Off topic / Re: Dear LE, I have hacked SR; i'll show you how.
« on: August 15, 2012, 11:41 am »
you must be really dedicated to ascii art to make it to scale
one could stumble across it by accident like the guy earlier in the thread
he shouldn't go to prison for that, but under the laws of most countries he can be
btw when you say "nonce" i think of this https://en.wikipedia.org/wiki/Replay_attack
Why do you need to look at CP if you aren't a nonce? What need would there be for it?
The first time I saw cp was on Freenet, and I remember how it made me feel. My heart was pumped, my body was shaking and I felt sick. For the first time I felt real disgust towards someone else and their values. It still makes me feel that way, even here on Tor.
But it's a hard line to draw. So it's ok for us to buy drugs, but not ok to buy weapons? Or it's ok to buy weapons just not ok to use them to hurt others? Or it's ok to hurt others, just not children? Who the fuck even knows...
I would be hesitant to put a filter or a censor on Tor, even though some things really do sicken me. But those same things might seem fine to someone else, just like buying these drugs seems ok to us, and might make someone else sick... I dunno it's a fine line i guess :/
The thing to keep in mind is that by looking at CP on Freenet you committed a crime equal to that of a pedophile who looks at CP on Freenet.
As well it should be.
like those lovely crypto-anarchists helping us all with security
Nope, Tor is not centralized over anyone. If it were, the FEDs would already have arrested (not paid) its creators and seized the servers.
So the creators are just that, the programmers, nothing else.
Creating the Mint
The mint chooses a prime $p$ with $(p-1)/2$ also prime, a generator $g$ such that
$g^2 \neq 1 \pmod p$
and
$g^{(p-1)/2} = 1 \pmod p$,
and a random number $k$,
$k \in [0, (p-1)/2)$.
Let $G$ be the group generated by $g$.
The mint publishes
$(g, p, g^k \bmod p)$.
Withdrawing a Coin
To withdraw a coin Alice picks a random $x$, the coin ID, from a sufficiently large set that two equal values are unlikely to ever be generated, and calculates
$y = \mathrm{oneway}(x)$.
$y$ should be in $G$; check that
$1 < y < p-1$
(we should avoid the trivial values $1$ and $-1$, because their signatures are independent of $k$; note that many one-way coin functions, including the one presented here, provably never produce $1$ or $-1$, but we include this condition for completeness) and that
$y^{(p-1)/2} = 1 \pmod p$.
If it is not, a new coin should be chosen. Note that great care must be taken if you want to choose a one-way function that guarantees membership of $G$ - certainly one attempt led to disaster.
Alice chooses a random blinding factor $b \in [0, (p-1)/2)$ and sends $yg^b$ (the coin request) to the mint. The mint debits Alice's account and returns the blinded signature
$m = (yg^b)^k \pmod p$.
Alice unblinds $m$, calculating the signature
$z = m (g^k)^{-b} = (yg^b)^k g^{-kb} = y^k g^{bk} g^{-kb} = y^k \pmod p$.
The coin is then
$c = (x, z)$.
Spending a Coin
To spend a coin, Alice simply gives the coin, c, to Bob. Bob then sends it to the
mint to be checked. The mint first ensures that x has not already been spent,
and that oneway(x) is in G and is not 1 or -1, then checks that z is a signature
for x (i.e. z = oneway(x)k (mod p)). The mint then records x as spent and
credits Bob’s account.
Unfortunately an attack on the anonymity of this protocol is possible. The mint can mark a coin in a way that only it can detect, by signing it with $k'$ instead of $k$. Then the unblinded "signature" is
$z = (yg^b)^{k'} g^{-bk} = y^{k'} g^{b(k'-k)} \pmod p$.
When Bob submits $c$ to the mint, the mint calculates
$y (z y^{-k'})^{1/(k'-k)} = y (g^{b(k'-k)})^{1/(k'-k)} = yg^b \pmod p$.
The mint can then simply look up who sent $yg^b$ to it and thus learn Alice's identity.
One defence against this attack is to make the mint prove that it has signed
with k and not some other number. Since the mint must not reveal k, this proof
must be a zero-knowledge proof. Two possible zero-knowledge proofs are known
to me.
Given a coin request $yg^b$, the mint chooses a random number $r$ s.t.
$r \in [1, p-1)$
and $r$ is invertible modulo $p-1$ (i.e. $\gcd(r, p-1) = 1$), and calculates
$t = k/r \pmod{p-1}$
($p-1$ rather than $p$ because $r$ and $t$ will be used as exponents modulo $p$). The mint then sends Alice
$Q = (yg^b)^r \pmod p$
$A = g^r \pmod p$
Alice then randomly demands one of $r$ or $t$.
If Alice chose $r$, she verifies that
$Q = (yg^b)^r \pmod p$
$A = g^r \pmod p$
If Alice chose $t$, she verifies that
$A^t = g^{rt} = g^k \pmod p$
$Q^t = (yg^b)^{rt} = (yg^b)^k = m \pmod p$
Note that a mint that wants to cheat has a .5 chance of getting away with it each
time (by guessing whether the challenger will choose r or t and lying about Q
and A appropriately). Naturally, it is increasingly unlikely to get away with this
with each repetition. A suspicious challenger could always repeat the protocol
until the probability of cheating is low enough to make them happy.
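The withdraw/spend protocol, the mint's $k'$ marking attack and the $r$/$t$ cut-and-choose proof from the excerpt above, as an added Python example; this is not the paper's code, nor any project's. It assumes a toy safe prime $p = 2039 = 2 \cdot 1019 + 1$ with $g = 4$ (a 2048-bit safe prime in practice), SHA-256 reduced mod $p$ as the coin function (the excerpt does not show its oneway), and names of its own (Mint, withdraw, check_proof, trace_marked_coin). The excerpt requires $(p-1)/2$ prime; the example takes that on trust from the caller rather than testing primality.

```python
import hashlib
import math
import secrets

# Added example, not the quoted paper's code: its blind signature, the mint's k' marking
# attack on Alice's anonymity, and the r/t cut-and-choose proof. All names are this example's own.

def oneway(x, p):
    # Assumed coin function (the paper's is not shown): SHA-256 of the coin ID, mod p.
    return int.from_bytes(hashlib.sha256(x).digest(), "big") % p

def in_group(y, p, q):
    # 1 < y < p-1 and y^((p-1)/2) = 1 (mod p): y lies in G and is not the trivial +-1.
    return 1 < y < p - 1 and pow(y, q, p) == 1

def coprime_exponent(p):
    # Random r in [1, p-1) with gcd(r, p-1) = 1, so that k/r (mod p-1) exists.
    while True:
        r = secrets.randbelow(p - 2) + 1
        if math.gcd(r, p - 1) == 1:
            return r

class Mint:
    def __init__(self, p, g):
        self.p, self.g, self.q = p, g, (p - 1) // 2              # caller supplies p with q prime
        assert pow(g, 2, p) != 1 and pow(g, self.q, p) == 1      # g generates G (order q)
        self.k = secrets.randbelow(self.q - 2) + 1               # 1 <= k <= q-2
        self.pub = pow(g, self.k, p)                             # the published g^k
        self.spent, self.requests = set(), {}                    # spent IDs; request -> account

    def sign(self, account, request, k=None):
        # m = (y g^b)^k. A marking mint passes some k' != k instead of its real k.
        self.requests[request] = account                         # the log the attack relies on
        return pow(request, self.k if k is None else k, self.p)

    def deposit(self, coin, account):
        # Bob's deposit: x unspent, oneway(x) in G and not +-1, z = oneway(x)^k.
        x, z = coin
        y = oneway(x, self.p)
        if x in self.spent or not in_group(y, self.p, self.q) or z != pow(y, self.k, self.p):
            return False
        self.spent.add(x)                                        # then credit `account`
        return True

    def prove(self, request):
        # Honest commitment: Q = request^r, A = g^r, t = k/r (mod p-1).
        r = coprime_exponent(self.p)
        t = self.k * pow(r, -1, self.p - 1) % (self.p - 1)
        return r, t, pow(request, r, self.p), pow(self.g, r, self.p)

    def prove_cheating(self, request, m_marked, guess):
        # A marking mint must guess the challenge; it can satisfy only the guessed one.
        e = coprime_exponent(self.p)
        if guess == "r":                       # genuine r, but no t gives A^t = g^k
            return e, None, pow(request, e, self.p), pow(self.g, e, self.p)
        inv = pow(e, -1, self.p - 1)           # now A^e = g^k and Q^e = m', but A != g^e
        return None, e, pow(m_marked, inv, self.p), pow(self.pub, inv, self.p)

def withdraw(mint, account, mark_k=None):
    # Alice: pick x with oneway(x) in G, blind with g^b, get m, unblind with (g^k)^-b.
    p, g, q = mint.p, mint.g, mint.q
    while True:
        x = secrets.token_bytes(16)            # coin ID drawn from a large set
        y = oneway(x, p)
        if in_group(y, p, q):                  # otherwise choose a new coin
            break
    b = secrets.randbelow(q)
    request = y * pow(g, b, p) % p             # y g^b, the coin request
    m = mint.sign(account, request, mark_k)
    z = m * pow(pow(mint.pub, b, p), -1, p) % p   # y^k, if the mint really used k
    return (x, z), request, m

def check_proof(mint, request, m, challenge, answer, Q, A):
    # Alice checks (Q, A) against the one value, r or t, she demanded.
    if answer is None:
        return False
    if challenge == "r":
        return Q == pow(request, answer, mint.p) and A == pow(mint.g, answer, mint.p)
    return pow(A, answer, mint.p) == mint.pub and pow(Q, answer, mint.p) == m

def trace_marked_coin(mint, coin, k_prime):
    # The attack: z = y^k' g^{b(k'-k)}, so the mint recovers y g^b and looks it up.
    x, z = coin
    y = oneway(x, mint.p)
    g_bd = z * pow(pow(y, k_prime, mint.p), -1, mint.p) % mint.p   # z y^-k' = g^{b(k'-k)}
    inv = pow((k_prime - mint.k) % mint.q, -1, mint.q)            # 1/(k'-k) mod |G|, |G| = q
    return mint.requests.get(y * pow(g_bd, inv, mint.p) % mint.p)

def demo():
    mint = Mint(2039, 4)                       # toy size: 2039 = 2*1019 + 1, both prime; 4 = 2^2
    coin, request, m = withdraw(mint, "alice")
    ok, replay = mint.deposit(coin, "bob"), mint.deposit(coin, "bob")
    marked, req2, m2 = withdraw(mint, "alice", mark_k=mint.k + 7)   # the mint marks this coin
    traced = trace_marked_coin(mint, marked, mint.k + 7)
    honest = all(check_proof(mint, request, m, c, r if c == "r" else t, Q, A)
                 for r, t, Q, A in (mint.prove(request) for _ in range(20))
                 for c in [secrets.choice("rt")])
    r, t, Q, A = mint.prove_cheating(req2, m2, "r")
    cheat = (check_proof(mint, req2, m2, "r", r, Q, A), check_proof(mint, req2, m2, "t", t, Q, A))
    return ok, replay, traced, honest, cheat   # (True, False, "alice", True, (True, False))
```

Two details worth noticing when reading this against the excerpt. The exponent $1/(k'-k)$ in the trace is inverted modulo $q = |G|$, because $g^{b(k'-k)}$ lives in $G$, whereas $r$ and $t$ in the proof are inverted modulo $p-1$, exactly as the excerpt says, because $g^r$ and $(yg^b)^r$ are computed in the full group. And `deposit` rejects a marked coin, since $z \neq y^k$: that rejection is precisely how the marking mint recognises its own mark before running the trace, so from Bob's side a rejected coin is indistinguishable from a forged one. The cheating mint in `demo` bet on the $r$ challenge; each extra round of `prove`/`check_proof` halves its chance of surviving.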
No, I am more worried about one of us working for a LEA and installing an exploit into such a software on the client OR betraying data on transactions via the server by using a bait and switch. That is not an accusation, simply that this would clearly be an extremely effective way of undermining the black market using B$. Temptation beckons! A poisoned chalice it would surely be too for any such subscriber.
Perhaps I am spoiled with cryptographically assured trust systems like signed PGP, but it seems to me a real solution has not yet been proposed that doesn't depend on a lack of corruption among the developers. Not arguing for perfection here, just think it should be conceptualized differently to the way things are normally done. Blind mixes are a fantastic idea, but only if they work as advertised without 'features'. How can one guarantee such a thing?
Chaum invented the first blind mix. The client software can verify that the signature is blind, so you really are not trusting anything other than the implementation of the client. Oh yeah, blind mix would need specialized client side software.
Must think further thoughts on this, I think it's going to get important ASAP to hold up the B$ system when LE openly starts to run operations to shut down or spy using the exchanges. It'll happen anyway, but it might as well be done right, obviously people would be super leery of installing software onto their computers that explicitly implicates them as blackmarket users of B$.
My biggest fear is that services that mix bitcoins turn out to be honey pots. Really hope there comes a way to mix them with security by design without needing to hope that the service is not a honey pot.
Blind mixing allows coins to be mixed without the mix operator being able to gain any information even if they are malicious. I think I am going to implement a blind mix right now actually, maybe I will charge a bit to use it or maybe I will give it to SR to run and hope he compensates me a little.
Thing is. How to prove to somebody who has just arrived at your service that this is indeed a blind signature mix, and not just a regular bitcoin laundry service? Somebody with no programming knowledge to audit open source code? Otherwise there's no comparative advantage for a blind sig over a normal mix, because you're back to trusting 'authority' i.e. other SR people or the mix owner that it all works according to plan. Maybe I haven't read the work on blind signature mixers properly, but if I'm right, then this is serious problem for anybody implementing a mix.
Also, it would need to be tested per mix cycle in case a LE agent was doing a bait 'n switch with a blind signature mixer and a normal mix. Block chain looks the same, but you're potentially linkable to a transaction if your anonymity is compromised.
Surely somebody like Chaum already came up with a solution to this?