Silvio Micali – A Genius Which Will Stay in the Bottle

Silvio Micali, one of the most brilliant computer scientists on this planet has just re-invented democracy or blockchains or finance or law order and public authority and few other things, with his ALGORAND system. And some other brilliant crypto innovators are also doing the same thing: see DFINITY.

Possibly this is what we really want, a distributed ledger system which is very hard to corrupt and acts for the benefit of the honest players rather than the bad ones. The anti-dote to our mafia economy and all the fake sponsored consensus run by the corrupted few, in media, science, politics, etc, which we see every day.


On the surface, Dr Micali has the tool which we all want: a weapon for the  oppressed, the under-represented, or just ordinary  honest players in the market, a major step forward towards building a truly civilized society, towards restoring the market economy and truly democratic finance which benefits everyone.  A space where people can live their digital economy lives without fear of being abused by fraudsters and criminals.

The system works by deterministic randomness which is quite hard to control for the attackers and which decides which entities will be able to vote on the future state of the ledger. It is designed to be extremely robust and stable. It is claimed to be secure in some quite strong adversarial settings, for example the attacker is allowed to corrupt the very person who will be [temporarily] in charge of deciding the next update of the ledger. And the system claims to resist this sort of attack. Micali his this nice metaphor: […the powerful attacker] “cannot call back the leader’s message no more than a powerful government can put back in the bottle a message virally spread by WikiLeaks”.

However in fact Micali is doing just this. He has just started to suppress the very brilliant ideas he has been building in the last few years. The process of suppressing these brilliant ideas have already began, and the person who runs the revolution and the counter-revolution is the same, Dr Micali himself. On the first page of their paper we read:

These technologies are the object of the following patent applications: US62/117,138 US62/120,916 US62/142,318 US62/218,817 US62/314,601 PCT/US2016/018300 US62/326,865 62/331,654 US62/333,340 US62/343,369 US62/344,667 US62/346,775 US62/351,011 US62/653,482 US62/352,195 US62/363,970 US62/369,447 US62/378,753 US62/383,299 US62/394,091 US62/400,361 US62/410,721

You bet that for the next 20 years we will be left with what we have: mafia-friendly systems such as bitcoin, hyper-centralized champions of excessively poor network neutrality, which are essentially privately controlled financial systems designed and working exclusively for the corrupt few. Why it is the systems such as bitcoin which are free and open source and good ones patented?

Shame on you Silvio Micali!


Interesting Parts in CIA Leaks

Schneier wrote:

  • 8,761 classified CIA documents […] 2012-2016 […]it sounds like this cache of documents wasn’t taken from the CIA and given to WikiLeaks for publication, but has been passed around the community for a while — and incidentally some part of the cache was passed to WikiLeaks. […]  extraordinary collection […] several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA.[…]
  • […]there is absolutely nothing illegal in the contents of any of this stuff. It’s exactly what you’d expect the CIA to be doing in cyberspace[…]
  • […] these tools are a few years out of date

Danezis in UCL blog wrote:.

  • “If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying/war code unclassified.”

Other observations which many sources reported:

  • Frankfurt is a major CIA outpost for hacking ops.
  • CIA is masquerading to make things look like cyberattacks come from Russia.






Donald Trump Under 51% Attack

Tomorrow 20 January, Trump will become the next US president. It will allow us to test again the concept of a 51% attack: more than 51% of Americans disapprove of Trump.

Here come the bad news. Possibly 90% would not help either. We have been losing control of the wealth and resources of this planet since the end of 1980s, and this concerns the 90% of us, the whole of the so called middle class included.

ADDITIONS: there are also many good people among the rich and influential.

Is PGP Bankrupt?

In the last few years, we have seen an increased awareness that PGP/GPG is a dinosaur of 1990s crypto, and it does not satisfy the need of modern users for secure communication.

PGP model has many perverse effects: like creating a single point of failure where all sensitive communications are compromised with cracking one single key, which sooner or later quantum computer will crack.

Possibly PGP can be fixed and have forward security added etc, but for now many security researchers do not advocate to use PGP.

Now are there any trustworthy alternatives on this planet? I believe there aren’t. I would recommend users NOT to trust anyone who says them some app is secure, like in this article which advocates Signal/What App . They are going to be disappointed.


