- Transaction - Bitcoin Wiki
- The Math Behind Bitcoin - CoinDesk
- Bitcoin - ECDSA signature - Delfr
- Bitcoin Elliptic Curve CryptoCoins Info Club
- Details of ECDSA Signatures • Coder's Errand

Permissionless = RenVM is an open protocol; meaning anyone can use RenVM and any project can build with RenVM. You don't need anyone's permission, just plug RenVM into your dApp and you have interoperability.

Decentralized = The nodes that power RenVM ( Darknodes) are scattered throughout the world. RenVM has a peak capacity of up to 10,000 Darknodes (due to REN’s token economics). Realistically, there will probably be 100 - 500 Darknodes run in the initial Mainnet phases, ample decentralized nonetheless.

Permissionless = https://github.com/renproject/ren-js

Decentralized = https://chaosnet.renproject.io/

SSS by itself is just a way of representing secret data (like numbers). sMPC is how to generate and work with that data (like equations). One of the things you can do with that work is produce a form of TSS (this is what RenVM does).

However, TSS is slightly different because it can also be done *without* SSS and sMPC. For example, BLS signatures don’t use SSS or sMPC but they are still a form of TSS.

So, we say that RenVM uses SSS+sMPC because this is more specific than just saying TSS (and you can also do more with SSS+sMPC than just TSS). Specifically, all viable forms of turning ECDSA (a scheme that isn’t naturally threshold based) into a TSS needs SSS+sMPC.

People often get confused about RenVM and claim “SSS can’t be used to sign transactions without making the private key whole again”. That’s a strange statement and shows a fundamental misunderstanding about what SSS is.

To come back to our analogy, it’s like saying “numbers can’t be used to write a book”. That’s kind of true in a direct sense, but there are plenty of ways to encode a book as numbers and then it’s up to how you interpret (how you *use*) those numbers. This is exactly how this text I’m writing is appearing on your screen right now.

SSS is just secret data. It doesn’t make sense to say that SSS *functions*. RenVM is what does the functioning. RenVM *uses* the SSSs to represent private keys. But these are generated and used and destroyed as part of sMPC. The keys are never whole at any point.

tBTC an only mint/burn lots of 1 BTC and requires an on-Ethereum SPV relay for Bitcoin headers (and for any other chain it adds). No real advantage trade-off IMO.

tBTC has a liquidation mechanism that means nodes can have their bond liquidated because of ETH/BTC price ratio. Advantage means users can get 1 BTC worth of ETH. Disadvantage is it means tBTC is kind of a synthetic: needs a price feed, needs liquid markets for liquidation, users must accept exposure to ETH even if they only hold tBTC, nodes must stay collateralized or lose lots of ETH. RenVM doesn’t have this, and instead uses fees to prevent becoming under-collateralized. This requires a mature market, and assumed Darknodes will value their REN bonds fairly (based on revenue, not necessarily what they can sell it for at current —potentially manipulated—market value). That can be an advantage or disadvantage depending on how you feel.

tBTC focuses more on the idea of a tokenized version of BTC that feels like an ERC20 to the user (and is). RenVM focuses more on letting the user interact with DeFi and use real BTC and real Bitcoin transactions to do so (still an ERC20 under the hood, but the UX is more fluid and integrated). Advantage of tBTC is that it’s probably easier to understand and that might mean better overall experience, disadvantage really comes back to that 1 BTC limit and the need for a more clunky minting/burning experience that might mean worse overall experience. Too early to tell, different projects taking different bets.

tBTC supports BTC (I think they have ZEC these days too). RenVM supports BTC, BCH, and ZEC (docs discuss Matic, XRP, and LTC).

-Both are vulnerable to oracle attacks

-REN federation failure results in loss or theft of all funds

-tBTC failures tend to result in frothy markets, but holders of tBTC are made whole

-REN quorum rotation is new crypto, and relies on honest deletion of old key shares

-tBTC rotates micro-quorums regularly without relying on honest deletion

-tBTC relies on an SPV relay

-REN relies on federation honesty to fill the relay's purpose

-Both are brittle to deep reorgs, so expanding to weaker chains like ZEC is not clearly a good idea

-REN may see total system failure as the result of a deep reorg, as it changes federation incentives significantly

-tBTC may accidentally punish some honest micro-federations as the result of a deep reorg

-REN generally has much more interaction between incentive models, as everything is mixed into the same pot.

-tBTC is a large collection of small incentive models, while REN is a single complex incentive model

The oracle situation is different with RenVM, because the fee model is what determines the value of REN with respect to the cross-chain asset. This is the asset is what is used to pay the fee, so no external pricing is needed for it (because you only care about the ratio between REN and the cross-chain asset).

RenVM does rotate quorums regularly, in fact more regularly than in tBTC (although there are micro-quorums, each deposit doesn’t get rotated as far as I know and sticks around for up to 6 months). This rotation involves rotations of the keys too, so it does not rely on honest deletion of key shares.

Federated views of blockchains are easier to expand to support deep re-orgs (just get the nodes to wait for more blocks for that chain). SPV requires longer proofs which begins to scale more poorly.

Not sure what you mean by “one big pot”, but there are multiple quorums so the failure of one is isolated from the failures of others. For example, if there are 10 shards supporting BTC and one of them fails, then this is equivalent to a sudden 10% fee being applied. Harsh, yes, but not total failure of the whole system (and doesn’t affect other assets).

Would be interesting what RenVM would look like with lots more shards that are smaller. Failure becomes much more isolated and affects the overall network less.

Further, the amount of tBTC you can mint is dependent on people who are long ETH and prefer locking it up in Keep for earning a smallish fee instead of putting it in Compound or leveraging with dydx. tBTC is competing for liquidity while RenVM isn't.

A major advantage of Ren's specific usage of sMPC is that security can be regulated economically. All value (that's being interopped at least) passing through RenVM has explicit value. The network can self-regulate to ensure an attack is never worth it.

Profits of the Darknodes, and therefore security of the network, is based solely on the use of the network (this is what you want because your network does not make or break on things outside the systems control). In a system like tBTC there are liquidity issues because you need to convince ETH holders to bond ETH and this is an external problem. Maybe ETH is pumping irrespective of tBTC use and people begin leaving tBTC to sell their ETH. Or, that ETH is dumping, and so tBTC nodes are either liquidated or all their profits are eaten by the fact that they have to be long on ETH (and tBTC holders cannot get their BTC back in this case). Feels real bad man.

This cannot affect safety, because the first signature is still required. Any attack you wanted to do would still have to succeed against the “normal” part of the network. This can affect liveliness, because the semi-core could decide not to sign. However, the semi-core follows the same rules as normal shards. The signature is tolerant to 1/3rd for both safety/liveliness. So, 1/3rd+ would have to decide to not sign.

Members of the semi-core would be there under governance from the rest of our ecosystem. The idea is that members would be chosen for their external value. We’ve discussed in-depth the idea of L<3. But, if RenVM is used in MakerDAO, Compound, dYdX, Kyber, etc. it would be desirable to capture the value of these ecosystems too, not just the value of REN bonded. The semi-core as a second signature is a way to do this.

Imagine if the members for those projects, because those projects want to help secure renBTC, because it’s used in their ecosystems. There is a very strong incentive for them to behave honestly. To attack RenVM you first have to attack the Darknodes “as per usual” (the current design), and then somehow convince 1/3rd of these projects to act dishonestly and collapse their own ecosystems and their own reputations. This is a very difficult thing to do.

Worth reminding: the draft for this proposal isn’t finished. It would be great for everyone to give us their thoughts on GitHub when it is proposed, so we can keep a persistent record.

RenVM can be used to interoperate many different kinds of chains (anything using ECDSA, or naturally supporting lively threshold signatures) is a candidate to be included in RenVM. However, a centralised currency that has been bridged to a decentralised chain is not decentralised. The centralised entity that controls the currency might say “nothing transferred to/from this other chain will be honoured”. That’s a risk that you take with centralised currencies (take a look at the T&Cs for USDC for example).

The benefit of RenVM in these instances is to become a standard. Short-term, RenVM brings interoperability to some core chains. Medium-term, it expands that to other more interesting chains based on community demands. Long-term, it becomes the standard for how to implement interop. For example: you create a new chain and don’t worry about interop explicitly because you know RenVM will have your back. For centralised currencies this is still advantageous, because the issuing entity only has to manage one chain (theirs) but can still get their currency onto other chains/ecosystems.

From a technical perspective, the Darknodes just have to be willing to adopt the chain/currency.

Having time to fix the bug means that Darknodes may as well stick around and continue securing the network as best they can. Because their REN is at stake (as you put it) they’re incentivised to take any of the recommended actions and update their nodes as necessary.

This is also why it’s critical for the Greycore to exist in the early days of the network and why we are rolling out SubZero the way that we are. If such a bug becomes apparent (more likely in the early days than the later days), then the Greycore has a chance to react to it (the specifics of which would of course depend on the specifics of the bug). This becomes harder and slower as the network becomes more decentralised over time.

Not mcap, but the price of bonded Ren. Furthermore, the price will be determined by how much fees darknodes have collected. BTW, loongy could you unveil based on what profits ratio/apr the price will be calculated?

This is up to the Darknodes to governance softly. This means there isn’t a need for an explicit oracle. Darknodes assess L vs R individually and vote to increase fees to drive L down and drive R up. L is driven down by continue fees, whereas R is driven up by minting/burning fees.

Let X be the amount of REN used to voted, backed behind a Darknode and bonded for T time.

Let Y be the amount of time a Darknode has been active for.

Voting power of the Darknode could = Sqrt(Y) * Log(X + T)

Log(1,000,000,000) = ~21 so if you had every REN bonded behind you, your voting power would only be 21x the voting power of other nodes. This would force whales to either run Darknodes for a while and contribute actively to the ecosystem (or lock up their REN for an extended period for addition voting power), and would force exchanges to spread their voting out over many different nodes (giving power back to those running nodes). Obviously the exchange could just run lots of Darknodes, but they would have to do this over a long period of time (not feasible, because people need to be able to withdraw their REN).

