- Elliptic Curve Digital Signature Algorithm - Bitcoin Wiki
- Secp256k1 - Bitcoin Wiki
- Elliptic Curve Digital Signature Algorithm – BitcoinWiki
- How does ECDSA work in Bitcoin. ECDSA (‘Elliptical Curve ...
- Acceleration of ECDSA Verification with Endomorphism ...

Recently I've read about point addition in elliptic curves and the ECDSA and became curious about how it is applied in the bitcoin code.

I've learned that the main idea is, given a point P in the elliptic curve, the relation is:

**X = xP**, where **x** is the 256-bit integer number Private Key and **X** is the Public Key.

So, my questions are:

1 - How is the point P "chosen"? Is it the same everytime? Or is it randomized?

2 - How is X format defined? Do you just concatenate the x and y coordinates of P?

submitted by marcelo10fr1 to Bitcoin [link] [comments]
I've learned that the main idea is, given a point P in the elliptic curve, the relation is:

So, my questions are:

1 - How is the point P "chosen"? Is it the same everytime? Or is it randomized?

2 - How is X format defined? Do you just concatenate the x and y coordinates of P?

submitted by rulesforrebels to BinanceTrading [link] [comments] |

submitted by rulesforrebels to BinanceTrading [link] [comments] |

submitted by eragmus to Bitcoin [link] [comments] |

submitted by BitcoinAllBot to BitcoinAll [link] [comments] |

submitted by bitcoinagile to Bitcoin [link] [comments]

Hi Monero community!

Two months ago I posted a CCS for continuing my research on Monero Atomic Swaps. That research is now complete and I'm happy to present my results.

This post will be a summary of my research, but you can also find the whitepaper that describes the full protocol and all the details here.

## Shiny BTC/XMR Atomic Swap Protocol!

**We found it!** With the help of the MRL, my colleagues, and the community, we created the first (to our knowledge) protocol to atomically swap bitcoin and monero. And this resulting protocol is implementable today - no more obscure crypto!

### Why now? What changed?

When I started studying Monero for a Bitcoin/Monero atomic swap three and a half years ago, most of the swap protocols where based on 'Hash Time Locked Contract' (HTLC), something that we all know as non-existent on Monero. So the goal at the beginning of the project was to create an atomic swap where all the logic (timeouts, possible sequences of operation, secret disclosures, etc) is managed on the other chain: the Bitcoin chain.

The second difficulty with Monero and Bitcoin is their respective underlying cryptographic parameters: they don't share the same elliptic curve, they don't share the same signing algorithm; they have nothing in common! This makes the pair a bad candidate for other types of atomic swap that don't (solely) rely on HTLC.

In November 2018 we came up with a draft protocol that respects the above constraints. Thus, the protocol requires a specific type of zero-knowledge proof to be trustless: a hash pre-image zero-knowledge proof. This type of zkp is not wildly used in practice, if at all. Thus the protocol works in theory, but with some obscure crypto, making the protocol a bad candidate for an implementation.

In early 2020, after presenting the draft protocol at 36C3 in December 2019, I discovered, by reference from Sarang Noether (MRL), Andrew Poelstra's idea of doing a*discrete logarithm equality across group zero-knowledge proof of knowledge* (MRL-0010), meaning that we can prove some relations between elements in two different groups (two curves to simplify) and the paper by LLoyd Fournier on One-Time Verifiably Encrypted Signatures allowing secret disclosure with ECDSA.

With these two new (to me) cryptographic primitives, we were able to replace the previous zero-knowledge proof with a combination of the latter, making the protocol complete and practically feasible.

### How it works

As a broad overview (and simplified) the protocol work as follow:

### Next steps

The obvious next step would be to have a working implementation on mainnet, but a ready-to-use implementation that is also robust and safe-to-use requires a lot of engineering work. Furthermore, even though the cryptography is not too obscure, most of it still also lacks an implementation.

I'll post soon, if the community wants it, a CCS proposal to get my team and I to work on implementing this protocol, step by step, with the end goal of creating a working client/daemon for swapping Bitcoin and Monero. It would be very exciting to build that!

### Conclusion

Thanks to the MRL and its researchers for their help, the CCS team, and the community for its support!

I hope I fulfilled the community's expectations for my my first CCS - all feedback is appreciated.

submitted by h4sh3d to Monero [link] [comments]
Two months ago I posted a CCS for continuing my research on Monero Atomic Swaps. That research is now complete and I'm happy to present my results.

This post will be a summary of my research, but you can also find the whitepaper that describes the full protocol and all the details here.

The second difficulty with Monero and Bitcoin is their respective underlying cryptographic parameters: they don't share the same elliptic curve, they don't share the same signing algorithm; they have nothing in common! This makes the pair a bad candidate for other types of atomic swap that don't (solely) rely on HTLC.

In November 2018 we came up with a draft protocol that respects the above constraints. Thus, the protocol requires a specific type of zero-knowledge proof to be trustless: a hash pre-image zero-knowledge proof. This type of zkp is not wildly used in practice, if at all. Thus the protocol works in theory, but with some obscure crypto, making the protocol a bad candidate for an implementation.

In early 2020, after presenting the draft protocol at 36C3 in December 2019, I discovered, by reference from Sarang Noether (MRL), Andrew Poelstra's idea of doing a

With these two new (to me) cryptographic primitives, we were able to replace the previous zero-knowledge proof with a combination of the latter, making the protocol complete and practically feasible.

- The monero are locked in an address generated by both participants
- At the beginning, neither of the participants have the full control over the address; they both have half of the private key only
- With the cross group discrete logarithm equality zkp, both participants prove to each other that the address on the Bitcoin chain is related to the address on the Monero chain
- By means of Bitcoin scripts and ECDSA one-time verifiably encrypted signatures, one participant reveals to the other her partial private key by taking the bitcoin, allowing the other to take control over the monero

I'll post soon, if the community wants it, a CCS proposal to get my team and I to work on implementing this protocol, step by step, with the end goal of creating a working client/daemon for swapping Bitcoin and Monero. It would be very exciting to build that!

I hope I fulfilled the community's expectations for my my first CCS - all feedback is appreciated.

ECDSA can be broken, with enough computational power applied to the problem over time, for a single keypair.

If you use a new keypair for each transaction, it makes this attack exponentially hard for an attacker. Knowing the details of the RNG, makes it even easier.

In reality, there is no such thing as a true random number generator. That is the main flaw in elliptic curve cryptography. You can make it really hard, but you can never make it computationally impossible.

The security mechanism of bitcoin, is that it constantly moves, taking the goalpoasts with it. So all the work you might have done to break a single kepair, is immediately invalidated, by the utxo model, when those coins now are controlled by a new keypair. The attacker has to start over, from the beginning.

Velocity is important, in this security model. Which is why those who think an account based model on this system are ultimately doomed.

Cryptographic functions create a difficult, but not impossible problem.

Constant creation of new problems makes this a hard problem for attackers.

Store of value bullshit. Where you store bitcoin for years, and consolidate all your bitcoin into a single UTXO. If you are not using your bitcoin, you are opening yourself up to attack.

submitted by m_murfy to bitcoincashSV [link] [comments]
If you use a new keypair for each transaction, it makes this attack exponentially hard for an attacker. Knowing the details of the RNG, makes it even easier.

In reality, there is no such thing as a true random number generator. That is the main flaw in elliptic curve cryptography. You can make it really hard, but you can never make it computationally impossible.

The security mechanism of bitcoin, is that it constantly moves, taking the goalpoasts with it. So all the work you might have done to break a single kepair, is immediately invalidated, by the utxo model, when those coins now are controlled by a new keypair. The attacker has to start over, from the beginning.

Velocity is important, in this security model. Which is why those who think an account based model on this system are ultimately doomed.

Cryptographic functions create a difficult, but not impossible problem.

Constant creation of new problems makes this a hard problem for attackers.

Store of value bullshit. Where you store bitcoin for years, and consolidate all your bitcoin into a single UTXO. If you are not using your bitcoin, you are opening yourself up to attack.

As requested by estradata here: https://old.reddit.com/Bitcoin/comments/iylou9/what_are_some_of_the_latest_innovations_in_the/g6heez1/

It is a general issue that crops up at the extremes of cryptography, with quantum breaks being just one of the extremes of (classical) cryptography.

## Computational vs Information-Theoretic

The dichotomy is between *computationally infeasible* vs *informationally-theoretic infeasible*. Basically:

For example, suppose you want to know what 256-bit preimages map to 256-bit hashes. In theory, you*just* need to build a table with 2^{256} entries and start from 0x0000000000000000000000000000000000000000000000000000000000000000 and so on. This is computationally infeasible, but not information-theoretic infeasible.

However, suppose you want to know what preimages, of*any* size, map to 256-bit hashes. Since the preimages can be of any size, after finishing with 256-bit preimages, you have to proceed to 257-bit preimages. And so on. And there is no size limit, so you will literally *never* finish. Even if you lived forever, you would not complete it. This is information-theoretic infeasible.

## Commitments

How does this relate to confidential transactions? Basically, every confidential transaction simply hides the value behind a homomorphic commitment. What is a homomorphic commitment? Okay, let's start with commitments. A commitment is something which lets you hide something, and later reveal what you hid. Until you reveal it, even if somebody has access to the commitment, they cannot reverse it to find out what you hid. This is called the "hiding property" of commitments. However, when you **do** reveal it (or "open the commitment"), then you cannot replace what you hid with some other thing. This is called the "binding property" of commitments.

For example, a hash of a preimage is a commitment. Suppose I want to commit to something. For example, I want to show that I can predict the future using the energy of a spare galaxy I have in my pocket. I can hide that something by hashing a description of the future. Then I can give the hash to you. You still cannot learn the future, because it's just a hash, and you can't reverse the hash ("hiding"). But suppose the future event occurs. I can reveal that I did, in fact, know the future. So I give you the description, and you hash it and compare it to the hash I gave earlier. Because of preimage resistance, I cannot retroactively change what I hid in the hash, so what I gave must have been known to me at the time that I gave you the commitment i..e. hash ("binding").

## Homomorphic Commitments

A *homomorphic* commitment simply means that if I can do certain operations on preimages of the commitment scheme, there are certain operations on the commitments that would create similar ("homo") changes ("morphic") to the commitments. For example, suppose I have a magical function h() which is a homomorphic commitment scheme. It can hide very large (near 256-bit) numbers. Then if h() is homomorphic, there may be certain operations on numbers behind the h() that have homomorphisms after the h(). For example, I might have an operation <+> that is homomorphic in h() on +, or in other words, if I have two large numbers a and b, then h(a + b) = h(a) <+> h(b). + and <+> are different operations, but they are homomorphic to each other.

For example, elliptic curve scalars and points have homomorphic operations. Scalars (private keys) are "just" very large near-256-bit numbers, while points are a scalar times a standard generator point G. Elliptic curve operations exist where there is a <+> between points that is homomorphic on standard + on scalars, and a <*> between a scalar and a point that is homomorphic on standard * multiplication on scalars.

