Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Speculation
Re: Gold collapsing. Bitcoin UP.
by
gmaxwell
on 28/06/2015, 06:00:31 UTC
Quote from: Odalv on June 27, 2015, 05:35:08 PM
Quote from: justusranvier on June 27, 2015, 05:20:20 PM
Quote from: Odalv on June 27, 2015, 05:12:22 PM
There may be bug (or luck to find some number) and then creating bitcoins out of nothing. And nobody can verify.
That is the risk - the scheme relies on the security of ECDSA to protect the currency supply.
We're already relying on ECDSA to protect our balances from overt theft, so I'm not sure how much it actually changes the security model to also rely on it to protect our balances from covert theft via counterfeiting.
The reason I'm interested in amount blinding is that my current project is working out a multi-step plan to kill graph analysis. With the right plan and without blinded amounts we can kill graph analysis, but with blinded amounts we can drive a stake through its heart to make sure it stays dead.
We are also using SHA-256 and RIPEMD-160 hashes to protect our balances. So even ECDSA is broken our balances can be safe and then ECDSA replaced.
Pray tell how you will replace ECDSA when the coins are already assigned to keys for it?  (and when everyone and their sister constantly reuses addresses). A compromise of CT would mean that it was feasible to find discrete logs in this group, with that, anyone who learned your public key could recover your private key.  There are scenarios where the hashing, absent any address reuse, helps  (e.g. say the discrete log finding takes weeks)-- but it's important to not exaggerate the gains.

But indeed it isn't the ~quite~ same.

It's perfectly possible to construct schemes for private values which are unconditionally sound; meaning that there is no cryptographic assumption behind their inflation resistance, and a cryptographic break would only result in a loss of privacy.  I had previously thought that it was necessarily the case that any such scheme would have to be less efficient; but I have since realized my original reasoning for that was incorrect; though I do not (yet) know of a way to construct an unconditionally sound scheme which is anywhere near as efficient as CT;  but finding one is on my TODO list (though it falls below other improvements for CT privacy and network security that I'm working on).