Search content
Sort by
Showing 20 of 77 results by altoz
Re: ChromaWallet (colored coins): issue and trade private currencies/stocks/bonds/..
I've played around with ChromaWallet quite a bit the last couple days - hopefully some of my experiences can be valuable.
I'm a bit confused as to what the current function of the color_set is.
I'm not sure if any of this was intentional, or otherwise what the development roadmap looks like, however I have a few solutions clanking around:
a color_set can be defined as:
- P2P trade A p2p trade (8c1926f2e3527153bf06e8ab2c8a417aad3d8e6cd993a4350efbb4050ab961fa) went unconfirmed for over 19 hours, according to blockchain.info. The transaction fee paid was 0.0001 BTC, a reddit post says that it should be 0.00028 BTC.
- P2P trade A p2p trade (f85b6213939c9cbc14538dd24838061179cac2485f50be20a974b819a85e5ee9) has multiple outputs to the sellers bitcoin address. Can provide more instances of this occuring. Buyer ends up overpaying for asset
- P2P trade It appears as if bids and asks are listed without clicking on the confirmation popup. Double clicking an order cancels it without confirmation as well.
- Balances A bitcoin address (1DMkN2dgTHvRYAPgtTZAFsZXKE6rUJDG9E) has a balance of 0.00824875 BTC according to ChromaWallet, and 0 BTC according to blockchain.info. The value displayed in ChromaWallet is the same value of the most recently spent input. I can provide the mainnet.wallet file if this would be useful.
- Balances Address balances are only displayed out to 7 decimal places
- P2P Below is a raw transaction that has an output of 0.00000001 BTC generated by a P2P trade
Code:
01000000021787722d5c520d47c657d2e75c2deb89fbfacd0636f489a30773867b96479769000000008a47304402201dc79a2d74a2e224a42fa693e9f698b8e582e9020bb5bb52cfb230f1ea8e0e29022051302901342fcda60cd57d241b54e2e55d584f17f830545fb81db467c469931c0141044a50c7c228678f2f5d06f55718341dfc55f3fa0e6f8b46b796920ff706ff125d0ddc851c41b5cd9123f67f2e03e6523b38ff6b6f2171a7a64fd554b2a6906c3b3300000033efa02dae9ee709eed8a41ad40219f04c7d8d38cfa20f920007bfc69f459db9000000008c4930460221009acf1529ef89d53dd993a54d9fd350c795fd76003fe2b66ef45bde6288d08db9022100d0cfdfbba1d661eda8d6b0bed9ebaeece649a1a407b5aae90a9761cdbbbe1d820141040043e689b453580b5e80e7b7122ad50b1a0e3df2f38726a897564b5212b1084ce4bb32a429634e66ccb00e2514dc293c73b55f92a8ef1eee807be4c98e7d5bc5ffffffff0570170000000000001976a91434da9a59604fb1852799a0fc09889752c6d8da0088ace0f80800000000001976a91476842dc7f32580144f6422e1d2e5ef876b334ab688ac2fdb0e00000000001976a914da3909b4d37d8202d3d91ffb71ee2797da14027588ac01000000000000001976a91486d2494f1c805be112e630120e902a6eea214f2e88ac00400000000000001976a91486d2494f1c805be112e630120e902a6eea214f2e88ac00000000
- P2P There are circumstances in which the client will say that I don't have enough money to fill an ask order. If I manually type out a bid that matches the ask, the trade will attempt to go through.
- Tiny outputs in P2P Small, however standard, outputs do not appear in the wallet (or blockchain.info) until the transaction is confirmed. It will appear as if the trade did not function until confirmation.
I'm a bit confused as to what the current function of the color_set is.
- txid The txid that is broadcast isn't necessarily the txid that is confirmed in a block.
- Block height The block height at which a transaction is confirmed is not known until it has actually been confirmed.
- Genesis identification If the assumption is made that only colored coin transactions are ordered, the color (even if undefined) of an output can by identified by "tracing" outputs back until the inputs are unmatched.
- Concensus on asset definition Giving a colored address may define an intent to receive colored coin generated by a specific transaction output, however there is not necessarily consensus on how the color of those coins is defined. See here (http://imgur.com/a/yRWwG) for an example of two assets in a single wallet that are defined by the same color_set that have different values and names.
- Colored coin recognition Colored addresses can coordinate intent between two parties to transact in colored coins generated in a specific transaction output, however cannot stop one from sending colored coin to an address that doesn't recognize colored coins.