For example, suppose I have two large scalars a and b. I can use elliptic curve points as a commitment scheme: I can take a <*> G to generate a point A. It is hiding since nobody can learn what a is unless I reveal it (a and A can be used in standard ECDSA private-public key cryptography, with the scalar a as the private key and the point A as the public key, and the a cannot be derived even if somebody else knows A). Thus, it is hiding. At the same time, for a particular point A and standard generator point G, there is only one possible scalar a which when "multiplied" with G yields A. So scalars and elliptic curve points are a commitment scheme, with both hiding and binding properties.

Now, as mentioned there is a <+> operation on points that is homomorphic to the + operation on corresponding scalars. For example, suppose there are two scalars a and b. I can compute (a + b) <*> G to generate a particular point. But even if I don't know scalars a and b, but I do know*points* A = a <*> G and B = b <*> G, then I can use A <+> B to derive (a + b) <*> G (or equivalently, (a <*> G) <+> (b <*> G) == (a + b) <*> G). This makes points a homomorphic commitment scheme on scalars.

## Confidential Transactions: A Sketch

This is useful since we can easily use the near-256-bit scalars in SECP256K1 elliptic curves to easily represent values in a monetary system, and hide those values by using a homomorphic commitment scheme. We can use the hiding property to prevent people from learning the values of the money we are sending and receiving.

Now, in a proper cryptocurrency, a normal, non-coinbase transaction does not create or destroy coins: the values of the input coins are equal to the value of the output coins. We can use a*homomorphic* commitment scheme. Suppose I have a transaction that consumes an input value a and creates two output values b and c. That is, a = b + c, i.e. the sum of all inputs a equals the sum of all outputs b and c. But remember, with a homomorphic commitment scheme like elliptic curve points, there exists a <+> operation on points that is homomorphic to the ordinary school-arithmetic + addition on large numbers. So, confidential transactions can use points a <*> G as input, and points b <*> G and c <*> G as output, and we can easily prove that a <*> G = (b <*> G) <+> (c <*> G) if a = b + c, without revealing a, b, or c to anyone.

## Pedersen Commitments

Actually, we cannot just use a <*> G as a commitment scheme in practice. Remember, Bitcoin has a cap on the number of satoshis ever to be created, and it's less than 2^{53} satoshis, which is fairly trivial. I can easily compute all values of a <*> G for all values of a from 0 to 2^{53} and know which a <*> G corresponds to which actual amount a. So in confidential transactions, we cannot naively use a <*> G commitments, we need Pedersen commitments.

If you know what a "salt" is, then Pedersen commitments are fairly obvious. A "salt" is something you add to e.g. a password so that the hash of the password is much harder to attack. Humans are idiots and when asked to generate passwords, will output a password that takes less than 2^{30} possibilities, which is fairly easy to grind. So what you do is that you "salt" a password by prepending a random string to it. You then hash the random string + password, and store the random string --- the salt --- together with the hash in your database. Then when somebody logs in, you take the password, prepend the salt, hash, and check if the hash matches with the in-database hash, and you let them log in. Now, with a hash, even if somebody copies your password database, the can't get the password. They're hashed. But with a salt, even techniques like rainbow tables make a hacker's life even harder. They can't hash a possible password and check every hash in your db for something that matches. Instead, if they get a possible password, they have to prepend *each* salt, hash, then compare. That greatly increases the computational needs of a hacker, which is why salts are good.

What a Pedersen commitment is, is a point a <*> H, where a is the actual value you commit to, plus <+> another point r <*> G. H here is a second standard generator point, different from G. The r is the salt in the Pedersen commitment. It makes it so that even if you show (a <*> H) <+> (r <*> G) to somebody, they can't grind all possible values of a and try to match it with your point --- they*also* have to grind r (just as with the password-salt example above). And r is much larger, it can be a true near-256-bit number that is the range of scalars in SECP256K1, whereas a is constrained to "reasonable" numbers of satoshi, which cannot exceed 21 million Bitcoins.

Now, in order to validate a transaction with input a and outputs b and c, you only have to prove a = b + c. Suppose we are hiding those amounts using Pedersen commitments. You have an input of amount a, and you know a and r. The blockchain has an amount (a <*> H) <+> (r <*> G). In order to create the two outputs b and c, you just have to create two new r scalars such that r = r[0] + r[1]. This is trivial, you just select a new random r[0] and then compute r[1] = r - r[0], it's just basic algebra.

Then you create a transaction consuming the input (a <*> H) <+> (r <*> G) and outputs (b <*> H) <+> (r[0] <*> G) and (c <*> H) <+> (r[1] <*> G). You know that a = b + c, and r = r[0] + r[1], while fullnodes around the world, who don't know any of the amounts or scalars involved, can just take the points (a <*> H) <+> (r <*> G) and see if it equals (b <*> H) <+> (r[0] <*> G) <+> (c <*> H) <+> (r[1] <*> G). That is all that fullnodes have to validate, they just need to perform <+> operations on points and comparison on points, and from there they validate transactions, all without knowing the actual values involved.

## Computational Binding, Information-Theoretic Hiding

Like all commitments, Pedersen Commitments are binding and hiding.

However, there are really two kinds of commitments:

*what* got hidden behind the commitment.

But why?

Now, we have been using a and a <*> G as private keys and public keys in ECDSA and Schnorr. There is an operation <*> on a scalar and a point that generates another point, but we cannot "revrese" this operation. For example, even if I know A, and know that A = a <*> G, but do not know a, I cannot derive a --- there is no operation between A G that lets me know a.

Actually there is: I "just" need to have so much time, space, and energy that I just start counting a from 0 to 2^{256} and find *which* a results in A = a <*> G. This is a computational limit: I don't have a spare universe in my back pocket I can use to do all those computations.

Now, replace a with h and A with H. Remember that Pedersen commitments use a "second" standard generator point. The generator points G and H are "not really special" --- they are just random points on the curve that we selected and standardized. There is no operation H G such that I can learn h where H = h <*> G, though if I happen to have a spare universe in my back pocket I can "just" brute force it.

Suppose I*do* have a spare universe in my back pocket, and learn h = H G such that H = h <*> G. What can I do in Pedersen commitments?

Well, I have an amount a that is committed to by (a <*> H) <+> (r <*> G). But I happen to know h! Suppose I want to double my money a without involving Elon Musk. Then:

**That** is what we mean by computationally binding: if I can compute h such that H = h <*> G, then I can find another number which opens the same commitment. And of course I'd make sure that number is much larger than what I originally had in that address!

Now, the*reason* why it is "only" computationally binding is that it is information-theoretically hiding. Suppose somebody knows h, but has no money in the cryptocurrency. All they see are points. They can try to find what the original amounts are, but because any amount can be mapped to "the same" point with knowledge of h (e.g. in the above, a and 2 * a got mapped to the same point by "just" replacing the salt r with r - a * h; this can be done for 3 * a, 4 * a etc.), they cannot learn historical amounts --- the a in historical amounts could be *anything*.

The drawback, though, is that --- as seen above --- arbitrary inflation is now introduced once somebody knows h. They can multiply their money by any arbitrary factor with knowledge of h.

It is impossible to have*both* perfect hiding (i.e. historical amounts remain hidden even after a computational break) *and* perfect binding (i.e. you can't later open the commitment to a different, much larger, amount).

Pedersen commitments just happen to have perfect hiding, but only computationally-infeasible binding. This means they allow hiding historical values, but in case of anything that allows better computational power --- including*but not limited to* quantum breaks --- they allow arbitrary inflation.

## Changing The Tradeoffs with ElGamal Commitments

An ElGamal commitment is just a Pedersen commitment, but with the point r <*> G also stored in a separate section of the transaction.

This commits the r, and fixes it to a specific value. This prevents me from opening my (a <*> H) <+> (r <*> G) as ((2 * a) <*> H) <+> ((r - a * h) <*> G), because the (r - a * h) would not match the r <*> G sitting in a separate section of the transaction. This forces me to be bound to that specific value, and no amount of computation power will let me escape --- it is information-theoretically binding i.e. perfectly binding.

But that is now computationally hiding. An evil surveillor with arbitrary time and space can focus on the r <*> G sitting in a separate section of the transaction, and grind r from 0 to 2^{256} to determine what r matches that point. Then from there, they can negate r to get (-r) <*> G and add it to the (a <*> H) <+> (r <*> G) to get a <*> H, and *then* grind that to determine the value a. With massive increases in computational ability --- including *but not limited to* quantum breaks --- an evil surveillor can see all the historical amounts of confidential transactions.

## Conclusion

This is the source of the tradeoff: either you design confidential transactions so in case of a quantum break, historical transactions continue to hide their amounts, but inflation of the money is now unavoidable, OR you make the money supply sacrosanct, but you potentially sacrifice amount hiding in case of some break, including but not limited to quantum breaks.

submitted by almkglor to Bitcoin [link] [comments]
It is a general issue that crops up at the extremes of cryptography, with quantum breaks being just one of the extremes of (classical) cryptography.

- Something is
*computationally infeasible*if it could in theory be done, but you would not be able to build a practical computer to do it within the age of the universe and using only the power available in just one galaxy or thereabouts. - Something is
*informationally-theoretic infeasible*if even if you had any arbitrarily large amount of time, space, and energy, you cannot do it.

For example, suppose you want to know what 256-bit preimages map to 256-bit hashes. In theory, you

However, suppose you want to know what preimages, of

For example, a hash of a preimage is a commitment. Suppose I want to commit to something. For example, I want to show that I can predict the future using the energy of a spare galaxy I have in my pocket. I can hide that something by hashing a description of the future. Then I can give the hash to you. You still cannot learn the future, because it's just a hash, and you can't reverse the hash ("hiding"). But suppose the future event occurs. I can reveal that I did, in fact, know the future. So I give you the description, and you hash it and compare it to the hash I gave earlier. Because of preimage resistance, I cannot retroactively change what I hid in the hash, so what I gave must have been known to me at the time that I gave you the commitment i..e. hash ("binding").

For example, elliptic curve scalars and points have homomorphic operations. Scalars (private keys) are "just" very large near-256-bit numbers, while points are a scalar times a standard generator point G. Elliptic curve operations exist where there is a <+> between points that is homomorphic on standard + on scalars, and a <*> between a scalar and a point that is homomorphic on standard * multiplication on scalars.

For example, suppose I have two large scalars a and b. I can use elliptic curve points as a commitment scheme: I can take a <*> G to generate a point A. It is hiding since nobody can learn what a is unless I reveal it (a and A can be used in standard ECDSA private-public key cryptography, with the scalar a as the private key and the point A as the public key, and the a cannot be derived even if somebody else knows A). Thus, it is hiding. At the same time, for a particular point A and standard generator point G, there is only one possible scalar a which when "multiplied" with G yields A. So scalars and elliptic curve points are a commitment scheme, with both hiding and binding properties.

Now, as mentioned there is a <+> operation on points that is homomorphic to the + operation on corresponding scalars. For example, suppose there are two scalars a and b. I can compute (a + b) <*> G to generate a particular point. But even if I don't know scalars a and b, but I do know

Now, in a proper cryptocurrency, a normal, non-coinbase transaction does not create or destroy coins: the values of the input coins are equal to the value of the output coins. We can use a

If you know what a "salt" is, then Pedersen commitments are fairly obvious. A "salt" is something you add to e.g. a password so that the hash of the password is much harder to attack. Humans are idiots and when asked to generate passwords, will output a password that takes less than 2

What a Pedersen commitment is, is a point a <*> H, where a is the actual value you commit to, plus <+> another point r <*> G. H here is a second standard generator point, different from G. The r is the salt in the Pedersen commitment. It makes it so that even if you show (a <*> H) <+> (r <*> G) to somebody, they can't grind all possible values of a and try to match it with your point --- they

Now, in order to validate a transaction with input a and outputs b and c, you only have to prove a = b + c. Suppose we are hiding those amounts using Pedersen commitments. You have an input of amount a, and you know a and r. The blockchain has an amount (a <*> H) <+> (r <*> G). In order to create the two outputs b and c, you just have to create two new r scalars such that r = r[0] + r[1]. This is trivial, you just select a new random r[0] and then compute r[1] = r - r[0], it's just basic algebra.

Then you create a transaction consuming the input (a <*> H) <+> (r <*> G) and outputs (b <*> H) <+> (r[0] <*> G) and (c <*> H) <+> (r[1] <*> G). You know that a = b + c, and r = r[0] + r[1], while fullnodes around the world, who don't know any of the amounts or scalars involved, can just take the points (a <*> H) <+> (r <*> G) and see if it equals (b <*> H) <+> (r[0] <*> G) <+> (c <*> H) <+> (r[1] <*> G). That is all that fullnodes have to validate, they just need to perform <+> operations on points and comparison on points, and from there they validate transactions, all without knowing the actual values involved.

However, there are really two kinds of commitments:

- computationally binding, information-theoretic hiding
- information-theoretic binding, computationally hiding

But why?

Now, we have been using a and a <*> G as private keys and public keys in ECDSA and Schnorr. There is an operation <*> on a scalar and a point that generates another point, but we cannot "revrese" this operation. For example, even if I know A, and know that A = a <*> G, but do not know a, I cannot derive a --- there is no operation between A G that lets me know a.

Actually there is: I "just" need to have so much time, space, and energy that I just start counting a from 0 to 2

Now, replace a with h and A with H. Remember that Pedersen commitments use a "second" standard generator point. The generator points G and H are "not really special" --- they are just random points on the curve that we selected and standardized. There is no operation H G such that I can learn h where H = h <*> G, though if I happen to have a spare universe in my back pocket I can "just" brute force it.

Suppose I

Well, I have an amount a that is committed to by (a <*> H) <+> (r <*> G). But I happen to know h! Suppose I want to double my money a without involving Elon Musk. Then:

- (a <*> H) <+> (r <*> G)
- == (a <*> (h <*> G)) <+> (r <*> G)
- == ((a * h) <*> G) <+> (r <*> G); remember, <*> is
*also*homomorphic on multiplication *. - == ((a * h + a * h - a * h) <*> G) <+> (r <*> G); just add 0.
- == ((a * h + a * h) <*> G) <+> ((-a * h) <*> G) <+> (r <*> G)
- == ((2 * a * h) <*> G) <+> ((r - a * h) <*> G)
- == ((2 * a) <*> (h <*> G)) <+> ((r - a * h) <*> G)
- == ((2 * a) <*> H) <+> ((r - a * h) <*> G); TADA!! I doubled my money!

Now, the

The drawback, though, is that --- as seen above --- arbitrary inflation is now introduced once somebody knows h. They can multiply their money by any arbitrary factor with knowledge of h.

It is impossible to have

Pedersen commitments just happen to have perfect hiding, but only computationally-infeasible binding. This means they allow hiding historical values, but in case of anything that allows better computational power --- including

This commits the r, and fixes it to a specific value. This prevents me from opening my (a <*> H) <+> (r <*> G) as ((2 * a) <*> H) <+> ((r - a * h) <*> G), because the (r - a * h) would not match the r <*> G sitting in a separate section of the transaction. This forces me to be bound to that specific value, and no amount of computation power will let me escape --- it is information-theoretically binding i.e. perfectly binding.

But that is now computationally hiding. An evil surveillor with arbitrary time and space can focus on the r <*> G sitting in a separate section of the transaction, and grind r from 0 to 2

Announcing v0.4.0 releases of these RustCrypto elliptic curve crates:

The major notable new features in these releases are:

# Elliptic Curve Diffie-Hellman

Key exchange protocol which establishes a shared secret between two parties.

# Elliptic Curve Digital Signature Algorithm

Pervasively used public-key scheme for authenticating messages.

# Notes on this release

These crates contain *experimental* pure Rust implementations of scalafield arithmetic for the respective elliptic curves (secp256k1, NIST P-256). These implementations are new, unaudited, and haven't received much public scrutiny. We have explicitly labeled them as being at a "USE AT YOUR OWN RISK" level of maturity.

That said, these implementations utilize the best modern practices for this class of elliptic curves (complete projective formulas providing constant time scalar multiplication).

In particular:

*EDIT: the version in the title is incorrect. The correct version is v0.4.0, unfortunately the title cannot be edited.*

submitted by bascule to rust [link] [comments]
- k256: secp256k1 (as used by Bitcoin, Ethereum, etc)
- GitHub: https://github.com/RustCrypto/elliptic-curves/tree/mastek256
- crates.io: https://crates.io/crates/k256
- docs.rs: https://docs.rs/k256/

- p256: NIST P-256 (as used by SSL/TLS, Bluetooth, etc)
- GitHub: https://github.com/RustCrypto/elliptic-curves/tree/mastep256
- crates.io: https://crates.io/crates/p256
- docs.rs: https://docs.rs/p256/

The major notable new features in these releases are:

- k256 docs (secp256k1)
- p256 docs (NIST P-256)
- Generic implementation

That said, these implementations utilize the best modern practices for this class of elliptic curves (complete projective formulas providing constant time scalar multiplication).

In particular:

- The k256 crate now implements optimized "lazy" field arithmetic based on the bitcoin-core/secp256k1 C library optimized for both 32-bit and 64-bit architectures.
- The p256 crate includes sidechannel-resistant scalar arithmetic optimized for creating signatures on embedded platforms and presently provides 64-bit scalafield arithmetic.

Good day, the price is going up to 0.3USDT.

ABCMint Second Foundation

ABCMint has been a first third-party organization that focuses on post-quantum cryptography research and technology and aims to help improve the ecology of ABCMint technology since 2018.

https://abcmintsf.com

https://abcmintsf.com/exchange

What is ABCMint?

ABCMint is a quantum resistant cryptocurrency with the Rainbow Multivariable Polynomial Signature Scheme.

Cryptocurrencies and blockchain technology have attracted a significant amount of attention since 2009. While some cryptocurrencies, including Bitcoin, are used extensively in the world, these cryptocurrencies will eventually become obsolete and be replaced when the quantum computers avail. For instance, Bitcoin uses the elliptic curved signature (ECDSA). If a bitcoin user?s public key is exposed to the public chain, the quantum computers will be able to quickly reverse-engineer the private key in a short period of time. It means that should an attacker decide to use a quantum computer to decrypt ECDSA, he/she will be able to use the bitcoin in the wallet.

The ABCMint Foundation has improved the structure of the special coin core to resist quantum computers, using the Rainbow Multivariable Polynomial Signature Scheme, which is quantum resisitant, as the core. This is a fundamental solution to the major threat to digital money posed by future quantum computers. In addition, the ABCMint Foundation has implemented a new form of proof of arithmetic (mining) "ABCardO" which is different from Bitcoin?s arbitrary mining. This algorithm is believed to be beneficial to the development of the mathematical field of multivariate.

Rainbow Signature - the quantum resistant signature based on Multivariable Polynomial Signature Scheme

Unbalanced Oil and Vinegar (UOV) is a multi-disciplinary team of experts in the field of oil and vinegar. One of the oldest and most well researched signature schemes in the field of variable cryptography. It was designed by J. Patarin in 1997 and has withstood more than two decades of cryptanalysis. The UOV scheme is a very simple, smalls and fast signature. However, the main drawback of UOV is the large public key, which will not be conducive to the development of block practice technology.

The rainbow signature is an improvement on the oil and vinegar signature which increased the efficiency of unbalanced oil and vinegar. The basic concept is a multi-layered structure and generalization of oil and vinegar.

PQC - Post Quantum Cryptography

The public key cryptosystem was a breakthrough in modern cryptography in the late 1970s. It has become an increasingly important part of our cryptography communications network over The Internet and other communication systems rely heavily on the Diffie-Hellman key exchange, RSA encryption, and the use of the DSA, ECDSA or related algorithms for numerical signatures. The security of these cryptosystems depends on the difficulty level of number theory problems such as integer decomposition and discrete logarithm problems. In 1994, Peter Shor demonstrated that quantum computers can solve all these problems in polynomial time, which made this security issue related to the cryptosystems theory irrelevant. This development is known as the "post-quantum cryptography" (PQC)

In August 2015, the U.S. National Security Agency (NSA) released an announcement regarding its plans to transition to quantum-resistant algorithms. In December 2016, the National Institute of Standards and Technology (NIST) announced a call for proposals for quantum-resistant algorithms. The deadline was November 30, 2017, which also included the rainbow signatures used for ABCMint.

submitted by WrapBeautiful to ABCMint [link] [comments]

ABCMint Second Foundation

ABCMint has been a first third-party organization that focuses on post-quantum cryptography research and technology and aims to help improve the ecology of ABCMint technology since 2018.

https://abcmintsf.com

https://abcmintsf.com/exchange

What is ABCMint?

ABCMint is a quantum resistant cryptocurrency with the Rainbow Multivariable Polynomial Signature Scheme.

Cryptocurrencies and blockchain technology have attracted a significant amount of attention since 2009. While some cryptocurrencies, including Bitcoin, are used extensively in the world, these cryptocurrencies will eventually become obsolete and be replaced when the quantum computers avail. For instance, Bitcoin uses the elliptic curved signature (ECDSA). If a bitcoin user?s public key is exposed to the public chain, the quantum computers will be able to quickly reverse-engineer the private key in a short period of time. It means that should an attacker decide to use a quantum computer to decrypt ECDSA, he/she will be able to use the bitcoin in the wallet.

The ABCMint Foundation has improved the structure of the special coin core to resist quantum computers, using the Rainbow Multivariable Polynomial Signature Scheme, which is quantum resisitant, as the core. This is a fundamental solution to the major threat to digital money posed by future quantum computers. In addition, the ABCMint Foundation has implemented a new form of proof of arithmetic (mining) "ABCardO" which is different from Bitcoin?s arbitrary mining. This algorithm is believed to be beneficial to the development of the mathematical field of multivariate.

Rainbow Signature - the quantum resistant signature based on Multivariable Polynomial Signature Scheme

Unbalanced Oil and Vinegar (UOV) is a multi-disciplinary team of experts in the field of oil and vinegar. One of the oldest and most well researched signature schemes in the field of variable cryptography. It was designed by J. Patarin in 1997 and has withstood more than two decades of cryptanalysis. The UOV scheme is a very simple, smalls and fast signature. However, the main drawback of UOV is the large public key, which will not be conducive to the development of block practice technology.

The rainbow signature is an improvement on the oil and vinegar signature which increased the efficiency of unbalanced oil and vinegar. The basic concept is a multi-layered structure and generalization of oil and vinegar.

PQC - Post Quantum Cryptography

The public key cryptosystem was a breakthrough in modern cryptography in the late 1970s. It has become an increasingly important part of our cryptography communications network over The Internet and other communication systems rely heavily on the Diffie-Hellman key exchange, RSA encryption, and the use of the DSA, ECDSA or related algorithms for numerical signatures. The security of these cryptosystems depends on the difficulty level of number theory problems such as integer decomposition and discrete logarithm problems. In 1994, Peter Shor demonstrated that quantum computers can solve all these problems in polynomial time, which made this security issue related to the cryptosystems theory irrelevant. This development is known as the "post-quantum cryptography" (PQC)

In August 2015, the U.S. National Security Agency (NSA) released an announcement regarding its plans to transition to quantum-resistant algorithms. In December 2016, the National Institute of Standards and Technology (NIST) announced a call for proposals for quantum-resistant algorithms. The deadline was November 30, 2017, which also included the rainbow signatures used for ABCMint.

Of all the options available at that time, he chose the one that met these criteria: Elliptic Curve Digital Signature Algorithm, or ECDSA.

At that time, native support for ECDSA was provided in OpenSSL, an open set of encryption tools developed by experienced cipher banks in order to increase the confidentiality of online communications. Compared to other popular schemes, ECDSA had such advantages as:

- Low demand for computing resources;
- Short key lengths.

ECDSA has two separate procedures for signing and verifying. Each procedure is an algorithm consisting of several arithmetic operations. The signature algorithm uses the private key, and the verification algorithm uses only the public key.

To use ECDSA, such protocol as Bitcoin must fix a set of parameters for the elliptic curve and its finite field, so that all users of the protocol know and apply these parameters. Otherwise, everyone will solve their own equations, which will not converge with each other, and they will never agree on anything.

For all these parameters, Bitcoin uses very, very large (well, awesomely incredibly huge) numbers. It is important. In fact, all practical applications of ECDSA use huge numbers. After all, the security of this algorithm relies on the fact that these values are too large to pick up a key with a simple brute force. The 384-bit ECDSA key is considered safe enough for the NSA's most secretive government service (USA).

Schnorr's signature takes the process of using “keys” to a new level. It takes only 64 bytes when it gets into the block, which reduces the space occupied by transactions by 4%. Since transactions with the Schnorr signature are the same size, this makes it possible to pre-calculate the total size of the part of the block that contains such signatures. A preliminary calculation of the block size is the key to its safe increase in the future.

Keep up with the news of the crypto world at CoinJoy.io Follow us on Twitter and Medium. Subscribe to our YouTube channel. Join our Telegram channel. For any inquiries mail us at [[email protected]](mailto:[email protected]).

So over a lunch conversation with a nocoiner I got what i thought sounded like a far fetched conspiracy theory, went a little like this... "Mmm yeah I reckon the NSA has a backdoor code that would allow them access to any private key simply by looking at the public key" ... I'm used to the "Bitcoin will be hacked" arguement but this seems to be on a different level.

Thoughts? It's a new one for me for sure and not sure how to answer it....

submitted by hungdoge to Bitcoin [link] [comments]
Thoughts? It's a new one for me for sure and not sure how to answer it....

There is no known way that quantum computers can break SHA256 (only the signing elliptic curve/ECDSA). So

There is a larger discussion on upgrading bitcoin, the fact that quantum computers are not even close to being able to crack ECDSA, etc. But I'm just going to leave it at what I said above.

The fud campaigns on quantum computing has been organized by traders half a dozen times over the past 5 years at the end of consolidation triangles, which is exactly what happened this time.

This month, what strikes us most is the proliferation of Rust cryptography, and especially zero-knowledge proof, projects. Even blockchains that aren’t primarily implemented in Rust are increasingly looking to Rust for their crypto. So many of these are springing up that we’ve lost track, so we spent some time doing a survey of the world of Rust crypto and zero-knowledge proofs, and what we found kind of blew us away! For Rust blockchain developers there are an overwhelming number of choices for their crypto building blocks. Here are some of them.

*using* Rust, few of the top projects are *primarily implemented in* Rust (the exception being Crypto.com). Yet, of course.

This month Rust-behemoth Polkadot launched their mainnet. Congrats to Parity and Polkadot contributors.

https://rustinblockchain.org/newsletters/2020-06-03-zk-rustups/

submitted by Aimeedeer to rust [link] [comments]
- Rust-crypto-specific GitHub orgs
- rustcrypto: lots of well-maintained, basic crypto primitives and abstractions
- dalek-cryptography: mature ed25519 and zkp implementations
- zkcrypto maintains a number of zero-knowledge crates used by multiple projects, bellman, ff, pairing, group, jubjub, bls12_381.
- SCIPR Lab has several zero-knowledge Rust projects, zexe, for decentralized private computation (paper), poly-commit, for polynomial commitments, marlin, for the Marlin SNARK (paper), and ripp, for proofs of inner pairing products (paper)
- KZen-networks is another organization filled with Rust crypto, dedicated to threshold cryptography, multi-party-ecdsa, curv, multi-party-schnorr, class, white-city, and more.

- Non-Rust blockchains using Rust for security and other purposes
- 0xProject/OpenZKP. A ZKP implementation by 0x Network.
- algorand/pointproofs. An implementation of Algorand’s Pointproofs: Aggregating Proofs for Multiple Vector Commitments (paper).
- Stellar has a separate Rust blockchain, Slingshot, built on a zero-knowledge VM, ZkVM, and containing several other interesting in-tree Rust crypto projects.
- dusk-network, a blockchain written in Go, has multiple Rust crypto projects, phoenix, a ZK transaction model, Poseidon252, a hash function, and many more. It apears that they support smart contracts written in Rust.
- Golem. A non-Rust blockchain with a large number of Rust projects, including gMorph, a homomorphic encryption library, and several WASM-related projects. Their yagna project looks like it might be a reimplementation of Golem in Rust.
- Tendermint, another Go blockchain, also has many Rust crypto and security projects.
- Komodo, uses Rust for their cross-chain AtomixDEX matchmaking network.
- IOTA is developing some new projects in Rust.
- Input-Output HK, contributors to Cardano and Ethereum Classic, have multiple Rust projects in Rust, including jormungandr, a Rust blockchain that appears to be an implementation of Cardano in Rust.
- The Ethereum community has many projects in Rust, as does Zcash, and there exist Bitcoin implementations in Rust.

This month Rust-behemoth Polkadot launched their mainnet. Congrats to Parity and Polkadot contributors.

https://rustinblockchain.org/newsletters/2020-06-03-zk-rustups/

Of all the options available at that time, he chose the one that met these criteria: Elliptic Curve Digital Signature Algorithm, or ECDSA.

At that time, native support for ECDSA was provided in OpenSSL, an open set of encryption tools developed by experienced cipher banks in order to increase the confidentiality of online communications. Compared to other popular schemes, ECDSA had such advantages as:

- Low demand for computing resources;
- Short key lengths.

ECDSA has two separate procedures for signing and verifying. Each procedure is an algorithm consisting of several arithmetic operations. The signature algorithm uses the private key, and the verification algorithm uses only the public key.

To use ECDSA, such protocol as Bitcoin must fix a set of parameters for the elliptic curve and its finite field, so that all users of the protocol know and apply these parameters. Otherwise, everyone will solve their own equations, which will not converge with each other, and they will never agree on anything.

For all these parameters, Bitcoin uses very, very large (well, awesomely incredibly huge) numbers. It is important. In fact, all practical applications of ECDSA use huge numbers. After all, the security of this algorithm relies on the fact that these values are too large to pick up a key with a simple brute force. The 384-bit ECDSA key is considered safe enough for the NSA's most secretive government service (USA).

Schnorr's signature takes the process of using “keys” to a new level. It takes only 64 bytes when it gets into the block, which reduces the space occupied by transactions by 4%. Since transactions with the Schnorr signature are the same size, this makes it possible to pre-calculate the total size of the part of the block that contains such signatures. A preliminary calculation of the block size is the key to its safe increase in the future.

Keep up with the news of the crypto world at CoinJoy.io Follow us on Twitter and Medium. Subscribe to our YouTube channel. Join our Telegram channel. For any inquiries mail us at [[email protected]](mailto:[email protected]).

