The goal of this bounty is to implement discrete log equality (DLEQ) proofs in Cashu.
This will enable three concrete things:
1. The user Alice can make sure that the token she received from the mint Bob was indeed signed by Bob and not by a man-in-the-middle.
2. Alice can be sure that Bob has used the same private key for signing her token that it used, say, the day before. Otherwise, Bob could secretly use a special private key for every single token it signs, undermining the privacy of the entire setup by collapsing the anonymity set to 1.
3. In combination with P2SH, this will enable secure offline token transfers from Alice to Carol without Carol having to redeem the tokens immediately to be sure that the signatures haven't been forged by Alice.
Cryptography
To quote from the original gist of Ruben Somsen (note that Alice and Bob have been swapped below because in the notation of Cashu, Alice is the user and Bob is the mint):
The protocol also has one additional weakness that can be addressed. Bob can't be certain that C' was correctly generated and thus corresponds to a*B' . Alice can resolve this by also supplying a discrete log equality proof (DLEQ), showing that a in A = a*G is equal to a in C' = a*B'. This equality can be proven with a relatively simple Schnorr signature, as described below.
Step 1
These steps occur when Bob (the mint) returns the blinded signature C':
Bob:
r = random nonce
R1 = r*G
R2 = r*B'
e = hash(R1,R2,A,C')
s = r + e*a
return e, s
Step 2
The wallet (Alice) validates DLEQ proofs once it receives the blinded signature:
Alice:
R1 = e*A - s*G
R2 = e*C'- s*B'
e == hash(R1,R2,A,C')
If true, a in A = a*G must be equal to a in C' = a*B'
Step 3
When a token is transferred from Alice to Carol, Carol executes the same steps as Alice in Step 2 to validate that the tokens from Alice are indeed signed by Bob.
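The three steps above, worked through end to end as an added example (this is illustration code, not the Cashu project's implementation). It assumes secp256k1 with a minimal pure-Python affine point implementation, assumes that hash(R1,R2,A,C') is SHA-256 over the compressed encodings of the four points (the issue does not fix an encoding), and constructs B' as a random curve point instead of deriving it from a token secret. The verifier recomputes R1 = s*G - e*A and R2 = s*B' - e*C', which is the direct rearrangement of s = r + e*a (s*G = r*G + e*a*G = R1 + e*A); on an elliptic curve the order of the subtraction matters, because -R1 has a different encoding than R1 and so hashes to a different challenge. The demo also shows the property from bounty goal 2: a mint that signs with a key other than the one behind the published A cannot produce a proof that passes.

```python
import hashlib
import secrets

# secp256k1 domain parameters (assumed curve for this example)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result = None
    k %= N
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def point_sub(p1, p2):
    """p1 - p2, by adding the negation of p2."""
    return point_add(p1, None if p2 is None else (p2[0], (-p2[1]) % P))


def hash_e(*points):
    """e = hash(R1, R2, A, C'): SHA-256 over compressed point encodings (assumed encoding)."""
    h = hashlib.sha256()
    for x, y in points:
        h.update(bytes([2 + (y & 1)]) + x.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % N


def dleq_prove(a, B_prime, nonce=None):
    """Step 1 (Bob, the mint): sign B' with key a and return (C', e, s)."""
    C_prime = point_mul(a, B_prime)
    r = nonce if nonce is not None else secrets.randbelow(N - 1) + 1
    R1 = point_mul(r, G)
    R2 = point_mul(r, B_prime)
    e = hash_e(R1, R2, point_mul(a, G), C_prime)
    s = (r + e * a) % N
    return C_prime, e, s


def dleq_verify(A, B_prime, C_prime, e, s):
    """Steps 2 and 3 (Alice, and later Carol): recompute R1, R2 and check the challenge.
    From s = r + e*a follows s*G = R1 + e*A, hence R1 = s*G - e*A; likewise for R2."""
    R1 = point_sub(point_mul(s, G), point_mul(e, A))
    R2 = point_sub(point_mul(s, B_prime), point_mul(e, C_prime))
    if R1 is None or R2 is None:
        return False
    return hash_e(R1, R2, A, C_prime) == e


def demo():
    """Honest mint passes; a mint signing with a key that does not match A fails."""
    a = secrets.randbelow(N - 2) + 1                      # Bob's published key a, A = a*G
    A = point_mul(a, G)
    B_prime = point_mul(secrets.randbelow(N - 1) + 1, G)  # constructed blinded message B'
    C_prime, e, s = dleq_prove(a, B_prime)
    honest_ok = dleq_verify(A, B_prime, C_prime, e, s)

    a_rogue = (a + 1) % N                                  # per-token key that is not a
    C_rogue, e2, s2 = dleq_prove(a_rogue, B_prime)
    rogue_ok = dleq_verify(A, B_prime, C_rogue, e2, s2)   # Alice checks against the published A
    return honest_ok, rogue_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Carol runs exactly `dleq_verify` with the same (A, B', C', e, s) she receives alongside the token, which is why Step 3 needs no extra protocol: the proof is transferable as long as Alice forwards the values Bob returned.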
callebtc changed the title from "Bounty: Impelment DLEQ proofs for client-side mint signature validation" to "Bounty: Implement DLEQ proofs for client-side mint signature validation" on Oct 20, 2022
This is a bounty offered by the Nodesignal Podcast; the developer who provides this functionality will receive a 250,000 sats bounty. More information about the bounty program can be found here:
https://nodesignal.space/spenden-bitcoin-bounties/