'''

1 Basic knowledge of cryptography 1.1 Basic knowledge of elliptic curves 1.1.1Elliptic curve profile Let denote a finite domain, an elliptic curve defined in it, actually this curve represented as a set of points, defines an operation on elliptic curve, and two points on the elliptic curve, a + = for the two point addition operation. The intersection of the line and the curve represented by the point, and the point on the elliptic curve of the symmetry. At this point, when = when, the intersection of the tangent and the curve is represented as the point on the axis of the elliptic curve. Thus, the Abel group is formed on the finite field (+ +), and the addition unit element is. 1.1.2 Signature algorithm Defines an elliptic curve called [()) and its base point, which is the order. For the curve @ (), make a public key pair, in which the private key is the public key and can be made public. Step1: first, using Hash function to calculate the plaintext message, the Hash function algorithm used MD5 algorithm or SHA-1 algorithm can calculate the plaintext message value = (Step2); then in the interval [1, and the private key a random integer as the signature of a range of 1]; Step3: calculation a public key =;Step4: = = K, where K is the abscissa of the public key and, if = 0, returns to Step2; Step5: = = Q/ (+), which is the private key of the sender A, and if = 0, returns to Step2; Step6: the sender A transmits the message signature (to) to the receiver B. The receiver receives the message signature (B,), the specific verification process to sign the message as follows: Step1: firstly, message signature and verification, i.e. whether it is in the interval [1, N1] positive integer range, if the signature does not comply with the signature of the message, that message signature received (,) is not a valid legal signature; Step2: according to the signature public key of the sender A, the sender A and the receiver B have the same Hash function digest value, and the digest value of the signed message is calculated (=); Step3: calculates the parameter value = Q/; Step4: calculates the parameter value = = Step5: calculates the parameter value = = Step6: calculates the parameter value = +; Step7: if = 0, the receiver B may deny the signature. Otherwise, calculate '= K', where K is the parameter A horizontal coordinate; a signature. The digital signature based on ECC, partly because this scheme can avoid the order operation in the inverse operation, so it is better than the signature scheme based on discrete logarithm algorithm should be simple; on the other hand it is because the calculation of the plaintext message () (,) than the calculation simple, so its speed Schnorr digital signature scheme is faster than. Therefore, the digital signature scheme based on elliptic curve cryptography has good application advantages in resisting attack security strength, key length, computation speed, computation cost and bandwidth requirement. 1.2 Threshold key sharing technology 1.2.1 Shamir Threshold key sharing concept Threshold key sharing technology solves the key security management problem. The design of modern cryptography system is that depends on the security of cryptosystem in the cryptographic key leakage means the lost security system, so the key management plays an important role in the research and design of security in cryptography. Especially when multiple stakeholders manage an account, the key of the account is trusted, and it is very difficult to distribute it safely to multi-party participants. To solve this problem, the Israeli cryptographer Shamir proposed Shamir (,) the concept of threshold secret sharing: the key is divided into portions assigned to participants, each participant to grasp a key share, only collect more than key share, can the key recovery. 1.2.2 Linear secret sharing mechanism Linear secret sharing is the generalization of Shamir threshold key sharing. Its essence is that both the primary key space, the sub key space and the random input set are linear spaces, and the key reconstruction function is linear. The formal definition is as follows: let be a finite domain, PI is a key access structure sharing system, is the main key space. We say that Pi is a linear key sharing system, if the following conditions are met: 1) sub key is linear space, namely for, constant B, the sub key space B cd. Remember - B, e (,) as the components of B CD vector space is received, this component is dependent on the primary key and the random number 2) each authorization set may obtain the master key by means of a linear combination of sub keys, that is, for any one delegate The right to set in, constant {b, e:, B, less than 1 and less than or equal to b}, such that for any master key and random number, All = KD and l /jejcd B, e, B (E, II). 1.2.3 Shamir Polynomial interpolation threshold secret sharing scheme Shamir combines the characteristics of polynomials over finite fields and the theory of Lagrange's reconstructed polynomial, designs a threshold key management scheme based on Lagrange interpolation polynomial, and the scheme is as follows 1.3 Secure multi-party computation 1.3.1 The background of secure multiparty computation With the rapid development of Internet, more and more applications require cooperative computing among network users. But because of privacy protection and data security considerations, the user does not want to participate in collaborative computing and other users to calculate data sharing, this problem leads to collaborative computing cannot be performed, which leads to efficient use and share some of the scenarios can not be difficult to achieve the cyber source. Secure multi-party computation (secure multi-party computation) makes this problem easy to solve, and it provides a theoretical basis for solving the contradiction between data privacy protection and collaborative computing. Secure multi-party computation is the theoretical foundation of distributed cryptography, and also a basic problem of distributed computing. Secure multi-party computation means that in a non trusted multi-user network, two or more users can cooperate with each other to execute a computing task without leaking their private input information. In brief, secure multi-party computation refers to a set of people, such as /...... Q, computing functions together safely,...... , q = (/),...... (Q). Where the input of this function is held by the participant secretly, the secret input of B is B, and after the calculation, B gets the output B. Here is the safety requirements of cheating participants even in some cases, to ensure the correctness of the calculated results, which is calculated after the end of each honest participant B can get the correct output of B, but also requires each participant to ensure confidentiality of input, namely each participant B (B, b) in addition. Don't get any other information. Secure multi-party computation has been rich in theoretical results and powerful tools. Although its practical application is still in its infancy, it will eventually become an indispensable part of computer security. 