Announcing Serai: A new decentralized exchange for Bitcoin, Ethereum, and Monero.
https://t.co/ys8x8DzEum
Join us on Discord to participate in building the most usable decentralized and secure exchange! https://t.co/jJ0o2uPY5k
I will be presenting Trout++: Robust Asynchronous Two-Round ECDSA for Arbitrary Thresholds at NIST's TCPT2 event tomorrow. NIST has already uploaded our preview writeup, and I've uploaded the conference paper to our open GitHub repository in preparation for tomorrow :)
@gf53417 While I will _eventually_ switch to working with post-quantum schemes, and have done some mild poking thus far, hash-based schemes don't really thresholdize except when aggregating via succinct proofs/threshold FHE and I can't claim to have any interest in the topic.
I'm happy to announce my latest work with my coauthor, Ariel Nof, has been accepted to ESORICS!
Our paper is Trout++: Robust Asynchronous Two-Round ECDSA for Arbitrary Thresholds, and builds on our prior work (with Hila Dahari-Garbian) of Trout.
@gf53417 Working with threshold ECDSA is still interesting for the techniques we may hope continue to apply even into the future. A _lot_ of post-quantum threshold signing protocols took inspiration from FROST. An upcoming work of ours really attempts to drive that home...
While the paper will be publicly available soon, Trout is available at https://t.co/2FqAuKTdvY, and the full ESORICS program can be seen here: https://t.co/AuIX7IuptT
Our work is without an honest majority assumption, aiming to be dead simple to implement yet still achieving a complete threshold ECDSA service. To that end, no additional prior setup is needed, solely a secret-shared signing key. We believe our result is comparable to FROST.
@matthew_d_green@alinush@secparam@colludingnode Eh. I can agree proofs do try and apply that approach, but I maintain my push back I wouldn't call ECDSA a fucked up Schnorr signature versus an elliptic curve signature fucked up to avoid Schnorr's patent. We can disagree there, and I agree ECDSA is horrible.
@matthew_d_green@alinush@secparam@colludingnode Except ECDSA isn't generally considered to use the Fiat-Shamir transform?
You'd have to argue that the x-coordinate of an elliptic curve point is a random oracle to make that claim. That's why there's push back about saying ECDSA is X or Y, because it's a super fucked up Z.
@matthew_d_green@alinush@secparam@colludingnode I found a record of what I was referring to!
https://t.co/G2K4bO4Mmy
Basically, transforming from a linear, Fiat-Shamir, to a non-linear, non-Fiat-Shamir signature, didn't change it was a signature scheme for a prime field with verification in the exponent /eyeroll
@matthew_d_green@alinush@secparam@colludingnode Though that arguably is more about how ludicrous the patent was than an actual discussion on how we classify interactive protocols with a commit before a reveal...
Re: Zcash Orchard:
This sucks. It sucks this complex piece of work had a flaw, leading to hidden inflation in the Orchard pool. Their network is likely suited to handle it, for reasons I disagree with but are here justified, and I hope they do rotate to a new Orchard pool.
@hohhle I mean, both allow double-spending via forging nullifiers, but one was immediately detectable if exploited (and verified not to have been on Monero) and one isn't so detectable. The cryptography is also light years apart (torsioned points with signatures vs arithmetic circuits)
@ambimorph It was to have empathy for Zcash, acknowledge a mutual risk (as I'm sure some will try and lambast Zcash over this as if it's uniquely at fault), and relate it to my own work to show how devastating such bugs can be, all of us needing to treat them seriously.
@ambimorph I tried to write my thread with empathy, and to acknowledge a real risk, demanding our attention. I noted I truly hope this leads to the development of better tooling, in response to the planned/ongoing work on formal verification. It in no way was meant to be some shill piece.
@ambimorph I'm unsure why acknowledging we're unaware of hidden inflation bugs, as I discuss how this was in Zcash's circuit, where Monero is also planning to deploy an arithmetic circuit with its next upgrade, suggests Monero definitely doesn't have one and we should be reassured.