HackerTrans
TopNewTrendsCommentsPastAskShowJobs

somezero

140 karmajoined há 9 anos
my username at protonmail.com

Submissions

Bron-Crypto: A Go cryptography library focusing on MPC

github.com
1 points·by somezero·há 4 meses·0 comments

2-Adic Logarithms and Fast Exponentiation

kevinventullo.com
3 points·by somezero·ano passado·0 comments

comments

somezero
·há 10 dias·discuss
The entire argument is based on the definition of an “Incoherent cryptosystem”, which is too restrictive to be useful for cases that you want eg. Tor is also developed and distributed by Tor people and it is supposed to protect you against everyone, including the Tor people.
somezero
·há 9 meses·discuss
https://en.wikipedia.org/wiki/Prime_omega_function

https://en.wikipedia.org/wiki/Liouville_function
somezero
·há 10 meses·discuss
This is not just a funny joke, but also timely given the recent sanctions.

https://en.wikipedia.org/wiki/International_sanctions_agains...
somezero
·ano passado·discuss
FHE is simply the wrong tool here. FHE is for a central server operating on data held/known by another. They want MPC -multiple parties jointly computing on distributed data- and that’s fairly more efficient.
somezero
·ano passado·discuss
Gauss 2.0; He’s very prolific, very famous in the math community. In this context, he is noteworthy because he’s taking automated theorem proving seriously which destigmatizes it for other pure mathematicians.
somezero
·ano passado·discuss
Not sure simplicity of spec translates into simplicity of user code. This change is backward compatible and will allow things that previously were disallowed.
somezero
·há 2 anos·discuss
People [sadly] put a lot of "exotic" cryptography/distributed systems under the term "blockchain" eg. If you want to do byzantine agreement with sub quadratic message complexity, where do you look it up? If you want to do high throughput threshold signing, where do you look it up?

An allergic reaction to the term "blockchain" is to miss the forrest for the trees... and I would imagine the authors share the same point of view.
somezero
·há 2 anos·discuss
It’s all just bytes and hashes and alike at the bottom. Absolutely nothing magical. It is the abstractions over them that makes them esoteric, not the fundamental building blocks.

As to why your example isn’t zero-knowledge proof of knowledge of a password, it’s because hash of the same password is always the same thing. So what if someone copies the hashed password and passes it as their own? You say, sign something? But I can reuse the signature. You say, sign a random challenge? Okay, but what if, on the other side, the verifier (ie. the app) adaptively picks a challenge instead of randomly sampling it? … Continue this line of thought, and once you have the correct solution, simplify it and remove the unnecessary parts (eg. Signing something is too strong of a requirement) and you get something called Zero-Knowledge proof of knowledge out of an honest-verifier sigma protocol.

As for ZK proofs that are not proofs of knowledge, then the easiest way to think of it is an encrypted data structure like a database. Imagine the client wants to check whether an element is in some set on a server, where the server has an “encrypted” form of a set and can’t see what’s in it. How can the server check membership of an element and convince the client? That’s done with a ZK proof. You say what about Fully Homomorphic encryption? That’s also technically ZK… what’s not a ZK? For anything that you can’t write a simulator. What’s a simulator? Pick a cryptography textbook.
somezero
·há 2 anos·discuss
> zk signature schemes exist and are implied by the existence of one way functions and publicly verifiable nizk.

Almost. The result is from CRYPTO89 paper of Bellare and Goldwasser. They derive a signature scheme from a nizk. It is not known whether you can get a nizk from a signature scheme. Moreover, no signature scheme can be a ZK: https://crypto.stackexchange.com/questions/35177/is-using-di...
somezero
·há 2 anos·discuss
A signature is a PoK, but not ZK.
somezero
·há 3 anos·discuss
Sybil attacks [1] came out about a decade before the Red Balloons paper [2] or the DARPA Challenge itself [3]. It is proven in [1] that CA is necessary for a Sybil-proof system, which made people to talk about Sybil resistance eg [4] - all before Bitcoin or the DARPA challenge.

Unless I’m categorically missing something, Claims like network centralization is much less likely in a Sybil-proof system, is just plain wrong and confusing, to say the least, if discussed “formally” and “mathematically”.

[1] https://www.microsoft.com/en-us/research/publication/the-syb...

[2] https://arxiv.org/pdf/1111.2626.pdf

[3] https://en.wikipedia.org/wiki/DARPA_Network_Challenge?wprov=...

[4] https://link.springer.com/chapter/10.1007/978-3-540-85230-8_...
somezero
·há 3 anos·discuss
EdDSA signatures are not Schnorr signatures. A Schnorr signature is dlog proof made non interactive with fiat Shamir binded with the message, and that is equivalent/verifiable as an EdDSA signature, up to one time signing per message (as Schnorr is not deterministic)

EdDSA being deterministic, means it’s not Schnorr by definition.

The other difference of EdDSA is having a different keygen process: SHA512 then clamp the first 32 bytes (and this process breaks down all additive key derivation that’s nice to have) clamping is not the problem and you have to clear cofactors for Schnorr over that curve anyway, but it’s the hashing at the beginning that’s different and has nothing to do with cofactor clearing.

The other difference of EdDSA is not having a standardized verifier (keywords are “cofactored” and “cofactorless” verifier) and this breaks down another nice property of Schnorr signatures which is signature aggregation.

Overall the standards for EdDSA -unfortunately- still leave a lot to be desired.