1.3.2 Classification of secure multiparty computation protocols At present, secure multi-party computation protocols can be divided into four categories according to the different implementations: L secure multi-party computation protocol based on VSS sub protocol Most of the existing secure multi-party computation protocols adopt verifiable key sharing VSS (Verifiable Secret) (Sharing) the sub protocol is the basis of protocol construction, which is suitable for computing functions on any finite field. The finite field of arbitrary function can be expressed as the domain definition of addition and multiplication of the directed graph, so long as can secure computing addition and multiplication, we can calculate each addition and multiplication to calculate any function over finite fields. L secure multi-party computation protocol based on Mix-Match The secure multi-party computation protocol based on VSS sub protocol can compute arbitrary functions, but it can not efficiently calculate Boolean functions. Therefore, another secure multi-party protocol called Mix-Match is proposed. The basic idea of this protocol is that participants use secret sharing schemes to share the system's private key, and the system's public key is open. During the protocol, the participants randomly encrypt their own input public key y, then publish their own encryption results, and finally make all participants gain common output through Mix-Match. L secure multi-party computation protocol based on OT OT based secure multi-party computation protocol for computing arbitrary bit functions. It implements with "OT sub Protocol" and (and), or (or) "," (not) "three basic operations, then the arbitrary bit operation function is decomposed into a combination of three basic operations, finally by using iterative method to calculate the bit operation function. L secure multi-party computation based on homomorphic encryption Homomorphic encryption, secure multi-party computation can resist active attacks based on it is the idea of the selected atom is calculated, the calculation can be decomposed into a sequence of atomic computing allows arbitrary function and atomic calculation of input and output using homomorphic encryption, to get the final results in the encrypted state, only a specific set of participants will be able to the calculation results decrypted plaintext. 1.4 Introduction to ring signature In 2001, Rivest et al proposed a new signature technique, called Ring Signature, in the context of how to reveal the secret anonymously. Ring signature can be regarded as a kind of special group signature (Group Signature), because the establishment process need the trusted center and security group signature, often there are loopholes in the protection of anonymous (signer is traceable to the trusted center), group signature and ring signature in the foundation process in addition to the establishment of a trusted center and security. For the verifier, the signer is completely anonymous, so ring signature is more practical. Since the self ring signature was proposed, a large number of scholars have discovered its important value, such as elliptic curve, threshold and other ring signatures Volume design and development can be divided into four categories: 1. threshold ring signature 2. associated ring signature 3. revocable anonymous ring signature 4. deniable ring signature for block chain contract intelligent token transactions privacy, we use a linkable ring signature, in order to achieve privacy and prevent double problem. 2 A secure account generation scheme based on secure multi-party computation and threshold key sharing 2.1 Basic operations of secure multi-party computation The addition and multiplication, inverse element into three basic operations on the finite field, any computation can be decomposed into a sequence of the finite field addition and multiplication, inverse element, so long as to complete the three basic operations of multi-party computation, so the calculation process can be arbitrary finite domains through multi-party computation the basic operation to iterate the agreement. In this paper, we introduce a secure multi-party computation algorithm for finite fields based on secret sharing scheme based on Lagrange interpolation polynomial. 2.1.1 Addition In the secret sharing scheme based on Lagrange interpolation polynomial, the need to identify a polynomial, a shared secret is the constant term of this polynomial, and the secret share was value of this polynomial at a certain point. It is possible to set and share two secrets, the corresponding polynomials are w and X, and the secret share of participant B is b = w, B = X. In order to get the secret share of secret +, the participant B needs to construct a polynomial so that the constant of the polynomial is +, and B can be calculated. The construction process is as follows: B and B share a secret dreams and secrets, and the corresponding polynomial for W and X L = w + W / +. + W, oQ/oQ/ = {x + / +, +. X, oQ/oQ/ Might as well define = w + x = = w + x = B + B It was - 1 polynomial, and the constant term is +, for this polynomial in value * b = as + secret secret share Secure multi-party computation algorithm obtained by adding the above construction process: Addition of multi-party computation algorithms: secret, secret share, B, B output: Secret + secret share B 1)B = B + B 2.1.2 multiplication Set up two secrets, the corresponding polynomials are w and X, and the secret share of participant B is b = w, B = X. If the participants directly in the local computing B and B share a secret product, although the calculation after sharing secret is the constant term polynomials, but the degree of the polynomial is 2 (- 1), so the need to reduce the number of polynomial. The W and X share the secret share of the participant B, and the product of W and X is: Wx = w = x + / +. + (oQ/), (oQ/) Wx x = w, 1 = 1 + 1 = 2. Represented by matrices: - 1 When the upper coefficient matrix is written, it is obviously a nonsingular matrix, and the inverse matrix is denoted as Q/, which is a constant Number matrix. Remember (/, - - -, oQ/) is the first line of the matrix Q/, there are: /wx = 1 + - + - - oQ/wx, 2 - 1 Each participant randomly selected 2 - 1 - 1 - - - / polynomial, and, oQ/, to meet the requirements of B 0 = wx. Definition = "B, oQ/ Obviously: OQ/. 0 = b b 0 = /wx 1 + - - - 2 - 1 = oQ/wx +. B OQ/. = b b B Therefore, the secret is to share the secret and share the secret. A multi-party computation algorithm for multiplication 2.1.3 yuan inverse Set the secret of sharing, the corresponding polynomial is w, and the secret share of participant B is b = W. One yuan Inversion is refers to the participants by B B secret share calculation Q/ w (c) a secret share, but in the process of calculation Can not disclose, Q/ and secret share of the two. The calculation is as follows: Participant B selects the random number B, and selects the random polynomial B () to compute its secret share be = B () to the participant E. To accept all the secret share, e n = Q. Thus all participants share the same random number David - +q + = / s.. Using the multiplicative multi-party computation algorithm, the secret obtained by the secret share is calculated Share w, and sent to the other participants, so it can be recovered by using the Lagrange interpolation, we may assume that = . It is clear that the W - a Q/ C = n, i.e. Q/'s Secret share. 2.2 lock account generation scenarios The lock account generation scheme is an improvement on threshold key management scheme based on Lagrange interpolation polynomial. Its basic idea is that through the threshold secret sharing, all the authentication nodes generate a lock account in a centralized way, and each verification node has a share of the lock private key. This ensures that the lock account private key is distributed in the entire network in the form of the private key share, so it can be centralized management. 2.3 lock account signature scheme The lock account signature algorithm uses the ECDSA signature algorithm, because it is the current block chain project's mainstream signature algorithm, this choice can improve the system compatibility. In a locked account signature generation process, different from the original ECDSA signature algorithm, the private key and the random number to account is in the form of multi-party computation involved in ECDSA signature process; lock account signature verification process with the original ECDSA signature verification algorithm. Therefore, only the lock account signature generation process is described

