[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Taler] scritcash?

From: Jeff Burdges
Subject: Re: [Taler] scritcash?
Date: Mon, 9 Dec 2019 23:43:32 +0100

I think scrit looks amateur hour honestly.

In particular, the paper they cite for "blind ECDSA” signatures is only the 
most superficial outline of the two classical blind signature constructions: 
RSA and Schnorr, note *not* ECDSA.  

It’s clear scrit means the old blind Schnorr signature when they say blind 
ECDSA.  Blind Schnorr requires like three round trips, which complicates your 
protocol over RSA, but whatever.

Worse, Wagner’s algorithm (2002) provides a forgery attack against these blind 
Schnorr signatures, meaning scrit coins can be forged.  Concretely, you can 
extract 16 coins from 15 withdrawals with a computational complexity like 2^55, 
not sure the optimal attacks though.  A satisfactory fix was only announced 
this year:  https://eprint.iacr.org/2019/877.pdf

Interestingly the blind Schnorr fix vaguely resembles Taler’s refresh, so it 
works out like making withdrawal as complex as refresh, and then adding the 
extra round trip required by Schnorr to both, not ideal but doable and it’d 
reduce Taler's computational costs.


Just fyi ECDSA is a cluster fuck that cryptographers hate.  We’ve only started 
producing “interesting” constructions like blind signatures using ECDSA 
recently, primarily for use on bitcoin, ethereum, etc.  
https://eprint.iacr.org/2018/660.pdf  And insecure combinations should exist, 
meaning these scheme’s compossibility often sucks.

> On 9 Dec 2019, at 21:49, sva <address@hidden> wrote:
> Dear all,
> I haven't read through it yet, but sounds interesting - also I think a
> great deal of those two guys who are behind it, so I kindly ask you to
> check it out! https://github.com/scritcash
> "Scrit does not use a blockchain, sidechain, or statechain. There are no
> chains in Scrit ;)" https://twitter.com/scritcash
> Whitepaper:
> https://github.com/scritcash/scrit-whitepaper/blob/master/scrit-whitepaper.pdf
> Regards,
> sva.

Attachment: signature.asc
Description: Message signed with OpenPGP

reply via email to

[Prev in Thread] Current Thread [Next in Thread]