Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)

Note that one of the reasons why this is insecure is because EC point addition is invertible. EC-scalar multiplication is not, thus why EC Diffie-Hellman is secure even when this asymmetry exists. A good cryptosystem doesn't have strange restrictions, like "your public key can only be public some

Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)

Note that one of the reasons why this is insecure is because EC point addition is invertible. EC-scalar multiplication is not, thus why EC Diffie-Hellman is secure even when this timing asymmetry exists. A good cryptosystem doesn't have strange restrictions, like "your public key can only be publ

Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)

You can always use a secure multiparty computation algorithm to do it. https://en.wikipedia.org/wiki/Secure_multi-party_computation But those aren't the fastest algorithms in the world, and usually both participants needs to be online at the same time. I guess most people would prefer a two-step

Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)

Also the other limitation for ECDSA is that there is no known protocol to create a signture with a+b (where keys P=aG, Q=bG, R=P+Q=(a+b)G). without either a sending its private key to b or viceversa (or both to a third party). With Schnorr sigs you can do it, but the k^-1 term in ECDSA makes a (se

Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)

If both parties insist on seeing a hash of the other party's public key before they'll show their own public key, they can be sure that the public key is not chosen based on the public key they themselves presented. Although, I have to wonder, why not just use multisig? - Joel On 08.03.2014 10:5

Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)

On 8 March 2014 17:10, Alan Reiner wrote: > I create a new keypair, with which I know (it can be any > arbitrary key pair). But I don't give you , I give you = > minus (which I can do because I've seen before > doing this). > > Sure, I don't know the private key for , but it doesn't matt

Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)

On 03/08/2014 01:55 AM, Edmund Edgar wrote: > On 4 March 2014 14:07, Odinn Cyberguerrilla > > wrote: > > Nothing is safe. > > > This is true. To rephrase, imagine I gave you an ECC public key > , you gave me back a public key of your own > devising, the

Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)

On 4 March 2014 14:07, Odinn Cyberguerrilla wrote: > Nothing is safe. > This is true. To rephrase, imagine I gave you an ECC public key , you gave me back a public key of your own devising, then I paid some money to the address resulting from add_pubkeys(,) [1]. Can anyone either: a) Think of

Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)

Nothing is safe. Take risks. Engage one trouble at a time. Perform unexpected actions. Observe the results. Rinse and repeat. Ignore the lions. They too shall pass. "Do not sleep under a roof. Carry no money or food. Go alone to places frightening to the common brand of men. Become a crimin

[Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)

Some people may have seen my service Reality Keys, which can perform a role a bit like an External State Oracle as described previously by Mike Hearn and others. (I like to think of it as a Certificate Authority for propositions, doing for facts what Verisign do for identities.) You register a poss