'''

klcchain

Go1dfish undelete link

unreddit undelete link

Author: klcchain

submitted by removalbot to removalbot [link] [comments]
1 Basic knowledge of cryptography 1.1 Basic knowledge of elliptic curves 1.1.1Elliptic curve profile Let denote a finite domain, an elliptic curve defined in it, actually this curve represented as a set of points, defines an operation on elliptic curve, and two points on the elliptic curve, a + = for the two point addition operation. The intersection of the line and the curve represented by the point, and the point on the elliptic curve of the symmetry. At this point, when = when, the intersection of the tangent and the curve is represented as the point on the axis of the elliptic curve. Thus, the Abel group is formed on the finite field (+ +), and the addition unit element is. 1.1.2 Signature algorithm Defines an elliptic curve called [()) and its base point, which is the order. For the curve @ (), make a public key pair, in which the private key is the public key and can be made public. Step1: first, using Hash function to calculate the plaintext message, the Hash function algorithm used MD5 algorithm or SHA-1 algorithm can calculate the plaintext message value = (Step2); then in the interval [1, and the private key a random integer as the signature of a range of 1]; Step3: calculation a public key =;Step4: = = K, where K is the abscissa of the public key and, if = 0, returns to Step2; Step5: = = Q/ (+), which is the private key of the sender A, and if = 0, returns to Step2; Step6: the sender A transmits the message signature (to) to the receiver B. The receiver receives the message signature (B,), the specific verification process to sign the message as follows: Step1: firstly, message signature and verification, i.e. whether it is in the interval [1, N1] positive integer range, if the signature does not comply with the signature of the message, that message signature received (,) is not a valid legal signature; Step2: according to the signature public key of the sender A, the sender A and the receiver B have the same Hash function digest value, and the digest value of the signed message is calculated (=); Step3: calculates the parameter value = Q/; Step4: calculates the parameter value = = Step5: calculates the parameter value = = Step6: calculates the parameter value = +; Step7: if = 0, the receiver B may deny the signature. Otherwise, calculate '= K', where K is the parameter A horizontal coordinate; a signature. The digital signature based on ECC, partly because this scheme can avoid the order operation in the inverse operation, so it is better than the signature scheme based on discrete logarithm algorithm should be simple; on the other hand it is because the calculation of the plaintext message () (,) than the calculation simple, so its speed Schnorr digital signature scheme is faster than. Therefore, the digital signature scheme based on elliptic curve cryptography has good application advantages in resisting attack security strength, key length, computation speed, computation cost and bandwidth requirement. 1.2 Threshold key sharing technology 1.2.1 Shamir Threshold key sharing concept Threshold key sharing technology solves the key security management problem. The design of modern cryptography system is that depends on the security of cryptosystem in the cryptographic key leakage means the lost security system, so the key management plays an important role in the research and design of security in cryptography. Especially when multiple stakeholders manage an account, the key of the account is trusted, and it is very difficult to distribute it safely to multi-party participants. To solve this problem, the Israeli cryptographer Shamir proposed Shamir (,) the concept of threshold secret sharing: the key is divided into portions assigned to participants, each participant to grasp a key share, only collect more than key share, can the key recovery. 1.2.2 Linear secret sharing mechanism Linear secret sharing is the generalization of Shamir threshold key sharing. Its essence is that both the primary key space, the sub key space and the random input set are linear spaces, and the key reconstruction function is linear. The formal definition is as follows: let be a finite domain, PI is a key access structure sharing system, is the main key space. We say that Pi is a linear key sharing system, if the following conditions are met: 1) sub key is linear space, namely for, constant B, the sub key space B cd. Remember - B, e (,) as the components of B CD vector space is received, this component is dependent on the primary key and the random number 2) each authorization set may obtain the master key by means of a linear combination of sub keys, that is, for any one delegate The right to set in, constant {b, e:, B, less than 1 and less than or equal to b}, such that for any master key and random number, All = KD and l /jejcd B, e, B (E, II). 