I'm not sure if any of this was intentional, or otherwise what the development roadmap looks like, however I have a few solutions clanking around:
- Identification of the genesis output By identifying the genesis output as:
Code:
Output x of the transaction for which output y from transaction z is an input
a color_set can be defined as:
Code:
:::
- This allows the asset issuer to generate the color_set and address prefix before the genesis transaction is confirmed or even broadcast.[/li]
- Immutable color The inclusion of an additional parameter in a color_set can enable asset holders and wallets to verify that an asset definition is as described by the issuer. The new parameter is a hash that is representative of the color that is to be attributed to the colored coins described by the color_set in question. This parameter, along with an the inclusion of an "intent output" can immutably color coins and eliminate vulnerability caused by unauthorized asset redefinitions. Further, this inclusion enables a colored address to be verified as "on the same page" as the issuing identity.
[li]Intended color An additional output can be added to the genesis transaction that identifies an output, as defined by a color_set, as having been intentionally colored. If the additional output is generated using the color_set as a passphrase, wallets and asset holders can verify the genesis output independently and ensure the correct color_set. A genesis transaction that includes an "intent output" can also imply the asset issuer as the identity that signed the transaction. Identification of an issuing identity may help establish a framework for asset management, such as issuing additional units. A color_set could indicate the output index of the "intent output."[/li]
Hey LOL, killerstorm has asked me to look into the issue with the balance being different in ChromaWallet and on blockchain. Can you provide me with the mainnet.wallet file? You can PM me a convenient way for me to get it.
Re: WARNING: PAYPAL STARTED MASSIVE ACCOUNT BAN ON ANYTHING BITCOIN RELATED
I went through this whole thing. Paypal and eBay are supposedly two different entities. Paypal's CEO has been trying to reform their image as a seller-unfriendly service who closes accounts for no reason.
I'd say the best vector of getting things changed is flooding his twitter account asking why he's doing this. If there's a sustained outcry, I'm sure something will get done. My impression is that it's some mid-level guy that instituted the policy.
Here's his twitter account:
https://twitter.com/davidmarcus
#afraidofbitcoin?
I'd say the best vector of getting things changed is flooding his twitter account asking why he's doing this. If there's a sustained outcry, I'm sure something will get done. My impression is that it's some mid-level guy that instituted the policy.
Here's his twitter account:
https://twitter.com/davidmarcus
#afraidofbitcoin?
Re: Thinking about buying an April Cointerra unit for ~8 BTC? Take my bet instead.
Interesting Bet. gmaxwell, are you willing to change the bet to be X BTC to be equivalent to the current price of the miner ($5999)? 8 BTC is currently around $6700, so the odds skew as BTC price goes up.
I'm not interested at 8 BTC, but if the $6000 equivalent goes to 5 BTC and the difficulty stays roughly the same, I might be willing to take that bet, for example.
I'm willing to twiddle with the terms, though under alternative ones I'd probably want more than just the 8->5 changed. Keep in mind that changing exchange rates doesn't change the BTC I think it will produce much.I'm not interested at 8 BTC, but if the $6000 equivalent goes to 5 BTC and the difficulty stays roughly the same, I might be willing to take that bet, for example.
If BTC were to go to $10000 over-night and I thought it would stay there, I'd be buying April machines myself for 0.6BTC.
Exactly. So is there an upper limit for the $/BTC exchange rate at which you would take the bet? Something like "$6000 equivalent in BTC up to $/BTC rate of $X"? Also, if you can codify what the changes in the terms would be if the $/BTC rate did go higher, that would give me a better sense of when I would want to trigger such a bet.
Re: Thinking about buying an April Cointerra unit for ~8 BTC? Take my bet instead.
Interesting Bet. gmaxwell, are you willing to change the bet to be X BTC to be equivalent to the current price of the miner ($5999)? 8 BTC is currently around $6700, so the odds skew as BTC price goes up.
I'm not interested at 8 BTC, but if the $6000 equivalent goes to 5 BTC and the difficulty stays roughly the same, I might be willing to take that bet, for example.
I'm not interested at 8 BTC, but if the $6000 equivalent goes to 5 BTC and the difficulty stays roughly the same, I might be willing to take that bet, for example.
Luke-Jr, I've put you on my ignore list. I literally don't see anything you write. Please just leave and stop crapping my thread.
If you want to discuss things mano-a-mano, PM me.
If you want to discuss things mano-a-mano, PM me.
- Logins to websites without passwords, instead using a challenge/response mechanism like GPG auth.
