waxwing on Nostr: Oh, very interesting! For some background for readers: the idea of using a ring ...
Oh, very interesting! For some background for readers: the idea of using a ring signature to sign code is to help the anonymity (in a limited set) of the author; not a crazy idea, by any means. However, the vulnerability mentioned is what interests me here: because around 2016, shortly after the Confidential Transactions idea was published by Maxwell and Poelstra, the Monero devs got understandably excited, because the idea of an anonymizing cryptocurrency with plaintext amounts obviously isn't great. So their initial proposals to use Confidential Transactions contained flaws, and I think the first one was exactly the one mentioned here: using H(data)*G for the alternate basepoint. This is an incredibly bad failure because it 100% breaks the anonymity immediately (I won't explain to avoid boring people), and also because it's a very basic error. I believe it was Jonas Nick who read their paper and pointed it out, and also pointed at a second much more subtle but very serious flaw in a proposal they had. My memory may be failing me there, but anyway something along those lines happened, but it never got into the code of Monero the cryptocurrency. So yeah it's really interesting if it *did* get into this project and then went unnoticed/undeleted.
Published at 2025-03-25 23:14:03

Event JSON
{
"id": "ddbe25f55e032744247a06c6f0b28118ac034562ad11b31b303b2931230273be",
"pubkey": "675b84fe75e216ab947c7438ee519ca7775376ddf05dadfba6278bd012e1d728",
"created_at": 1742944443,
"kind": 1,
"tags": [
[
"e",
"767d77eb1a0c0a767f211ef41666ba9a90f456060675368400d8cb4cca8e685c",
"",
"root"
],
[
"p",
"46fcbe3065eaf1ae7811465924e48923363ff3f526bd6f73d7c184b16bd8ce4d"
]
],
"content": "Oh, very interesting! For some background for readers: the idea of using a ring signature to sign code is to help the anonymity (in a limited set) of the author; not a crazy idea, by any means. However the vulnerability mentioned is what interests me here: because around 2016, shortly after the Confidential Transactions idea was published by Maxwell and Poelstra, the Monero devs got understandably excited, because the idea of an anonymizing cryptocurrency with plaintext amounts obviously isn't great. So their initial proposals to use Confidential Transactions contained flaws, and I think the first one was exactly the one mentioned here: usingn H(data)*G for the alternate basepoint. This is an incredibly bad failure because it 100% breaks the anonymity immediately (I won't explain to avoid boring people), and also because it's a very basic error. I believe it was Jonas Nick who read their paper and pointed it out, and also pointed at a second much more subtle but very serious flaw in a proposal they had. My memory may be failing me there, but anyway something along those lines happened, but it never got into the code of Monero the cryptocc. So yeah it's really interesting if it *did* get into this project and then went unnoticed/undeleted.",
"sig": "faa9368bccf9108e099d23601d14b5d98428d071f6f931d71e101efc192bc8723c0c2e2f795a6817254895e266f006d95f2b94c3314e439ea6cdc54f2977998b"
}
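The post says that deriving the alternate basepoint as H(data)*G is a "very basic error" but does not spell out why. The standard reason, shown below as an added example that is not waxwing's code and not from any project the post refers to, is that a Pedersen commitment is only binding while the discrete log of the second generator relative to the first is unknown; if H = k*G with a publicly computable k, anyone can open a commitment to any value they like. The example uses a toy prime-order subgroup of Z_p^* (p = 1019, q = 509, generator 4) in multiplicative notation instead of an elliptic curve, so "H(data)*G" becomes g^k; the group parameters, the SHA-256 derivation and all sample values are constructed assumptions for illustration.

```python
import hashlib

# Constructed toy group: q = 509 is prime, p = 2q + 1 = 1019 is prime,
# and G = 4 = 2^2 is a quadratic residue, hence generates the order-q subgroup.
# (Assumed parameters; real systems use a 256-bit curve group.)
P = 1019
Q = 509
G = 4


def derive_h_bad(data: bytes):
    """The flawed construction the post describes: H = H(data)*G, i.e. h = g^k
    with k = SHA-256(data) mod q. Returns (h, k); k is public knowledge, so the
    discrete log of h with respect to g is known to everyone."""
    k = int.from_bytes(hashlib.sha256(data).digest(), "big") % Q
    k = k or 1  # avoid the degenerate exponent 0
    return pow(G, k, P), k


def derive_h_good(data: bytes) -> int:
    """A sound (if simplified) derivation: hash straight into the group by
    squaring the hash mod p. The result lies in the order-q subgroup, but no one
    learns its discrete log relative to g."""
    x = int.from_bytes(hashlib.sha256(data).digest(), "big") % P
    x = x or 2
    return pow(x, 2, P)


def commit(h: int, value: int, blinding: int) -> int:
    """Pedersen commitment C = g^value * h^blinding (mod p)."""
    return (pow(G, value, P) * pow(h, blinding, P)) % P


def open_ok(h: int, c: int, value: int, blinding: int) -> bool:
    """Verifier's check: does (value, blinding) open commitment c?"""
    return commit(h, value, blinding) == c


def forge_opening(k: int, value: int, blinding: int, new_value: int) -> int:
    """With h = g^k and k known, C = g^(value + k*blinding). Choose a new
    blinding r' so that new_value + k*r' == value + k*blinding (mod q); then
    (new_value, r') opens the same C. This is exactly what the unknown
    discrete log of h is supposed to prevent."""
    k_inv = pow(k, -1, Q)
    return (blinding + (value - new_value) * k_inv) % Q


def demo():
    """Commit to 5, then re-open the same commitment as 42 using the public k."""
    h, k = derive_h_bad(b"constructed basepoint seed")
    c = commit(h, 5, 123)
    forged_r = forge_opening(k, 5, 123, 42)
    return {
        "honest_opens": open_ok(h, c, 5, 123),
        "forged_opens": open_ok(h, c, 42, forged_r),
        "wrong_without_forgery": open_ok(h, c, 42, 123),
    }


if __name__ == "__main__":
    print(demo())
```

With `derive_h_good` the same `forge_opening` trick is unavailable because there is no k to feed it; that is the whole difference between a nothing-up-my-sleeve generator and one with a known discrete log. Binding is the property shown here; the post's own remark is about anonymity in the ring-signature setting, which it leaves unexplained.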