1.2.3 Shamir Polynomial interpolation threshold secret sharing scheme Shamir combines the characteristics of polynomials over finite fields and the theory of Lagrange's reconstructed polynomial, designs a threshold key management scheme based on Lagrange interpolation polynomial, and the scheme is as follows 1.3 Secure multi-party computation 1.3.1 The background of secure multiparty computation With the rapid development of Internet, more and more applications require cooperative computing among network users. But because of privacy protection and data security considerations, the user does not want to participate in collaborative computing and other users to calculate data sharing, this problem leads to collaborative computing cannot be performed, which leads to efficient use and share some of the scenarios can not be difficult to achieve the cyber source. Secure multi-party computation (secure multi-party computation) makes this problem easy to solve, and it provides a theoretical basis for solving the contradiction between data privacy protection and collaborative computing. Secure multi-party computation is the theoretical foundation of distributed cryptography, and also a basic problem of distributed computing. Secure multi-party computation means that in a non trusted multi-user network, two or more users can cooperate with each other to execute a computing task without leaking their private input information. In brief, secure multi-party computation refers to a set of people, such as /...... Q, computing functions together safely,...... , q = (/),...... (Q). Where the input of this function is held by the participant secretly, the secret input of B is B, and after the calculation, B gets the output B. Here is the safety requirements of cheating participants even in some cases, to ensure the correctness of the calculated results, which is calculated after the end of each honest participant B can get the correct output of B, but also requires each participant to ensure confidentiality of input, namely each participant B (B, b) in addition. Don't get any other information. Secure multi-party computation has been rich in theoretical results and powerful tools. Although its practical application is still in its infancy, it will eventually become an indispensable part of computer security. 1.3.2 Classification of secure multiparty computation protocols At present, secure multi-party computation protocols can be divided into four categories according to the different implementations: L secure multi-party computation protocol based on VSS sub protocol Most of the existing secure multi-party computation protocols adopt verifiable key sharing VSS (Verifiable Secret) (Sharing) the sub protocol is the basis of protocol construction, which is suitable for computing functions on any finite field. The finite field of arbitrary function can be expressed as the domain definition of addition and multiplication of the directed graph, so long as can secure computing addition and multiplication, we can calculate each addition and multiplication to calculate any function over finite fields. L secure multi-party computation protocol based on Mix-Match The secure multi-party computation protocol based on VSS sub protocol can compute arbitrary functions, but it can not efficiently calculate Boolean functions. Therefore, another secure multi-party protocol called Mix-Match is proposed. The basic idea of this protocol is that participants use secret sharing schemes to share the system's private key, and the system's public key is open. During the protocol, the participants randomly encrypt their own input public key y, then publish their own encryption results, and finally make all participants gain common output through Mix-Match. L secure multi-party computation protocol based on OT OT based secure multi-party computation protocol for computing arbitrary bit functions. It implements with "OT sub Protocol" and (and), or (or) "," (not) "three basic operations, then the arbitrary bit operation function is decomposed into a combination of three basic operations, finally by using iterative method to calculate the bit operation function. L secure multi-party computation based on homomorphic encryption Homomorphic encryption, secure multi-party computation can resist active attacks based on it is the idea of the selected atom is calculated, the calculation can be decomposed into a sequence of atomic computing allows arbitrary function and atomic calculation of input and output using homomorphic encryption, to get the final results in the encrypted state, only a specific set of participants will be able to the calculation results decrypted plaintext. 1.4 Introduction to ring signature In 2001, Rivest et al proposed a new signature technique, called Ring Signature, in the context of how to reveal the secret anonymously. Ring signature can be regarded as a kind of special group signature (Group Signature), because the establishment process need the trusted center and security group signature, often there are loopholes in the protection of anonymous (signer is traceable to the trusted center), group signature and ring signature in the foundation process in addition to the establishment of a trusted center and security. For the verifier, the signer is completely anonymous, so ring signature is more practical. Since the self ring signature was proposed, a large number of scholars have discovered its important value, such as elliptic curve, threshold and other ring signatures Volume design and development can be divided into four categories: 1. threshold ring signature 2. associated ring signature 3. revocable anonymous ring signature 4. deniable ring signature for block chain contract intelligent token transactions privacy, we use a linkable ring signature, in order to achieve privacy and prevent double problem. 