Blockchain Privacy – Part 3: Ring Signature Mixes

Now we’ve covered why privacy is essential for widespread cryptocurrency adoption, and how stealth addresses can help assist the pseudonymity (stealth addresses defined and explained in Part 2, pseudonymity discussed in Part 1), it’s time to explain how to combine cryptography and Ethereum’s smart contract functionality to add another layer of obfuscation to public blockchains!


Ring signatures generally satisfy several essential properties, namely anonymity, unforgeability, and collusion resistance. The definition of anonymity here is that an adversary has no more than a negligible advantage of correctly identifying the individual that produced the signature.

Ring signatures offer honestly participating users with ‘unconditional anonymity’, and are formed without a complex setup procedure or the requirement for a trusted third party, trusted setup, or any form of group leader. Users are simply required to be part of an existing public key infrastructure.

Ring signatures are constructed in a way that the ring can only be ‘completed’, and so will only verify correctly, if the signer has knowledge of some secret information, most commonly a private key corresponding to one of the public keys in the ‘ring’. This is done through a zero-knowledge proof of membership.
In the signature generation algorithm, a number is generated at random for each of the other public keys in the ring, and then the signer uses the knowledge of their own private key, or some other ‘trapdoor information’, to ‘close’ the ring.


Ring signatures offer users anonymity by hiding transactions within a set of others’ transactions. If there are many users contributing very similar amounts to a ring, then the ring is said to have good liquidity, meaning the transactions can occur quickly, and also that transactions can be effectively mixed, with a high resistance to attempted mixing analysis attacks.

Linkable ring signature algorithms provide a scheme that allows users to sign on behalf of a group, again without revealing the individual signer’s identity, but with the additional property that any signatures produced by the same signer, whether signing the same message or different messages, have an identifier, called a tag, linking the signatures. With this tag, third parties can efficiently verify that the signatures were produced by the same signer, without learning who that signer is.

In our case, we use linkable ring signatures in a mixing contract.animix

Ring Signature Mixing Contract

Our linkable ring signature scheme relies on the hardness of EC-DDH, and the general scheme is as follows:

  1. A contract is made to verify ring signatures, receive and distribute coins. Parameters for the specific mix (such as the transaction value of each amount to be deposited into the ring, or the minimum number of users with which the contract will execute) are entered into the contract.
  2. Each sender randomly generates an ephemeral elliptic curve key pair. The public key of this pair is sent to the intended transaction recipient. The two parties then generate a shared secret as in the stealth address protocol, and the sender submits the freshly formed public key to the ring mixing contract.
  3. Along with the freshly generated public key, users wishing to participate in the mix send the agreed denomination of the cryptocurrency, for example 1 Ether, to the contract. When a sufficient number of users have sent their public keys to the contract, with sufficient defined in respect to the original contract parameters, users can read the list of public keys which together form the ring.
  4. Each intended recipient can construct the secret key corresponding to a public key submitted to the contract. If the mix user is simply someone wanting to mix their coins, rather than transfer the coins into a recipient’s account, the user can still generate an ephemeral key pair and create a new stealth address for their coins to be transferred into.
  5. Intended recipients send the signature to the contract. The signature includes a tag, which is unique to each signer, message, and ring.
  6. The contract verifies that the tag is formed correctly, corresponding to one of the public keys in the ring. The signature and tag will only verify if:
    • The message signed is the correct message,
    • The ring in question is correct,
    • The tag is correctly formed,
    • The tag has not been seen before.
  7. Funds are released to each sender of a verified signature and tag.

There are grittier details about adding opcodes to the EVM, hashing to secp256k1, indistinguishability and random oracle assumptions, etc, but we’ll gloss over them here!

Combining cool thing #1 and cool thing #2

The combination of stealth addresses and ring signatures makes revealing blockchain anonymous almost impossible (in cryptography the property is generally referred to as infeasibility). Combining these two techniques, we arrive at a scheme that satisfies the following properties:

  1. Anonymity: The probability of an adversary identifying who created a transaction is at most negligibly higher than if the adversary were to guess entirely at random.
  2. Efficiency. The transactions take less than a second to generate, and when used with Ethereum’s ~15 second block time, your transaction could be mined before a ZCash zkSNARK has even finished generating 😉

Now breathe. And please tell me if you hated everything I said or have a million questions or want to let me know I’m wrong in a thousand ways!!!! (Or if more animal pictures are required).