- A consistent pseudonymous internet identity that can provably be the same across websites.
Here's an example walkthrough written by BunnyH.
Here is example walkthrought how it could be:
1) Go to website
2) Read a QR code on the main page with your smart phone application
After that, you are logged in with your bitcoin keys and username you chose when registered.
Registering:
1) Go to website
2) Click 'register'
3) Type in the username you want
4) Read a QR code on the main page with your smart phone application
After that, you are registered with bitcoin keys and username you chose.
Try it at http://cave.dy.fi. You can download an android application or simulate it with www-browser / copypaste.
This could be usefull to implement for loggin in to eligius?
My impression is that Luke-Jr isn't really interested in a new tech, more convenient though it may be.
zinv is the modulo inverse of z.
That is, z * zinv = 1 (identity element)
I believe you do this to get the actual modulo inverse
zinv = z ^ (p-2) mod p
You can find information on this here: http://en.wikipedia.org/wiki/Modular_multiplicative_inverse
That is, z * zinv = 1 (identity element)
I believe you do this to get the actual modulo inverse
zinv = z ^ (p-2) mod p
You can find information on this here: http://en.wikipedia.org/wiki/Modular_multiplicative_inverse
II think bit message uses ECIES. I believe it's secure as long as you perform your key exchange ok and you're using a secure symmetric cryptography (I might be wrong). and I think ( but I don't know exactly what your program does) that you are using the same sort of ideas. You would probably be better off just implementing ECIES though.
I don't think your OP explained your system in enough detail so it may have been misunderstood. Also bear in mind that I'm quite often wrong about stuff.
I don't think your OP explained your system in enough detail so it may have been misunderstood. Also bear in mind that I'm quite often wrong about stuff.
I am using ECIES, I think. I would need a more experienced cryptographer to examine the code to make sure, but it's fairly straightforward. The shared secret gets exchanged securely using the same discrete logarithm problem. The shared secret then is plugged into a key derivation function which is used to make a cipher and an hmac for evaluating the checksum. The cipher then is used for encrypting and decrypting the message. And the checksum is checked to make sure the message arrived un-modified. That's how ECIES works, I think. That's at least what I tried to implement.
Yes, that's the way I thought you were doing it?
I don't understand the problem. I think they might have not understood that you were using the shared secret for symmetric encryption.
I don't understand the problem. I think they might have not understood that you were using the shared secret for symmetric encryption.
So are you saying gmaxwell's main objection doesn't apply? That by having a shared secret with symmetric encryption inside, the attacks don't reveal anything about the private key?
It is very much along those lines, yes.
Quote
I'm not sure exactly how your system works but I would have thought it should be possible to use ECDH to create a shared secret without compromising your secret key and use this in a symmetric encryption scheme (AES) without compromising the shared secret? Isn't this basically what is done in ECIES?
Can you elaborate on this? The shared secret is rP where r is a random nonce in the prime field F/p and P is the public key point. This is never transmitted, rG is. I'm not sure I understand how this compromises the secret key?
Quote
The private key is used in the creation of the shared secret but if this is done ok then using the shared secret in a secure symmetric system shouldn't compromise it in any way.
I may have misunderstood things but I don't see how the same private key is used for signing and encrypting - the shared secret used for encrypting isn't the private key of the bitcoin address is it??
I may have misunderstood things but I don't see how the same private key is used for signing and encrypting - the shared secret used for encrypting isn't the private key of the bitcoin address is it??
The private key is not used in the creation of the shared secret since the person encrypting has only the public key and computes the shared secret through a nonce.
No, the shared secret used for encryption is not the same as the private key used to sign the bitcoin address.
I may not have understood gmaxwell correctly, but I thought this was still a potential vulnerability as the private key is still used for decryption?
If I'm not mistaken, this is an attack that can be performed on any elliptical curve, not just secp256k1.
Not so, there are twist-secure curves like the one used by curve25519 where the points on the twist are equally secure.This might be true, but I still don't understand how useful such an attack would be. If the attack relies on sweeping the checksum, then having an impractically large checksum (2^128?) simply stops the attack.
Quote
The general statement cautioning against using the same keys for encryption and signing is because the parallel composition of signing and encryption is an unanalyzed construct. I might be able to take some signatures, combine them algebraically, ask for a decryption, and learn something about the private key as a result. Providing parallel access to the private key material, even if its via constructs which are separately accepted as cryptographically strong, voids the security proofs and deployment confidences, and surprising weaknesses have shown up in the past as a result of it. ... so it's generally considered a good practice to avoid it where possible.