2 A secure account generation scheme based on secure multi-party computation and threshold key sharing 2.1 Basic operations of secure multi-party computation The addition and multiplication, inverse element into three basic operations on the finite field, any computation can be decomposed into a sequence of the finite field addition and multiplication, inverse element, so long as to complete the three basic operations of multi-party computation, so the calculation process can be arbitrary finite domains through multi-party computation the basic operation to iterate the agreement. In this paper, we introduce a secure multi-party computation algorithm for finite fields based on secret sharing scheme based on Lagrange interpolation polynomial. 2.1.1 Addition In the secret sharing scheme based on Lagrange interpolation polynomial, the need to identify a polynomial, a shared secret is the constant term of this polynomial, and the secret share was value of this polynomial at a certain point. It is possible to set and share two secrets, the corresponding polynomials are w and X, and the secret share of participant B is b = w, B = X. In order to get the secret share of secret +, the participant B needs to construct a polynomial so that the constant of the polynomial is +, and B can be calculated. The construction process is as follows: B and B share a secret dreams and secrets, and the corresponding polynomial for W and X L = w + W / +. + W, oQ/oQ/ = {x + / +, +. X, oQ/oQ/ Might as well define = w + x = = w + x = B + B It was - 1 polynomial, and the constant term is +, for this polynomial in value * b = as + secret secret share Secure multi-party computation algorithm obtained by adding the above construction process: Addition of multi-party computation algorithms: secret, secret share, B, B output: Secret + secret share B 1)B = B + B 2.1.2 multiplication Set up two secrets, the corresponding polynomials are w and X, and the secret share of participant B is b = w, B = X. If the participants directly in the local computing B and B share a secret product, although the calculation after sharing secret is the constant term polynomials, but the degree of the polynomial is 2 (- 1), so the need to reduce the number of polynomial. The W and X share the secret share of the participant B, and the product of W and X is: Wx = w = x + / +. + (oQ/), (oQ/) Wx x = w, 1 = 1 + 1 = 2. Represented by matrices: - 1 When the upper coefficient matrix is written, it is obviously a nonsingular matrix, and the inverse matrix is denoted as Q/, which is a constant Number matrix. Remember (/, - - -, oQ/) is the first line of the matrix Q/, there are: /wx = 1 + - + - - oQ/wx, 2 - 1 Each participant randomly selected 2 - 1 - 1 - - - / polynomial, and, oQ/, to meet the requirements of B 0 = wx. Definition = "B, oQ/ Obviously: OQ/. 0 = b b 0 = /wx 1 + - - - 2 - 1 = oQ/wx +. B OQ/. = b b B Therefore, the secret is to share the secret and share the secret. A multi-party computation algorithm for multiplication 2.1.3 yuan inverse Set the secret of sharing, the corresponding polynomial is w, and the secret share of participant B is b = W. One yuan Inversion is refers to the participants by B B secret share calculation Q/ w (c) a secret share, but in the process of calculation Can not disclose, Q/ and secret share of the two. The calculation is as follows: Participant B selects the random number B, and selects the random polynomial B () to compute its secret share be = B () to the participant E. To accept all the secret share, e n = Q. Thus all participants share the same random number David - +q + = / s.. Using the multiplicative multi-party computation algorithm, the secret obtained by the secret share is calculated Share w, and sent to the other participants, so it can be recovered by using the Lagrange interpolation, we may assume that = . It is clear that the W - a Q/ C = n, i.e. Q/'s Secret share. 2.2 lock account generation scenarios The lock account generation scheme is an improvement on threshold key management scheme based on Lagrange interpolation polynomial. Its basic idea is that through the threshold secret sharing, all the authentication nodes generate a lock account in a centralized way, and each verification node has a share of the lock private key. This ensures that the lock account private key is distributed in the entire network in the form of the private key share, so it can be centralized management. 2.3 lock account signature scheme The lock account signature algorithm uses the ECDSA signature algorithm, because it is the current block chain project's mainstream signature algorithm, this choice can improve the system compatibility. In a locked account signature generation process, different from the original ECDSA signature algorithm, the private key and the random number to account is in the form of multi-party computation involved in ECDSA signature process; lock account signature verification process with the original ECDSA signature verification algorithm. Therefore, only the lock account signature generation process is described

