bitcoin-dev

Lamport scheme (not signature) to economize on L1

Original Post by yurisvb at pm.me

Posted on: December 21, 2023 16:07 UTC

In a recent exchange concerning the robustness of a cryptographic proposal, it was acknowledged that further measures are required to enhance the defense against rainbow-table attacks.

A suggested approach is to incorporate nonces from recent blockchain blocks as salts for LSIG (the signature) and ECCPUB (the public key). This gives LSIG 256 bits of salt, plus the additional entropy contributed by ECCPUB, and neither value would have been known at the time the rainbow table was constructed, so a precomputed table cannot cover them.

The discussion then shifts focus to brute-force analysis, which remains a concern even with the rainbow-table threat mitigated. The current assumption about an adversary's capabilities is considered excessively lenient, since it overestimates their computational power by equating SHA256 ASIC performance with that of general-purpose CPUs for hashes that require significant memory or serial processing work. This unrealistic upper bound could lead to underestimating the difficulty of cracking hashes, specifically those of up to 2^48 in strength within two days, and, more alarmingly, those of up to 2^64 within the time of a single block. Such miscalculations have the potential to compromise widely used security protocols.
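The two points above, salting a hash commitment with a value from a recent block so that a table built earlier cannot cover it, and bounding what brute force can reach in a given time window, can be checked with a small script. This is an added example, not code from the post or the thread; the candidate secret space, the stand-in block nonce and the adversary hash rate used below are all constructed assumptions chosen only to make the effect visible.

```python
import hashlib
import math

# Constructed sample data (assumptions for this example, not values from the thread):
# a small secret space that a precomputation table could plausibly enumerate, and a
# stand-in for the nonce of a block mined after that table was built.
CANDIDATE_SECRETS = [f"secret-{i}".encode() for i in range(4096)]
BLOCK_NONCE = bytes.fromhex("00" * 28 + "deadbeef")  # constructed, not a real block value


def commit(value: bytes, salt: bytes = b"") -> bytes:
    """Hash commitment H(salt || value); an empty salt models the unsalted scheme."""
    return hashlib.sha256(salt + value).digest()


def build_lookup_table(candidates) -> dict:
    """Precompute H(secret) -> secret for every candidate.

    This stands in for a rainbow table: it is built BEFORE the block that
    supplies the salt exists, so it can only cover unsalted commitments.
    """
    return {commit(s): s for s in candidates}


def lookup(table: dict, digest: bytes):
    """Return the secret behind a commitment if the table covers it, else None."""
    return table.get(digest)


def brute_force_bits(hash_rate: float, seconds: float) -> float:
    """log2 of the number of hash evaluations completed at hash_rate over the window."""
    return math.log2(hash_rate * seconds)


def security_margin_bits(strength_bits: int, hash_rate: float, seconds: float) -> float:
    """Target strength minus reachable work; positive means brute force falls short."""
    return strength_bits - brute_force_bits(hash_rate, seconds)


def salt_demo():
    """Show the same secret being recovered unsalted and not recovered when salted."""
    table = build_lookup_table(CANDIDATE_SECRETS)
    secret = b"secret-42"
    recovered_unsalted = lookup(table, commit(secret))
    recovered_salted = lookup(table, commit(secret, BLOCK_NONCE))
    return recovered_unsalted, recovered_salted


if __name__ == "__main__":
    unsalted, salted = salt_demo()
    print("unsalted commitment recovered:", unsalted)
    print("salted commitment recovered:  ", salted)
    # Assumed adversary: 2^40 hashes per second (a constructed figure, not a measurement).
    RATE = 2 ** 40
    ONE_BLOCK = 600            # seconds, nominal block interval
    TWO_DAYS = 2 * 24 * 3600
    for label, window in (("one block", ONE_BLOCK), ("two days", TWO_DAYS)):
        print(f"{label}: reachable work = 2^{brute_force_bits(RATE, window):.1f}")
    for strength, window in ((48, TWO_DAYS), (64, ONE_BLOCK)):
        print(f"2^{strength} over {window}s: margin = {security_margin_bits(strength, RATE, window):+.1f} bits")
```

The salted lookup fails because the table was keyed on `H(secret)` and the live commitment is `H(nonce || secret)`; the attacker would have to rebuild the table after the block appears, which collapses the precomputation advantage into plain brute force. The second half is the bound the post argues about: the only inputs are an assumed hash rate and a time window, so the conclusion is only as good as the hash-rate assumption, which is exactly the "SHA256 ASIC versus general-purpose CPU" question the summary raises for memory-hard or serial hashes.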

The email concludes with a commitment to reevaluate the adversarial model to ensure it accurately reflects realistic constraints without attributing disproportionate capabilities akin to a "magic wand." The sender promises to revisit the issue after a few days of contemplation, indicating an ongoing effort to refine and secure the proposal.