
Comments (17)

erikzhang commented on June 3, 2024 2

We can prefix the public key so that it is easy to choose a curve or algorithm when executing VERIFY.

from neo-vm.

erikzhang commented on June 3, 2024 1

Does onchain decryption not reveal the private key?

jsolman commented on June 3, 2024 1

Onchain decryption sounds broken to me; couldn’t the message be intercepted and an alternative one relayed to consensus nodes first?

erikzhang commented on June 3, 2024 1

I found that the MODPOW of the built-in BigInteger has only 3 parameters.

https://github.com/dotnet/runtime/blob/a6acafd32d907eecd1359317fb340bced6f92210/src/libraries/System.Runtime.Numerics/src/System/Numerics/BigInteger.cs#L907

erikzhang commented on June 3, 2024 1

Does it have other scenarios besides on-chain decryption?

igormcoelho commented on June 3, 2024

What about RSA? We may need to support onchain decryption too. This could also be done by modpow.

igormcoelho commented on June 3, 2024

It reveals, but the key is only used in a single step and dropped if this command is activated, so it does not matter being exposed anymore (at this point the user loses his bond if the smart contract manages to decrypt the hidden info). I agree this looks like an unusual application, but other blockchains are migrating to this model too, allowing users to implement their own crypto manually. In this sense it's better to have an opcode like this than one for decryption, for example. I think that curve parameters may be put on storage, and the user account could basically be: load curve data, perform point verification.

igormcoelho commented on June 3, 2024

I will try to devise an alternative without RSA (perhaps ECDH, although this will require point multiplication...), because we need to get this going asap, but the community should strongly consider this modpow, perhaps as an interop if more acceptable ("Neo.Crypto.ModPow" and "Neo.Crypto.ModInverse").

vncoelho commented on June 3, 2024

I think that the idea is that we really want to decrypt it, @jsolman, no matter who sends the invoke.
The decryption is just activated after some initial conditions in the SC.

igormcoelho commented on June 3, 2024

One example application is the AnonyTree on SciChain. For now, it's beginning as a part of DRandLib, but soon it will be moved to the SciChain repo: https://github.com/igormcoelho/DRandLib
By having decryption, we could enforce that the smart contract would validate information if necessary... since we won't have that, the community will need to validate that through majority voting... for us that's possible (not perfect though), but there will be scenarios where only onchain decryption will do the job.

igormcoelho commented on June 3, 2024

@erikzhang just to exemplify a simple application that uses this (considering ECDSA).
Person A has pubkey pub_A and private key priv_A.
Person B has priv_B and pub_B.
Both will need to secretly define who will pass to the next step, without cheating. So both calculate S = priv_A * pub_B = priv_B * pub_A, and use it together with some entropy to decide who will be next. Suppose A wins (and B loses). Using S, a new private key priv_S is derived, and pub_S is used for the next step together with some information from A. However... B could try to cheat and pretend he won! But in this case, Person A could publish private key priv_A, and the Smart Contract could calculate S and it will know that B is a liar.
In this situation, B would lose his bond, or receive any other punishment, automatically from the smart contract.
However, since we don't have this opcode now, we will need to rely on a community vote to punish people based on public evidence... I think this works for us, because of the nature of the application, but it would be much better to be able to calculate that onchain.

shargon commented on June 3, 2024

As a syscall it couldn't damage anyone, so it's fine for me.

vncoelho commented on June 3, 2024

ahueahuehaea, I did not remember about that Milestone.

@shargon, let's do it, I remember that this would enable very good applications!

igormcoelho commented on June 3, 2024

This should be an EXTENSION to neovm... not in the blockchain itself... let's see ;)

lock9 commented on June 3, 2024

@igormcoelho what are next steps? Is this going to be added to this repository?

igormcoelho commented on June 3, 2024

> I found that the MODPOW of the built-in BigInteger has only 3 parameters.

Indeed, the first multiplication can be done separately; no need to require 4 params.

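Added example (not code from neo-vm or from anyone in this thread) illustrating the two points raised above: the RSA-style "onchain decryption" that igormcoelho says could be done by modpow, and the observation that a four-argument `a * b^e mod n` needs only the three-argument MODPOW that .NET's BigInteger offers, with the multiplication done separately. `mod_inverse` stands in for the proposed "Neo.Crypto.ModInverse" interop and uses Python 3.8+ `pow(x, -1, m)`. The primes, exponent and message are small constructed values for illustration, not secure parameters; `verify_committed_plaintext` is a hypothetical contract-side check that re-encrypts the recovered plaintext so a revealed exponent that is not a valid decryption exponent for the committed ciphertext is rejected.

```python
# Added example: RSA commit-reveal with three-argument MODPOW only.
# Toy primes (constructed, NOT secure sizes): n = 61 * 53 = 3233, phi = 3120.
P_SAMPLE = 61
Q_SAMPLE = 53
E_SAMPLE = 17

def mod_inverse(x, m):
    """Modular inverse; stands in for the proposed Neo.Crypto.ModInverse."""
    return pow(x, -1, m)  # Python 3.8+; raises ValueError if gcd(x, m) != 1

def modpow3(base, exp, mod):
    """Three-argument MODPOW, the shape .NET BigInteger.ModPow offers."""
    return pow(base, exp, mod)

def modpow4(mult, base, exp, mod):
    """a * b^e mod n expressed as a separate multiplication plus modpow3,
    which is why a four-argument opcode is unnecessary."""
    return (mult % mod) * modpow3(base, exp, mod) % mod

def rsa_keygen(p, q, e=E_SAMPLE):
    """Textbook RSA key pair from two primes (constructed sample inputs)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = mod_inverse(e, phi)
    return (n, e), (n, d)

def rsa_encrypt(pub, m):
    n, e = pub
    return modpow3(m, e, n)

def rsa_decrypt(priv, c):
    n, d = priv
    return modpow3(c, d, n)

def verify_committed_plaintext(pub, ciphertext, revealed_d, claimed_plain):
    """Hypothetical contract-side check after the reveal step.

    The party publishes its private exponent d (which is thereby burnt, as
    the thread notes).  The contract decrypts the previously committed
    ciphertext, compares with the claimed plaintext, and re-encrypts the
    result under the public key: a bogus d yields a plaintext that does not
    re-encrypt to the committed ciphertext, so it is rejected.
    """
    n, e = pub
    if not 0 < revealed_d < n:
        return False
    plain = modpow3(ciphertext, revealed_d, n)
    if plain != claimed_plain:
        return False
    return modpow3(plain, e, n) == ciphertext

def demo():
    """Run the commit-reveal flow on the constructed sample values."""
    pub, priv = rsa_keygen(P_SAMPLE, Q_SAMPLE)
    message = 65                      # constructed sample plaintext
    commitment = rsa_encrypt(pub, message)
    honest = verify_committed_plaintext(pub, commitment, priv[1], message)
    forged = verify_committed_plaintext(pub, commitment, priv[1] - 2, message)
    return commitment, rsa_decrypt(priv, commitment), honest, forged

if __name__ == "__main__":
    print(demo())  # commitment 2790, plaintext 65, honest True, forged False
```

The three-argument form is all the contract needs: `modpow4` is one extra multiplication and reduction around `modpow3`, and the re-encryption step in `verify_committed_plaintext` is what binds the revealed exponent to the committed ciphertext rather than trusting the claimed plaintext alone.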
igormcoelho commented on June 3, 2024

> Does it have other scenarios besides on-chain decryption?

Not just decryption, which is strange (but useful for commit-reveal schemes), as the most amazing use-case is the ability of a user to provide their own cryptography. To fulfill that in a practical manner (not being costly), and to avoid a stateless situation during verifications (not depending on storage), I would suggest that the Neo project have some ability to store global constants. Maybe put a very high GAS cost on that (on Put, and very cheap on Get), but we could deploy constants for elliptic curve parameters, and just load them on verification, without breaking stateless invariants (as they will not change).

The interesting thing is that, with constants, we cannot break stateless invariants, because if we try to read them before deploying, verification would fail (so it couldn't be put on blocks or mempool). And after it's on block, any constant it requires must be kept forever (so it will never break any state invariant).

So I propose to have this MODPOW here, together with "Neo.Const.Put" (expensive on GAS) and "Neo.Const.Get" (cheap on GAS), on the Neo core project (see neo-project/neo#2040)

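Added example (not code from neo-vm or from anyone in this thread) that ties together the two comments above: the ECDH-style shared-secret commitment from igormcoelho's A/B example (S = priv_A * pub_B = priv_B * pub_A, with A later revealing priv_A so the contract can recompute S and catch a cheating B), and the idea of loading curve parameters from an immutable constant store so verification stays stateless. Curve arithmetic is written with only modular multiplication and inverse, the primitives "Neo.Crypto.ModPow" / "Neo.Crypto.ModInverse" would expose (here Python's `pow`, 3.8+ for the inverse). The curve constants are the real secp256k1 parameters; `const_put` / `const_get`, the `verify_reveal` check and the private keys are hypothetical, constructed for this example.

```python
# Added example: user-supplied curve loaded from a constant store, ECDH shared
# secret S, and the contract-side check that a revealed private key is consistent.

# Constant store standing in for the proposed Neo.Const.Put / Neo.Const.Get:
# a name can be deployed once and never changed, so reads are stateless-safe.
CONSTANTS = {}

def const_put(name, value):
    if name in CONSTANTS:
        raise KeyError(f"constant {name} already deployed")  # immutable once set
    CONSTANTS[name] = value

def const_get(name):
    return CONSTANTS[name]  # KeyError: constant not deployed, verification fails

# secp256k1: y^2 = x^3 + 7 over F_p (real parameters, deployed as constants)
const_put("secp256k1.p", 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
const_put("secp256k1.a", 0)
const_put("secp256k1.b", 7)
const_put("secp256k1.Gx", 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
const_put("secp256k1.Gy", 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
const_put("secp256k1.n", 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141)

def mod_inverse(x, m):
    """Stands in for Neo.Crypto.ModInverse (Python 3.8+)."""
    return pow(x, -1, m)

def point_add(P, Q, curve):
    """Affine point addition; None is the point at infinity."""
    p, a = const_get(f"{curve}.p"), const_get(f"{curve}.a")
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                       # P + (-P) = O, also 2P when y = 0
    if P == Q:
        lam = (3 * x1 * x1 + a) * mod_inverse(2 * y1, p) % p
    else:
        lam = (y2 - y1) * mod_inverse(x2 - x1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)

def scalar_mult(k, P, curve):
    """Double-and-add k*P (not constant-time; fine for a verifier, not a signer)."""
    R = None
    while k:
        if k & 1:
            R = point_add(R, P, curve)
        P = point_add(P, P, curve)
        k >>= 1
    return R

def on_curve(P, curve):
    if P is None:
        return False
    p, a, b = (const_get(f"{curve}.{k}") for k in ("p", "a", "b"))
    x, y = P
    return 0 <= x < p and 0 <= y < p and (y * y - x ** 3 - a * x - b) % p == 0

def generator(curve):
    return (const_get(f"{curve}.Gx"), const_get(f"{curve}.Gy"))

def pubkey(priv, curve):
    return scalar_mult(priv, generator(curve), curve)

def shared_secret(priv, other_pub, curve):
    """S = priv_A * pub_B = priv_B * pub_A (ECDH)."""
    return scalar_mult(priv, other_pub, curve)

def verify_reveal(curve, revealed_priv_A, pub_A, pub_B, claimed_S):
    """Hypothetical contract check: A reveals priv_A; the contract confirms it
    matches pub_A, recomputes S from pub_B and compares with the S that was
    committed, so a B who claims a different outcome is caught."""
    n = const_get(f"{curve}.n")
    if not (0 < revealed_priv_A < n and on_curve(pub_A, curve) and on_curve(pub_B, curve)):
        return False
    if pubkey(revealed_priv_A, curve) != pub_A:
        return False
    return shared_secret(revealed_priv_A, pub_B, curve) == claimed_S

# Constructed sample keys (illustration only)
PRIV_A = 123456789
PRIV_B = 987654321

def demo(curve="secp256k1"):
    pub_A, pub_B = pubkey(PRIV_A, curve), pubkey(PRIV_B, curve)
    S = shared_secret(PRIV_A, pub_B, curve)
    symmetric = S == shared_secret(PRIV_B, pub_A, curve)
    honest = verify_reveal(curve, PRIV_A, pub_A, pub_B, S)
    forged_S = point_add(S, generator(curve), curve)   # B claims a different S
    cheating = verify_reveal(curve, PRIV_A, pub_A, pub_B, forged_S)
    return symmetric, honest, cheating

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Because every curve parameter is read through `const_get`, a transaction that references a curve nobody has deployed fails verification instead of depending on mutable storage, which is the stateless property the comment above argues for; swapping in another short-Weierstrass curve is a matter of deploying a second set of constants under a different prefix.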