-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add multi-evaluation support #1
Comments
Hey Jeff, Yep, that all sounds about right, also discussed this briefly with @mmaller. I'm out for the next few weeks, and I would be interested in following up on this when I get back! |
It'd support some roll up for your randomness beacon too, which sounds more immediately useful. |
In this vein, one could similarly do threshold decryption by replacing Z by a sender controlled scalar multiple of G_1, but then senders much include a proof-of-knowledge of Z, and you've a nice partially batched proof of correct decryption too. It's slightly inferior to straight IBE-like designs like https://eprint.iacr.org/2020/638 or scalar threshold IBE itself, but still fairly nice. |
If I read the protocol correctly, one signer could sign numerous messages simultaneously, like in BLS, using the same alpha and beta, and the same point not involving the hash Z, but supplying numerous π_2 and π_4 points. All messages could then be verified simultaneously by using Z = Σ_i Z_i and π_2 = Σ_i π_{2,i} and π_4 = Σ_i π_{4,i}. In this variant, adversaries could forge signatures on linear combinations of Z, and similarly malicious signers could play games, but this should yield nothing useful.
This looks useful because users could pay to query the threshold VRF alongside the randomness beacon.
Ideally one wants slightly more than this: Users should query for secret evaluations. We could implement secrecy by users providing a SNARK on BW6 that secretly evaluates the hash-to-curve on BLS12-377 and multiplies by a blinding scalar. Again this should yield security for this scheme.
I'm unsure if this make sense as some brain wallet recovery method, but it should definitely makes sense for public rendezvous protocols, like SecureDrop or the Panda protocol in Pond.
The text was updated successfully, but these errors were encountered: