Math Behind Bitcoin and Elliptic Curve Cryptography ...

Math Behind Bitcoin and Elliptic Curve Cryptography (Explained Simply)

Math Behind Bitcoin and Elliptic Curve Cryptography (Explained Simply) submitted by Piterst to Bitcoin [link] [comments]

[CCS Results] Monero Atomic Swaps research

Hi Monero community!
Two months ago I posted a CCS for continuing my research on Monero Atomic Swaps. That research is now complete and I'm happy to present my results.
This post will be a summary of my research, but you can also find the whitepaper that describes the full protocol and all the details here.

Shiny BTC/XMR Atomic Swap Protocol!

We found it! With the help of the MRL, my colleagues, and the community, we created the first (to our knowledge) protocol to atomically swap bitcoin and monero. And this resulting protocol is implementable today - no more obscure crypto!

Why now? What changed?

When I started studying Monero for a Bitcoin/Monero atomic swap three and a half years ago, most of the swap protocols were based on 'Hash Time Locked Contract' (HTLC), something that we all know as non-existent on Monero. So the goal at the beginning of the project was to create an atomic swap where all the logic (timeouts, possible sequences of operation, secret disclosures, etc) is managed on the other chain: the Bitcoin chain.
The second difficulty with Monero and Bitcoin is their respective underlying cryptographic parameters: they don't share the same elliptic curve, they don't share the same signing algorithm; they have nothing in common! This makes the pair a bad candidate for other types of atomic swap that don't (solely) rely on HTLC.
In November 2018 we came up with a draft protocol that respects the above constraints. Thus, the protocol requires a specific type of zero-knowledge proof to be trustless: a hash pre-image zero-knowledge proof. This type of zkp is not widely used in practice, if at all. Thus the protocol works in theory, but with some obscure crypto, making the protocol a bad candidate for an implementation.
In early 2020, after presenting the draft protocol at 36C3 in December 2019, I discovered, by reference from Sarang Noether (MRL), Andrew Poelstra's idea of doing a discrete logarithm equality across group zero-knowledge proof of knowledge (MRL-0010), meaning that we can prove some relations between elements in two different groups (two curves to simplify) and the paper by Lloyd Fournier on One-Time Verifiably Encrypted Signatures allowing secret disclosure with ECDSA.
With these two new (to me) cryptographic primitives, we were able to replace the previous zero-knowledge proof with a combination of the latter, making the protocol complete and practically feasible.

How it works

As a broad overview (and simplified) the protocol works as follows:
If the swap succeeds, A reveals to B, and if the swap is cancelled, B reveals to A. (We have a third scenario explained in the paper to force reaction and avoid deadlock.)

Next steps

The obvious next step would be to have a working implementation on mainnet, but a ready-to-use implementation that is also robust and safe-to-use requires a lot of engineering work. Furthermore, even though the cryptography is not too obscure, most of it still also lacks an implementation.
I'll post soon, if the community wants it, a CCS proposal to get my team and me to work on implementing this protocol, step by step, with the end goal of creating a working client/daemon for swapping Bitcoin and Monero. It would be very exciting to build that!

Conclusion

Thanks to the MRL and its researchers for their help, the CCS team, and the community for its support!
I hope I fulfilled the community's expectations for my first CCS - all feedback is appreciated.
submitted by h4sh3d to Monero [link] [comments]

Why do WIF-compressed private keys exist?

I am reading Andreas' Mastering Bitcoin (great book btw) and got to the section where compressed and uncompressed public keys are explained (pages 71-74). I have a question that I don't find an answer for, maybe someone here can help - might be a little too technical though.
If I understood correctly, the public keys are just (x,y) coordinates of the elliptic curve generated from the private key. Now there are two versions, the original version where the entire x and y coordinates are shown (04... public keys) and the newer version where the y is calculated from y² = x³ + 7 (mod p) and are either 02... or 03... depending on whether it represents the positive or negative y.
All good. However, in order for wallets to know if they should search for the addresses generated from hashing the compressed or the uncompressed versions of the public key when importing a private key, the book says two types of private key formats were developed to represent what type of public key should be obtained from it. This way, if the private key imported looks like 5... the wallet knows it should create 04... public keys (uncompressed) and if the private key looks like K... it knows it should look for addresses derived from 02... or 03... public keys.
My question is - why do we need to show whether the addresses used came from a compressed or uncompressed public keys, IN the private key? I mean, can't we use a single standard private key format and have the wallet just create both versions of public keys to check in which one there's any funds? It would take what, a couple more minutes to check the balance?
Hope the question makes sense haha thanks!!
submitted by Jack1602 to Bitcoin [link] [comments]
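The mechanics the question is about, as an added worked example (this is not code from the post, from Mastering Bitcoin, or from any wallet): pure-Python secp256k1 point multiplication, the two SEC public-key serializations (04... versus 02/03...), recovery of y from a compressed key via y² = x³ + 7 mod p, and WIF encoding with the trailing 0x01 flag that produces K.../L... keys instead of 5... keys. The point-multiplication loop is not constant time and exists only to show the math. The test vectors for private key 1 are the standard secp256k1 generator and the widely published WIF strings for that key.

```python
import hashlib

# secp256k1 domain parameters (the curve's public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def pubkey_point(privkey):
    """Public key = privkey * G by double-and-add (demo only: not constant time)."""
    if not 1 <= privkey < N:
        raise ValueError("private key out of range")
    result, addend, k = None, G, privkey
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def encode_pubkey(point, compressed):
    """SEC serialization: 04||x||y (65 bytes) or 02/03||x (33 bytes; prefix = parity of y)."""
    x, y = point
    if not compressed:
        return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")

def decompress_pubkey(sec):
    """Recover y as (x^3 + 7)^((P+1)/4) mod P, then pick the root whose parity matches the prefix."""
    prefix, x = sec[0], int.from_bytes(sec[1:33], "big")
    y = pow((pow(x, 3, P) + 7) % P, (P + 1) // 4, P)  # this square root works because P % 4 == 3
    if (y % 2 == 0) != (prefix == 0x02):
        y = P - y
    return (x, y)

def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def base58check_encode(payload):
    data = payload + _checksum(payload)
    n, out = int.from_bytes(data, "big"), bytearray()
    while n:
        n, r = divmod(n, 58)
        out.insert(0, ALPHABET[r])
    leading = len(data) - len(data.lstrip(b"\x00"))  # each leading 0x00 byte becomes a '1'
    return "1" * leading + out.decode()

def base58check_decode(text):
    n = 0
    for ch in text.encode():
        n = n * 58 + ALPHABET.index(ch)
    data = b"\x00" * (len(text) - len(text.lstrip("1"))) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if _checksum(data[:-4]) != data[-4:]:
        raise ValueError("bad base58check checksum")
    return data[:-4]

def to_wif(privkey, compressed):
    """Mainnet WIF: 0x80 || 32-byte key [|| 0x01 when the compressed pubkey is meant], base58check."""
    payload = b"\x80" + privkey.to_bytes(32, "big")
    if compressed:
        payload += b"\x01"
    return base58check_encode(payload)

def from_wif(wif):
    """Return (private key, compressed flag); the flag tells an importing wallet which pubkey form to derive."""
    payload = base58check_decode(wif)
    if payload[0] != 0x80 or len(payload) not in (33, 34):
        raise ValueError("not a mainnet WIF key")
    return int.from_bytes(payload[1:33], "big"), len(payload) == 34 and payload[-1] == 0x01

def wallet_pubkey_for_wif(wif):
    """What a wallet derives on import: the pubkey serialization the WIF flag asks for."""
    key, compressed = from_wif(wif)
    return encode_pubkey(pubkey_point(key), compressed)

def encodings_hash_differently(point):
    """Addresses are hashes of the serialized pubkey, so the two forms give two different addresses."""
    return hashlib.sha256(encode_pubkey(point, True)).digest() != hashlib.sha256(encode_pubkey(point, False)).digest()

if __name__ == "__main__":
    for compressed in (False, True):
        wif = to_wif(1, compressed)
        print(wif, wallet_pubkey_for_wif(wif).hex())
```

The last function is the answer to the question in miniature: the same curve point serializes two ways, each serialization hashes to a different address, and the flag byte in the WIF key records which of the two the wallet should derive so it does not have to scan the chain for both.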

Bitcoin (BTC): A Peer-to-Peer Electronic Cash System.

  • Bitcoin (BTC) is a peer-to-peer cryptocurrency that aims to function as a means of exchange that is independent of any central authority. BTC can be transferred electronically in a secure, verifiable, and immutable way.
  • Launched in 2009, BTC is the first virtual currency to solve the double-spending issue by timestamping transactions before broadcasting them to all of the nodes in the Bitcoin network. The Bitcoin Protocol offered a solution to the Byzantine Generals’ Problem with a blockchain network structure, a notion first created by Stuart Haber and W. Scott Stornetta in 1991.
  • Bitcoin’s whitepaper was published pseudonymously in 2008 by an individual, or a group, with the pseudonym “Satoshi Nakamoto”, whose underlying identity has still not been verified.
  • The Bitcoin protocol uses an SHA-256d-based Proof-of-Work (PoW) algorithm to reach network consensus. Its network has a target block time of 10 minutes and a maximum supply of 21 million tokens, with a decaying token emission rate. To prevent fluctuation of the block time, the network’s block difficulty is re-adjusted through an algorithm based on the past 2016 block times.
  • With a block size limit capped at 1 megabyte, the Bitcoin Protocol has supported both the Lightning Network, a second-layer infrastructure for payment channels, and Segregated Witness, a soft-fork to increase the number of transactions on a block, as solutions to network scalability.

https://preview.redd.it/s2gmpmeze3151.png?width=256&format=png&auto=webp&s=9759910dd3c4a15b83f55b827d1899fb2fdd3de1

1. What is Bitcoin (BTC)?

  • Bitcoin is a peer-to-peer cryptocurrency that aims to function as a means of exchange and is independent of any central authority. Bitcoins are transferred electronically in a secure, verifiable, and immutable way.
  • Network validators, who are often referred to as miners, participate in the SHA-256d-based Proof-of-Work consensus mechanism to determine the next global state of the blockchain.
  • The Bitcoin protocol has a target block time of 10 minutes, and a maximum supply of 21 million tokens. The only way new bitcoins can be produced is when a block producer generates a new valid block.
  • The protocol has a token emission rate that halves every 210,000 blocks, or approximately every 4 years.
  • Unlike public blockchain infrastructures supporting the development of decentralized applications (Ethereum), the Bitcoin protocol is primarily used only for payments, and has only very limited support for smart contract-like functionalities (Bitcoin “Script” is mostly used to create certain conditions that must be met before bitcoins can be spent).

2. Bitcoin’s core features

For a more beginner’s introduction to Bitcoin, please visit Binance Academy’s guide to Bitcoin.

Unspent Transaction Output (UTXO) model

A UTXO transaction works like a cash payment between two parties: Alice gives money to Bob and receives change (i.e., the unspent amount). In comparison, blockchains like Ethereum rely on the account model.
https://preview.redd.it/t1j6anf8f3151.png?width=1601&format=png&auto=webp&s=33bd141d8f2136a6f32739c8cdc7aae2e04cbc47

Nakamoto consensus

In the Bitcoin network, anyone can join the network and become a bookkeeping service provider i.e., a validator. All validators are allowed in the race to become the block producer for the next block, yet only the first to complete a computationally heavy task will win. This feature is called Proof of Work (PoW).
The probability that any single validator finishes the task first is equal to the percentage of the total network computation power, or hash power, that the validator has. For instance, a validator with 5% of the total network computation power will have a 5% chance of completing the task first, and therefore becoming the next block producer.
Since anyone can join the race, competition is prone to increase. In the early days, Bitcoin mining was mostly done by personal computer CPUs.
As of today, Bitcoin validators, or miners, have opted for dedicated and more powerful devices such as machines based on Application-Specific Integrated Circuit (“ASIC”).
Proof of Work secures the network as block producers must have spent resources external to the network (i.e., money to pay electricity), and can provide proof to other participants that they did so.
With various miners competing for block rewards, it becomes difficult for one single malicious party to gain network majority (defined as more than 51% of the network’s hash power in the Nakamoto consensus mechanism). The ability to rearrange transactions via 51% attacks indicates another feature of the Nakamoto consensus: the finality of transactions is only probabilistic.
Once a block is produced, it is then propagated by the block producer to all other validators to check on the validity of all transactions in that block. The block producer will receive rewards in the network’s native currency (i.e., bitcoin) as all validators approve the block and update their ledgers.

The blockchain

Block production

The Bitcoin protocol utilizes the Merkle tree data structure in order to organize hashes of numerous individual transactions into each block. This concept is named after Ralph Merkle, who patented it in 1979.
With the use of a Merkle tree, though each block might contain thousands of transactions, it will have the ability to combine all of their hashes and condense them into one, allowing efficient and secure verification of this group of transactions. This single hash is called the Merkle root, which is stored in the Block Header of a block. The Block Header also stores other meta information of a block, such as a hash of the previous Block Header, which enables blocks to be associated in a chain-like structure (hence the name “blockchain”).
An illustration of block production in the Bitcoin Protocol is demonstrated below.

https://preview.redd.it/m6texxicf3151.png?width=1591&format=png&auto=webp&s=f4253304912ed8370948b9c524e08fef28f1c78d

Block time and mining difficulty

Block time is the period required to create the next block in a network. As mentioned above, the node who solves the computationally intensive task will be allowed to produce the next block. Therefore, block time is directly correlated to the amount of time it takes for a node to find a solution to the task. The Bitcoin protocol sets a target block time of 10 minutes, and attempts to achieve this by introducing a variable named mining difficulty.
Mining difficulty refers to how difficult it is for the node to solve the computationally intensive task. If the network sets a high difficulty for the task, while miners have low computational power, which is often referred to as “hashrate”, it would statistically take longer for the nodes to get an answer for the task. If the difficulty is low, but miners have rather strong computational power, statistically, some nodes will be able to solve the task quickly.
Therefore, the 10 minute target block time is achieved by constantly and automatically adjusting the mining difficulty according to how much computational power there is amongst the nodes. The average block time of the network is evaluated after a certain number of blocks, and if it is greater than the expected block time, the difficulty level will decrease; if it is less than the expected block time, the difficulty level will increase.

What are orphan blocks?

In a PoW blockchain network, if the block time is too low, it would increase the likelihood of nodes producing orphan blocks, for which they would receive no reward. Orphan blocks are produced by nodes who solved the task but did not broadcast their results to the whole network the quickest due to network latency.
It takes time for a message to travel through a network, and it is entirely possible for 2 nodes to complete the task and start to broadcast their results to the network at roughly the same time, while one’s messages are received by all other nodes earlier as the node has low latency.
Imagine there is a network latency of 1 minute and a target block time of 2 minutes. A node could solve the task in around 1 minute but his message would take 1 minute to reach the rest of the nodes that are still working on the solution. While his message travels through the network, all the work done by all other nodes during that 1 minute, even if these nodes also complete the task, would go to waste. In this case, 50% of the computational power contributed to the network is wasted.
The percentage of wasted computational power would proportionally decrease if the mining difficulty were higher, as it would statistically take longer for miners to complete the task. In other words, if the mining difficulty, and therefore targeted block time is low, miners with powerful and often centralized mining facilities would get a higher chance of becoming the block producer, while the participation of weaker miners would become in vain. This introduces possible centralization and weakens the overall security of the network.
However, given a limited amount of transactions that can be stored in a block, making the block time too long would decrease the number of transactions the network can process per second, negatively affecting network scalability.

3. Bitcoin’s additional features

Segregated Witness (SegWit)

Segregated Witness, often abbreviated as SegWit, is a protocol upgrade proposal that went live in August 2017.
SegWit separates witness signatures from transaction-related data. Witness signatures in legacy Bitcoin blocks often take more than 50% of the block size. By removing witness signatures from the transaction block, this protocol upgrade effectively increases the number of transactions that can be stored in a single block, enabling the network to handle more transactions per second. As a result, SegWit increases the scalability of Nakamoto consensus-based blockchain networks like Bitcoin and Litecoin.
SegWit also makes transactions cheaper. Since transaction fees are derived from how much data is being processed by the block producer, the more transactions that can be stored in a 1MB block, the cheaper individual transactions become.
https://preview.redd.it/depya70mf3151.png?width=1601&format=png&auto=webp&s=a6499aa2131fbf347f8ffd812930b2f7d66be48e
The legacy Bitcoin block has a block size limit of 1 megabyte, and any change on the block size would require a network hard-fork. On August 1st 2017, the first hard-fork occurred, leading to the creation of Bitcoin Cash (“BCH”), which introduced an 8 megabyte block size limit.
Conversely, Segregated Witness was a soft-fork: it never changed the transaction block size limit of the network. Instead, it added an extended block with an upper limit of 3 megabytes, which contains solely witness signatures, to the 1 megabyte block that contains only transaction data. This new block type can be processed even by nodes that have not completed the SegWit protocol upgrade.
Furthermore, the separation of witness signatures from transaction data solves the malleability issue with the original Bitcoin protocol. Without Segregated Witness, these signatures could be altered before the block is validated by miners. Indeed, alterations can be done in such a way that if the system does a mathematical check, the signature would still be valid. However, since the values in the signature are changed, the two signatures would create vastly different hash values.
For instance, if a witness signature states “6,” it has a mathematical value of 6, and would create a hash value of 12345. However, if the witness signature were changed to “06”, it would maintain a mathematical value of 6 while creating a (faulty) hash value of 67890.
Since the mathematical values are the same, the altered signature remains a valid signature. This would create a bookkeeping issue, as transactions in Nakamoto consensus-based blockchain networks are documented with these hash values, or transaction IDs. Effectively, one can alter a transaction ID to a new one, and the new ID can still be valid.
This can create many issues, as illustrated in the below example:
  1. Alice sends Bob 1 BTC, and Bob sends Merchant Carol this 1 BTC for some goods.
  2. Bob sends Carol this 1 BTC, while the transaction from Alice to Bob is not yet validated. Carol sees this incoming transaction of 1 BTC to him, and immediately ships goods to Bob.
  3. At the moment, the transaction from Alice to Bob is still not confirmed by the network, and Bob can change the witness signature, therefore changing this transaction ID from 12345 to 67890.
  4. Now Carol will not receive his 1 BTC, as the network looks for transaction 12345 to ensure that Bob’s wallet balance is valid.
  5. As this particular transaction ID changed from 12345 to 67890, the transaction from Bob to Carol will fail, and Bob will get his goods while still holding his BTC.
With the Segregated Witness upgrade, such instances cannot happen again. This is because the witness signatures are moved outside of the transaction block into an extended block, and altering the witness signature won’t affect the transaction ID.
Since the transaction malleability issue is fixed, Segregated Witness also enables the proper functioning of second-layer scalability solutions on the Bitcoin protocol, such as the Lightning Network.

Lightning Network

Lightning Network is a second-layer micropayment solution for scalability.
Specifically, Lightning Network aims to enable near-instant and low-cost payments between merchants and customers that wish to use bitcoins.
Lightning Network was conceptualized in a whitepaper by Joseph Poon and Thaddeus Dryja in 2015. Since then, it has been implemented by multiple companies. The most prominent of them include Blockstream, Lightning Labs, and ACINQ.
A list of curated resources relevant to Lightning Network can be found here.
In the Lightning Network, if a customer wishes to transact with a merchant, both of them need to open a payment channel, which operates off the Bitcoin blockchain (i.e., off-chain vs. on-chain). None of the transaction details from this payment channel are recorded on the blockchain, and only when the channel is closed will the end result of both parties’ wallet balances be updated to the blockchain. The blockchain only serves as a settlement layer for Lightning transactions.
Since all transactions done via the payment channel are conducted independently of the Nakamoto consensus, both parties involved in transactions do not need to wait for network confirmation on transactions. Instead, transacting parties would pay transaction fees to Bitcoin miners only when they decide to close the channel.
https://preview.redd.it/cy56icarf3151.png?width=1601&format=png&auto=webp&s=b239a63c6a87ec6cc1b18ce2cbd0355f8831c3a8
One limitation to the Lightning Network is that it requires a person to be online to receive transactions attributing towards him. Another limitation in user experience could be that one needs to lock up some funds every time he wishes to open a payment channel, and is only able to use that fund within the channel.
However, this does not mean he needs to create new channels every time he wishes to transact with a different person on the Lightning Network. If Alice wants to send money to Carol, but they do not have a payment channel open, they can ask Bob, who has payment channels open to both Alice and Carol, to help make that transaction. Alice will be able to send funds to Bob, and Bob to Carol. Hence, the number of “payment hubs” (i.e., Bob in the previous example) correlates with both the convenience and the usability of the Lightning Network for real-world applications.

Schnorr Signature upgrade proposal

Elliptic Curve Digital Signature Algorithm (“ECDSA”) signatures are used to sign transactions on the Bitcoin blockchain.
https://preview.redd.it/hjeqe4l7g3151.png?width=1601&format=png&auto=webp&s=8014fb08fe62ac4d91645499bc0c7e1c04c5d7c4
However, many developers now advocate for replacing ECDSA with Schnorr Signature. Once Schnorr Signatures are implemented, multiple parties can collaborate in producing a signature that is valid for the sum of their public keys.
This would primarily be beneficial for network scalability. If multiple addresses were to conduct transactions to a single address, each transaction would require its own signature. With Schnorr Signatures, all these signatures would be combined into one. As a result, the network would be able to store more transactions in a single block.
https://preview.redd.it/axg3wayag3151.png?width=1601&format=png&auto=webp&s=93d958fa6b0e623caa82ca71fe457b4daa88c71e
The reduced size in signatures implies a reduced cost on transaction fees. The group of senders can split the transaction fees for that one group signature, instead of paying for one personal signature individually.
Schnorr Signature also improves network privacy and token fungibility. A third-party observer will not be able to detect if a user is sending a multi-signature transaction, since the signature will be in the same format as a single-signature transaction.

4. Economics and supply distribution

The Bitcoin protocol utilizes the Nakamoto consensus, and nodes validate blocks via Proof-of-Work mining. The bitcoin token was not pre-mined, and has a maximum supply of 21 million. The initial reward for a block was 50 BTC per block. Block mining rewards halve every 210,000 blocks. Since the average time for block production on the blockchain is 10 minutes, it implies that the block reward halving events will approximately take place every 4 years.
As of May 12th 2020, the block mining rewards are 6.25 BTC per block. Transaction fees also represent a minor revenue stream for miners.
submitted by D-platform to u/D-platform [link] [comments]
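The block production, Merkle root, and difficulty adjustment passages above, as one added worked example (my code, not the post's or Bitcoin Core's): a Bitcoin-style Merkle root (double SHA-256, last hash duplicated when a level has an odd count), the 80-byte header layout, a proof-of-work search against a target, and the retarget rule. The retarget function implements Bitcoin's actual rule, which the post only summarizes: the new target is scaled by how long the previous 2016 blocks took relative to two weeks, with the ratio clamped to a factor of four, and capped at the maximum target. The transaction ids and the tiny demo target are constructed for the example; the `bits` field is left at zero rather than computing its compact encoding.

```python
import hashlib
import struct

TARGET_TIMESPAN = 14 * 24 * 60 * 60  # 2016 blocks at 10 minutes each, in seconds
MAX_TARGET = 0x00000000FFFF0000000000000000000000000000000000000000000000000000  # difficulty 1

def dsha256(data):
    """Bitcoin's hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def merkle_root(txids):
    """Merkle root over raw 32-byte txids, pairing hashes level by level until one remains."""
    if not txids:
        raise ValueError("a block needs at least the coinbase transaction")
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])  # odd count: the last hash is paired with itself
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def retarget(old_target, actual_timespan):
    """Scale the target by (time the last 2016 blocks took / two weeks), clamped to [1/4, 4]."""
    actual_timespan = max(TARGET_TIMESPAN // 4, min(TARGET_TIMESPAN * 4, actual_timespan))
    return min(MAX_TARGET, old_target * actual_timespan // TARGET_TIMESPAN)

def difficulty(target):
    """Difficulty is how many times harder than the maximum target this target is."""
    return MAX_TARGET / target

def block_header(prev_hash, root, timestamp, bits, nonce):
    """80-byte header: version, previous header hash, Merkle root, time, bits, nonce (little-endian)."""
    return struct.pack("<I", 1) + prev_hash + root + struct.pack("<III", timestamp, bits, nonce)

def header_meets_target(header, target):
    """PoW check a node performs: the header hash, read as a little-endian integer, is below target."""
    return int.from_bytes(dsha256(header), "little") < target

def mine(prev_hash, root, timestamp, target, max_nonce=1 << 32):
    """The computationally heavy task: try nonces until the header hash is below the target."""
    for nonce in range(max_nonce):
        header = block_header(prev_hash, root, timestamp, 0, nonce)
        if header_meets_target(header, target):
            return nonce, dsha256(header)
    return None  # in practice the miner would then change the timestamp or the coinbase

if __name__ == "__main__":
    txids = [dsha256(b"constructed tx %d" % i) for i in range(3)]  # constructed sample
    root = merkle_root(txids)
    demo_target = 1 << (256 - 12)  # about 4096 hashes on average; mainnet is ~2^70 times harder
    nonce, block_hash = mine(b"\x00" * 32, root, 1_600_000_000, demo_target)
    print("merkle root", root.hex())
    print("nonce", nonce, "hash", block_hash.hex())
    print("blocks twice as fast -> difficulty x", MAX_TARGET / retarget(MAX_TARGET, TARGET_TIMESPAN // 2))
```

Two properties worth noticing from the code: a node validates a block with one hash and an integer comparison, so the asymmetry between producing and checking proof of work is total; and the clamp in `retarget` bounds how far a single adjustment can move, which limits how much a sudden hashrate swing can distort the block time in one period.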
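The malleability story in the SegWit section (the “6” versus “06” signature and the Alice, Bob, Carol sequence), as an added example that is not part of the post: a toy transaction serialization in which the signature is hashed into the txid the legacy way versus excluded from it the SegWit way, plus the merchant-side check that breaks in the first case and survives in the second. The serialization format and the sample inputs and outputs are constructed for the illustration and are not Bitcoin's real wire format.

```python
import hashlib

def dsha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def tx_body(inputs, outputs):
    """Constructed toy serialization of the non-witness part of a transaction."""
    return b"in:" + b",".join(inputs) + b";out:" + b",".join(outputs)

def legacy_txid(inputs, outputs, signature):
    """Pre-SegWit: the signature bytes are part of the data hashed into the transaction id."""
    return dsha256(tx_body(inputs, outputs) + b";sig:" + signature).hex()

def segwit_txid(inputs, outputs, signature):
    """SegWit: the txid covers only the non-witness data, so re-encoding the signature cannot change it."""
    return dsha256(tx_body(inputs, outputs)).hex()

def wtxid(inputs, outputs, signature):
    """The witness is still committed to, but under a separate identifier."""
    return dsha256(tx_body(inputs, outputs) + b";wit:" + signature).hex()

def same_signature_value(sig_a, sig_b):
    """The post's toy signatures '6' and '06' encode the same number, so both pass the check."""
    return int(sig_a) == int(sig_b)

def payment_still_tracked(txid_fn, inputs, outputs, announced_sig, confirmed_sig):
    """Carol records the id she was shown; the chain later confirms a re-encoded copy of the same tx."""
    return txid_fn(inputs, outputs, announced_sig) == txid_fn(inputs, outputs, confirmed_sig)

INPUTS = [b"alice->bob:1BTC"]   # constructed sample
OUTPUTS = [b"bob->carol:1BTC"]

if __name__ == "__main__":
    for name, fn in (("legacy", legacy_txid), ("segwit", segwit_txid)):
        print(name, "id stable under re-encoding:", payment_still_tracked(fn, INPUTS, OUTPUTS, b"6", b"06"))
```

The defensive lesson is the one the post draws: any system (a merchant's bookkeeping, a payment channel) that keys its state on a transaction id must use an id that excludes data a counterparty can re-encode without invalidating the transaction.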

Part 5. I'm writing a series about blockchain tech and possible future security risks. This is the fifth part of the series talking about an advanced vulnerability of BTC.

The previous parts will give you useful basic blockchain knowledge and insights on quantum resistance vs blockchain that are not explained in this part.
Part 1, what makes blockchain reliable?
Part 2, The mathematical concepts Hashing and Public key cryptography.
Part 3, Quantum resistant blockchain vs Quantum computing.
Part 4A, The advantages of quantum resistance from genesis block, A
Part 4B, The advantages of quantum resistance from genesis block, A

Why BTC is vulnerable to quantum attacks sooner than you would think.
Content:
The BTC misconception: “Original public keys are not visible until you make a transaction, so BTC is quantum resistant.”
Already exposed public keys.
Hijacking transactions.
Hijacks during blocktime
Hijacks pre-blocktime.
MITM attacks

- Why BTC is vulnerable to quantum attacks sooner than you would think. -

Blockchain transactions are secured by public-private key cryptography. The keypairs used today will be at risk when quantum computers reach a certain critical level: quantum computers can, at a certain point of development, derive private keys from public keys. See part 3 for more sourced info on this subject. So if a public key can be obtained by an attacker, he can then use a quantum computer to find the private key. And as he has both the public key and the private key, he can control and send the funds to an address he owns.
Just to make sure there will be no misconceptions: when public-private key cryptography such as ECDSA and RSA can be broken by a quantum computer, this will be an issue for all blockchains that don't use quantum resistant cryptography. The reason this article is about BTC is because I take this paper as a reference point: https://arxiv.org/pdf/1710.10377.pdf Here they calculate an estimate of when BTC will be at risk while taking the BTC blocktime as the window of opportunity.
The BTC misconception: “Original public keys are not visible until you make a transaction, so BTC is quantum resistant.”
In pretty much every discussion I've read and had on the subject, I notice that people are under the impression that BTC is quantum resistant as long as you use your address only once. BTC uses a hashed version of the public key as a send-to address. So in theory, all funds are registered on the chain on hashed public keys instead of to the full, original public keys, which means that the original public key is (again in theory) not public. Even a quantum computer can't derive the original public key from a hashed public key, therefore there is no risk that a quantum computer can derive the private key from the public key. If you make a transaction, however, the public key of the address you sent your funds from will be registered in full form in the blockchain. So if you were to only send part of your funds, leaving the rest on the old address, your remaining funds would be on a published public key, and therefore vulnerable to quantum attacks. So the workaround would be to transfer the remaining funds, within the same transaction, to a new address. In that way, your funds would be once again registered on the blockchain on a hashed public key instead of a full, original public key.
If you feel lost already because you are not very familiar with the tech behind blockchain, I will try to explain the above in a more familiar way:
You control your funds through your public-private key pair. Your funds are registered on your public key. And you can create transactions, which you need to sign to be valid. You can only create a signature if you have your private key. See it as your e-mail address (public key) and your password (private key). Many people have your email address, but only you have your password. So the analogy is that if you have your address and your password, then you can access your mail and send emails (transactions). If the right quantum computer were available, people could use that to calculate your password (private key), if they have your email address (public key).
Now, BTC doesn’t show your full public key anywhere until you make a transaction, and that sounds pretty safe. It means that your public key is private until you make a transaction. The only thing related to your public key that is public is the hash of your public key. Here is a short explanation of what a hash is: a hash is an outcome of an equation. Usually one-way hash functions are used, where you can not derive the original input from the output; but every time you use the same hash function on the same original input (for example IFUHE8392ISHF), you will always get the same output (for example G). That way you can have your coins on public key "IFUHE8392ISHF", while on the chain, they are registered on "G".
So your funds are registered on the blockchain on the "Hash" of the public key. The Hash of the public key is also your "email address" in this case. So you give "G" as your address to send BTC to.
As said before: since it is, even for a quantum computer, impossible to derive a public key from the Hash of a public key, your coins are safe for quantum computers as long as the public key is only registered in hashed form. The obvious safe method would be, never to reuse an address, and always make sure that when you make a payment, you send your remaining funds to a fresh new address. (There are wallets that can do this for you.) In theory, this would make BTC quantum resistant, if used correctly. This, however, is not as simple as it seems. Even though the above is correct, there is a way to get to your funds.
Already exposed public keys.
But before we get to that, there is another point that is often overlooked: not only is the security of your personal BTC important, but also the security of funds of other users. If others got hacked, the news of the hack itself and the reaction of the market to that news would influence the market price. Or, if a big account like the Satoshi account were to be hacked and dumped, the dump itself, combined with the news of the hack, could be even worse. An individual does not have control of other people’s actions. So even though one might make sure his public key is only registered in hashed form, others might not do so, or might not know their public key is exposed. There are several reasons why a substantial amount of addresses actually have exposed full public keys:
In total, about 36% of all BTC are on addresses with exposed public keys, of which about 20% is on lost addresses.
Hijacking transactions.
But even if you consider the above an acceptable risk, just because you yourself will make sure you never reuse an address, then still, the fact that only the hashed public key is published until you make a transaction is a false sense of security. It only works, if you never make a transaction. Why? Public keys are revealed while making a transaction, so transactions can be hijacked while being made.
Here it is important to understand two things:
1.) How is a transaction sent?
The owner has the private key and the public key and uses that to log into the secured environment, the wallet. This can be online or offline. Once he is in his wallet, he states how much he wants to send and to what address.
When he sends the transaction, it will be broadcasted to the blockchain network. But before the actual transaction will be sent, it is formed into a package, created by the wallet. This happens out of sight of the sender.
That package ends up carrying roughly the following info: the public key to point to the address where the funds will be coming from, the amount that will be transferred, the address the funds will be transferred to (depending on the blockchain this could be the hashed public key, or the original public key of the address the funds will be transferred to). This package also carries the most important thing: a signature, created by the wallet, derived from the private- public key combination. This signature proves to the miners that you are the rightful owner and you can send funds from that public key.
Then this package is sent out of the secure wallet environment to multiple nodes. The nodes don’t need to trust the sender or establish the sender’s "identity", because the sender proves he is the rightful owner by adding the signature that corresponds with the public key. And because the transaction is signed and contains no confidential information, private keys, or credentials, it can be publicly broadcast using any underlying network transport that is convenient. As long as the transaction can reach a node that will propagate it into the network, it doesn’t matter how it is transported to the first node.
2.) How is a transaction confirmed/ fulfilled and registered on the blockchain?
After the transaction is sent to the network, it is ready to be processed. The nodes have a bundle of transactions to verify and register on the next block. This is done during a period called the block time. In the case of BTC that is 10 minutes.
If we process the information written above, we will see that there are two moments where you can actually see the public key, while the transaction is not fulfilled and registered on the blockchain yet.
1: during the time the transaction is sent from the sender to the nodes
2: during the time the nodes verify the transaction. (The blocktime)
Hijacks during blocktime
This paper describes how you could hijack a transaction and make a new transaction of your own, using someone else’s address and send his coins to an address you own during moment 2: the time the nodes verify the transaction:
https://arxiv.org/pdf/1710.10377.pdf
"(Unprocessed transactions) After a transaction has been broadcast to the network, but before it is placed on the blockchain it is at risk from a quantum attack. If the secret key can be derived from the broadcast public key before the transaction is placed on the blockchain, then an attacker could use this secret key to broadcast a new transaction from the same address to his own address. If the attacker then ensures that this new transaction is placed on the blockchain first, then he can effectively steal all the bitcoin behind the original address." (Page 8, point 3.)
So this means that BTC obviously is not a quantum secure blockchain. Because as soon as you will touch your funds and use them for payment, or send them to another address, you will have to make a transaction and you risk a quantum attack.
Hijacks pre-blocktime.
The story doesn't end here. The paper doesn't describe the possibility of a pre-blocktime hijack.
So back to the paper: as explained, while making a transaction your public key is exposed for at least the transaction time. This transaction time is 10 minutes, during which your transaction is being confirmed in the 10 minute block time. That is the period where your public key is visible and where, as described in the paper, a transaction can be hijacked, and by using quantum computers, a forged transaction can be made. So the critical point is determined to be the moment where quantum computers can derive private keys from public keys within 10 minutes. Based on that 10 minute period, they calculate (estimate) how long it will take before QC's start forming a threat to BTC. (“By our most optimistic estimates, as early as 2027 a quantum computer could exist that can break the elliptic curve signature scheme in less than 10 minutes, the block time used in Bitcoin.“ This is also shown in figure 4 on page 10 and later calculated more in depth in appendix C, where the pessimistic estimate is around 2037.) But you could extend that 10 minutes through network based attacks like DDoS, BGP routing attacks, NSA Quantum Insert, Eclipse attacks, MITM attacks or anything like that. (And I don’t mean you extend the block time by using a network based attack, but you extend the time you have access to the public key before the transaction is confirmed.) Bitcoin would be at risk earlier than calculated in this paper.
Also other Blockchains with way shorter block times imagine themselves safe for a longer period than BTC, but with this extension of the timeframe within which you can derive the private key, they too will be vulnerable way sooner.
Not so long ago an eclipse attack demonstrated it could have done the trick. Causing the blockchain to work over max capacity means the transactions will be waiting to be added to a block for a longer time. This time needs to be added to the blocktime, expanding the period one would have to derive the private key from the public key.
That seems to be fixed now, but it shows there are always new attacks possible and when the incentive is right (Like a few billion $ kind of right) these could be specifically designed for certain blockchains.
MITM attacks
An MITM attack could find the public key in the first moment the public key is exposed (during the time the transaction is sent from the sender to the nodes). So these transactions that are sent to the network contain public keys that you could intercept. So that means that if you intercept transactions (and with that the private keys) and simultaneously delay their arrival to the blockchain network, you create extra time to derive the private key from the public key using a quantum computer. When you have done that, you send a transaction of your own before the original transaction has arrived and is confirmed, and send funds from that stolen address to an address of your choosing. The result would be that you have an extra 10, 20, 30 minutes (or however long you can delay the original transactions) to derive the public key. This can be done without ever needing to mess with a blockchain network, because the attack happens outside the network. Therefore, slower quantum computers form a threat. Meaning that earlier models of quantum computers can form a threat sooner than they assume now.
When MITM attacks and hijacking transactions form a threat to BTC, other blockchains will be vulnerable to the same attacks, especially MITM attacks. There are ways to prevent hijacking after arrival at the nodes. I will elaborate on that in the next article. At this point in time, the pub key would be useless to an attacker due to the fact that there is no quantum computer available now. Once a quantum computer of the right size is available, it becomes a problem. For quantum resistant blockchains this is different. MITM attacks and hijacking are useless against quantum resistant blockchains like QRL and Mochimo because these projects use quantum resistant keys.
submitted by QRCollector to CryptoTechnology [link] [comments]

Utopia, 1984 Group, bad PR, 1984 Group and [NetStalkers] media garbage

So that you understand immediately when reading my post: I do not want to throw mud at the program or the team of 1984. I just want to explain to everyone that you need to look for advantages in everything and bring the matter to a logical conclusion. And the most important thing is to be committed to your work. And if you choose any product, you must be faithful to it to the end. Be the captains who stay with the ship to the end, not the rats running from it.

Hello
In today's post, I would like to tell an interesting story about how there is really worthwhile software in the world, what bad marketing is, and how bad it is to turn to the wrong media personalities. Of course, most people know about this. But I think this should be shown publicly; maybe it will be useful for many in the future.

But every cloud has a silver lining. In any case, I think this will be a good stress test for the network. So I can say that even a bad PR campaign gives a good result.

Let's start from the very beginning, namely from the Utopia software and the 1984 Group. Of course, little is known about them; more precisely, practically nothing is known. But there is some brief information about them. All of it is, of course, taken only from the official beta portal and the Hackology blog.
About Utopia ecosystem
Utopia – Anti 1984 Ecosystem
Utopia is a decentralized peer-to-peer network. With Utopia you can send instant text and voice messages, transfer files, create group chats and channels, send emails and conduct private discussions. Currently Utopia is an application for Windows, iOS and Linux which offers all the features within one application. Utopia users get their own ‘Utopia ecosystem‘, as the application also provides a built-in Idyll browser to view websites within the Utopia peer-to-peer network. Utopia comes with a cryptocurrency called ‘Crypton‘ which is Proof-of-Stake. uWallet allows you to store and transfer your Crypton (CRP) or even create vouchers and credit cards. The Utopia Network includes the Utopia Name System (UNS), a decentralized registry of names that is impossible to expropriate, freeze or corrupt by a 3rd party, as no one has control over the system; rather it is self-governed by rules set in place which are applicable to everyone.

Register yourself as a Beta Tester, Contributor or a Promoter. Each category gets to enjoy the ecosystem while the rewards vary (reward system will be explained shortly).
The Utopia ecosystem is the culmination of a multi-year effort by a group of technology enthusiasts dedicated to freedom of self-expression and privacy. We call ourselves the 1984 Group. Among us there are top-notch professionals in almost every IT field, such as cryptographic, software and networking engineers and many more. This has been a long and challenging journey. After all, this had never been done before! Finally, we present an ecosystem that will change the way the World communicates and handles financial transactions. Utopia brief taken from their official website. Mentioning ‘financial transactions’ makes one wonder, since Bitcoin was also disrupting the conventional financial system.
Let's explore Utopia and all its features in detail. Please note that, as this is a beta application, many of the features might change in future or some may even get removed.
Utopia Encryption
Each user participates in transmission of network data but only the recipient can decrypt the data. Advanced encryption ensures interception-proof communication channel to all Utopia users. All communication is secure and protected by Curve25519 high-speed elliptic curve cryptography while local storage is encrypted by 256-bit AES. Big Brother is no longer watching you!
Installing Utopia
Once you register on the Beta Portal you have to download the Utopia Application. After installing the application you will be given a Hardware ID and a Private Key; these keys are required to activate your beta license, which can be done from the Activation Page. Please keep in mind that your beta portal website login credentials are not linked with the Utopia Application and you can have a different username for the app and the website. Once you activate the license your Utopia account will be tied to your beta portal account. A step by step procedure for easy understanding of the activation procedure:
  1. Register at Utopia Beta Portal
  2. Download Utopia software
  3. Install the program by following the simple instructions in the installation wizard
  4. Run Utopia and create your account. You will be provided with a Public Key and a Hardware ID. Those are needed to activate your Utopia software
  5. Login to your account
  6. Click on JOIN BETA
  7. Agree to the Rules and click SUBMIT
  8. Click on NEW ACTIVATION and enter the Public Key and Hardware ID
  9. Click ADD
  10. Now your Utopia is activated and you are ready to test it

Utopia Dashboard
Utopia is a feature-rich platform that is specifically designed to protect privacy of communication, confidentiality and security of personal data. It was created for a privacy-conscious public who believe that privacy is paramount. Utopia is a decentralized network, with no central server involved in data transmission or storage. The network is supported by the people who use its many high quality features.

The first glimpse we get of the application is at the Dashboard which has navigational menu for easy access to all of its many features for us to explore, use and report bugs while it is in beta testing phase.

uMail (Utopia Mail)
uMail is a secure alternative to classic e-mail. For now, uMail can be sent to Utopia users that are in your contact list. uMail has all the functionality of email, localized to the Utopia ecosystem. No servers are used for mail transmission or storage. A uMail account, which is created by default when you join the Utopia network, enables unlimited messaging and attachment storage. Utopia ecosystem encryption guarantees the security of mail transmission and storage. Your uMail, as an internal part of Utopia, cannot be blocked or seized.


All those who value their data privacy would find this useful including activists and journalists knowing that their data is going straight to the designated user and no 3rd party can intercept their data. Currently the limit set for the attachments is 100 MB but as per the team it may be increased in future.

uWallet (Utopia Wallet)
All financial functionality can be found in Utopia built-in uWallet. uWallet allows you to make and accept payments denominated in Utopia cryptocurrency ‘Crypton‘, accept payments at your website, pay by Crypto Cards without revealing your Identity or bill fellow Utopia users for your services. With uWallet you can store value in Cryptons, receive mining rewards, use uVouchers, request payments and accept payments using the built-in API.


Utopia Mining – Crypton
Utopia has an inbuilt cryptocurrency called Crypton (CRP), which is proof-of-stake therefore a modest machine can also be used to mine cryptons through the GUI based Utopia application or with terminal based Mining bot which comes with the application.


Utopia rewards users that support the ecosystem through Mining by emission of new Cryptons. When you run your Utopia software or bot you will receive your share of collective reward. Mining does not slow your computer down and is environmentally friendly. You may also run a number of bots at several servers or computers to multiply the Crypton mining speed.


uNS (Utopia Naming System)
Utopia has introduced uNS (Utopia Naming System), which is a unique naming system independent from the conventional Domain Name System. DNS is subject to pressure and censorship from less than perfect international laws. Domains can be revoked or suspended for multiple reasons, such as non-response to a WHOIS inquiry or other registrar policies, non-payment, government actions and so on.
uNS, in contrast, is a truly decentralized non-censored registry hosted by Utopia Network participants with no expiration dates, renewal fees, suspensions and revocations. There is only one rule: First come, First served.


A uNS registered name must be unique. You may register as many uNS names as you want, but registration is not free and costs are paid in Crypton:
Single letter uNS costs 1000 CRP
Two letter uNS costs 500 CRP
Three letter uNS costs 5 CRP
Four letter or more costs 0.1 CRP

Miscellaneous Features
Making groups, adding users, chatting and emailing, sending mails and mining Cryptons might be the highlights, but Utopia claims to be an ecosystem, therefore they had to incorporate many more features so that users of the Utopia ecosystem do not feel the need to go outside the system. Other useful features within the Utopia Application are listed below.
Packet Forwarding : uNS Manager lists the option ‘Packet Forwarding’, which is an internal system allowing any Utopia user to host a website which can be accessed by the Idyll browser. The naming system of the website is explained above: if you register the hackology uNS you can make a website and it will open when you visit http://hackology/, and that is it. This option allows tunnelling any kind of data between users in the ecosystem, making it possible to host different types of resources, including websites, inside the Utopia Network. At the time of writing, a few fellow Utopia users have made Utopia sites which can be accessed at http://trade/ and at http://crystalforest


File Manager : All files which are sent or received in Utopia can be accessed from the built-in file manager, which also includes an image viewer. As of now the file transfers are limited to 100MB.
Voice Notes : Utopia also supports sending and receiving of Voice messages which you can send to those who are added with you.
Dark Theme : The program comes in a standard theme, but how could they miss out on a Dark Theme for the privacy savvy? Users can opt for the dark theme by going to Tools > Settings > Interface and selecting the ‘Dark Space‘ theme
Utopia API : Utopia comes with a comprehensive API for users to incorporate in their own projects. For instance, using API you can accept payments denominated in Crypton at your website, automatically manage your channels, send instant messages and much more. To get started once you enable the API you can also access the API documentation.
Network Fee Structure : Utopia provides us with an option to view all the network enforced fees, and they are updated live on the network as the fee structure changes, so one can stay up to date with the current fee structure. You can access the Network Fee from uWallet > Treasury Data > Network Fee

Game : Utopia also supports in-app games which can be played in multiplayer, as of writing there is a working Chess game.


You can find more about Utopia on Hackology Blog.

Well, now I want to say personally my opinion after using Utopia.

It is very difficult to judge a product at the beta test stage, but at the moment I can highlight both the pros and cons of both the program and the team that develops it. I want to note that this is my subjective opinion and you may or may not share it. So, let's begin:

Advantages:
  1. In principle, everything is really anonymous, as far as can be judged from actually using this software.
  2. Non-indexable channels (if you make a channel private and hide it from search); at least we tested this inside the ecosystem. Finding one even by keywords is not realistic.
  3. Non-indexable pages that you create. If you do not have a direct link, finding a site even in the global search is not possible.
  4. Easy mining of Crypton. Even the weakest computers are not loaded; very comfortable.
  5. A convenient system for keeping user information anonymous (without an exchange of public keys, even the avatar will not show).
  6. An easy-to-learn interface that arrived to us from 2004 (old school will understand and appreciate).
  7. In fact, it resembles a decentralized Internet and may well become one with proper development.
  8. Inside the ecosystem there are no labels or notions of who is who, which simplifies interaction within it.
  9. Intervention from outside is at least very difficult; the methods known to us that we tried failed.
  10. Indeed similar to a decentralized ecosystem.
  11. The team fixes problems quickly.
  12. Availability of detailed and collapsible instructions for all APIs within the ecosystem.

There are many advantages, and if I listed everything the post would be unrealistically large; therefore I have identified the main ones, and everyone must decide for himself after use what he liked.

And now about the shortcomings; they are more likely related to common problems than specifically to the software or the team:

  1. Many functions that you will have to master by yourself; almost zero guides
  2. The reaction of the team to problems via support leaves much to be desired
  3. The presence of bugs (not critical at all, just unpleasant, both visually and in use)
  4. Not the right choice of PR company to promote the software
  5. The team is known for development but is not good friends with product promotion.
  6. Localization: so far only English (well, this is a lesser problem)
  7. Absence of familiar functions (for example, attached videos and the like)
  8. All traffic from the site, even if you put it on a VPS, goes through you, and in fact this negates anonymity. Why is this a disadvantage? Not every VPS will agree to let you run Utopia, because the software scans ports, which is forbidden without identification on most VPS providers. This is a problem. If you put it on a VPS, of course, the trail will not lead to you, but if Utopia is on your machine and the site is on the VPS, all site traffic will go through your public IP, which does not promise any anonymity.

While these are the most serious problems of Utopia, there may be more petty ones, but they are really not significant.


And now let's talk about NetStalkers, and here they are, because they are in the title.

The fact is that the 1984 Group bought advertising from this media team. I’ll say right away that I have nothing against the truly existing NetStalkers movement; this now concerns only the YouTube media community. So, having bought advertising from this wretched, deceitful and hypocritical community, Utopia had problems, because lovers of free mining, children and inadequate people from all over the CIS, whose usefulness was even zero, rushed into the software; moreover, all this garbage brought the system to its knees because of spam, a huge amount of spam for which the 1984 Group was not ready. This was actually a terrible move.

Our small team very much hopes that this team can still draw conclusions from this, since it was only we who worked to select the most adequate and interested contingent for this software from the CIS, and we hope that in the future we will continue to cooperate with them.

If you like this post, I will continue to cover similar topics and develop these areas; perhaps I will write guides on Utopia and support this direction.

At the moment, because of the bad PR campaign from the media slag community, they no longer approve traffic from the CIS; however, it’s even embarrassing to say that it’s from the CIS, because such behaviour by our community leaves much to be desired and even shows us, adequate people, in an extremely bad light.


MrHarr1son was with you. I was glad you gave it a try. If you have comments or want to add something, write. I will be glad to discuss.
Our Telegram channels:
https://t.me/utopianews
https://t.me/hiddenthems
https://t.me/antinetstalkers (new channel created to fight the garbage media community)
Link to beta portal https://beta.u.is/
submitted by MrHarr1son to u/MrHarr1son [link] [comments]

What's the f*****ng benefit of the reactivated OP_Codes?

Nobody explained what we can do with the soon to be reactivated OP_Codes for Bitcoin Cash, and nobody explained why we need them. It's a fact that there are risks associated with them, and there is no sufficient testing of these risks by independent developers, nor is there a sufficient explanation why they carry no risk. BitcoinABC developers, explain yourselves, please.
Edit: Instead of calling me a troll, please answer the question. If not, ask someone else.
Edit Edit: tomtomtom7 provided a refreshing answer to the question:
https://www.reddit.com/btc/comments/7z3ly4/to_the_people_who_thing_we_urgently_need_to_add/dulkmnf/
The OP_Codes were disabled because bugs were found, and worry existed that more bugs could exist.
They are now being re-enabled with these bugs fixed, with sufficient test cases and they will be put through thorough review.
These are missing pieces in the language for which various use cases have been proposed over the years.
The reason to include these, is because all developers from various implementations have agreed that this is a good idea. No objections are raised.
Note that this does not mean that all these OP_Codes will make it in the next hardfork. This is obviously uncertain when testing and reviewing is still being done.
This is not yet the case for OP_GROUP. Some objection and questions have been raised which takes time to discuss and time to come to agreement. IMO this is a very healthy process.
Another good comment is here
https://www.reddit.com/btc/comments/7z49at/whats_the_fng_benefit_of_the_reactivated_op_codes/dullcek/
One precise thing: Allowing more bitwise logical operators can (will) yield smaller scripts, this saves data on the blockchain, the hex code gets smaller.
Here is a detailed answer. I did not go through it to see if it is satisfying, but at least it is a very good start. Thank you silverjustice.
But further, if you want specific advantages for some of these, then I recommend you check out the below from the scaling Bitcoin conference:
opcodes are very useful; for example, with CAT you can do tree signatures even if you have a very complicated multisig design: using CAT you could reduce that size to log(n) size. It would be much more compact. Or with XOR we could do some kind of deterministic random number generator by combining secret values from different parties so that nobody could cheat. They could combine and generate a new random number. If people think-- ... we could use LEFT to make a weaker hash. These opcodes were re-enabled in the sidechain Elements project. It's a sidechain from Bitcoin Core. We can reintroduce these functions to bitcoin.
The other problem is the ... numeric operations which were disabled by Satoshi. There's another problem. Which is that the range of values accepted by script is limited and confused because the CScript.. is processed at ..... bit integers internally. But to these opcodes it's only 32 bits at most. So it's quite confusing. The other problem is that we have this.. it requires 251 encode or calculate or manipulate this number. So we need at least 52 bits. But right now it is only 32 bits. So the proposal is to expand the valid input range to 7 bytes which would allow 56 bits. And it limits the maximum size to 7 bytes so we could have the same size for inputs and outputs. For these operations, we could re-enable them within these safe limits. It would be safe for us to have these functions again.
The other problem is that we currently cannot commit to additional scripts. In the original design of bitcoin, we could have script operations inside of the signature. But the problem is that the signature is not covered by the signature itself. So any script in the scriptSig is modifiable by any third party in the network. For example, if we tried to do a CHECKSIG operation in the signature, people could simply replace it with an OP_0 and invalidate the transaction. This is a bypass of the.. signature check in the scriptSig. But actually this function is really useful, for example, we can do... delegation, people could add additional scripts to a new UTXO without first spending it. So people could do something like let's say to let their son spend their coin within a year if it is not first spent otherwise.. and also, people talk about replay protection. So we have some other new opcode like pushing the blockhash to the stack; with this function we could have replay protection to make sure the transaction is valid only in a specified blockchain.
So the proposal is that in the future the CHECKSIG should have the ability to sign additional script and to execute these scripts. And finally the other problem is that the script has limited access to different parts of the transaction. There is only one type of operation that is allowed to investigate different parts of the transaction, which is CHECKSIG and CHECKMULTISIG. But it is very limited. There are sighash limitations here... there are only 6 types of sighash. The advantage of doing this is that it's very compact and could use only one byte to indicate which component to sign. But the problem is that it's inflexible. The meaning of this sighash is set at the beginning and you can't change it. You need a new witness version to have another checksig. And the other problem is that the sighash can be complex and people might make mistakes, so Satoshi made this mistake in the sighash design such as the well-known bug in validation time and also the SIGHASH_SINGLE bug. It's not easy to prevent.
The proposal is that we might have the next generation of sighash (sighashv2) to expand to two bytes, allow it to cover different parts of the transaction and allow people to choose which components they would like to sign. This would allow more flexibility and hopefully not overly complicated. But still this is probably not enough for more flexible design.
Another proposal is OP_PUSHTXDATA which pushes the value of different components of a transaction to the stack. It's easy to implement, for example, we could just push the scriptpubkey of the second output to the stack, okay. So it is actually easier to implement. We could do something more than just... because we have sighash, we could check where something is equal to the specified value. But if we could push the value, like the value of an output to the stack, then we could use other operations like more than or less than and then we could do something like checking whether the value of output x must be at least y bitcoin, which is a fixed value.
There are some other useful functions like MAST which would allow for more compact scripts by hiding the other unexecuted branches. There's also aggregation that would allow n-of-n multisig to be reduced to a single signature and so on. In the elements project, they implemented CHECKSIGFROMSTACK where they don't check the transaction structure but instead they verify a message on the stack. So it could be some message like not bitcoin maybe, perhaps cross-chain swap, or another bitcoin UTXO. And also we might have some elliptic curve point addition and operations which are also useful in lightning network design.
Here are some related works in progress. If you are interested in this topic, I would like to encourage you to join our discussions because it's a very active topic. jl2012 bip114 MAST, maaku's MBV, luke-jr or version-1 witness program, Simplicity, etc.
so you have your script template, the amount value, and there is a block impactor because we have the sha chain which allows you to have the hashes.. we can have that errortate constant because you need the HTLC hashes, to properly revoke the prior states and if you can't do that then you can't construct the redeem script. Right now it needs a signature for every state, you need all the HTLCs, it needs the network verification state, and there's another cool thing you can do which is like trap door verification and you can include it in the transaction itself and there can be a alsue where there is some margin for it.. Which makes it powerful, and then you can make it more private with these constructs. We only have a few minutes left, we can cover this.
One further thing is that in the transformation, we have a privacy issue because we need to keep going forward, we need to have the private state, so there's a history of this in the ages in the past, the current one used replications, which was one of the cool things about lightning. We used to have deckman signatures, we had a sequence value of like 30 days, we did an update, we had to switch sides then we make it 29 then 27 etc. You can only broadcast the most recent state because otherwise the other party can transact the other transaction. If you start with 30 days then you can only do about 30 bidirectional switches. Then there was cdecker's payment channels where you have a root tree and every time you need to- you had two payment channels, you had to rebalance them and then it's on your part of the channel you can reset the channel state. You can do 30 this way, you have another tree, you can do it that way, and then there's a new version of it in the indefinite lifetime... by keeping the transaction in CSV, the drawback on that approach because you have a large validation tree, in the worst case you have 8 or 10 on the tree, and then you need for the prior state and then you do the 12 per day, and every time you have to make a state, you have to revoke the preimage from the prior state, this is cool because if they ever broadcast the entire state, each one has the clause so that you can draw the entire money in the event of a violation. There are some limitations for doing more complex verifications and you have this log(n) state that you have to deal with when you deal with that.
We're going to do the key power on the stack to limit key verifications on this main contract. This is all composable. You can do discreet log contracts. You can now check signatures on arbitrary messages. You can sign a message and then we can enforce structure on the messages themselves. Right now you need to have sequence numbers. So each state we are going to increment the sequence numbers. So you give me a sequence number on that state. On the outputs we have a commitment to the sequence number and the value r. So people on chain will know how many places we did in that itself. The cool part about this is that because we have a seq number then I have the one if it's highest enough. Then I am opening that commitment to say this is state 5 and I present to you a new signed commitment and open that as well, that's in a validation state. The cool thing is that you only need one of those m. So we have some auxiliary state, and each time I have a new state I can drop the old state. I have a signed commitment to revoke the prior state. This is a big deal because the state is much smaller. Currently we require you to fwe use a state machine on state 2, and it also has implications for verifications and watch tower
So on lightning, there's this technique itself- it's timelocks, CSV value, and if you can't react within that value then you can't go to court and enforce judgement on this attacker. So the watchtower is a requirement, you delegate the state watching to the watchtower. They know which channels you're watching. You send some initial points, like a script template. For every one you send the signature and the verification state. They can use the verification state that collapses into a log(n) tree, you can basically use state where you send half the txids, you can decrypt this in... some time.
submitted by Der_Bergmann to btc

My Intern Experience

Shreemoon Rajbhandari
During my time as an undergraduate, one of the key experiences recommended is to do an internship. Gaining work experience as an intern overseas will improve my skill set in my area of interest. Working somewhere as culturally different and economically significant as China is a talking point in any interview. There are many reasons that made me choose to do an internship in China. Definitely the best part of the experience has been living out of my comfort zone: encountering new situations and experiences that increase my self-awareness and my capabilities, and also help me discover my weaknesses.
Over the past 2 years, we have seen many digital currencies/cryptocurrencies being introduced globally. These have added the prospect of using this financial ecosystem to eventually solve social issues, for example the application of blockchain technology in areas from logistics/supply chain to food security. Eventually, there will be many more areas where blockchain and related technology developers are needed. It is emerging to change the way we solve the many roadblocks that we face.
Blockchain is considered to be one of the most trending topics. This is the right time for me to learn about the technology and start implementing it. Blockchain is a notion that can be applied directly or indirectly to any sector. Only two months prior, I had a minimal amount of knowledge about blockchain innovation, and my insight into blockchain consisted only of an obscure understanding of bitcoin and cryptocurrency in general.
During my internship, I was given research material to help build my base understanding of Loopring and the blockchain technology that it depends on. Since starting at Loopring, I have been given a significantly greater chance to learn. While my understanding of blockchain is still new, it has improved considerably since my first day at the organisation.
In this post, I would like to talk about two cryptographic methods aiming to give privacy to blockchain technology; the zk-SNARK and zk-STARK protocols are two significant examples. We will look at their advantages and disadvantages, compare the two protocols, and draw a conclusion.
ZK-SNARKS vs ZK-STARKS
Along with the countless benefits of the Internet, when we use it for social media or business purposes, privacy is at greater risk. Approximately 90 million Facebook users' information was compromised in the Cambridge Analytica data scandal. The Wall Street stated that "this is just the beginning, and the results are expected to grow". The Equifax data breach revealed information on social media channels from private users; thus, birth dates were exposed for the majority of the population. Due to the Uber hack, data from over 55 million customers was also shared and exposed.
Privacy has consistently been seen as a valuable element within the cryptocurrency community, and there is a growing focus on improving privacy within the cryptocurrency space. Bitcoin, Ethereum, Litecoin and many other cryptocurrencies are all actively searching for the most convenient approaches to increase their security. Privacy is the precondition for fungibility, which is vital for a broadly used form of money. Additionally, most crypto-asset holders do not want their transaction history to be completely public to the world. Among the different cryptographic methods aiming to give privacy to blockchain technology, the zk-SNARK and zk-STARK protocols are two of the most significant examples.
Two leading cryptocurrencies today, Monero and Zcash, strive to address privacy issues. Monero uses ring confidential signature technology. By contrast, Zcash uses zk-SNARKs (Zero-Knowledge Succinct Non-interactive Arguments of Knowledge), a technology that provides the ability to conduct anonymous transactions.
In recent years, zk-SNARKs have exploded as the most promising technology to solve blockchain privacy. The technology is derived from zero-knowledge proofs, a type of proof that anyone with a verification key can check without the underlying information being disclosed. If the statement holds, a correct proof will convince the verifier. If the statement is false, no prover can convince the verifier that it is true.
zk-SNARK stands for:
- Zero-knowledge: if the statement is true, the verifier learns nothing beyond the fact that the statement is true.
- Succinct: the proof is small enough to be verified in a few milliseconds.
- Non-interactive: only one message is sent from the prover to the verifier, so there is no back-and-forth communication between the two.
- Argument of Knowledge: a computationally sound proof. Soundness holds against a prover limited to polynomial time, i.e. bounded computing power. Also, without access to the witness (the private input needed to prove the statement), the proof cannot be constructed.
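As an added example (not from the original post, and not a SNARK itself), the following Python code implements the simplest proof system that has the four properties just listed: a Schnorr proof of knowledge of a discrete logarithm, made non-interactive with the Fiat-Shamir transform. The group parameters P, Q and G are a constructed toy group chosen for readability; a real deployment would use a 256-bit elliptic-curve group. The proof is always just two numbers, whatever the statement (succinct); the challenge is a hash of the transcript, so one message suffices (non-interactive); a wrong witness fails verification (soundness); and the simulator function shows why the proof is zero-knowledge: someone who does not know the witness can still produce transcripts distributed identically to honest ones, so the proof cannot be leaking it.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this example (a real deployment uses
# a 256-bit elliptic-curve group). P is a safe prime, Q = (P - 1) / 2 is prime,
# and G generates the subgroup of order Q.
P = 1019
Q = 509
G = 4


def keygen():
    """Return (witness x, statement y = G^x mod P)."""
    x = secrets.randbelow(Q - 1) + 1     # private: 1 <= x < Q
    y = pow(G, x, P)                     # public
    return x, y


def fiat_shamir_challenge(y, t):
    """Non-interactive: the challenge is a hash of the public transcript,
    so the prover cannot pick it after seeing its own commitment."""
    data = b"%d|%d|%d|%d" % (P, G, y, t)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_with_challenge(x, c):
    """Honest prover for the interactive (sigma) protocol with challenge c."""
    r = secrets.randbelow(Q - 1) + 1     # fresh nonce; never reuse it
    t = pow(G, r, P)                     # commitment
    s = (r + c * x) % Q                  # response
    return t, s


def verify_with_challenge(y, t, s, c):
    """Accept iff G^s == t * y^c (mod P), using only public values."""
    if not (1 <= t < P and 0 <= s < Q):
        return False
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def prove(x, y):
    """Non-interactive proof: the pair (t, s) is the whole message."""
    r = secrets.randbelow(Q - 1) + 1
    t = pow(G, r, P)
    c = fiat_shamir_challenge(y, t)
    return t, (r + c * x) % Q


def verify(y, proof):
    t, s = proof
    return verify_with_challenge(y, t, s, fiat_shamir_challenge(y, t))


def simulate(y, c):
    """Zero-knowledge: produce an accepting (t, s) for a chosen challenge c
    WITHOUT knowing x, by picking s first and solving for t."""
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(pow(y, c, P), -1, P)) % P
    return t, s
```

The simulator only works because it chooses the challenge before the commitment; an honest verifier (or the hash in the non-interactive version) fixes the challenge after the commitment, which is exactly what keeps a prover without the witness from cheating.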
zk-SNARKs aim to provide fast, scalable solutions for financial privacy. When zk-SNARKs are applied to a cryptocurrency, they allow most of the transaction data to be concealed: the sender address, the receiver address and the transaction amount. zk-SNARKs hide this information while still allowing the network to confirm and verify the transactions, so privacy is increased while consensus is maintained. In the realm of blockchain, it is one of the most advanced blockchain-level privacy technologies in use.
With the launch of version 3.0 in early May, Loopring's decentralised protocol solution struck a noteworthy milestone, adding off-chain scaling and fee optimisation using zk-SNARKs. Low fees, liquidity, transparency and security are the key goals of the Loopring solution. Loopring says the new zk-SNARK-based Loopring 3.0 will increase trade speeds and on-chain activity efficiency tenfold. Data that was previously stored on-chain is, in Loopring 3.0, stored off-chain in a Merkle tree and then used as required in zk-SNARKs that update the tree.
Be that as it may, there are a few issues with zk-SNARKs. The main problem has been the need for a trusted setup: zk-SNARKs rely on a private key generated in a permissioned setup. This essentially undermines the entire purpose of a decentralised public blockchain. By introducing the need to trust a person rather than code, you threaten the entire concept of trustlessness. In theory, a prover with sufficient computational power could create fake proofs, and this is one of the reasons why many consider quantum computers a threat to zk-SNARKs (and to blockchain systems).
Last year zk-SNARKs were included in MIT Technology Review's list of the top 10 Breakthrough Technologies of 2018, among AI advancements. zk-SNARKs allow a tremendous speedup in verifying the correctness of a computation while at the same time hiding the private details from prying eyes. Some of the potential uses cited in the MIT article were verifying you're over 18 without having to share your date of birth, and proving you have enough money in your bank account as collateral without having to give away account details like your exact balance. It establishes the trust you need to interact on the blockchain. zk-SNARK proofs are already being used on Zcash, on JP Morgan Chase's blockchain-based payment system, and as a way to securely authenticate clients to servers.
The more developed version of zk-SNARKs is called zk-STARKs, which stands for:
- Zero-Knowledge
- Scalable
- Transparent
- Argument of Knowledge
zk-STARK proofs are currently being touted as the new and improved form of the protocol, addressing many of the previous drawbacks of zk-SNARKs. They have demonstrated a way to achieve the same degree of privacy as zk-SNARKs without the requirement for a trusted setup. STARKs are practically superior to SNARKs as they require weaker cryptographic assumptions, they don't require a trusted setup and they are post-quantum resistant. zk-SNARKs are based on elliptic-curve cryptography, which is susceptible to advances in quantum computers. zk-STARKs, on the other hand, are a post-quantum system, meaning that even if quantum computers become powerful and ubiquitous they will have no advantage over classical computers in breaking zk-STARKs. However, they have a noteworthy downside: the proofs are very large, so their storage requirements are the problem. STARKs are doubly scalable, which means the proof verification is exponentially faster than the original computation's time, but the drawback is that the proofs they create are too large, possibly 2 or 3 orders of magnitude larger than those produced by zk-SNARKs. One example: StarkWare addresses the inherent scalability and privacy problems of blockchains. Using STARK technology, they generate a full proof stack to produce and verify computational integrity proofs. They use STARKs to batch transactions into a single proof that is verified on Ethereum. Matt Taylor states that the present iteration of StarkDEX demonstrates the viability of using STARKs for Layer-2 scalability by showing a substantial rise in the number of blockchain transactions.
The idea of zk-STARKs was proposed by Eli Ben-Sasson, a professor at the Technion - Israel Institute of Technology. zk-STARKs provide proofs that can be verified a lot quicker than zk-SNARKs. At present, Zcash and Ethereum are both considering using zk-STARKs. zk-STARKs have solved the trusted setup issue: they completely remove the requirement for multiple parties to create the private key required for the string. Instead, everything needed to produce the proofs is public, and the proofs are generated from random numbers. zk-STARKs remove the need in zk-SNARKs for asymmetric cryptography and instead use hash functions like those found in Bitcoin mining. In addition, they ought to have a longer period of realistic usability in terms of cryptographic resilience than zk-SNARKs. However, there are some drawbacks to zk-STARKs; the main issue is their size. The proofs they produce are simply too large to use in many blockchains as they stand. According to Vitalik Buterin, zk-STARKs will result in proofs of a couple of hundred kilobytes versus the 288 bytes seen in zk-SNARKs.
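Two things mentioned above, the Merkle tree that Loopring 3.0 keeps off-chain and the fact that STARKs lean on hash functions rather than elliptic curves, rest on the same primitive: a hash-based commitment to a large data set that can be opened with a short, logarithmic-size proof. The Python below is an added example (not code from Loopring, StarkWare or the original post) of such a tree. Leaf and internal hashes are prefixed with different bytes so that a leaf value can never be mistaken for an internal node, and an odd trailing node is carried up unchanged rather than duplicated; both are design choices of this example, not something the post specifies. The sample "account balance" leaves are constructed.

```python
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_leaf(data: bytes) -> bytes:
    # Domain separation: leaves and internal nodes hash differently, so a
    # pair of child hashes can never be presented as if it were a leaf.
    return _sha256(b"\x00" + data)


def hash_node(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def build_levels(leaves):
    """Return all levels of the tree, from the leaf hashes up to [root]."""
    if not leaves:
        raise ValueError("cannot commit to an empty set")
    level = [hash_leaf(x) for x in leaves]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(hash_node(level[i], level[i + 1]))
            else:
                nxt.append(level[i])     # odd node: promote it unchanged
        level = nxt
        levels.append(level)
    return levels


def merkle_root(leaves) -> bytes:
    return build_levels(leaves)[-1][0]


def merkle_proof(leaves, index):
    """Sibling hashes from leaf `index` up to the root, each tagged with
    whether the sibling sits on the right of the path node."""
    if not 0 <= index < len(leaves):
        raise IndexError("leaf index out of range")
    levels = build_levels(leaves)
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):          # promoted odd nodes have no sibling
            proof.append((level[sibling], index % 2 == 0))
        index //= 2
    return proof


def verify_proof(root: bytes, leaf_data: bytes, proof) -> bool:
    """Recompute the root from one leaf and its proof: O(log n) hashing,
    which is what lets a verifier check membership without the whole set."""
    h = hash_leaf(leaf_data)
    for sibling, sibling_is_right in proof:
        h = hash_node(h, sibling) if sibling_is_right else hash_node(sibling, h)
    return h == root


# Constructed sample state: five "account balance" records (odd count, so the
# promotion rule is exercised).
SAMPLE_LEAVES = [b"acct:%d|balance:%d" % (i, 100 * i) for i in range(5)]
```

Publishing only the 32-byte root commits to every record: changing any balance changes the root, and a proof for a given leaf cannot be reused for a different value.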

The Difference Between zk-STARKs and zk-SNARKs

[Figure: communication complexity of zk-SNARKs versus zk-STARKs as computation size grows]

Source: The Medium - Coinmonks
The complexity of communication: as the computation's complexity grows, zk-SNARK communication complexity also grows linearly, whereas zk-STARK communication complexity grows only slowly with the computation size. The graph above shows that the communication required by zk-STARKs to complete the calculation rises much more slowly than for zk-SNARKs as the underlying computation increases in complexity.

[Figure: verifier complexity of zk-SNARKs versus zk-STARKs as computation size grows]

Source: The Medium - Coinmonks
The complexity of the verifier: for zk-STARKs it widens slightly as computation size grows. On the other hand, to verify a proof zk-SNARKs require less time than zk-STARKs: zk-STARKs, for instance, need up to 100 ms to verify, while zk-SNARKs need only up to 10 ms. The graph above illustrates that the time taken by zk-STARKs to verify a proof rises very slowly compared to zk-SNARKs as the underlying computation increases in complexity.

Overall, these two protocols have excellent potential in the cryptocurrency world and can be a breakthrough avenue for mainstream implementation. Both protocols are truly needed steps to protect our privacy.


References
https://www.technologyreview.com/lists/technologies/2018/
https://www.google.co.uk/amp/s/themerkle.com/mit-review-acclaims-zk-snarks-but-zk-starks-may-steal-the-show/amp/
https://ethereum.stackexchange.com/questions/59145/zk-snarks-vs-zk-starks-vs-bulletproofs-updated
https://www.binance.vision/blockchain/zk-snarks-and-zk-starks-explained?amp=1
https://applicature.com/blog/blockchain-technology/can-zk-snarks-and-zk-starks-solve-privacy-issues
https://eprint.iacr.org/2018/046.pdf
https://medium.com/coinmonks/zk-starks-create-verifiable-trust-even-against-quantum-computers-dd9c6a2bb13d
https://blog.0xproject.com/starkdex-bringing-starks-to-ethereum-6a03fffc0eb7
submitted by Shreemoon to loopringorg

Groestlcoin 6th Anniversary Release

Introduction

Dear Groestlers, it goes without saying that 2020 has been a difficult time for millions of people worldwide. The Groestlcoin team would like to take this opportunity to wish our best to everyone coping with the direct and indirect effects of COVID-19. Let it bring out the best in us all and show that, collectively, we can conquer anything.
The centralised banks and our national governments are facing unprecedented times with interest rates worldwide dropping to record lows in places. Rest assured that this can only strengthen the fundamentals of all decentralised cryptocurrencies and the vision that was seeded with Satoshi's Bitcoin whitepaper over 10 years ago. Despite everything that has been thrown at us this year, the show must go on and the team will still progress and advance to continue the momentum that we have developed over the past 6 years.
In addition to this, we'd like to remind you all that this is Groestlcoin's 6th Birthday release! In terms of price there have been some crazy highs and lows over the years (with highs of around $2.60 and lows of $0.000077!), but in terms of value– Groestlcoin just keeps getting more valuable! In these uncertain times, one thing remains clear – Groestlcoin will keep going and keep innovating regardless. On with what has been worked on and completed over the past few months.

UPDATED - Groestlcoin Core 2.18.2

This is a major release of Groestlcoin Core with many protocol-level improvements and code optimisations, featuring the technical equivalent of Bitcoin v0.18.2 but with Groestlcoin-specific patches. On a general level, the main new item is a 'Groestlcoin-wallet' tool which is now distributed alongside Groestlcoin Core's other executables.
NOTE: The 'Account' API has been removed from this version which was typically used in some tip bots. Please ensure you check the release notes from 2.17.2 for details on replacing this functionality.

How to Upgrade?

Windows
If you are running an older version, shut it down. Wait until it has completely shut down (which might take a few minutes for older versions), then run the installer.
OSX
If you are running an older version, shut it down. Wait until it has completely shut down (which might take a few minutes for older versions), run the dmg and drag Groestlcoin Core to Applications.
Ubuntu
http://groestlcoin.org/forum/index.php?topic=441.0

Other Linux

http://groestlcoin.org/forum/index.php?topic=97.0

Download

Download the Windows Installer (64 bit) here
Download the Windows Installer (32 bit) here
Download the Windows binaries (64 bit) here
Download the Windows binaries (32 bit) here
Download the OSX Installer here
Download the OSX binaries here
Download the Linux binaries (64 bit) here
Download the Linux binaries (32 bit) here
Download the ARM Linux binaries (64 bit) here
Download the ARM Linux binaries (32 bit) here

Source

ALL NEW - Groestlcoin Moonshine iOS/Android Wallet

Built with React Native, Moonshine utilizes Electrum-GRS's JSON-RPC methods to interact with the Groestlcoin network.
GRS Moonshine's intended use is as a hot wallet, meaning your keys are only as safe as the device you install this wallet on. As with any hot wallet, please ensure that you keep only a small, responsible amount of Groestlcoin on it at any given time.

Features

Download

iOS
Android

Source

ALL NEW! – HODL GRS Android Wallet

HODL GRS connects directly to the Groestlcoin network using SPV mode and doesn't rely on servers that can be hacked or disabled.
HODL GRS utilizes AES hardware encryption, app sandboxing, and the latest security features to protect users from malware, browser security holes, and even physical theft. Private keys are stored only in the secure enclave of the user's phone, inaccessible to anyone other than the user.
Simplicity and ease-of-use is the core design principle of HODL GRS. A simple recovery phrase (which we call a Backup Recovery Key) is all that is needed to restore the user's wallet if they ever lose or replace their device. HODL GRS is deterministic, which means the user's balance and transaction history can be recovered just from the backup recovery key.

Features

Download

Main Release (Main Net)
Testnet Release

Source

ALL NEW! – GroestlcoinSeed Savior

Groestlcoin Seed Savior is a tool for recovering BIP39 seed phrases.
This tool is meant to help users with recovering a slightly incorrect Groestlcoin mnemonic phrase (AKA backup or seed). You can enter an existing BIP39 mnemonic and get derived addresses in various formats.
To find out if one of the suggested addresses is the right one, you can click on the suggested address to check the address' transaction history on a block explorer.

Features

Live Version (Not Recommended)

https://www.groestlcoin.org/recovery/

Download

https://github.com/Groestlcoin/mnemonic-recovery/archive/master.zip

Source

ALL NEW! – Vanity Search Vanity Address Generator

NOTE: NVidia GPU or any CPU only. AMD graphics cards will not work with this address generator.
VanitySearch is a command-line Segwit-capable vanity Groestlcoin address generator. Add unique flair when you tell people to send Groestlcoin. Alternatively, VanitySearch can be used to generate random addresses offline.
If you're tired of the random, cryptic addresses generated by regular groestlcoin clients, then VanitySearch is the right choice for you to create a more personalized address.
VanitySearch is a groestlcoin address prefix finder. If you want to generate safe private keys, use the -s option to enter your passphrase which will be used for generating a base key as for BIP38 standard (VanitySearch.exe -s "My PassPhrase" FXPref). You can also use VanitySearch.exe -ps "My PassPhrase" which will add a crypto secure seed to your passphrase.
VanitySearch may not compute a good grid size for your GPU, so try different values using -g option in order to get the best performances. If you want to use GPUs and CPUs together, you may have best performances by keeping one CPU core for handling GPU(s)/CPU exchanges (use -t option to set the number of CPU threads).

Features

Usage

https://github.com/Groestlcoin/VanitySearch#usage

Download

Source

ALL NEW! – Groestlcoin EasyVanity 2020

Groestlcoin EasyVanity 2020 is a Windows app built from the ground up that makes it easier than ever before to create your very own bespoke bech32 address(es) whilst not connected to the internet.
If you're tired of the random, cryptic bech32 addresses generated by regular Groestlcoin clients, then Groestlcoin EasyVanity2020 is the right choice for you to create a more personalised bech32 address. This 2020 version uses the new VanitySearch to generate not only legacy addresses (F prefix) but also Bech32 addresses (grs1 prefix).

Features

Download

Source

Remastered! – Groestlcoin WPF Desktop Wallet (v2.19.0.18)

Groestlcoin WPF is an alternative full node client with optional lightweight 'thin-client' mode based on WPF. Windows Presentation Foundation (WPF) is one of Microsoft's latest approaches to a GUI framework, used with the .NET framework. Its main advantages over the original Groestlcoin client include support for exporting blockchain.dat and including a lite wallet mode.
This wallet was previously deprecated but has been brought back to life with modern standards.

Features

Remastered Improvements

Download

Source

ALL NEW! – BIP39 Key Tool

Groestlcoin BIP39 Key Tool is a GUI interface for generating Groestlcoin public and private keys. It is a standalone tool which can be used offline.

Features

Download

Windows
Linux :
pip3 install -r requirements.txt
python3 bip39_gui.py

Source

ALL NEW! – Electrum Personal Server

Groestlcoin Electrum Personal Server aims to make using Electrum Groestlcoin wallet more secure and more private. It makes it easy to connect your Electrum-GRS wallet to your own full node.
It is an implementation of the Electrum-grs server protocol which fulfils the specific need of using the Electrum-grs wallet backed by a full node, but without the heavyweight server backend, for a single user. It allows the user to benefit from all Groestlcoin Core's resource-saving features like pruning, blocks only and disabled txindex. All Electrum-GRS's feature-richness like hardware wallet integration, multi-signature wallets, offline signing, seed recovery phrases, coin control and so on can still be used, but connected only to the user's own full node.
Full node wallets are important in Groestlcoin because they are a big part of what makes the system trustless. No longer do people have to trust a financial institution like a bank or PayPal; they can run software on their own computers. If Groestlcoin is digital gold, then a full node wallet is your own personal goldsmith who checks for you that received payments are genuine.
Full node wallets are also important for privacy. Using Electrum-GRS under default configuration requires it to send (hashes of) all your Groestlcoin addresses to some server. That server can then easily spy on your transactions. Full node wallets like Groestlcoin Electrum Personal Server would download the entire blockchain and scan it for the user's own addresses, and therefore don't reveal to anyone else which Groestlcoin addresses they are interested in.
Groestlcoin Electrum Personal Server can also broadcast transactions through Tor, which improves privacy by resisting the traffic analysis that can link the IP address of the user to a broadcast transaction. If enabled, this happens transparently whenever the user simply clicks "Send" on a transaction in the Electrum-grs wallet.
Note: Currently Groestlcoin Electrum Personal Server can only accept one connection at a time.

Features

Download

Windows
Linux / OSX (Instructions)

Source

UPDATED – Android Wallet 7.38.1 - Main Net + Test Net

The app allows you to send and receive Groestlcoin on your device using QR codes and URI links.
When using this app, please back up your wallet and email the backup to yourself! This will save your wallet in a password-protected file, so your coins can be retrieved even if you lose your phone.

Changes

Download

Main Net
Main Net (FDroid)
Test Net

Source

UPDATED – Groestlcoin Sentinel 3.5.06 (Android)

Groestlcoin Sentinel is a great solution for anyone who wants the convenience and utility of a hot wallet for receiving payments directly into their cold storage (or hardware wallets).
Sentinel accepts XPUBs, YPUBs, ZPUBs and individual Groestlcoin addresses. Once added, you will be able to view balances, view transactions, and (in the case of XPUBs, YPUBs and ZPUBs) deterministically generate addresses for that wallet.
Groestlcoin Sentinel is a fork of Groestlcoin Samourai Wallet with all spending and transaction building code removed.

Changes

Download

Source

UPDATED – P2Pool Test Net

Changes

Download

Pre-Hosted Testnet P2Pool is available via http://testp2pool.groestlcoin.org:21330/static/

Source

submitted by Yokomoko_Saleen to groestlcoin

I'm writing a series about blockchain tech and possible future security risks. This is the third part of the series introducing Quantum resistant blockchains.

Part 1 and part 2 will give you useful basic blockchain knowledge that is not explained in this part.
Part 1 here
Part 2 here
Quantum resistant blockchains explained.
- How would quantum computers pose a threat to blockchain?
- Expectations in the field of quantum computer development.
- Quantum resistant blockchains
- Why is it easier to change cryptography for centralized systems such as banks and websites than for blockchain?
- Conclusion
The fact that whatever is registered on a blockchain can’t be tampered with is one of the great reasons for the success of blockchain. Looking ahead, awareness is growing in the blockchain ecosystem that quantum computers might cause the need for some changes in the cryptography that is used by blockchains to prevent hackers from forging transactions.
How would quantum computers pose a threat to blockchain?
First, let’s get a misconception out of the way. When talking about the risk quantum computers could pose for blockchain, some people think about the risk of quantum computers out-hashing classical computers. This, however, is not expected to pose a real threat when the time comes.
This paper explains why: https://arxiv.org/pdf/1710.10377.pdf "In this section, we investigate the advantage a quantum computer would have in performing the hashcash PoW used by Bitcoin. Our findings can be summarized as follows: Using Grover search, a quantum computer can perform the hashcash PoW by performing quadratically fewer hashes than is needed by a classical computer. However, the extreme speed of current specialized ASIC hardware for performing the hashcash PoW, coupled with much slower projected gate speeds for current quantum architectures, essentially negates this quadratic speedup, at the current difficulty level, giving quantum computers no advantage. Future improvements to quantum technology allowing gate speeds up to 100GHz could allow quantum computers to solve the PoW about 100 times faster than current technology.
However, such a development is unlikely in the next decade, at which point classical hardware may be much faster, and quantum technology might be so widespread that no single quantum enabled agent could dominate the PoW problem."
The real point of vulnerability is this: attacks on signatures wherein the private key is derived from the public key. That means that if someone has your public key, they can also calculate your private key, which is unthinkable using even today’s most powerful classical computers. So in the days of quantum computers, the public-private keypair will be the weak link. Quantum computers have the potential to perform specific kinds of calculations significantly faster than any normal computer. Besides that, quantum computers can run algorithms that take fewer steps to get to an outcome, taking advantage of quantum phenomena like quantum entanglement and quantum superposition. So quantum computers can run these certain algorithms that could be used to make calculations that can crack cryptography used today. https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Quantum_computing_attacks and https://eprint.iacr.org/2017/598.pdf
Most blockchains use Elliptic Curve Digital Signature Algorithm (ECDSA) cryptography. Using a quantum computer, Shor's algorithm can be used to break ECDSA. (See for reference: https://arxiv.org/abs/quant-ph/0301141 and pdf: https://arxiv.org/pdf/quant-ph/0301141.pdf ) Meaning: they can derive the private key from the public key. So if they got your public key (and a quantum computer), then they got your private key and they can create a transaction and empty your wallet.
RSA has the same vulnerability, although RSA needs a stronger quantum computer to be broken than ECDSA does.
At this point in time, it is already possible to run Shor’s algorithm on a quantum computer. However, the amount of qubits available right now makes its application limited. But it has been proven to work, we have exited the era of pure theory and entered the era of practical applications:
So far Shor's algorithm has the most potential, but new algorithms might appear which are more efficient. Algorithms are another area of development that makes progress and pushes quantum computer progress forward. A new algorithm called Variational Quantum Factoring is being developed and it looks quite promising. " The advantage of this new approach is that it is much less sensitive to error, does not require massive error correction, and consumes far fewer resources than would be needed with Shor’s algorithm. As such, it may be more amenable for use with the current NISQ (Noisy Intermediate Scale Quantum) computers that will be available in the near and medium term." https://quantumcomputingreport.com/news/zapata-develops-potential-alternative-to-shors-factoring-algorithm-for-nisq-quantum-computers/
It is however still in development, and only works for 18 binary bits at the time of this writing, but it shows new developments that could mean that, rather than a speedup in quantum computing development posing the most imminent threat to RSA and ECDSA, a speedup in the mathematical developments could be even more consequential. More info on VQF here: https://arxiv.org/abs/1808.08927
It all comes down to this: when your public key is visible, which is always necessary to make transactions, you are at some point in the future vulnerable for quantum attacks. (This also goes for BTC, which uses the hash of the public key as an address, but more on that in the following articles.) If you would have keypairs based on post quantum cryptography, you would not have to worry about that since in that case not even a quantum computer could derive your private key from your public key.
The conclusion is that future blockchains should be quantum resistant, using post-quantum cryptography. It's very important to realize that post-quantum cryptography is not just adding some extra characters to standard signature schemes. It's the mathematical concept that makes it quantum resistant: to become quantum resistant, the algorithm needs to be changed. “The problem with currently popular algorithms is that their security relies on one of three hard mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. All of these problems can be easily solved on a sufficiently powerful quantum computer running Shor's algorithm. Even though current, publicly known, experimental quantum computers lack processing power to break any real cryptographic algorithm, many cryptographers are designing new algorithms to prepare for a time when quantum computing becomes a threat.” https://en.wikipedia.org/wiki/Post-quantum_cryptography
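The post does not name a specific post-quantum scheme, so the Python below is an added example (not the author's) of the simplest one whose security rests only on a hash function: a Lamport one-time signature. It makes the post's point concrete: the structure is entirely different from ECDSA (there is no public-key-to-private-key relation for Shor's algorithm to attack, only SHA-256 preimages), and the cost is visible in the numbers, an 8 KiB signature and a 16 KiB public key. The key is strictly one-time: signing a second message with it reveals further secret halves, which is why deployable hash-based schemes combine many one-time keys under a Merkle tree. The message used in the usage check is constructed.

```python
import hashlib
import secrets

N_BITS = 256          # we sign the SHA-256 digest of the message, bit by bit
SECRET_BYTES = 32


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def message_bits(message: bytes):
    """Yield the 256 bits of SHA-256(message), most significant bit first."""
    digest = H(message)
    for i in range(N_BITS):
        yield (digest[i // 8] >> (7 - (i % 8))) & 1


def lamport_keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    sk = [(secrets.token_bytes(SECRET_BYTES), secrets.token_bytes(SECRET_BYTES))
          for _ in range(N_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, message: bytes):
    """For each digest bit, reveal the secret of that bit's pair."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(message))]


def lamport_verify(pk, message: bytes, signature) -> bool:
    """Each revealed secret must hash to the public half selected by the
    corresponding digest bit; only SHA-256 preimage resistance is assumed."""
    if len(signature) != N_BITS:
        return False
    return all(H(signature[i]) == pk[i][bit]
               for i, bit in enumerate(message_bits(message)))


def signature_size(signature) -> int:
    return sum(len(chunk) for chunk in signature)        # 256 * 32 = 8192


def public_key_size(pk) -> int:
    return sum(len(a) + len(b) for a, b in pk)            # 256 * 64 = 16384


def revealed_secrets_after(sk, messages) -> int:
    """How many of the 512 secret halves an observer holds after seeing
    signatures on `messages` made with the same key. More than one message
    leaks halves that let an attacker forge any message whose digest bits
    fall within the revealed set, which is why the key is one-time."""
    seen = set()
    for m in messages:
        for i, bit in enumerate(message_bits(m)):
            seen.add((i, bit))
    return len(seen)
```

Compare with the 288-byte zk-SNARK proofs and 64-byte ECDSA signatures mentioned elsewhere on this page: the size increase is the price of depending on nothing but a hash function.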
Expectations in the field of quantum computer development.
To give you an idea what the expectations of quantum computer development are in the field (take note of the fact that the type and error rate of the qubits are not specified in the article. It is not said these will be enough to break ECDSA or RSA, neither is it said these will not be enough. What these articles do show is that a huge speed up in development is expected):
When will ECDSA be at risk? Estimates are only estimates; there are several to be found, so it's hard to really tell.
The National Academy of Sciences (NAS) has made a very thorough report on the development of quantum computing. The report came out at the end of 2018. They brought together a group of scientists of over 70 people from different interconnecting fields in quantum computing who, as a group, have come up with a close to 200-page report on the development, funding, implications and upcoming challenges for quantum computing development. But, even though this report is one of the most thorough to date, it doesn't make an estimate on when the risk for ECDSA or RSA would occur. They acknowledge this is quite impossible due to the fact there are a lot of unknowns and due to the fact that they have to base any findings only on publicly available information, obviously excluding any non-available advancements from commercial companies and national efforts. So if this group of specialized scientists can’t make an estimate, who can make that assessment? Is there any credible source to make an accurate prediction?
The conclusion at this point of time can only be that we do not know the answer to the big question "when".
Now if we don't have an answer to the question "when", then why act? The answer is simple. If we’re talking about security, most take certainty over uncertainty. To answer the question when the threat materializes, we need to guess. Whether you guess soon, or you guess not for the next three decades, both are guesses. Going for certain means you'd have to plan for the worst, hope for the best. No matter how sceptical you are, having some sort of a plan ready is a responsible thing to do. Obviously not if you're just running a blog about knitting. But for systems that carry a lot of important, private and valuable information, planning starts today. The NAS describes it quite well. What they lack in guessing, they make up in advice. They have very clear advice:
"Even if a quantum computer that can decrypt current cryptographic ciphers is more than a decade off, the hazard of such a machine is high enough—and the time frame for transitioning to a new security protocol is sufficiently long and uncertain—that prioritization of the development, standardization, and deployment of post-quantum cryptography is critical for minimizing the chance of a potential security and privacy disaster."
Another organization that looks ahead is the National Security Agency (NSA). They made a threat assessment in 2015. In August 2015, NSA announced that it is planning to transition "in the not too distant future" (statement of 2015) to a new cipher suite that is resistant to quantum attacks. "Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy." NSA advised: "For those partners and vendors that have not yet made the transition to Suite B algorithms, we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition.” https://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography#cite_note-nsa-suite-b-1
What these organizations both advise is to start taking action. They don't say "implement this type of quantum resistant cryptography now". They don't say when at all. As said before, the "when" question is one that is a hard one to specify. It depends on the system you have, the value of the data, the consequences of postponing a security upgrade. Like I said before: do you just run a blog, or a bank, or a cryptocurrency? It's an individual risk assessment that's different for every organization and system. Assessments do need to be made now though. What time frame should organisations think about when changing cryptography? How long would it take to go from the current level of security to fully quantum resistant security? What changes does it require to handle bigger signatures and is it possible to use certain types of cryptography that require keeping state? Do your users need to act, or can all work be done behind the user interface? These are important questions that one should start asking. I will elaborate on these challenges in the next articles.
Besides the unanswered question on "when", the question on what type of quantum resistant cryptography to use is unanswered too. This also depends on the type of system you use. The NSA and NAS both point to NIST as the authority on developments and standardization of quantum resistant cryptography. NIST is running a competition right now that should end up in one or more standards for quantum resistant cryptography. The NIST competition handles criteria that should filter out a type of quantum resistant cryptography that is feasible for a wide range of systems. This takes time though. There are some new algorithms submitted and assessing the new and the more well known ones must be done thoroughly. They intend to wrap things up around 2022 - 2024. From a blockchain perspective it is important to notice that a specific type of quantum resistant cryptography is excluded from the NIST competition: Stateful Hash-Based Signatures (LMS and XMSS). This is not because these are no good. In fact they are excellent and XMSS is accepted to be provably quantum resistant. It's due to the fact that implementations will need to be able to securely deal with the requirement to keep state. And this is not a given for most systems.
At this moment NIST intends to approve both LMS and XMSS for a specific group of applications that can deal with the stateful properties. The only loose end at this point is advice on which applications LMS and XMSS will be advised for and for what applications they are discouraged. These questions will be answered in the beginning of April this year: https://csrc.nist.gov/news/2019/stateful-hbs-request-for-public-comments This means that quite likely LMS and XMSS will be the first type of standardized quantum resistant cryptography ever. To give a small hint: keeping state is pretty much a naturally added property of blockchain.
Quantum resistant blockchains
“Quantum resistant” is only used to describe networks and cryptography that are secure against any attack by a quantum computer of any size in the sense that there is no algorithm known that makes it possible for a quantum computer to break the applied cryptography and thus that system.
Also, to determine if a project is fully quantum resistant, you would need to take into account not only how a separate element that is implemented in that blockchain is quantum resistant, but also the way it is implemented. As with any type of security check, there should be no backdoors, in which case your blockchain would be just a cardboard box with bulletproof glass windows. Sounds obvious, but since this is kind of new territory, there are still some misconceptions. What is considered safe now, might not be safe in the age of quantum computers. I will address some of these in the following chapters, but first I will elaborate a bit about the special vulnerability of blockchain compared to centralized systems.
Why is it easier to change cryptography for centralized systems such as banks and websites than for blockchain?
Developers of a centralized system can decide from one day to the other that they make changes and update the system without the need for consensus from the nodes. They are in charge, and they can dictate the future of the system. But a decentralized blockchain will need to reach consensus amongst the nodes to update. Meaning that the majority of the nodes will need to upgrade and thus force the blockchain to only have the new signatures be valid. We can’t have the old signature scheme be valid besides the new quantum resistant signature scheme. Because that would mean that the blockchain would still allow the use of vulnerable, old public and private keys and thus the old vulnerable signatures for transactions. So at least the majority of the nodes need to upgrade to make sure that blocks which are constructed using the old rules and thus the old vulnerable signature scheme, are rejected by the network. This will eventually result in a fully upgraded network which only accepts the new post quantum signature scheme in transactions. So, consensus is needed. The most well-known example of how that can be a slow process is Bitcoin’s need to scale. Even though everybody agrees on the need for a certain result, reaching consensus amongst the community on how to get to that result is a slow and political process. Going quantum resistant will be no different, and since it will cause lower performance due to bigger signatures and it will need hardware upgrades quite likely, it will be postponed rather than be done fast and smooth due to lack of consensus. And because there are several quantum resistant signature schemes to choose from, agreement is not an automatic given. The discussion will be which one to use, and how and when to implement it. The need for consensus is exclusively a problem decentralized systems like blockchain will face.
Another issue for decentralized systems that change their signature scheme, is that users of decentralized blockchains will have to manually migrate their coins/tokens to a quantum safe address and that way decouple their old private key and activate a new quantum resistant private key that is part of an upgraded quantum resistant network. Users of centralized networks, on the other hand, do not need to do much, since it would be taken care of by their centrally managed system. As you know, for example, if you forget your password of your online bank account, or some website, they can always send you a link, or secret question, or in the worst case they can send you mail by post to your house address and you would be back in business. With the decentralized systems, there is no centralized entity that has your data. It is you who has this data, and only you. So in the centralized system there is a central entity that has access to all the data including all the private accessing data, and therefore this entity can pull all the strings. It can all be done behind your user interface, and you probably wouldn’t notice a thing.
And a third issue will be the lost addresses. Since no one but you has access to your funds, your funds will become inaccessible once you lose your private key. From that point, an address is lost, and the funds on that address can never be moved. So after an upgrade, those funds will never be moved to a quantum resistant address, and thus will always be vulnerable to a quantum hack.
To summarize: banks and websites are centralized systems, they will face challenges, but decentralized systems like blockchain will face some extra challenges that won't apply for centralized systems.
All issues specific to blockchain and not to banks or websites or any other centralized system.
Conclusion
Bitcoin and all currently running traditional cryptocurrencies are not excluded from this problem. In fact, it will be central to ensuring their continued existence over the coming decades. All cryptocurrencies will need to change their signature schemes in the future. When is the big guess here. I want to leave that for another discussion. There are enough certain specifics we can discuss right now on the subject of quantum resistant blockchains and the challenges that existing blockchains will face when they need to transfer. This won’t be an easy transfer. There are some huge challenges to overcome and this will not be done overnight. I will get to this in the next few articles.
Part 1, what makes blockchain reliable?
Part 2, The two most important mathematical concepts in blockchain.
Part 4A, The advantages of quantum resistance from genesis block, A
Part 4B, The advantages of quantum resistance from genesis block, B
Part 5, Why BTC will be vulnerable sooner than expected.
submitted by QRCollector to CryptoTechnology [link] [comments]
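To make concrete what "keeping state" means for the stateful hash-based signatures (LMS/XMSS) the post discusses, here is an added toy example that is not from the post and is not LMS or XMSS: a Lamport one-time signature scheme wrapped in a signer that tracks which key index has already been used. `StatefulSigner` and the `lamport_*` helpers are hypothetical names chosen for this illustration; a real implementation would persist the index durably.

```python
import hashlib
import os

N_BITS = 256  # SHA-256 digest length; one key-pair element per digest bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(msg: bytes) -> list:
    """Bits of SHA-256(msg), most significant bit of each byte first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def lamport_keygen():
    """One-time key pair: two random 32-byte preimages per digest bit."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N_BITS)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes) -> list:
    """Reveal one preimage per bit. Signing a second message with the same
    key would reveal more preimages, which is why each key is single-use."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]


def lamport_verify(pk, msg: bytes, sig: list) -> bool:
    bits = digest_bits(msg)
    return len(sig) == N_BITS and all(
        H(sig[i]) == pk[i][bits[i]] for i in range(N_BITS))


class StatefulSigner:
    """A handful of one-time keys plus an index: the 'state' the post refers to.
    The index is advanced BEFORE the signature is handed out, so a crash
    between the two steps wastes a key instead of reusing one."""

    def __init__(self, leaves: int = 4):
        self.keys = [lamport_keygen() for _ in range(leaves)]
        self.next_index = 0  # must survive restarts and backups in practice

    def public_keys(self) -> list:
        return [pk for _, pk in self.keys]

    def sign(self, msg: bytes):
        if self.next_index >= len(self.keys):
            raise RuntimeError("all one-time keys used; signer exhausted")
        idx = self.next_index
        self.next_index = idx + 1  # commit state first
        sk, _ = self.keys[idx]
        return idx, lamport_sign(sk, msg)
```

A verifier checks a signature against the public key at the returned index; the signer refusing to go past its last key is the behaviour that a rolled-back or copied state file would silently break.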