The crypto-currency Monero is about to introduce a new milestone in blockchain technology: RingCT.
This is a scheme that allows using Confidential Transactions (CT) while keeping the non-interactive coin mixing (ring signatures) typical of Monero.
CT hides the transaction amounts from anyone but sender and receiver, while full nodes are still able to verify that the input amounts sum to the output amounts, i.e. that no coins are created.
RingCT is currently not active in Monero; it is designed to be introduced in a hard fork in early January.
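To make the verification step concrete, here is an added example (not code from this post, from Monero or from libsecp256k1) of the Pedersen commitment arithmetic that CT relies on. It uses a tiny multiplicative group modulo a constructed, insecure toy prime instead of secp256k1 so that it runs without dependencies; the amounts and blinding factors are constructed sample values. It also shows the wraparound case that makes a range proof necessary in the first place.

```python
"""Toy Pedersen-commitment demo of what Confidential Transactions verify.

Added illustration, not Monero/libsecp256k1 code. Group: the order-q
subgroup of Z_p^* for the toy safe prime p = 2q + 1 below. These parameters
are constructed for readability and are NOT secure (discrete logs are
trivial here), but the algebra is the same as on secp256k1.
"""

P = 1019  # toy safe prime, p = 2q + 1
Q = 509   # prime order of the subgroup in which commitments live
# Two generators of the order-q subgroup (both are squares mod p). In a real
# system nobody may know log_G(H); H = 9 is merely an illustrative choice.
G = 4
H = 9


def commit(value: int, blinding: int) -> int:
    """Pedersen commitment C = G^value * H^blinding (mod p).

    Written multiplicatively; on secp256k1 this is the point vG + rH.
    Exponents are taken mod q, the group order.
    """
    return (pow(G, value % Q, P) * pow(H, blinding % Q, P)) % P


def product(commitments) -> int:
    acc = 1
    for c in commitments:
        acc = acc * c % P
    return acc


def verify_balance(input_commitments, output_commitments) -> bool:
    """What a full node checks: only the commitments, never the amounts.

    prod(inputs) == prod(outputs) holds iff sum(v_in) == sum(v_out) (mod q)
    and sum(r_in) == sum(r_out) (mod q), because G and H are independent.
    """
    return product(input_commitments) == product(output_commitments)


def balance_blindings(input_blindings, output_blindings_but_last):
    """Sender side: the last output's blinding factor is chosen so that
    sum(r_out) == sum(r_in) (mod q); only then can honest commitments balance."""
    last = (sum(input_blindings) - sum(output_blindings_but_last)) % Q
    return list(output_blindings_but_last) + [last]


def make_tx(inputs, output_values, output_blindings_but_last):
    """inputs: list of (value, blinding). Returns (input_commits, output_commits)."""
    in_commits = [commit(v, r) for v, r in inputs]
    out_blindings = balance_blindings([r for _, r in inputs], output_blindings_but_last)
    out_commits = [commit(v, r) for v, r in zip(output_values, out_blindings)]
    return in_commits, out_commits


# Constructed sample: two spent outputs worth 65 in total, with sample blindings.
INPUTS = [(40, 123), (25, 77)]


def honest_tx():
    # 50 + 15 == 65: balances, and the verifier never learns 50 or 15.
    return make_tx(INPUTS, [50, 15], [311])


def inflated_tx():
    # 50 + 20 == 70 != 65: no choice of blinding factors can make this balance.
    return make_tx(INPUTS, [50, 20], [311])


def wraparound_tx():
    # 70 + (q - 5) == 65 (mod q): balances arithmetically although one output
    # is worth 70 > 65. Commitments alone cannot rule this out; that is exactly
    # why every output needs a range proof, the component whose ring signature
    # (ASNL) this post is about.
    return make_tx(INPUTS, [70, Q - 5], [311])


if __name__ == "__main__":
    print("honest     :", verify_balance(*honest_tx()))      # True
    print("inflated   :", verify_balance(*inflated_tx()))    # False
    print("wraparound :", verify_balance(*wraparound_tx()))  # True, hence range proofs
```

The verifier multiplies commitments and compares; it sees neither amounts nor blinding factors. The third case passes the balance check with an output worth more than all inputs combined, which is why CT is only sound together with a proof that every committed amount lies in a small range. A flaw in that proof, not in the commitment arithmetic, is what the rest of this post is about.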
I am a complete outsider to Monero and especially the Monero development community, but having reviewed the CT design and implementation (in libsecp256k1) extensively during my day job, I was very interested in the design decisions underlying RingCT.
Very quickly I found a red flag in the ring signature scheme called ASNL that is used in the range proofs.
This scheme is a new contribution of the RingCT paper, and it indeed turned out to be exploitable: an attacker would be able to create coins from nothing.
You can find the exploit code on GitHub and a detailed explanation in this post.
While writing the exploit code and preparing this blog post I learned that an anonymous person called RandomRun reported a flaw in the security proof of ASNL, which convinced the Monero devs to publish a bugfix release that switches to Borromean signatures (good call!).
As a result the upcoming hard fork will not be vulnerable to this exploit.
Interestingly, the error in the security proof is exactly the flip-side of the vulnerability discussed in this post.
EDIT: The Monero community reacted to this article (see reddit), but they didn't like its style. Also, they got the timeline of the discovery of the bug wrong.