Blockchain Privacy – Part 2: Stealth Addresses


In Part 1 we covered why privacy is essential for widespread cryptocurrency adoption, and concluded that neither Bitcoin nor Ethereum, or even ZCash is suitable for the task we’re wanting to solve: anonymity with efficiency. (Also the bonus property of needing no trusted setup)!


The benefits of using stealth addresses can be explained through this slightly contrived example:

Say Alice has a store, and she has her public key stuck to her till, so people can make payments to her in bitcoin/ethereum/ZCash. Alice is aware of the transaction analysis that people can perform on public blockchains, and her competitor Eve knows that about 98% of store payments are in Ether, so if she tracks Alice’s blockchain address, she will be able to monitor how Alice’s business is doing in near-real time. This makes Alice’s business vulnerable. For example, Eve could even learn to predict when Alice runs out of stock and then sell items to Alice at an unfair price. Instead of Alice changing her public key sticker every day, she can use stealth addresses!

Stealth addresses work as follows:

Say Alice has long-term, publicly known public key A, and corresponding private key a, such that A = a \cdot G, with G the generator of an elliptic curve (EC) group (if you don’t know what that means, we can just pretend they’re coordinates plotted on a graph with the property that A is an excessively obscure representation which does not reveal the secret a). A is an elliptic curve point (as is G — it’s defined along with the curve we’re working on) and a is a 256 bit integer.


Bob wants to pay Alice. Normally he would just send Ether to Alice, but as we know, blockchain analysis would make this transaction entirely public. So instead, Bob’s wallet generates an ephemeral key pair, for use in just this one transaction, with B an elliptic curve point, and b a 256 bit integer. Bob (or Bob’s wallet, acting on his behalf) sends B to Alice, and they can both calculate the shared secret b \cdot A = a \cdot B = a \cdot b \cdot G = b \cdot a \cdot G.


Bob can  then send the Ether to an address formed K(A + H(b \cdot A) \cdot G) (…with K being the function used to map from public keys to public addresses in Ethereum), and Alice can spend the money with private key a + H(a \cdot B).


For any eavesdropper to compute the shared secret b \cdot a ( = a \cdot B), they would have to crack the ECDH (elliptic curve Diffie-Hellman) problem. This is infeasible. So Alice’s privacy is protected so far!!
While we’re here, here are the definitions of ECDLP & EC-DDH. Both are useful in different parts of our huge scheme. The assumed hardness of the ECDLP is essential for privacy in the stealth address system, and the hardness of EC-DDH is the requirement for our ring signature scheme, described in Part 3. Assume E here is for Eve, our adversary (conventionally, the adversary is called A for adversary, but we have A as Alice’s public key, so we can call the adversary E to avoid confusion between E, the malicious actor, and A \in E(\mathbb{F}_q), the elliptic curve point).

Definition 1 Elliptic Curve Discrete Logarithm Problem (ECDHP)
E has no advantage in solving following:
Given G, a \cdot G and b \cdot G \in E(\mathbb{F}_q),
find S = (ab) \cdot G.
Definition 2 Decisional Diffie-Hellman Assumption (EC-DDH)
E has no advantage in the following:
Given a \cdot G, b \cdot G, c \cdot G \in E(\mathbb{F}_q), with a, b, c \cdot \mathbb{Z}_n, decide whether c \in G = ab \in G.

Although the maths may look somewhat difficult to follow, Bob can send his one-time-use public key in the ‘data’ slot of the transaction, and so Alice can simply scan all transactions, find B, form the stealth private key, and spend the money as she wishes. The extra computations can all be automating inside and Alice and Bob’s wallets, and the communication is compressed down into 1 transaction needed, just like an entirely transparent result. This functionality is entirely possible with Ethereum & any wallet with stealth address capabilities.

However, if Eve is transferring money to Alice, and is really invested in finding out Alice’s income, she could produce a transaction (or many dust transactions) with stealth addresses for Alice, and then monitor the blockchain to see if Alice ever joins those accounts together or with others, in order to make an input to a higher value transaction in the future. This sounds unlikely to be relevant, but blockchain analysis (such as taint analysis) has been known to have crippling effects on the anonymity of public blockchain systems.

So we will work to prevent it. Using cool thing number 2.