**Bitcoin (BTC)**is a peer-to-peer cryptocurrency that aims to function as a means of exchange that is independent of**any central authority**. BTC can be transferred electronically in a secure, verifiable, and immutable way.- Launched in 2009, BTC is the
**first virtual currency to solve the double-spending**issue by timestamping transactions before broadcasting them to all of the nodes in the Bitcoin network. The Bitcoin Protocol offered a solution to the Byzantine Generals’ Problem**with a****blockchain****network structure, a notion first created by****Stuart Haber and W. Scott Stornetta in 1991****.** **Bitcoin’s whitepaper**was published**pseudonymously in 2008**by an individual, or a group, with the pseudonym**“Satoshi Nakamoto”**, whose underlying identity**has still not been verified**.- The Bitcoin protocol uses an
**SHA-256d-based Proof-of-Work (PoW) algorithm**to reach network consensus. Its network has a target block time of 10 minutes and a maximum supply of 21 million tokens, with a decaying token emission rate. To prevent fluctuation of the block time, the network’s block difficulty is re-adjusted through an algorithm based on the past 2016 block times. - With a block size limit capped at 1 megabyte, the Bitcoin Protocol has supported both the
**Lightning Network**, a second-layer infrastructure for payment channels, and**Segregated Witness**, a soft-fork to increase the number of transactions on a block, as solutions to network scalability.
https://preview.redd.it/s2gmpmeze3151.png?width=256&format=png&auto=webp&s=9759910dd3c4a15b83f55b827d1899fb2fdd3de1 ## 1. What is Bitcoin (BTC)?**Bitcoin**is a peer-to-peer cryptocurrency that aims to function as a means of exchange and is independent of any central authority. Bitcoins are transferred electronically in a secure, verifiable, and immutable way.- Network validators, whom are often referred to as
**miners**, participate in the SHA-256d-based Proof-of-Work consensus mechanism to determine the next global state of the blockchain. - The Bitcoin protocol has a
**target block time of 10 minutes**, and a maximum supply of 21 million tokens. The only way new bitcoins can be produced is when a block producer generates a new valid block. - The protocol has a token emission rate that halves every 210,000 blocks, or approximately every 4 years.
- Unlike public blockchain infrastructures supporting the development of decentralized applications (Ethereum), the Bitcoin protocol is primarily used only for payments, and has only very limited support for smart contract-like functionalities (Bitcoin “Script” is mostly used to create certain conditions before bitcoins are used to be spent).
## 2. Bitcoin’s core featuresFor a more beginner’s introduction to Bitcoin, please visit Binance Academy’s guide to Bitcoin.## Unspent Transaction Output (UTXO) modelA UTXO transaction works like cash payment between two parties: Alice gives money to Bob and receives change (i.e., unspent amount). In comparison, blockchains like Ethereum rely on the account model.https://preview.redd.it/t1j6anf8f3151.png?width=1601&format=png&auto=webp&s=33bd141d8f2136a6f32739c8cdc7aae2e04cbc47 ## Nakamoto consensusIn the Bitcoin network,anyone can join the network and become a bookkeeping service provider i.e., a validator. All validators are allowed in the race to become the block producer for the next block, yet only the first to complete a computationally heavy task will win. This feature is called Proof of Work (PoW).The probability of any single validator to finish the task first is equal to the percentage of the total network computation power, or hash power, the validator has. For instance, a validator with 5% of the total network computation power will have a 5% chance of completing the task first, and therefore becoming the next block producer. Since anyone can join the race, competition is prone to increase. In the early days, Bitcoin mining was mostly done by personal computer CPUs.As of today, Bitcoin validators, or miners, have opted for dedicated and more powerful devices such as machines based on Application-Specific Integrated Circuit (“ASIC”).Proof of Work secures the network as block producers must have spent resources external to the network (i.e., money to pay electricity), and can provide proof to other participants that they did so. With various miners competing for block rewards, it becomes difficult for one single malicious party to gain network majority (defined as more than 51% of the network’s hash power in the Nakamoto consensus mechanism). The ability to rearrange transactions via 51% attacks indicates another feature of the Nakamoto consensus: the finality of transactions is only probabilistic.Once a block is produced, it is then propagated by the block producer to all other validators to check on the validity of all transactions in that block. The block producer will receive rewards in the network’s native currency (i.e., bitcoin) as all validators approve the block and update their ledgers. ## The blockchain## Block productionThe Bitcoin protocol utilizes the Merkle tree data structure in order to organize hashes of numerous individual transactions into each block. This concept is named after Ralph Merkle, who patented it in 1979.With the use of a Merkle tree, though each block might contain thousands of transactions, it will have the ability to combine all of their hashes and condense them into one, allowing efficient and secure verification of this group of transactions. This single hash called is a Merkle root, which is stored in the Block Header of a block. The Block Header also stores other meta information of a block, such as a hash of the previous Block Header, which enables blocks to be associated in a chain-like structure (hence the name “blockchain”).An illustration of block production in the Bitcoin Protocol is demonstrated below. https://preview.redd.it/m6texxicf3151.png?width=1591&format=png&auto=webp&s=f4253304912ed8370948b9c524e08fef28f1c78d ## Block time and mining difficultyBlock time is the period required to create the next block in a network. As mentioned above, the node who solves the computationally intensive task will be allowed to produce the next block. Therefore,block time is directly correlated to the amount of time it takes for a node to find a solution to the task. The Bitcoin protocol sets a target block time of 10 minutes, and attempts to achieve this by introducing a variable named mining difficulty.Mining difficulty refers to how difficult it is for the node to solve the computationally intensive task. If the network sets a high difficulty for the task, while miners have low computational power, which is often referred to as “hashrate”, it would statistically take longer for the nodes to get an answer for the task. If the difficulty is low, but miners have rather strong computational power, statistically, some nodes will be able to solve the task quickly.Therefore, the 10 minute target block time is achieved by constantly and automatically adjusting the mining difficulty according to how much computational power there is amongst the nodes. The average block time of the network is evaluated after a certain number of blocks, and if it is greater than the expected block time, the difficulty level will decrease; if it is less than the expected block time, the difficulty level will increase.## What are orphan blocks?In a PoW blockchain network, if the block time is too low, it would increase the likelihood of nodes producingorphan blocks, for which they would receive no reward. Orphan blocks are produced by nodes who solved the task but did not broadcast their results to the whole network the quickest due to network latency.It takes time for a message to travel through a network, and it is entirely possible for 2 nodes to complete the task and start to broadcast their results to the network at roughly the same time, while one’s messages are received by all other nodes earlier as the node has low latency.Imagine there is a network latency of 1 minute and a target block time of 2 minutes. A node could solve the task in around 1 minute but his message would take 1 minute to reach the rest of the nodes that are still working on the solution. While his message travels through the network, all the work done by all other nodes during that 1 minute, even if these nodes also complete the task, would go to waste. In this case, 50% of the computational power contributed to the network is wasted.The percentage of wasted computational power would proportionally decrease if the mining difficulty were higher, as it would statistically take longer for miners to complete the task. In other words, if the mining difficulty, and therefore targeted block time is low, miners with powerful and often centralized mining facilities would get a higher chance of becoming the block producer, while the participation of weaker miners would become in vain. This introduces possible centralization and weakens the overall security of the network.However, given a limited amount of transactions that can be stored in a block, making the block time too longwould decrease the number of transactions the network can process per second, negatively affecting network scalability.## 3. Bitcoin’s additional features## Segregated Witness (SegWit)Segregated Witness, often abbreviated asSegWit, is a protocol upgrade proposal that went live in August 2017.SegWit separates witness signatures from transaction-related data. Witness signatures in legacy Bitcoin blocks often take more than 50% of the block size. By removing witness signatures from the transaction block, this protocol upgrade effectively increases the number of transactions that can be stored in a single block, enabling the network to handle more transactions per second. As a result, SegWit increases the scalability of Nakamoto consensus-based blockchain networks like Bitcoin and Litecoin.SegWit also makes transactions cheaper. Since transaction fees are derived from how much data is being processed by the block producer, the more transactions that can be stored in a 1MB block, the cheaper individual transactions become. https://preview.redd.it/depya70mf3151.png?width=1601&format=png&auto=webp&s=a6499aa2131fbf347f8ffd812930b2f7d66be48e The legacy Bitcoin block has a block size limit of 1 megabyte, and any change on the block size would require a network hard-fork. On August 1st 2017, the first hard-fork occurred, leading to the creation of Bitcoin Cash (“BCH”), which introduced an 8 megabyte block size limit.Conversely, Segregated Witness was a soft-fork: it never changed the transaction block size limit of the network. Instead, it added an extended block with an upper limit of 3 megabytes, which contains solely witness signatures, to the 1 megabyte block that contains only transaction data. This new block type can be processed even by nodes that have not completed the SegWit protocol upgrade.Furthermore, the separation of witness signatures from transaction data solves the malleability issue with the original Bitcoin protocol. Without Segregated Witness, these signatures could be altered before the block is validated by miners. Indeed, alterations can be done in such a way that if the system does a mathematical check, the signature would still be valid. However, since the values in the signature are changed, the two signatures would create vastly different hash values.For instance, if a witness signature states “6,” it has a mathematical value of 6, and would create a hash value of 12345. However, if the witness signature were changed to “06”, it would maintain a mathematical value of 6 while creating a (faulty) hash value of 67890. Since the mathematical values are the same, the altered signature remains a valid signature. This would create a bookkeeping issue, as transactions in Nakamoto consensus-based blockchain networks are documented with these hash values, or transaction IDs. Effectively, one can alter a transaction ID to a new one, and the new ID can still be valid. This can create many issues, as illustrated in the below example: - Alice sends Bob 1 BTC, and Bob sends Merchant Carol this 1 BTC for some goods.
- Bob sends Carols this 1 BTC, while the transaction from Alice to Bob is not yet validated. Carol sees this incoming transaction of 1 BTC to him, and immediately ships goods to B.
- At the moment, the transaction from Alice to Bob is still not confirmed by the network, and Bob can change the witness signature, therefore changing this transaction ID from 12345 to 67890.
- Now Carol will not receive his 1 BTC, as the network looks for transaction 12345 to ensure that Bob’s wallet balance is valid.
- As this particular transaction ID changed from 12345 to 67890, the transaction from Bob to Carol will fail, and Bob will get his goods while still holding his BTC.
witness signatures are moved outside of the transaction block into an extended block, and altering the witness signature won’t affect the transaction ID.Since the transaction malleability issue is fixed, Segregated Witness also enables the proper functioning of second-layer scalability solutions on the Bitcoin protocol, such as the Lightning Network.## Lightning NetworkLightning Network is asecond-layer micropayment solution for scalability.Specifically, Lightning Network aims to enable near-instant and low-cost payments between merchants and customers that wish to use bitcoins. Lightning Network was conceptualized in a whitepaper by Joseph Poon and Thaddeus Dryja in 2015. Since then, it has been implemented by multiple companies. The most prominent of them include Blockstream, Lightning Labs, and ACINQ.A list of curated resources relevant to Lightning Network can be found here. In the Lightning Network, if a customer wishes to transact with a merchant, both of them need to open a payment channel, which operates off the Bitcoin blockchain (i.e., off-chain vs. on-chain). None of the transaction details from this payment channel are recorded on the blockchain, and only when the channel is closed will the end result of both party’s wallet balances be updated to the blockchain. The blockchain only serves as a settlement layer for Lightning transactions.Since all transactions done via the payment channel are conducted independently of the Nakamoto consensus, both parties involved in transactions do not need to wait for network confirmation on transactions. Instead, transacting parties would pay transaction fees to Bitcoin miners only when they decide to close the channel.https://preview.redd.it/cy56icarf3151.png?width=1601&format=png&auto=webp&s=b239a63c6a87ec6cc1b18ce2cbd0355f8831c3a8 One limitation to the Lightning Network is that it requires a person to be online to receive transactions attributing towards him. Another limitation in user experience could be that one needs to lock up some funds every time he wishes to open a payment channel, and is only able to use that fund within the channel.However, this does not mean he needs to create new channels every time he wishes to transact with a different person on the Lightning Network. If Alice wants to send money to Carol, but they do not have a payment channel open, they can ask Bob, who has payment channels open to both Alice and Carol, to help make that transaction. Alice will be able to send funds to Bob, and Bob to Carol. Hence, the number of “payment hubs” (i.e., Bob in the previous example) correlates with both the convenience and the usability of the Lightning Network for real-world applications. ## Schnorr Signature upgrade proposalElliptic Curve Digital Signature Algorithm (“ECDSA”) signatures are used to sign transactions on the Bitcoin blockchain.https://preview.redd.it/hjeqe4l7g3151.png?width=1601&format=png&auto=webp&s=8014fb08fe62ac4d91645499bc0c7e1c04c5d7c4 However, many developers now advocate for replacing ECDSA with Schnorr Signature. Once Schnorr Signatures are implemented, multiple parties can collaborate in producing a signature that is valid for the sum of their public keys. This would primarily be beneficial for network scalability. When multiple addresses were to conduct transactions to a single address, each transaction would require their own signature. With Schnorr Signature, all these signatures would be combined into one. As a result, the network would be able to store more transactions in a single block.https://preview.redd.it/axg3wayag3151.png?width=1601&format=png&auto=webp&s=93d958fa6b0e623caa82ca71fe457b4daa88c71e The reduced size in signatures implies a reduced cost on transaction fees. The group of senders can split the transaction fees for that one group signature, instead of paying for one personal signature individually.Schnorr Signature also improves network privacy and token fungibility. A third-party observer will not be able to detect if a user is sending a multi-signature transaction, since the signature will be in the same format as a single-signature transaction.## 4. Economics and supply distributionThe Bitcoin protocol utilizes the Nakamoto consensus, and nodes validate blocks via Proof-of-Work mining. The bitcoin token was not pre-mined, and has a maximum supply of 21 million. The initial reward for a block was 50 BTC per block. Block mining rewards halve every 210,000 blocks. Since the average time for block production on the blockchain is 10 minutes, it implies that the block reward halving events will approximately take place every 4 years.As of May 12th 2020, the block mining rewards are 6.25 BTC per block. Transaction fees also represent a minor revenue stream for miners. |

There is no known way that quantum computers can break SHA256 (only the signing elliptic curve/ECDSA). So

There is a larger discussion on upgrading bitcoin, the fact that quantum computers are not even close to being able to crack ECDSA, etc. But I'm just going to leave it at what I said above.

