There's a pretty detailed proposal of a privacy-preserving L2 solution for Zcash, called BOLT (https://z.cash/blog/bolt-private-payment-channels/). The original paper is at https://eprint.iacr.org/2016/701 , and there's…
Disabling SharedArrayBuffer is just stopping the most obvious method of exploitation; it's by no means a fix. Expect a slew of papers over the next few years on other methods of exploitation from JS.
But you don't detect that one case where you are actually compromised. You dismiss it like you do all the false positives. At best, when you get pwned you think back to having dismissed the key change warning and know…
The legacy codebase issue we are lamenting there is just that the code inherited from Bitcoin is in C++. It's of course possible to interface between C++ and Rust, and that's what we're intending to do in future. It…
As far as I know we've never claimed that the distribution is flat or that the "effective anonymity" is equivalent to a uniform distribution over prior notes (I certainly didn't claim that). One of the advantages of…
Note that the number of prior shielded transactions (not the proportion, and not the value) is what is actually relevant to the privacy of new shielded transactions. Roughly speaking, the privacy you get with Zcash is…
Zcash, for example, is built with `-Werror` (edit: not `-Wall`, but we're working on that). So this is absolutely feasible on a Bitcoin-derived codebase.
No, that is not the bug. See Ian Miers' comments.
I'm not aware of any proof that Borromean signatures, relied on by CT, are secure assuming only ECDLP. There is certainly no such proof in the paper https://github.com/Blockstream/borromean_paper/blob/master/b... .…
This isn't a subtle or difficult-to-find case. It's a case of "why the heck would anyone write code like that, in any language, in the first place?" The only language-level abstraction needed to avoid this particular…
Just to clarify, the code that was duplicated per denomination is not part of libzerocoin itself, it's in main.cpp. I'm not sure who wrote it; it may or may not have been part of the academic prototype Ian refers to. In…
The crypto used in Confidential Transactions, or any implementation of it, does not only rely on ECDLP. There's plenty of scope for potential protocol or implementation errors. (The Zcoin issue, remember, is an…
There are ways to significantly reduce the cost of zk proof verification by batching (that are compatible with the existing Zcash protocol without a fork).
Fixed in Zcash 1.0.3. (They were always "working", despite the bugs that were recently fixed. You can see plenty of successful z-address transactions on the blockchain.)
The concern in that last sentence seems misplaced; there is no relation between proportion of monetary base held by an attacker, and proportion of mining power held by an attacker.
Basically yes. Strictly speaking privacy also relies on assumptions about Curve25519 (with a Blake2b-based key derivation function) and ChaCha20, but those are standard and uncontroversial.
It's a bit more complicated than that. The main responsibility for implementing connection layer unlinkability lies with Tor (if you use Zcash over Tor, which we will aim to provide good support for), but how effective…
Of course they've had to pay. In the case of the investors, they've had to pay cash up-front to fund the development of Zcash. In the case of other shareholders of Zerocoin Electric Coin Company, they've had to pay for,…
I don't actually see any assertions on this thread by natdempk or tptacek claiming that TextSecure is "trustworthy" and/or "solid". Did I miss something? My own opinion is that both strong cryptographic and security…
The scopes had a great deal of overlap; although we (Least Authority) didn't consider the iOS client at all, the rest of iSec's audit has essentially the same scope as ours. The point I was trying to highlight is how…
Actually I strongly suggest reading these in conjunction with iSec's issues 12 through 16, because each team spotted some details that the other missed.
Findings iSEC-RFACC0114-1 and iSEC-RFACC0114-3. (2 out of the 17 vulnerabilities found by iSec, of varying severity.)
