
Proof data storage

Open SarangNoether opened this issue 5 years ago • 5 comments

It's possible to store data in a Bulletproof range proof, under particular trust assumptions. In particular, knowledge of a PRNG seed used for random element generation can be used to store 32 bytes of arbitrary data; however, this allows for the brute-force recovery of all Pedersen values used in the proof by any entity that knows the seed. For a proof consisting of exactly one Pedersen commitment, the inclusion of another 32 bytes of data is possible, but this leaks the Pedersen mask. Storage of data should therefore be intended only for use by the prover.

Similarly, it's possible in Triptych to store 64 bytes of arbitrary data per proof in a way that leaks the signing index to a PRNG seed holder.

SarangNoether • Jan 31 '20 13:01
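An added sketch of the idea in the opening post, not code from this issue or from the Monero code base. It assumes the payload rides in the Bulletproofs blinding response μ = α + ρ·x, works on scalars only (no curve points), and uses a hypothetical hash-based `prng`, an additive mask, and a constructed challenge `X`.

```python
import hashlib

# Order of the ed25519 prime-order subgroup (the scalar field Monero uses).
L = 2**252 + 27742317777372353535851937790883648493

def prng(seed: bytes, label: bytes) -> int:
    """Stand-in seeded PRNG (assumed construction): hash seed+label to a scalar."""
    return int.from_bytes(hashlib.sha512(seed + label).digest(), "little") % L

def embed(seed: bytes, data: bytes, x: int):
    """Prover: mask `data` into alpha, derive rho from the seed, publish mu."""
    d = int.from_bytes(data, "little")
    if d >= L:
        raise ValueError("payload must encode to a scalar below the group order")
    alpha = (d + prng(seed, b"mask")) % L   # looks uniform without the seed
    rho = prng(seed, b"rho")                # second blinding scalar, seed-derived
    mu = (alpha + rho * x) % L              # response value published in the proof
    return alpha, mu

def recover(seed: bytes, mu: int, x: int):
    """Seed holder: undo the response to get alpha, then unmask the payload."""
    rho = prng(seed, b"rho")
    alpha = (mu - rho * x) % L
    d = (alpha - prng(seed, b"mask")) % L
    return alpha, d.to_bytes(32, "little")

# Constructed sample values (a real challenge comes from the proof transcript).
SEED = b"constructed seed known only to the prover"
X = prng(b"constructed transcript", b"challenge")
DATA = b"constructed payload"

if __name__ == "__main__":
    alpha, mu = embed(SEED, DATA, X)
    leaked_alpha, payload = recover(SEED, mu, X)
    print("payload:", payload.rstrip(b"\0"))
    print("blinding scalar recovered by seed holder:", leaked_alpha == alpha)
```

`recover` returns the blinding scalar α along with the payload: whoever holds the seed learns a value that is supposed to stay secret, which is the leak the post warns about.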

Is storing 64 bytes of arbitrary data still possible with Triptych? If so, couldn't this be used to replace tx_extra?

boogerlad • Jul 13 '21 19:07

Yes, a Triptych proof can store 64 bytes of arbitrary data using a seeded PRNG.

SarangNoether • Jul 13 '21 21:07

Is this a "bug" or a "feature"? That is, will the ability to store arbitrary data eventually be removed? I can think of some pretty nifty use cases.

boogerlad • Jul 14 '21 00:07

The network can't detect it, so it's not possible to "remove" this feature. It's entirely up to client software to embed and/or recover this data.

SarangNoether • Jul 14 '21 00:07

Here is a paper about inserting a communication channel via steganography: https://ieeexplore.ieee.org/abstract/document/9356584

UkoeHB • Dec 13 '22 00:12