Price? Who gives a shit about price when Lightning Network development is a lot more interesting?????

One thing about LN is that because there's no need for consensus before implementing things, figuring out the status of things is quite a bit more difficult than on Bitcoin. In one hand it lets larger groups of people work on improving LN faster without having to coordinate so much. On the other hand it leads to some fragmentation of the LN space, with compatibility problems occasionally coming up.

The below is just a smattering sample of LN stuff I personally find interesting. There's a bunch of other stuff, like splice and dual-funding, that I won't cover --- post is long enough as-is, and besides, some of the below aren't as well-known.

Anyway.....

# "eltoo" Decker-Russell-Osuntokun

Yeah the exciting new Lightning Network channel update protocol!

## Advantages

## Myths

## Disadvantages

# Multipart payments / AMP

Splitting up large payments into smaller parts!

## Details

## Advantages

## Disadvantages

# Payment points / scalars

Using the magic of elliptic curve homomorphism for fun and Lightning Network profits!

Basically, currently on Lightning an invoice has a payment hash, and the receiver reveals a payment preimage which, when inputted to SHA256, returns the given payment hash.

Instead of using payment hashes and preimages, just replace them with payment points and scalars. An invoice will now contain a payment point, and the receiver reveals a payment scalar (private key) which, when multiplied with the standard generator point G on secp256k1, returns the given payment point.

This is basically Scriptless Script usage on Lightning, instead of HTLCs we have Scriptless Script Pointlocked Timelocked Contracts (PTLCs).

## Advantages

## Disadvantages

# Pay-for-data

Ensuring that payers cannot access data or other digital goods without proof of having paid the provider.

In a nutshell: the payment preimage used as a proof-of-payment is the decryption key of the data. The provider gives the encrypted data, and issues an invoice. The buyer of the data then has to pay over Lightning in order to learn the decryption key, with the decryption key being the payment preimage.

## Advantages

## Disadvantages

# Stuckless payments

No more payments getting stuck somewhere in the Lightning network without knowing whether the payee will ever get paid!

(that's actually a bit overmuch claim, payments still can get stuck, but what "stuckless" really enables is that we can now safely run another*parallel* payment attempt until any one of the payment attempts get through).

Basically, by using the ability to add points together, the payer can enforce that the payee can only claim the funds if it knows two pieces of information:

*in parallel*, unlike the current situation where we must wait for an attempt to fail before trying another route. The payer only needs to ensure it generates different acknowledgment scalars for each payment attempt.

Then, if at least one of the payment attempts reaches the payee, the payee can then acquire the acknowledgment scalar from the payer. Then the payee can acquire the payment. If the payee attempts to acquire multiple acknowledgment scalars for the same payment, the payer just gives out one and then tells the payee "LOL don't try to scam me", so the payee can only acquire a single acknowledgment scalar, meaning it can only claim a payment once; it can't claim multiple parallel payments.

## Advantages

## Disadvantages

# Non-custodial escrow over Lightning

The "acknowledgment" scalar used in stuckless can be reused here.

The acknowledgment scalar is derived as an ECDH shared secret between the payer and the escrow service. On arrival of payment to the payee, the payee queries the escrow to determine if the acknowledgment point is from a scalar that the escrow can derive using ECDH with the payer, plus a hash of the contract terms of the trade (for example, to transfer some goods in exchange for Lightning payment). Once the payee gets confirmation from the escrow that the acknowledgment scalar is known by the escrow, the payee performs the trade, then asks the payer to provide the acknowledgment scalar once the trade completes.

If the payer refuses to give the acknowledgment scalar even though the payee has given over the goods to be traded, then the payee contacts the escrow again, reveals the contract terms text, and requests to be paid. If the escrow finds in favor of the payee (i.e. it determines the goods have arrived at the payer as per the contract text) then it gives the acknowledgment scalar to the payee.

## Advantages

## Disadvantages

# Payment decorrelation

Because elliptic curve points can be added (unlike hashes), for every forwarding node, we an add a "blinding" point / scalar. This prevents multiple forwarding nodes from discovering that they have been on the same payment route. This is unlike the current payment hash + preimage, where the same hash is used along the route.

In fact, the acknowledgment scalar we use in stuckless and escrow can simply be the sum of each blinding scalar used at each forwarding node.

## Advantages

## Disadvantages

submitted by almkglor to Bitcoin [link] [comments]
One thing about LN is that because there's no need for consensus before implementing things, figuring out the status of things is quite a bit more difficult than on Bitcoin. In one hand it lets larger groups of people work on improving LN faster without having to coordinate so much. On the other hand it leads to some fragmentation of the LN space, with compatibility problems occasionally coming up.

The below is just a smattering sample of LN stuff I personally find interesting. There's a bunch of other stuff, like splice and dual-funding, that I won't cover --- post is long enough as-is, and besides, some of the below aren't as well-known.

Anyway.....

- Solves "toxic waste" problem. In the current Poon-Dryja update protocol, old state ("waste") is dangerous ("toxic") because if your old state is acquired by your most hated enemy, they can use that old state to publish a stale unilateral close transaction, which your counterparty must treat as a theft attempt and punish you, causing you to lose funds. With Decker-Russell-Osuntokun old state is not revoked, but is instead gainsaid by later state: instead of actively punishing old state, it simply replaces the old state with a later state.
- Allows multiple participants in the update protocol. This can be used as the update protocol for a channel factory with 3 or more participants, for example (channels are not practical for multiple participants since the loss of any one participants makes the channel completely unuseable; it's more sensible to have a multiple-participant factory that splits up into 2-participant channels). Poon-Dryja only supports two participants. Another update protocol, Decker-Wattenhofer, also supports multiple participants, but requires much larger locktimes in case of a unilateral close (measurable in weeks, whereas Poon-Dryja and Decker-Russell-Osuntokun can be measured in hours or days).
- It uses nLockTime in a very clever way.

- No, it does not solve the "watchtower needed" problem. Decker-Russell-Osuntokun
*still*requires watchtowers if you're planning to be offline for a long time.- What might be confused is that it was
*initially*thought that watchtowers under Decker-Russell-Osuntokun could be made more efficient by having the channel participant update a single "slot" in the watchtower, rather than having to consume one "slot" per update in Poon-Dryja. However, the existence of the "poisoned blob" attack by ZmnSCPxj means that having a replaceable "slot" is risky if the other participant of the channel can spoof you. And the safest way to prevent spoofing somebody is to identify that somebody --- but now that means the watchtower can surveill the activities of somebody it has identified, losing privacy.

- What might be confused is that it was

- Requires base layer change --- SIGHASH_NOINPUT / SIGHASH_ANYPREVOUT. This is still being worked out and may potentially not reach Bitcoin anytime soon.
- Determining costs of routes is somewhat harder, and may complicate routefinding algorithms. In particular: every channel today has a "CLTV Delta", a number of blocks by which the total maximum delay of the payment is increased. This maximum delay is the maximum amount of time by which an outgoing payment can be locked, and needs to be reduced for UX purposes. Decker-Russell-Osuntokun will also add a "CSV minimum", a number of blocks, which must be smaller than the delay of an HTLC going through the channel. Current routefinding algos are good at minimizing a summed-up cost (like the "CLTV Delta") so the "CSV minimum" may require discovering / developing new routefinding algos.
- Due to the "CSV minimum" above, existing nodes that don't understand Decker-Russell-Osuntokun cannot reliably route over Decker-Russell-Osuntokun channels, as they might not impose this minimum properly.

- There are at least three variants of multipart payments: Original, Base, and High.
- Original is the original AMP proposed by Lightning Labs. It sacrifices proof-of-payment in order to allow each path to have a different payment hash. This is done by having the payer use a derivation scheme to generate each part's payment preimage from a seed, then having the split the seed (using secret sharing) to each part. The receiver can only reconstruct the seed if all parts reach it.
- Base simply uses the same payment hash for all routes. This retains proof-of-payment (i.e. an invoice is undeniably signed by the receiver, including a payment hash in the invoice; public knowledge of the payment preimage is proof that the receiver has in fact received money, and any third party can be convinced of this by being shown the signed invoice and the preimage). The receiver
*could*just take one part of the payment and then claim to be underpaid by the payer and then deny service, but claiming any one part is enough to publish the payment preimage, creating a proof-of-payment: so the receiver can provably be made liable, even if it took just one part, thus the incentive of the receiver is to only take in the payment once all parts have arrived to it. - High requires elliptic curve points / scalars. It combines both Original and Base, retaining proof-of-payment (sacrificed by Original) and ensuring cryptographically-secure waiting for all parts (rather than the mere economically-incentivized of Base). This is done by using elliptic curve homomorphism to addition of scalars to add together the payer-provided preimage (really scalar) of Original with the payee-provided preimage (really scalar) of Base.

- Better expected reliability. Channels are limited by capacity. By splitting up into many smaller payments, you can fit into more channels and be more likely to successfully reach the payee.
- Capacity on mutiple of your channels can be used to pay. Currently if you have 0.05BTC on one channel and 0.05BTC on another channel, you can't pay 0.06BTC without first rebalancing your channels (and paying fees for the rebalance first, whether the payment succeeds or not). With multipart you can now combine the capacities of multiple of your channels, and only pay fees for combining them if the payment pushes through.
- Wumbo payments (oversized payments) come "for free" without having to be explicitly supported by the nodes of the network: you just split up wumbo payments into parts smaller than the wumbo limit.

- Multipart will have higher fees. Part of the feerate of each channel is a flat-rate fee. Going through multiple paths means paying more of this flat-rate fee.
- It's not clear how to split up payments. Heuristics for payment splitting have to be derived and developed and tested.

Basically, currently on Lightning an invoice has a payment hash, and the receiver reveals a payment preimage which, when inputted to SHA256, returns the given payment hash.

