Closed anargle closed 6 years ago
Very nice catch, thanks for keeping an eye on us!
🤦♀️ Took me a couple of reads of this bug report to actually get my head around what's being said here. But basically (please correct my thinking here if wrong) this distills down to - If we sum a signed kernel excess and an unsigned kernel offset (and we know both commitments) then it is trivial to replace them with any pair of commitments. i.e. we can sign anything and trivially provide the necessary offset commitment.
Working on reverting this change on the consensus_breaking
branch.
Thanks @anargle for this.
Got so deep into the "everything in Grin is just summing commitments" that I forgot to fully consider the kernel signatures here...
Tried to re-read the intro page of the Grin docs without succeeding to match with what is being said in this issue:
https://github.com/mimblewimble/grin/blob/master/doc/intro.md
Are these commitments / signed kernel excess / unsigned kernel offset described in details somewhere?
@mably You can read more about it here https://github.com/mimblewimble/grin/pull/681.
The commitmens and the kernel excess are described in that doc. Offsets are an addition on top of the excess and its signature to improve privacy. They're not formally documented (yet) but #671 covers a lot of it.
And @quentinlesceller beats me to it by throwing #681 in the mix as well :-)
Using a kernel offset to maintain privacy of individual transactions in a block - good. Using a kernel offset that allows all the funds to be stolen - bad.
Fixed by #1062
I believe that #1020 completely destroys Grin's security properties and should be reverted. Although the kernel offset was always just turned into a commitment, the fact that it was stored and transmitted as a blinding factor serves as a (trivial) proof of knowledge of the discrete logarithm or the kernel offset commitment. By storing a commitment instead of a blinding factor, the signature that makes up the kernel is useless.
As an example, I could, in a single transaction, steal every UTXO in existence and forge as much money as I wanted: if the sum of all existing UTXOs is
P
, then I can post a transaction withbG + 1000000000H
as an output (with a random blinding factorb
chosen by me)bG + 1000000000H
.rG
and a signature using that kernel (with a random, arbitrary factorr
chosen by me)bG + 1000000000H - rG - P
. I don't know the discrete logarithm of the kernel offset, but that is fine, as nothing verifies that I do. Everything adds up as a valid transaction. This isn't even distinguishable from an ordinary transaction (except for the fact that I'm clearly stealing everybody's money, but that isn't necessary).