though there is the tx fee
as a discouragement, it does bloat a recipients verification and so maybe
frustrates SPV->SPV consumption of committed coins).

(blind-sender, auth-tag, encrypted-tx-commit)

         blind-sender = SHA1( SHA256( 1, pub ) )
         auth = HMAC-SHA256-128( K, encrypted-tx-commit )
         encrypted-tx-commit = AES( K, tx-commit )
         K = SHA-256( pub )

Adam

PS: and it would be better and clearer to read also in terms of purpose of
hashes, to use a KDF like IEEE P1363 KDF2, or PKCS#5 PBKDF2 with 1
iteration, rather than ad hoc hashes for key derivation.
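The symmetric committed-spend construction and the recursive reveal described in the mail above, as an added worked example; this is not code from the mail, from Adam Back, or from any Bitcoin implementation. It makes the following assumptions of its own: public keys are 33-byte strings (compressed secp256k1 layout, but no elliptic-curve arithmetic is performed, the test keys are constructed bytes); a tx-commit is laid out as input-pub(33) || spend-data, with 33 zero bytes as the input-pub marking the first, non-committed coin; the AES call in the mail is replaced by a SHA-256 based XOR stream so the block runs on the standard library alone (a stand-in, not AES); and the key is derived with IEEE P1363 KDF2 as the PS recommends rather than the ad hoc SHA-256(pub) in the body. The `demo_ledger`, `commit`, `reveal` and `verify_chain` names are mine.

```python
"""Committed coin spends keyed symmetrically from the recipient's pub key.

Added example, not the mail's own code.  Assumptions (mine, not the mail's):
  * pub keys are 33-byte strings; test keys are constructed bytes, no EC math;
  * tx-commit = input-pub(33) || spend-data; 33 zero bytes = non-committed txin;
  * stream_xor is a SHA-256 based stand-in for the mail's AES call;
  * the key comes from IEEE P1363 KDF2 (the PS) rather than plain SHA-256(pub).
"""
import hashlib
import hmac
import struct

PUB_LEN = 33
NON_COMMITTED = b"\x00" * PUB_LEN   # input-pub value meaning "plain, public txin"
TAG_LEN = 16                        # HMAC-SHA256-128 as in the mail


def kdf2(z: bytes, length: int) -> bytes:
    """IEEE P1363 KDF2 with SHA-256: H(Z || I2OSP(i, 4)) for i = 1, 2, ..."""
    out = b""
    i = 1
    while len(out) < length:
        out += hashlib.sha256(z + struct.pack(">I", i)).digest()
        i += 1
    return out[:length]


def derive_key(pub: bytes) -> bytes:
    # Mail body: K = SHA-256(pub).  PS: use a proper KDF instead; KDF2 here.
    return kdf2(pub, 32)


def blind_sender(pub: bytes) -> bytes:
    """blind-sender = SHA1( SHA256( 1, pub ) ); the 1 is encoded as one byte."""
    return hashlib.sha1(hashlib.sha256(b"\x01" + pub).digest()).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES: XOR with SHA-256(key || block-counter) keystream.
    Keys are single-use in this design (one-use committed addresses), so
    no nonce is carried; reusing a key would leak the XOR of two commits."""
    ks = b"".join(hashlib.sha256(key + struct.pack(">Q", n)).digest()
                  for n in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))


def auth_tag(key: bytes, ct: bytes) -> bytes:
    """auth = HMAC-SHA256-128( K, encrypted-tx-commit ): MAC over ciphertext."""
    return hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]


def commit(pub: bytes, input_pub: bytes, spend_data: bytes):
    """Sender side: the fixed-size (blind-sender, auth-tag, encrypted-tx-commit)."""
    assert len(pub) == PUB_LEN and len(input_pub) == PUB_LEN
    key = derive_key(pub)
    ct = stream_xor(key, input_pub + spend_data)
    return blind_sender(pub), auth_tag(key, ct), ct


def reveal(entry, pub: bytes) -> bytes:
    """Recipient side: given pub, derive K, check the tag, decrypt tx-commit."""
    bs, tag, ct = entry
    if bs != blind_sender(pub):
        raise ValueError("pub does not match blind-sender")
    key = derive_key(pub)
    if not hmac.compare_digest(tag, auth_tag(key, ct)):
        raise ValueError("auth-tag mismatch")
    return stream_xor(key, ct)


def verify_chain(ledger: dict, pub: bytes) -> list:
    """Walk from the coin committed under pub back to the first non-committed
    coin; each decrypted tx-commit reveals the input pub and so the previous
    hop's key.  Returns the decrypted tx-commits, newest first."""
    chain = []
    while True:
        entry = ledger.get(blind_sender(pub))
        if entry is None:
            raise ValueError("no committed spend recorded for this pub")
        tx = reveal(entry, pub)
        chain.append(tx)
        input_pub = tx[:PUB_LEN]
        if input_pub == NON_COMMITTED:
            return chain
        pub = input_pub


def demo_ledger():
    """Constructed three-hop chain: non-committed coin -> A -> B -> C."""
    pub_a, pub_b, pub_c = (b"\x02" + c * 32 for c in (b"A", b"B", b"C"))
    ledger = {}
    for pub, input_pub, data in ((pub_a, NON_COMMITTED, b"coin->A"),
                                 (pub_b, pub_a, b"A->B"),
                                 (pub_c, pub_b, b"B->C")):
        bs, tag, ct = commit(pub, input_pub, data)
        ledger[bs] = (bs, tag, ct)   # indexed by blind-sender, as on-chain data
    return ledger, (pub_a, pub_b, pub_c)
```

The reveal limitation the mail asks for falls out of the key derivation: C's pub opens hop C and, through the input pub inside the decrypted commit, hops B and A, while B's pub cannot open C's entry because pub_c is not derivable from pub_b. The tag is checked before decryption, so a tampered or spend-to-junk entry is rejected at the hop where it appears rather than silently yielding garbage.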