Why old elliptic?

[O.S.G.]

You use EdDSA and elliptic curve cryptography, as your whitepaper says, and so does Bitcoin. Why did't you use a modern crypto like pairings or NTRU? It could have been huge advantage against Bitcoin and create an an additional feature to stand out.

[Maurice.P]

You use EdDSA and elliptic curve cryptography, as your whitepaper says, and so does Bitcoin. Why did't you use a modern crypto like pairings or NTRU? It could have been huge advantage against Bitcoin and create an additional feature to stand out.

To answer your question,I believe that brand new algorithms are actually more about marketing than security.

CryptoNote was created with the state-of-the-art cryptography with sufficient security level for the next decades. Schnorr signatures and 256-bit ECC keys (the basis for EdDSA) are very strong cryptos, which have passed the test of times. It has been implemented in various systems (not only ours). There have been tons of papers with analysis and researches on that top. I can't say the same applies to pairing-based cryptography or NTRU.

Also, there are efficiency considerations. Daniel Bernstein's implementation of EdDSA (which we use) is a highly optimized code with every line tweaked (Albert once praised it as a form of art). During the R&D phase (2011-2012) we were aware of pairing-based versions of ring signatures, but according to what we know there was no efficient implementation of such a crypto. Once again, it's a quite young area of science.

And lastly, we have never perceived our technology as a total replacement for Bitcoin or any other "coin"; it is not a race. We created the technology according to our digital cash vision and every choice we have made arose from the common sense and best practices.

[Johnny Mneumonic]

It is to my understanding that elliptic curve signatures are vulnerable to Shor's algorithm. We already know of rumors that certain government agencies are working to build powerful quantum computers that can become a major threat to our privacy in the near future. I'm curious as to why you didn't choose Lamport signatures, for example, in an effort to remain secure in a world of quantum computing?

[O.S.G.]

I believe that brand new algorithms are actually more about marketing than security

Then you should have used old-fashioned SHA2 instead of SHA3. Correct me if I'm wrong, bit Bruce Schneier says there is no advantage of SHA3 against SHA2.

[O.S.G.]

Just found the link: https://www.schneier.com/blog/archives/2012/09/sha-3_will_be_a.html

[Maurice.P]

It is to my understanding that elliptic curve signatures are vulnerable to Shor's algorithm. We already know of rumors that certain government agencies are working to build powerful quantum computers that can become a major threat to our privacy in the near future. I'm curious as to why you didn't choose Lamport signatures, for example, in an effort to remain secure in a world of quantum computing?

Actually, Lamport signatures are inefficient in size to be implemented anywhere at all.

If quantum computers do appear at some point, it would mark an end to 90% of all the existing cryptography, including SSH and practically anything. However, the threat is still vague and it would be pointless to use inefficient tools like Lamport signatures to try to prevent it. I guess if the quantum computer is created, each and every cryptocurrency will be subject to a hard fork.

[Maurice.P]

I believe that brand new algorithms are actually more about marketing than security

Then you should have used old-fashioned SHA2 instead of SHA3. Correct me if I'm wrong, bit Bruce Schneier says there is no advantage of SHA3 against SHA2.

We actually agree with Bruce that Keccak hash is not significantly better than SHA-512. On the other hand, there are certain advantages like speed and length-extension attack defense, which we think will matter in the future.

The main point we had in mind is that any consensus-based decentralized cryptocurrency does not tolerate radical changes well. Let's say if a new Whatsapp update replaces SHA-2 with SHA-3, then the clients will be simply updated preserving all the message history. However, applying such a change will cause the hard fork resulting in the network split into two incompatible parts. Even after the upgrade all the work (blocks and transactions) of the "older" part will be discarded.

Therefore, choosing the hash function we were trying to understand what would the hash standard likely be in 2022? Our answer was SHA-3.

[Joshua Zeidner]

You use EdDSA and elliptic curve cryptography, as your whitepaper says, and so does Bitcoin. Why did't you use a modern crypto like pairings or NTRU? It could have been huge advantage against Bitcoin and create an an additional feature to stand out.

I read a few negative comments about NTRU.

Are any of these problems substantial in your view?

thanks, -jmz

[bbelev]

How likely is it that they actually invent quantum computers that will break all or most known cryptography?

[Maurice.P]

The advent of quantum computes will render the modern cryptography utterly useless.
There are ongoing discussions as to how quantum-resistant systems can counter the attacks employing advanced quantum algorithms and whether or not they will be put to use in the future. However the idea of quantum-resistance itself has as many drawbacks as it has advantages.

The quantum computers will be able to gain access to the crypto systems much more effectively due to existence of the corresponding hacking algorithms employing polynomial time as opposed to exponential. So increasing the length of the keys even by 1000 times does not look like a feasible solution. The emergence of the quantum computers will spur the migration to the newer crypto systems however costly and resource-intensive the process may be.

Besides, one has to keep in mind that the quantum-resistant system can only serve the purpose so long as a hacking algorithm for this particular system is not invented and used on QC. Therefore the quantum-resistant label does not guarantee 100% safety unless someone proves empirically that the security of such a system can not be breached.