This is the more valid objection. There's the possibility of a vulnerability yet undiscovered. Obviously, RSA has had this vulnerability so it makes sense that caution is being taken with ECC.
That said, a good, deliberately slow key derivation function should be able to make the attack very expensive. 50000 rounds of sha512, for example (to make it future-proof, we could make the rounds of sha512 necessary some fraction of the network difficulty and provide a timestamp of when it occurred). Would something like that make this more viable?
Also, you mention that it's good practice to avoid it where possible. does that mean there are cases where it isn't avoidable and this does take place?
Quote
I'm disappointed to see that the conversation with Luke went unproductive there, he is responsible AFAIK the largest and longest standing use of bitcoin keys for identification/authentication purposes; which were one of your enumerated use cases. I actually asked him to come here and respond specifically to those use cases.
Honestly, I'm finding your comments far more helpful than his. He could be a genius for all I know, but I'm not interested in pedantic arguments about what "account" means.
Quote
Likewise, andytoshi has been active in the Bitcoin wizards channel where a lot of advanced cryptography is discussed for some time. He's not a sock of anyone, and negative tone is just going to discourage people from evaluating your system.
Sadly, I agree with you. Of course I have some share in that responsibility. Unfortunately, other than that first comment, I don't see anything of value in their other comments and I don't see much likelihood in there being any from them at this point. Life is too short to deal rudeness like that unless absolutely necessary.
Obviously, people are free to not evaluate the system. I think given the potential of the whole thing, I would be pretty disappointed if the only technical commentary I got was from you.
That said, thank you for your thoughts so far.
Andytoshi and luke-jr. Please leave this thread. I'm currently ignoring both of you and as far as I can tell you have nothing of substance to your remarks beyond Luke's first.
The problem is that you use the same private key for both signing and encryption. Bitmessage does not do this.
By using the same key for both signing and encryption and you being able to influence the input / read output there are certainly additional attack vectors. For example you could create an unsigned transaction and try tricking the other party into signing it like a normal message.
In the example you gave, wouldn't that be an attack vector that is available without any encryption? For example, using the challenge-verify mechanism that Luke-Jr showed above, you can use an unsigned transaction as the challenge and the user would sign it and send the signature to the malicious attacker. At what step does the attacker need the encrypt/decrypt part?
Works like a charm! Cool!
Quote
Thanks chriswilmer, for trying out coinmessage! Let me know if you have any suggestions to improve this library or to get others to incorporate it into their products. ~Jimmy
Awesome! Thanks for trying this!
altoz, I think your idea is great, and in general I am very supportive of developers and trying out new projects (even if they don't end up taking off for whatever reason)
I think luke-jr is being unnecessarily mean... I wouldn't take it personally
Thanks for the support. Thanks to the pointless exchange with Luke-Jr, I discovered what the "ignore" button is for!
Have you had a chance to look at the message I sent you?
Bitmessage keys are only used for encryption, not for signing. I tried talking atheros into it but to no avail 
Btw:Bitmessage does not have a blockchain.
IMHO the point is: Getting encryption right is difficult so don't complicate things any more than absolutely necessary.
Btw:Bitmessage does not have a blockchain.
IMHO the point is: Getting encryption right is difficult so don't complicate things any more than absolutely necessary.
Interesting, I didn't know they don't have a blockchain. Isn't there some large block of data that stores the encrypted messages there in some way, though?
I guess what I'm asking is, my project seems about as secure as bitmessage, just from what we're both doing with the secp256k1 curve. So if coinmessage is not considered secure, can bitmessage? If not, what am I missing?
Of course an address identifies an account. That's what the whole blockchain is, a list of accounts and who owns what.
If you're just going to troll, I'd rather you not do this on this thread.
http://download.wpsoftware.net/bitcoin/bitcoin-faq.pdfIf you're just going to troll, I'd rather you not do this on this thread.
Also accusing Luke-Jr of trolling is quite rich..
A user that just got out of newbie jail calling me anything is quite rich. One may suspect this could be Luke-Jr sock puppet.
Addresses aren't identities.
Let's not get pedantic. An address is something that can be used to identify an account, which could be used as an identity. That's how social security numbers, driver's licenses and the like work.An address does not identify an account.
Side note: social security numbers are also not to be used for identity purposes.
If you're just going to troll, I'd rather you not do this on this thread.
Addresses aren't identities.
Let's not get pedantic. An address is something that can be used to identify an account, which could be used as an identity. That's how social security numbers, driver's licenses and the like work.