grandmaster2: thanks, but i am still not sure if it's safe with all the terms provided
grandmaster2: if we can't decide on its security in the end, a better strategy would be using exponents which are a bit farther apart, e.g., e=2 and 7
grandmaster2
oakpacific, oops, you just reminded me sth. If auditee knows (a+b)^3 mod N and (a+b)^2 mod N, then (a+b)^3/(a+b)^2 = a+b
how on earth did i forget about that?
waxwing
grandmaster2, just to let you know i've seen it, but a bit distracted by other things. will try to comment as and when.
grandmaster2
waxwing, yeah it's ok, there's nothing to comment on atm, the scheme in my hastebin is broken.
I guess I'll have to start looking into paillier threshold decryption schemes cause I have no faith anymore that plain paillier will suffice.
oakpacific
so if i encrypt the same message using RSA with two different e, i am gonna be screwed?
hard to believe
waxwing
oakpacific, without padding, is it hard to believe? depending on which two e-s you chose, but in any case you're in dangerous waters given the homomorphism.
i guess it subsumes under the general 'you need to trust your auditor' worry. if it was deemed that tlsnotary was 'undesirable' it could be attacked in many ways; this doesn't seem to me like one of the main ways that could happen.
i think hgt's post is a good example of the fear and suspicion which is the majority of people's first response to this technology.
oakpacific joined the channel
oakpacific
waxwing: ZKP could probably disguise the destination account number, it's one 6-8 digit number after all
waxwing: we may need to make it clear in the forum thread and so on that you can test against yourself, someone may be hesitant to test because they don't want to leak anything about themselves to begin with