On 03/08/2014 01:55 AM, Edmund Edgar wrote:
On 4 March 2014 14:07, Odinn Cyberguerrilla <odinn.cyberguerrilla@riseup.net> wrote:
Nothing is safe.

This is true. To rephrase, imagine I gave you an ECC public key <ed_pub>, you gave me back a public key <odinn_pub> of your own devising, then I paid some money to the address resulting from add_pubkeys(<ed_pub>,<odinn_pub>) [1]. Can anyone either:

a) Think of a way that Odinn could make an <odinn_pub> such that they could spend the resulting money without having <ed_priv>.
b) Opine, somewhat knowledgeably, that this probably wouldn't be an easy thing to do, and they wouldn't be alarmed to see people running software that did this kind of thing.

[1] https://github.com/vbuterin/pybitcointools/blob/master/pybitcointools/main.py#L173

Consider that I see your public key <a_pub> before I create and send you my public key <b_pub>.

I create a new keypair, <c_pub> with <c_priv> which I know (it can be any arbitrary key pair).  But I don't give you <c_pub>, I give you  <b_pub> = <c_pub> minus <a_pub> (which I can do because I've seen <a_pub> before doing this). 

Sure, I don't know the private key for <b_pub>, but it doesn't matter... because what

<b_pub> + <a_pub> = <c_pub> (mine)

You have no way to detect this condition, because you don't know what c_pub/c_priv I created, so you can only detect this after it's too late (after I abuse the private key)

-Alan