Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Archival
Re: delete
by
fluffypony
on 24/09/2014, 14:24:03 UTC
Quote from: TheFascistMind on September 24, 2014, 09:21:07 AM
My response:

https://bitcointalk.org/index.php?topic=789978.msg8942201#msg8942201

You'll excuse the curt reply, but I'm just going to infodump from IRC, as we're quite tight on time -


[15:48:52] sarang: I can't prove a negative
[15:48:54] sarang: that's the trouble
[15:49:05] sarang: I can't say "there is no way to use three equations like that to recover x, here's proof"
[15:49:11] sarang: I can only say "there are no known ways to do so"
[15:49:36] sarang: The onus is on him. Unfortunately, if the world wants us to counter it with Magic Negative Proof, then they'll be disappointed
[15:50:37] sarang: But, let me review out loud
[15:50:45] sarang: We know I=xH(P) is one equation
[15:51:36] sarang: We know r=q-cx is another
[15:51:50] sarang: and we know x=H(aR)+b is a third
[15:52:00] sarang: You have, indeed, three equations for x
[15:52:19] sarang: How many unknowns is important here (though the security of ECDLP is important too)
[15:53:25] sarang: Unknowns are x itself, q, c, a, b, and technically r since it's indexed
[15:53:40] sarang: Given three equations and six unknowns, he can go right back to the drawing board
[15:56:43] sarang: So my answer to him would be that the private key is obscured in all cases by either the ECDLP or random affine goodness
[15:57:06] sarang: and that the three equations means that you STILL have three extra degrees of freedom
[15:57:41] sarang: and the degrees of freedom are carefully chosen from random distributions
[15:57:55] sarang: If he has an actual attack or a suggestion of how to reduce the parameter space, fine, share it
[15:58:21] sarang: But we don't spend our time proving negatives... we review carefully and hunt down any flaws we see that seem reasonable given our expertise
[15:59:42] sarang: If he wants to argue with linear algebra or the ECDLP, he can go right ahead
[15:59:48] sarang: Those are better listeners anyway
[16:00:28] sarang: We don't need to explain how linear algebra works anyway... it's assumed the whitepaper is written for someone who knows what all those little symbols mean
[16:02:56] sarang: Real mathematicians don't rub unknowns in people's faces. They point out flaws and offer constructive input
[16:06:31] sarang: Oh, and the equations use different base points, so you gain no benefit from a common base point