Instead of using payment hashes and preimages, just replace them with payment points and scalars. An invoice will now contain a payment point, and the receiver reveals a payment scalar (private key) which, when multiplied with the standard generator point G on secp256k1, returns the given payment point.

This is basically Scriptless Script usage on Lightning, instead of HTLCs we have Scriptless Script Pointlocked Timelocked Contracts (PTLCs).

- Enables a shit-ton of improvements: payment decorrelation, stuckless payments, noncustodial escrow over Lightning (the Hodl Hodl Lightning escrow is custodial, read the fine print), High multipart.
- It's the same coolness that makes Schnorr Signatures cool. ECDSA, despite being based on elliptic curves, is not cool because the hash-the-nonce operation needed to prevent it from infringing Schnorr's
patent also prevents ECDSA from using the cool elliptic curve homomorphism of addition over scalars.*fatherfucking*

- Requires Schnorr on Bitcoin layer.
- Actually, we can work with 2p-ECDSA without waiting for Schnorr. We get back the nice elliptic curve homomorphism by passing the ECDSA nonce through another cryptosystem, Paillier. This gets us the ability to do Scriptless Script. I think it has only 80-bits security because of going through Paillier though.
- Basically the conundrum is: we could implement 2p-ECDSA now, hope we never have to test the 80-bit security anytime soon, then switch to Schnorr with 128-bit security later (which means reimplementing a bunch of things, because the calculations are different and the data that needs to be exchanged between channel participants is
different between the 2p-ECDSA and Schnorr). Reimplementing is painful and is more dev work. If we don't implement with 2p-ECDSA now, though, we will be delaying all the nice elliptic curve goodness (stuckless, noncustodial escrow, payment decorrelation) until Bitcoin gets Schnorr.*very*

- Basically the conundrum is: we could implement 2p-ECDSA now, hope we never have to test the 80-bit security anytime soon, then switch to Schnorr with 128-bit security later (which means reimplementing a bunch of things, because the calculations are different and the data that needs to be exchanged between channel participants is
- Elliptic curve discrete log problem is theoretically quantum-vulnerable. If we can't find a qunatum-resistant homomorphic construction, we'll have to give up the advantages (payment decorrelation, stuckless payments, noncustodial escrow over Lightning) we got from using elliptic curve points and go back to boring old hashes.

In a nutshell: the payment preimage used as a proof-of-payment is the decryption key of the data. The provider gives the encrypted data, and issues an invoice. The buyer of the data then has to pay over Lightning in order to learn the decryption key, with the decryption key being the payment preimage.

- Enables data providers to sell data. This could be sensors, livestreams, blogs, articles, whatever.

- There's no scheme to determine if the data provider is providing actually-useful data. The data-provider could just stream https://random.org for example. This is a potentially-impossible problem. Even if the data-provider provides a "sample" of the data, and is able to derive some proof that the sample is indeed a true snippet of the encrypted data, the
*rest*of the data outside of the sample might just be random junk.

(that's actually a bit overmuch claim, payments still can get stuck, but what "stuckless" really enables is that we can now safely run another

Basically, by using the ability to add points together, the payer can enforce that the payee can only claim the funds if it knows two pieces of information:

- The payment scalar corresponding to the payment point in the invoice signed by the payee.
- An "acknowledgment" scalar provided by the payer to the payee via another communication path.

Then, if at least one of the payment attempts reaches the payee, the payee can then acquire the acknowledgment scalar from the payer. Then the payee can acquire the payment. If the payee attempts to acquire multiple acknowledgment scalars for the same payment, the payer just gives out one and then tells the payee "LOL don't try to scam me", so the payee can only acquire a single acknowledgment scalar, meaning it can only claim a payment once; it can't claim multiple parallel payments.

- Can safely run multiple parallel payment attempts as long as you have the funds to do so.

- Needs payment point + scalar

The acknowledgment scalar is derived as an ECDH shared secret between the payer and the escrow service. On arrival of payment to the payee, the payee queries the escrow to determine if the acknowledgment point is from a scalar that the escrow can derive using ECDH with the payer, plus a hash of the contract terms of the trade (for example, to transfer some goods in exchange for Lightning payment). Once the payee gets confirmation from the escrow that the acknowledgment scalar is known by the escrow, the payee performs the trade, then asks the payer to provide the acknowledgment scalar once the trade completes.

If the payer refuses to give the acknowledgment scalar even though the payee has given over the goods to be traded, then the payee contacts the escrow again, reveals the contract terms text, and requests to be paid. If the escrow finds in favor of the payee (i.e. it determines the goods have arrived at the payer as per the contract text) then it gives the acknowledgment scalar to the payee.

- True non-custodial escrow: the escrow service never holds any funds.

- Needs payment point + scalar.

In fact, the acknowledgment scalar we use in stuckless and escrow can simply be the sum of each blinding scalar used at each forwarding node.

- Privacy! Multiple forwarding nodes cannot coordinate to try to uncover the payer and payee of each payment.

- Needs payment point + scalar.

Permissionless = RenVM is an open protocol; meaning anyone can use RenVM and any project can build with RenVM. You don't need anyone's permission, just plug RenVM into your dApp and you have interoperability.

Decentralized = The nodes that power RenVM ( Darknodes) are scattered throughout the world. RenVM has a peak capacity of up to 10,000 Darknodes (due to REN’s token economics). Realistically, there will probably be 100 - 500 Darknodes run in the initial Mainnet phases, ample decentralized nonetheless.

Permissionless = https://github.com/renproject/ren-js

Decentralized = https://chaosnet.renproject.io/

SSS by itself is just a way of representing secret data (like numbers). sMPC is how to generate and work with that data (like equations). One of the things you can do with that work is produce a form of TSS (this is what RenVM does).

However, TSS is slightly different because it can also be done *without* SSS and sMPC. For example, BLS signatures don’t use SSS or sMPC but they are still a form of TSS.

So, we say that RenVM uses SSS+sMPC because this is more specific than just saying TSS (and you can also do more with SSS+sMPC than just TSS). Specifically, all viable forms of turning ECDSA (a scheme that isn’t naturally threshold based) into a TSS needs SSS+sMPC.

People often get confused about RenVM and claim “SSS can’t be used to sign transactions without making the private key whole again”. That’s a strange statement and shows a fundamental misunderstanding about what SSS is.

To come back to our analogy, it’s like saying “numbers can’t be used to write a book”. That’s kind of true in a direct sense, but there are plenty of ways to encode a book as numbers and then it’s up to how you interpret (how you *use*) those numbers. This is exactly how this text I’m writing is appearing on your screen right now.

SSS is just secret data. It doesn’t make sense to say that SSS *functions*. RenVM is what does the functioning. RenVM *uses* the SSSs to represent private keys. But these are generated and used and destroyed as part of sMPC. The keys are never whole at any point.

tBTC an only mint/burn lots of 1 BTC and requires an on-Ethereum SPV relay for Bitcoin headers (and for any other chain it adds). No real advantage trade-off IMO.

tBTC has a liquidation mechanism that means nodes can have their bond liquidated because of ETH/BTC price ratio. Advantage means users can get 1 BTC worth of ETH. Disadvantage is it means tBTC is kind of a synthetic: needs a price feed, needs liquid markets for liquidation, users must accept exposure to ETH even if they only hold tBTC, nodes must stay collateralized or lose lots of ETH. RenVM doesn’t have this, and instead uses fees to prevent becoming under-collateralized. This requires a mature market, and assumed Darknodes will value their REN bonds fairly (based on revenue, not necessarily what they can sell it for at current —potentially manipulated—market value). That can be an advantage or disadvantage depending on how you feel.

tBTC focuses more on the idea of a tokenized version of BTC that feels like an ERC20 to the user (and is). RenVM focuses more on letting the user interact with DeFi and use real BTC and real Bitcoin transactions to do so (still an ERC20 under the hood, but the UX is more fluid and integrated). Advantage of tBTC is that it’s probably easier to understand and that might mean better overall experience, disadvantage really comes back to that 1 BTC limit and the need for a more clunky minting/burning experience that might mean worse overall experience. Too early to tell, different projects taking different bets.

tBTC supports BTC (I think they have ZEC these days too). RenVM supports BTC, BCH, and ZEC (docs discuss Matic, XRP, and LTC).

-Both are vulnerable to oracle attacks

-REN federation failure results in loss or theft of all funds

-tBTC failures tend to result in frothy markets, but holders of tBTC are made whole

-REN quorum rotation is new crypto, and relies on honest deletion of old key shares

-tBTC rotates micro-quorums regularly without relying on honest deletion

-tBTC relies on an SPV relay

-REN relies on federation honesty to fill the relay's purpose

-Both are brittle to deep reorgs, so expanding to weaker chains like ZEC is not clearly a good idea

-REN may see total system failure as the result of a deep reorg, as it changes federation incentives significantly

-tBTC may accidentally punish some honest micro-federations as the result of a deep reorg

-REN generally has much more interaction between incentive models, as everything is mixed into the same pot.

-tBTC is a large collection of small incentive models, while REN is a single complex incentive model

The oracle situation is different with RenVM, because the fee model is what determines the value of REN with respect to the cross-chain asset. This is the asset is what is used to pay the fee, so no external pricing is needed for it (because you only care about the ratio between REN and the cross-chain asset).

RenVM does rotate quorums regularly, in fact more regularly than in tBTC (although there are micro-quorums, each deposit doesn’t get rotated as far as I know and sticks around for up to 6 months). This rotation involves rotations of the keys too, so it does not rely on honest deletion of key shares.

Federated views of blockchains are easier to expand to support deep re-orgs (just get the nodes to wait for more blocks for that chain). SPV requires longer proofs which begins to scale more poorly.

Not sure what you mean by “one big pot”, but there are multiple quorums so the failure of one is isolated from the failures of others. For example, if there are 10 shards supporting BTC and one of them fails, then this is equivalent to a sudden 10% fee being applied. Harsh, yes, but not total failure of the whole system (and doesn’t affect other assets).

Would be interesting what RenVM would look like with lots more shards that are smaller. Failure becomes much more isolated and affects the overall network less.

Further, the amount of tBTC you can mint is dependent on people who are long ETH and prefer locking it up in Keep for earning a smallish fee instead of putting it in Compound or leveraging with dydx. tBTC is competing for liquidity while RenVM isn't.

A major advantage of Ren's specific usage of sMPC is that security can be regulated economically. All value (that's being interopped at least) passing through RenVM has explicit value. The network can self-regulate to ensure an attack is never worth it.

Profits of the Darknodes, and therefore security of the network, is based solely on the use of the network (this is what you want because your network does not make or break on things outside the systems control). In a system like tBTC there are liquidity issues because you need to convince ETH holders to bond ETH and this is an external problem. Maybe ETH is pumping irrespective of tBTC use and people begin leaving tBTC to sell their ETH. Or, that ETH is dumping, and so tBTC nodes are either liquidated or all their profits are eaten by the fact that they have to be long on ETH (and tBTC holders cannot get their BTC back in this case). Feels real bad man.

