Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)

2014-03-08 Thread Alan Reiner
On 03/08/2014 01:55 AM, Edmund Edgar wrote: > On 4 March 2014 14:07, Odinn Cyberguerrilla > > wrote: > > Nothing is safe. > > > This is true. To rephrase, imagine I gave you an ECC public key > , you gave me back a public key of your own > devising, the

Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)

2014-03-08 Thread Edmund Edgar
On 8 March 2014 17:10, Alan Reiner wrote: > I create a new keypair, with which I know (it can be any > arbitrary key pair). But I don't give you , I give you = > minus (which I can do because I've seen before > doing this). > > Sure, I don't know the private key for , but it doesn't matt

Re: [Bitcoin-development] Instant / contactless payments

2014-03-08 Thread Jan Vornberger
On Thu, Mar 06, 2014 at 02:39:52PM +, Alex Kotenko wrote: > Not sure if you've seen it, but here is how we do NFC right now > http://www.youtube.com/watch?v=DGOMIG9JUY8 with XBTerminal. Very interesting, thanks for sharing! Are the two devices on the same wifi network in the demo? In my experi

Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)

2014-03-08 Thread Joel Kaartinen
If both parties insist on seeing a hash of the other party's public key before they'll show their own public key, they can be sure that the public key is not chosen based on the public key they themselves presented. Although, I have to wonder, why not just use multisig? - Joel On 08.03.2014 10:5

Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)

2014-03-08 Thread Adam Back
Also the other limitation for ECDSA is that there is no known protocol to create a signature with a+b (where keys P=aG, Q=bG, R=P+Q=(a+b)G) without either a sending its private key to b or vice versa (or both to a third party). With Schnorr sigs you can do it, but the k^-1 term in ECDSA makes a (se

Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)

2014-03-08 Thread Natanael
You can always use a secure multiparty computation algorithm to do it. https://en.wikipedia.org/wiki/Secure_multi-party_computation But those aren't the fastest algorithms in the world, and usually both participants need to be online at the same time. I guess most people would prefer a two-step

[Bitcoin-development] New IRC name: aschildbach

2014-03-08 Thread Andreas Schildbach
I just renamed myself on IRC (freenode) to aschildbach. The old name was Goonie. I will most likely only use the new name from now on, at least for Bitcoin-related purposes (-:

Re: [Bitcoin-development] New side channel attack that can recover Bitcoin keys

2014-03-08 Thread Gustav Simonsson
While there is no mention of virtualization in the side-channel article, the FLUSH+RELOAD paper [1] mentions virtualization and claims the clflush instruction works not only towards processes on the same OS, but also against processes in a separate guest OS if executed on the host OS (type 2 hyperv

Re: [Bitcoin-development] New side channel attack that can recover Bitcoin keys

2014-03-08 Thread Luke-Jr
On Wednesday, March 05, 2014 4:21:52 PM Kevin wrote: > How can we patch this issue? No need, it is not an issue for Bitcoin. Properly used, there is only ever one signature per public key. Luke -- Subversion Kills Produ

Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)

2014-03-08 Thread Alan Reiner
Note that one of the reasons why this is insecure is because EC point addition is invertible. EC-scalar multiplication is not, thus why EC Diffie-Hellman is secure even when this timing asymmetry exists. A good cryptosystem doesn't have strange restrictions, like "your public key can only be publ

[Bitcoin-development] Bitcoin wiki is down

2014-03-08 Thread Tom Geller
Just an FYI: The Bitcoin wiki (https://en.bitcoin.it) is down. Is there a communication procedure or point person for such things? --- Tom Geller * Oberlin, Ohio * 415-317-1805 Writer/Presenter * http://www.tomgeller.com articles, marketing, videos, user guides,

Re: [Bitcoin-development] Bitcoin wiki is down

2014-03-08 Thread Gregory Maxwell
On Sat, Mar 8, 2014 at 12:59 PM, Tom Geller wrote: > Just an FYI: The Bitcoin wiki (https://en.bitcoin.it) is down. > > Is there a communication procedure or point person for such things? This works. The wiki is in the process of changing control/operation. Nothing to fear.

Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)

2014-03-08 Thread Alan Reiner
Note that one of the reasons why this is insecure is because EC point addition is invertible. EC-scalar multiplication is not, thus why EC Diffie-Hellman is secure even when this asymmetry exists. A good cryptosystem doesn't have strange restrictions, like "your public key can only be public some

Re: [Bitcoin-development] New side channel attack that can recover Bitcoin keys

2014-03-08 Thread Gregory Maxwell
On Sat, Mar 8, 2014 at 11:34 AM, Luke-Jr wrote: > On Wednesday, March 05, 2014 4:21:52 PM Kevin wrote: >> How can we patch this issue? > No need, it is not an issue for Bitcoin. > Properly used, there is only ever one signature per public key. Security shouldn't depend on perfect use. There are