[Bitcoin-development] blind symmetric commitment for stronger byzantine voting resilience (Re: bitcoin taint & unilateral revocability)

Adam Back adam at cypherspace.org
Thu May 16 14:51:09 UTC 2013


More somewhat improved crypto stuff...

On Thu, May 16, 2013 at 01:32:22PM +0200, Adam Back wrote:
>I suggested fixed size committed coin spends [...]
>
>(blind-sender, auth-tag, encrypted-tx-commit)
>
>(pub key P = xG, G = base point)
>
>	blind-sender = cP (public key EC multiplied by constant c)
>	sig = ECDSA( cx, encrypted-tx-commit )
>	encrypted-tx-commit = AES( K, tx-commit )
>	K = random
>
>as K is random, knowledge of P if stored unencrypted does not allow
>committed spend-to-junk.  To reveal to a recipient just send them P and K at
>each hop.  (Same K each time, anyone on the committed coin spend chain can
>already chose to reveal at any time so no loss of security.)

Actually same K every time is not so hot, as then earlier in the committed
spend chain, can force a reveal for someone later.  A clearer requirement is
that each person should only be able to reveal committed coin chains up to
the point of their direct involvement.

So that is easily fixable, just include the K for the input committed coin
in the encrypted-tx-commit, as above but:

	encrypted-tx-commit = AES( K_i, K_{i-1} || tx-commit )
	K_i = random

(different K for each spend).

And actually for symmetric encrypted variant the coin as specified was
already evaluatable with fixed size committed spend (of the last public key)
- I just didnt realize it in the previous mail: the input public key is
necessarily revealed when processing the decrypted tx-commit, allowing
identification and validation of the txin, and validation recursively back
to the first non-committed coin.  With symmetric verification, the
limitation is one-use coin committed addresses (and inability to remove
spend to committed junk with public validation, though there is the tx fee
as a discouragement, it does bloat a recipients verification and so maybe
frustates SPV->SPV consumption of committed coins).

(blind-sender, auth-tag, encrypted-tx-commit)

         blind-sender = SHA1( SHA256( 1, pub ) )
         auth = HMAC-SHA256-128( K, encrypted-tx-commit )
         encrypted-tx-commit = AES( K, tx-commit )
         K = SHA-256( pub )

Adam

ps and it would be better and clearer to read also in terms of purpose of
hashes, to use a KDF like IEEE P1363 KDF2, or PKCS#5 PBKDF2 with 1
iteration, rather than adhoc hashes for key derivation.




More information about the bitcoin-dev mailing list