public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
* Re: [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)
@ 2014-03-08  6:55 Edmund Edgar
  2014-03-08  8:10 ` Alan Reiner
  0 siblings, 1 reply; 10+ messages in thread
From: Edmund Edgar @ 2014-03-08  6:55 UTC (permalink / raw)
  To: bitcoin-development

[-- Attachment #1: Type: text/plain, Size: 963 bytes --]

On 4 March 2014 14:07, Odinn Cyberguerrilla <odinn.cyberguerrilla@riseup.net
> wrote:

> Nothing is safe.
>

This is true. To rephrase, imagine I gave you an ECC public key <ed_pub>,
you gave me back a public key <odinn_pub> of your own devising, then I paid
some money to the address resulting from add_pubkeys(<ed_pub>,<odinn_pub>)
[1]. Can anyone either:

a) Think of a way that Odinn could make an <odinn_pub> such that they could
spend the resulting money without having <ed_priv>.
b) Opine, somewhat knowledgeably, that this probably wouldn't be an easy
thing to do, and they wouldn't be alarmed to see people running software
that did this kind of thing.

[1]
https://github.com/vbuterin/pybitcointools/blob/master/pybitcointools/main.py#L173

-- 
Edmund Edgar
Founder, Social Minds Inc (KK)
Twitter: @edmundedgar
Linked In: edmundedgar
Skype: edmundedgar
http://www.socialminds.jp

Reality Keys
@realitykeys
ed@realitykeys.com
https://www.realitykeys.com

[-- Attachment #2: Type: text/html, Size: 1899 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread
* [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol)
@ 2014-03-04  2:59 Edmund Edgar
  2014-03-04  5:07 ` Odinn Cyberguerrilla
  0 siblings, 1 reply; 10+ messages in thread
From: Edmund Edgar @ 2014-03-04  2:59 UTC (permalink / raw)
  To: bitcoin-development

[-- Attachment #1: Type: text/plain, Size: 2735 bytes --]

Some people may have seen my service Reality Keys, which can perform a role
a bit like an External State Oracle as described previously by Mike Hearn
and others. (I like to think of it as a Certificate Authority for
propositions, doing for facts what Verisign do for identities.) You
register a possible outcome with us, we publish a public key for "yes" and
another for "no", and once the outcome happens or fails to happen, we
publish the appropriate private key.

A few people have been asking for advice on the best way to use our keys to
make m-of-n contracts, where each party locks up their stake in a
transaction, then the winner gets their private key from Reality Keys and
uses it to release the funds. Peter Todd suggested what seems like a very
nice way to do this without needing non-standard transactions or refund
transactions. I've had a go at implementing it and it seems to work, but I
don't know enough about this to distinguish the ECC bit of it from magic,
so I'm wondering if people who do understand it could comment on whether
it's a safe thing to be doing.

What I'm trying to do here is to combine the public key of each party with
the public key of the outcome they're representing, eg I make a public key
with:
 <alice-pub> + <reality-key-yes-pub>
...and another with:
 <bob-pub> + <reality-key-no-pub>

That goes into a 1/2 P2SH address (in the simplest possible case), which is
spendable by one of Alice or Bob after the outcome occurs with either:
 <alice-priv> + <reality-key-yes-priv>
...or
 <bob-priv> + <reality-key-no-priv>

I'm making the transaction with add_pubkeys, then spending it with
add_privkeys, both from:
https://github.com/vbuterin/pybitcointools/blob/master/pybitcointools/main.py#L173

What's worrying my superstitious mind is that knowing <reality-key-no-pub>
before he has to produce <bob-pub>, I'm wondering if there's something Bob
could do with <bob-pub> to intentionally weaken the resulting (<bob-pub> +
<reality-key-no-pub>) so that he could sign a transaction with it without
needing to know <reality-key-no-priv>.

My example script (and specifically the bit that's scaring me) is here:
https://github.com/edmundedgar/realitykeys-examples/blob/master/realitykeysdemo.py#L247

PS. I hope I'm not too far off-topic. Peter Todd suggested it might be
worth talking about here as it potentially has implications for other
protocols. If people prefer to respond at bitcointalk instead, we've been
discussing it here:
https://bitcointalk.org/index.php?topic=260898.60

-- 
Edmund Edgar
Founder, Social Minds Inc (KK)
Twitter: @edmundedgar
Linked In: edmundedgar
Skype: edmundedgar
http://www.socialminds.jp

Reality Keys
@realitykeys
ed@realitykeys.com
https://www.realitykeys.com

[-- Attachment #2: Type: text/html, Size: 3805 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2014-03-08 23:13 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-03-08  6:55 [Bitcoin-development] Is this a safe thing to be doing with ECC addition? (Oracle protocol) Edmund Edgar
2014-03-08  8:10 ` Alan Reiner
2014-03-08  8:51   ` Edmund Edgar
2014-03-08 10:37     ` Joel Kaartinen
2014-03-08 17:41       ` Adam Back
2014-03-08 18:15         ` Natanael
2014-03-08 23:13       ` Alan Reiner
2014-03-08 20:30     ` Alan Reiner
  -- strict thread matches above, loose matches on Subject: below --
2014-03-04  2:59 Edmund Edgar
2014-03-04  5:07 ` Odinn Cyberguerrilla

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox