waxwing @waxwing@x0f.org

A very special #bitcoin event!

I've migrated my gist on RIDDLE to https://reyify.com/blog/riddle because of the dumpster fire that is github's LaTeX parsing implementation.

Comments can still go on the gist: https://gist.github.com/AdamISZ/51349418be08be22aa2b4b469e3be92f

#bitcoin #cryptography

New blog post; prove that a commitment commits to 1 or 0:

https://reyify.com/blog/commit-to-a-bit

This is the second out of a series of 3 (or 4 or 5, not sure) shorter blog posts focusing on condensed ring signatures and creating tokens from them.

#cryptography

(Another addendum: I don't know why this wasn't obvious to me yesterday, but the difference between this case and the Schnorr sig case is obvious: the latter is claiming a relation between the original commitment (pubkey), and a message. The former is making a claim *about the intrinsic properties of the original commitment*. So not freezing that starting value invalidates the claim, whereas in Schnorr, the corresponding 'false' claims that can be made, are meaningless.)

(btw correction, if I read the reasoning correct, it's not 'any value you like', it's 'a random value in under the group order' which is still a break of the system).

(Btw as per blog post there were apparently one or two actual implementations that had this vulnerability. Note that this is *another* instance of 'if you did this in a cryptocurrency you could completely invalidate inflation control, because of one slight ambiguity in an academic paper'. I think this is the *third* such instance, or maybe even more).

.. but it's still worth fixing the key in the F-S challenge, just to make the security proofs that much more watertight.

But it turns out in Bulletproofs the absence of prefixing *completely invalides the range proof*!

And it seems that because of language in the paper that vaguely says 'do the F-S challenge without the commitment' (section 4.4), i.e. there is no 'commitment-prefixing', you can backsolve the commitment to be to any value you like.

(2/2)

This story strongly relates to "key prefixing":

https://blog.trailofbits.com/2022/04/15/the-frozen-heart-vulnerability-in-bulletproofs/

The ambiguity is that the Fiat Shamir transform is conceptually 'hash the transcript of the conversation up to the challenge'; but where does the conversation *start*?

In basic Schnorr you can "forge" signatures on e.g. unpredictable keys, if you don't key-prefix (i.e. you don't start the conversation with the public key), which isn't important *most* of the time, ... (1/2)
#cryptography

Github's equation rendering in markdown is proving somewhere between janky and unusable.

Ping @nothingmuch what is 'org mode' as per https://github.com/nothingmuch/org-math-test/blob/main/README.org ? (discovered it while searching for comments about this issue).

New short blog post giving an answer to a homework question I set in the conference in London :)

https://reyify.com/blog/homework-answer-advancing-2022

As noted I'm writing this now because it leads into something I'll probably blog about this new linkable ring sig/RIDDLE/credentials thing I've been looking into. It's fairly involve so breaking it up into pieces.

#cryptography #bitcoin

Interesting summary of recent Lightning dev meeting, about future developments:

https://lists.linuxfoundation.org/pipermail/lightning-dev/2022-June/003600.html

#bitcoin #lightning