'''

klcchain

Go1dfish undelete link

unreddit undelete link

Author: klcchain

Dear Bitcoin devs,

I am the author of OCaml-bitcoin [1], a library offering an OCaml

interface

to the official Bitcoin client API. For those who may be unfamiliar

with it,

OCaml is one of those functional programming languages with a very rich

and

expressive type system [2]. Given its emphasis on safety, its

industrial

users are disproportionally found in the aerospace and financial

sectors.

Now, OCaml programmers care a lot about types, because experience has

taught them that deep down most programming errors are just type errors.

From this stems my request: please consider defining more precisely the

type

information associated with each API call in the JSON-RPC reference [3].

To give you a better idea of what I'm talking about, please take a look

at

the API offered by OCaml-bitcoin [4], and the associated type

definitions

[5] (note that these have not been updated for Bitcoin Core 0.10 yet).

I've created the type definitions from information gathered from the

Bitcoin

wiki and from looking at the Bitcoin Core source-code. I wouldn't be

surprised

if it contains errors, because neither the source-code nor the wiki is

very

precise about the actual types being used. As an example, consider type

hexspk_t ("hex representation of script public key"). Is this really

the

same type used in both signrawtransaction and createmultisig?

Improving this situation would pose a minimal burden on bitcoin devs:

all

that would be required is defining the precise set of types used in the

RPC

API, and annotating the RPC calls either in the source-code itself or in

the

API reference documentation. It would make writing bindings such as

mine

far easier and less error prone, and it would have the added advantage

of

better documenting the Bitcoin Core source-code itself.

Also, note that it is not necessary to extend this request to the deep

data structures returned by some API calls. Consider for instance the

gettransaction function of the OCaml-bitcoin API: it returns the raw

JSON

object without any attempt to process it. This is because that's a

fairly

niche facility, and the bindings would balloon in size if I were to

process

every single large return object. Instead, the bindings take the more

pragmatic stance of only processing the parameters and return results

where

a strong type discipline is imperative.

When I raised this issue on IRC a number of questions were posed.

What follows is my attempt to answer them:

Q: What does it matter, if JSON only has a tiny set of types?

A: JSON being the serialisation format is irrelevant. The client

bindings

know that even if a public ECDSA key is serialised as a string, itdoes

not stop being a public ECDSA key, and should only be used where apublic

ECDSA key is expected.Q: What does it matter if the types are not even distinguished in the

C++

source of Bitcoin Core?A: That is unfortunate, because it opens the door to bugs caused by

type

errors. Moreover, even if the C++ source is "stringly-typed" anddoes

not enforce a strong type discipline, that does not mean that thetypes

are not there. Even if a public and private key are bothrepresented

as strings, can you use one where the other is expected? If not,then

they actually have different types!Q: Isn't this a maintenance nightmare, given the changes to Bitcoin

core?

A: Actually, the most burdensome part is what motivated this message:

keeping track of the types used. If the Bitcoin API reference were more precise, keeping the bindings up-to-date would be trivial and even mechanical, because the API is now fairly stable.Thank you very much for your attention, and for all the work you guys

put

into Bitcoin development. It is much appreciated and not acknowledged

often enough!

Best regards,

Dario Teixeira

[1] https://github.com/darioteixeira/ocaml-bitcoin

[2] http://ocaml.org/learn/description.html

[3] https://bitcoin.org/en/developer-reference#bitcoin-core-apis

[4] http://ocaml-bitcoin.forge.ocamlcore.org/apidoc/Bitcoin.ENGINE.html

[5] http://ocaml-bitcoin.forge.ocamlcore.org/apidoc/Bitcoin.html

Q&A for Bitcoin crypto-currency enthusiasts. Stack Exchange network consists of 176 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.. Visit Stack Exchange Currently Bitcoin uses secp256k1 with the ECDSA algorithm, though the same curve with the same public/private keys can be used in some other algorithms such as Schnorr. secp256k1 was almost never used before Bitcoin became popular, but it is now gaining in popularity due to its several nice properties. Most commonly-used curves have a random structure, but secp256k1 was constructed in a ... To understand why, we first note that and are at most 256-bit long values by definition of bitcoin’s ECDSA. However: However: bitcoin’s implementation requires that the most significant bit in the binary representation of and be equal to As a result, if either or have a bit length that is a multiple of 8 i.e., of the form for , then a most significant 0 byte is added. Back to ECDSA and bitcoin. A protocol such as bitcoin selects a set of parameters for the elliptic curve and its finite field representation that is fixed for all users of the protocol. Bitcoin puts the current compact-format target and the arbitrary-precision "extraNonce" number there, which increments every time the Nonce field in the block header overflows. Outputs can be anything, but Bitcoin creates one exactly like an IP address transaction. The extranonce contributes to enlarge the domain for the proof of work function. Miners can easily modify nonce (4byte), timestamp ...

[index] [50875] [38030] [4454] [16621] [1322] [32302] [15649] [14314] [1985] [11321]

Get an additional $10 in Bitcoins from Coinbase when purchasing through my referral link http://fredyen.com/get/Bitcoins Here is a quick beginner's guide on ... Elliptic Curve Digital Signature Algorithm ECDSA Part 10 Cryptography Crashcourse - Duration: 35:32. Dr. Julian Hosp - Blockchain, Krypto, Bitcoin 5,773 views It is a full client used by bitcoin nodes that create the bitcoin network. Through the changes to Bitcoin Core, its developers make changes to the underlying bitcoin protocol. As of 2017, Bitcoin ... By definition difficulty is a parameter that bitcoin and other cryptocurrencies use to keep the average time between blocks steady as the network's hash power changes. Therefore, as the prominence ... In the above video, I set some parameters that I use to define investment bubbles, and super bubbles. I then discuss my view on Bitcoin and where it falls among my definitions.