This cannot affect safety, because the first signature is still required. Any attack you wanted to do would still have to succeed against the “normal” part of the network. This can affect liveliness, because the semi-core could decide not to sign. However, the semi-core follows the same rules as normal shards. The signature is tolerant to 1/3rd for both safety/liveliness. So, 1/3rd+ would have to decide to not sign.

Members of the semi-core would be there under governance from the rest of our ecosystem. The idea is that members would be chosen for their external value. We’ve discussed in-depth the idea of L<3. But, if RenVM is used in MakerDAO, Compound, dYdX, Kyber, etc. it would be desirable to capture the value of these ecosystems too, not just the value of REN bonded. The semi-core as a second signature is a way to do this.

Imagine if the members for those projects, because those projects want to help secure renBTC, because it’s used in their ecosystems. There is a very strong incentive for them to behave honestly. To attack RenVM you first have to attack the Darknodes “as per usual” (the current design), and then somehow convince 1/3rd of these projects to act dishonestly and collapse their own ecosystems and their own reputations. This is a very difficult thing to do.

Worth reminding: the draft for this proposal isn’t finished. It would be great for everyone to give us their thoughts on GitHub when it is proposed, so we can keep a persistent record.

The issues of privacy of electronic currency faced researchers and developers for a long time, long before Bitcoin. In 1991, Tatsuaki Okamoto and Kazuo Ohta from the NTT research laboratory (Japan's largest telecommunications company) introduced 6 criteria for an ideal e-currency, including privacy: "relationship between the user and his purchases must be untraceable by anyone". Nicholas van Saberhagen, an anonymous author behind the work on the CryptoNote protocol, which formed the basis of Monero, in December 2012 summarized these 6 criteria to two specific properties:

None of the other properties are characteristic of Bitcoin, since all transactions are broadcasted publicly. Of course, by the time this work was written, various tumblers made it possible to combine outputs of several transactions and send them through some intermediate address. Also, by that time, some protocols based on the zero-knowledge proof were known, but at that time such evidence was large enough to make them impractical to use.

What was proposed to tackle the issues: firstly, each transaction was signed on behalf of the group, not the individual, as in BTC. To do this, we used the option of an electronic digital signature called "Ring Signature" (further development of the so-called "Group Signature"). However, when implementing a completely anonymous ring signature, a (very high) probability of double spending of coins arose, and therefore the so-called

Essentially, although it's certainly worth noting that the CryptoNote implementation used a different scheme of elliptical curves (EdDSA instead of ECDSA, as a result, an elliptic curve with a different equation was used, etc.).

You know how it happens: everything seems to be there, but something is missing. The problem with the original CryptoNote protocol was that the user balances were not hidden, and thus, it was possible to analyze the blockchain and deanonymize the members of the group who signed the transaction. An additional problem with hiding balances is that with simple encryption of balances, it is not possible to reach a consensus on whether coins were produced from the thin air or not.

To solve this problem, the developer Shen Noether from Monero Research Lab proposed the use of the Pederson Commitment, which allows the prover to calculate the obligation for the amount without disclosing it and being unable to change it.

Short explanation from Monero Wiki:

As long as the encrypted output amounts created, which include an output for the recipient and a change output back to the sender, and the unencrypted transaction fee is equal to the sum of the inputs that are being spent, it is a legitimate transaction and can be confirmed to not be creating Monero out of thin air.

Thus, it is possible to obtain a ring confidential transaction (hence the name). And, the inquisitive reader will ask, what is wrong this time?

The problem is one, but twofold. On the one hand, the size of the transaction increases with RingCT, which does not have the best effect on scalability and transaction fees. Besides, again, due to the large size of the signature, the number of possible subscribers

03/Jan/2009

10 Minutes

10,000 BTC Pizza

2016 Blocks

21 Million

210,000 Blocks

51% Attack

Address

Altcoin

Antonopoulos

Asic

Asic Boost

Base58

Batching

Bech32

Bit

Bitcoin Cash

Bitcoin Improvement Proposal (BIP)

Bitcoin SV

Bitmain

Block

Block height

Block reward

Blockchain

Blockexplorer

Bloom Filter

Brain Wallet

Buidl

Change Address

Child pays for parent (CPFP)

Coinbase (not the exchange)

CoinJoin

Coinmarketcap (CMC)

Colored Coin

Confirmation

Consensus

Custodial Wallet

Craig Wright

David Kleinman

Difficulty

Difficulty adjustment

Difficulty Target

Dogecoin

Dorian Nakamoto

Double spend

Elliptic Curve Digital Signature Algorithm (ECDSA)

Ethereum

Faketoshi

Fork

Full Node

Gavin Andresen

Genesis Block

Getting goxed

Halving

Hard Fork

Hardware Wallet

Hash

Hashing

Hierarchical Deterministic (HD) Wallet

Hodl

Hot Wallet

Initial Coin Offering (ICO)

Initial Exchange Offering (IEO)

Ledger

Light Node

Lightning

Litecoin

Locktime

Mainnet

Malleability

Master Private Key

Master Public Key

Master Seed

mBTC

Mempool

Merkle Tree

Mining

Mining Farm

Mining Pool

Mixing

MtGox

Multisig

Nonce

Not your keys,...

Opcode

Orphan block

P2PKH

P2SH

Paper Wallet

Peers

Pieter Wuille

Premining

Private key

Proof of Stake (PoS)

Proof of Work (PoW)

Pruning

Public key

Pump'n'Dump

Replace by Fee (RBF)

Ripemd160

Roger Ver

sat

Satoshi Nakamoto

Schnorr Signatures

Script

Segregated Witness (Segwit)

Sha256

Shitcoin

Sidechain

Signature

Signing

Simplified Payment Verification (SPV)

Smart Contract

Soft Fork

Stratum

Syncing

Testnet

Transaction

Transaction Fees

TransactionId (Txid)

Trezor

User Activated Soft Fork (UASF)

Utxo

Wallet Import Format (WIF)

Watch-Only Address

Whitepaper

List obviously not complete. Suggestions appreciated.

Refs:

https://bitcoin.org/en/developer-glossary https://en.bitcoin.it/wiki/Main_Page https://www.youtube.com/channel/UCgo7FCCPuylVk4luP3JAgVw https://www.youtube.com/useaantonop

submitted by PolaT1x to Bitcoin [link] [comments]
10 Minutes

10,000 BTC Pizza

2016 Blocks

21 Million

210,000 Blocks

51% Attack

Address

Altcoin

Antonopoulos

Asic

Asic Boost

Base58

Batching

Bech32

Bit

Bitcoin Cash

Bitcoin Improvement Proposal (BIP)

Bitcoin SV

Bitmain

Block

Block height

Block reward

Blockchain

Blockexplorer

Bloom Filter

Brain Wallet

Buidl

Change Address

Child pays for parent (CPFP)

Coinbase (not the exchange)

CoinJoin

Coinmarketcap (CMC)

Colored Coin

Confirmation

Consensus

Custodial Wallet

Craig Wright

David Kleinman

Difficulty

Difficulty adjustment

Difficulty Target

Dogecoin

Dorian Nakamoto

Double spend

Elliptic Curve Digital Signature Algorithm (ECDSA)

Ethereum

Faketoshi

Fork

Full Node

Gavin Andresen

Genesis Block

Getting goxed

Halving

Hard Fork

Hardware Wallet

Hash

Hashing

Hierarchical Deterministic (HD) Wallet

Hodl

Hot Wallet

Initial Coin Offering (ICO)

Initial Exchange Offering (IEO)

Ledger

Light Node

Lightning

Litecoin

Locktime

Mainnet

Malleability

Master Private Key

Master Public Key

Master Seed

mBTC

Mempool

Merkle Tree

Mining

Mining Farm

Mining Pool

Mixing

MtGox

Multisig

Nonce

Not your keys,...

Opcode

Orphan block

P2PKH

P2SH

Paper Wallet

Peers

Pieter Wuille

Premining

Private key

Proof of Stake (PoS)

Proof of Work (PoW)

Pruning

Public key

Pump'n'Dump

Replace by Fee (RBF)

Ripemd160

Roger Ver

sat

Satoshi Nakamoto

Schnorr Signatures

Script

Segregated Witness (Segwit)

Sha256

Shitcoin

Sidechain

Signature

Signing

Simplified Payment Verification (SPV)

Smart Contract

Soft Fork

Stratum

Syncing

Testnet

Transaction

Transaction Fees

TransactionId (Txid)

Trezor

User Activated Soft Fork (UASF)

Utxo

Wallet Import Format (WIF)

Watch-Only Address

Whitepaper

List obviously not complete. Suggestions appreciated.

Refs:

https://bitcoin.org/en/developer-glossary https://en.bitcoin.it/wiki/Main_Page https://www.youtube.com/channel/UCgo7FCCPuylVk4luP3JAgVw https://www.youtube.com/useaantonop

Elliptic Curve Digital Signature Algorithm or ECDSA is a cryptographic algorithm used by Bitcoin to ensure that funds can only be spent by their rightful owners.. A few concepts related to ECDSA: private key: A secret number, known only to the person that generated it.A private key is essentially a randomly generated number. We also saw that bitcoin’s ECDSA uses the secp256k1 elliptic curve. The following python variables specify the parameters of this curve: p_dec denotes the decimal value of the order of the underlying finite field. G_dec corresponds to the decimal coordinates modulo p_dec of the base point G. Recently I've read about point addition in elliptic curves and the ECDSA and became curious about how it is applied in the bitcoin code. I've learned that the main idea is, given a point P in the elliptic curve, the relation is: X = xP, where x is the 256-bit integer number Private Key and X is the Public Key. So, my questions are: Elliptic Curve Digital Signature Algorithm or ECDSA is a cryptographic algorithm used by Bitcoin to ensure the effective and secure control of ownership of funds.. A few concepts related to ECDSA: private key: A secret number, known only to the person that generated it.A private key can be a randomly generated number but in 2019 most wallets use deterministic key schemes derived from BIP 0032. Bitcoin core developers of Bitcoin reimplemented the ECDSA based on secp256k1 in the libsep256k1 project, where the secp256k1 curve was deeply optimized and the constant implementation was ...

[index] [13587] [14357] [16312] [26524] [9586] [21999] [15527] [6119] [10638] [27779]

Getting the ECDSA Z Value from a Bitcoin Single Input Transaction - Duration: 6:43. ... Breaking ECDSA (Elliptic Curve Cryptography) - rhme2 Secure Filesystem v1.92r1 (crypto 150) - Duration: 8:19 ... This is part 11 of the Blockchain tutorial explaining how the generate a public private key using Elliptic Curve. In this video series different topics will ... We are going to recover a ECDSA private key from bad signatures. Same issue the Playstation 3 had that allowed it to be hacked. -=[ 🔴 Stuff I use ]=- → Micro... Bitcoin is a cryptocurrency that uses elliptic curves in the ECDSA. Since cryptosystems often require some form of arithmetic to encode and decode informatio... Learn more advanced front-end and full-stack development at: https://www.fullstackacademy.com Elliptic Curve Cryptography (ECC) is a type of public key crypt...