This issue (or one with very similar effect) was also found by the Least Authority audit: https://github.com/cryptocat/cryptocat/issues/607 (The 'issue E' that it references is…
I was one of the auditors for Least Authority. Just wanted to add that this audit was really fun to do! If you have the necessary experience and are part of a good team, security auditing is a fantastic job. -- Daira…
There's a pretty detailed proposal of a privacy-preserving L2 solution for Zcash, called BOLT (https://z.cash/blog/bolt-private-payment-channels/). The original paper is at https://eprint.iacr.org/2016/701 , and there's…
Disabling SharedArrayBuffer is just stopping the most obvious method of exploitation; it's by no means a fix. Expect a slew of papers over the next few years on other methods of exploitation from JS.
But you don't detect that one case where you are actually compromised. You dismiss it like you do all the false positives. At best, when you get pwned you think back to having dismissed the key change warning and know…
The legacy codebase issue we are lamenting there is just that the code inherited from Bitcoin is in C++. It's of course possible to interface between C++ and Rust, and that's what we're intending to do in future. It…
As far as I know we've never claimed that the distribution is flat or that the "effective anonymity" is equivalent to a uniform distribution over prior notes (I certainly didn't claim that). One of the advantages of…
Note that the number of prior shielded transactions (not the proportion, and not the value) is what is actually relevant to the privacy of new shielded transactions. Roughly speaking, the privacy you get with Zcash is…
Zcash, for example, is built with `-Werror` (edit: not `-Wall`, but we're working on that). So this is absolutely feasible on a Bitcoin-derived codebase.
No, that is not the bug. See Ian Miers' comments.
I'm not aware of any proof that Borromean signatures, relied on by CT, are secure assuming only ECDLP. There is certainly no such proof in the paper https://github.com/Blockstream/borromean_paper/blob/master/b... .…
This isn't a subtle or difficult-to-find case. It's a case of "why the heck would anyone write code like that, in any language, in the first place?" The only language-level abstraction needed to avoid this particular…
Just to clarify, the code that was duplicated per denomination is not part of libzerocoin itself, it's in main.cpp. I'm not sure who wrote it; it may or may not have been part of the academic prototype Ian refers to. In…
The crypto used in Confidential Transactions, or any implementation of it, does not only rely on ECDLP. There's plenty of scope for potential protocol or implementation errors. (The Zcoin issue, remember, is an…
There are ways to significantly reduce the cost of zk proof verification by batching (that are compatible with the existing Zcash protocol without a fork).
Fixed in Zcash 1.0.3. (They were always "working", despite the bugs that were recently fixed. You can see plenty of successful z-address transactions on the blockchain.)
The concern in that last sentence seems misplaced; there is no relation between proportion of monetary base held by an attacker, and proportion of mining power held by an attacker.
Basically yes. Strictly speaking privacy also relies on assumptions about Curve25519 (with a Blake2b-based key derivation function) and ChaCha20, but those are standard and uncontroversial.
It's a bit more complicated than that. The main responsibility for implementing connection layer unlinkability lies with Tor (if you use Zcash over Tor, which we will aim to provide good support for), but how effective…
Of course they've had to pay. In the case of the investors, they've had to pay cash up-front to fund the development of Zcash. In the case of other shareholders of Zerocoin Electric Coin Company, they've had to pay for,…
I don't actually see any assertions on this thread by natdempk or tptacek claiming that TextSecure is "trustworthy" and/or "solid". Did I miss something? My own opinion is that both strong cryptographic and security…
The scopes had a great deal of overlap; although we (Least Authority) didn't consider the iOS client at all, the rest of iSec's audit has essentially the same scope as ours. The point I was trying to highlight is how…
Actually I strongly suggest reading these in conjunction with iSec's issues 12 through 16, because each team spotted some details that the other missed.
Findings iSEC-RFACC0114-1 and iSEC-RFACC0114-3. (2 out of the 17 vulnerabilities found by iSec, of varying severity.)
This issue (or one with very similar effect) was also found by the Least Authority audit: https://github.com/cryptocat/cryptocat/issues/607 (The 'issue E' that it references is…
I was one of the auditors for Least Authority. Just wanted to add that this audit was really fun to do! If you have the necessary experience and are part of a good team, security auditing is a fantastic job. -- Daira…