MoneroResearch.info

WIKINDX Resources  

Goodell, B. (2024). Security Review - Generalized Bulletproofs. Unpublished manuscript. 
Added by: Rucknium (06/12/2024, 17:56)   
Resource type: Manuscript
BibTeX citation key: Goodell2024
View all bibliographic details
Categories: Monero-focused
Subcategories: Full-Chain Membership Proofs
Creators: Goodell
Collection: Cypher Stack
Views: 375/375
Attachments   GBP_Security_Review.pdf [47/47] URLs   https://repo.getmo ... sts/449#note_27508
Abstract
We review the Generalized Bulletproofs (GBPs) proposal in [7], [8], which reduces to the Bulletproofs (BPs) proposal described in [3] in a certain edge case. The GBPs proposal, and its proofs, are straightforward extensions of Bulletproofs (BPs), described in [3], demonstrating that GBPs are perfectly complete, have special honest-verifier zero-knowledge (SHVZK), and computational witness-extended emulation (CWEE). The proofs in [7] correctly and directly extend the proofs in [3], so it is subjectively unlikely that BPs are secure and GBPs are not.

That is to say, if BPs are up to industry standards, so are GBPs. Moreover, other recent work in [9] demonstrates that BPs are simulation-extractable, and so future extensions of that work may yet demonstrate that GBPs are also simulation-extractable. However, the security proofs in both [3] and [7] neglect runtime and success probability of their reductions, data which is useful in assessing tightness gaps and practical security. Taking tightness gaps into account when assessing practical security is not an industry standard because doing so leads to less efficient systems, but [2] describes practical attacks against a wide variety of popular signature schemes proven secure with forking arguments (Schnorr blind, Okamoto-Schnorr blind, GJKR threshold, original FROST threshold, CoSI and two-round MuSig multi-, Abe-Okamoto partially-blind, and ZGP17 conditional-blind signatures). The GBPs tightness gap is wide since the proof of CWEE in [7] (and [3]) uses a generalized forking lemma.

For these reasons, the author recommends further investigation into whether the attack vectors in [2] apply to BPs and GBP.


  
WIKINDX 6.10.2 | Total resources: 236 | Username: -- | Bibliography: WIKINDX Master Bibliography | Style: APA Enhanced