Adam Back
Sep 3, 2020, 8 tweets
TL;DR @gregoryneven et al proved 2-round MuSig insecure; we made 2-round work with deterministic nonces + bulletproof ZKP (2 round is good for usability). As SHA256 is CPU expensive, @pwuille @n1ckler @real_or_random @yannickseurin designed Purify for low bulletproof complexity.
I thought it was a pretty neat and simple trick to disprove the impossibility by counter-example: make a bulletproof that the nonce is deterministic, which cuts off the Wagner adaptive attack as there are no free variables left. Hearing "impossible" led to the "is that true, really?" question.
In fairness the impossibility proof is presumably correct, just within model assumptions that this solution side-steps. 2-round is interesting for usability because it reduces interactivity in multi-party signatures, which might involve fetching a hardware wallet from a safe 2x.
The optimized-for-bulletproof Purify keyed PRF to reduce the verification complexity, and the security proofs of that, were the bulk of the work by the DN paper authors, as a bulletproof of the normal bitcoin HMAC-SHA256 deterministic nonce is a bigger proof, and maybe 45x slower to verify.
The proof is more nuanced: "we prove none of the schemes can be proved secure without radically departing from currently known techniques. We show if the one-more discrete-log problem is hard, no algebraic reduction exists that proves any of these schemes secure" @real_or_random
Usually when people find impossible-to-prove results, it's a hint your direction is not securable; plus here Neven et al also concretely broke the previous MuSig version, which says if you try to repair by adding complexity, you're unlikely to get it to work with this approach.
So bulletproof + deterministic nonce is a radically different technique and different approach, so the proof scope does not apply. Plus it's pleasingly simple and has a clear intuitive security argument. The bulk of the work was the DN authors with #Purify and making it efficient.
And there, firstly, design of the #Purify keyed PRF (aka KDF, commonly built with a MAC like HMAC), optimization of bulletproof circuit complexity (45x smaller vs HMAC) and security proofs of Purify's PRF security. Strong work in applied crypto. MuSig2 is a whole other story, to come!
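To make the construction the thread describes concrete, here is an added toy example (not code from the thread or from the MuSig-DN paper): a 2-round multi-signature where each signer's nonce is a keyed PRF of its secret key, the aggregate key and the message, so no nonce is a free variable. The group (integers mod the Mersenne prime 2^31-1, generator 7), the use of HMAC-SHA256 in place of Purify, and all function names are assumptions of this example; the bulletproof that attests R_i was derived this way is omitted, so cosigners here simply trust each R_i.

```python
import hashlib
import hmac
import math

# Toy group (assumption of this example): integers mod the Mersenne prime
# P = 2^31 - 1 with generator G = 7; scalars are reduced mod the order N.
P, G = 2147483647, 7
N = P - 1

def h(*parts):  # hash-to-scalar with a domain tag as the first part
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen(seed):
    x = h("key", seed) or 1
    return x, pow(G, x, P)

def agg_key(pubkeys):  # MuSig aggregation: X = prod X_i^a_i, a_i = H(L, X_i)
    L = sorted(pubkeys)
    coefs = {X: h("agg", L, X) for X in L}
    X_agg = math.prod(pow(X, coefs[X], P) for X in L) % P
    return X_agg, coefs

def det_nonce(x, X_agg, msg):
    # Round 1: r_i = PRF_{x_i}(X_agg, msg). The signer has no free choice of
    # r, which removes the variables a Wagner-style attacker needs. HMAC-SHA256
    # stands in for Purify; the bulletproof over this derivation is omitted.
    mac = hmac.new(str(x).encode(), f"{X_agg}|{msg}".encode(), hashlib.sha256)
    r = int.from_bytes(mac.digest(), "big") % N or 1
    return r, pow(G, r, P)

def partial_sig(x, r, coef, R_agg, X_agg, msg):
    # Round 2: s_i = r_i + c * a_i * x_i, with c bound to R_agg, X_agg and msg
    c = h("chal", R_agg, X_agg, msg)
    return (r + c * coef * x) % N

def musig_sign(secrets, msg):
    pubs = [pow(G, x, P) for x in secrets]
    X_agg, coefs = agg_key(pubs)
    nonces = [det_nonce(x, X_agg, msg) for x in secrets]
    R_agg = math.prod(R for _, R in nonces) % P
    s = sum(partial_sig(x, r, coefs[X], R_agg, X_agg, msg)
            for x, (r, _), X in zip(secrets, nonces, pubs)) % N
    return X_agg, (R_agg, s)

def verify(X_agg, sig, msg):  # plain Schnorr check: G^s == R * X^c
    R_agg, s = sig
    c = h("chal", R_agg, X_agg, msg)
    return pow(G, s, P) == R_agg * pow(X_agg, c, P) % P
```

Signing the same message twice with the same signer set yields byte-identical nonces and signature, which is the property the thread's bulletproof attests to in zero knowledge.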