New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Linkable Ring Signature based on 1-Out-of-Many, no sender-detection #56
Comments
It's not clear to me if this could be directly adapted to Lelantus, since it uses double-blinded commitments (one term for the value and the other for the standard blinder). In particular, the Lelantus modification to the Groth 1-of-N proof no longer shows that the prover knows a single value Was there another application you were considering that does a more "traditional" approach to linkable ring signatures and would also permit proving transaction balance, as Lelantus does? |
Indeed, what I am describing is not a proposed modification for Lelantus, just something that occurred to me while examining one of its components, the One-Out-of-Many Proof protocol. The way I stated it may have suggested that it was a modification to Lelantus, but I meant to say it is a modification of the RS scheme found in the 1ofMany paper. Indeed, all I did was try to map out the components of an LSAG into the ring signature proposed in the 1ofMany paper so as to make it linkable and with a similar key image format currently used in Monero (i.e. involving A possible approach for transaction balancing: The way I am thinking about incorporating amounts into a transaction model that incorporates this scheme is just create coins that are pairs In order to spend this money, form a list of Next, decide on new outputs to be created, The signature: First let (For what it comes next, it may be worth looking at the protocol illustrated in figure 2, page 14 of the paper linked above. Also we are going from additive to multiplicative notation.) As mentioned before, to ensure that all the relevant computation happens with the corresponding points at the same index The values of After all those have been picked, the random oracle picks a challenge Analogous behavior: These are just some parallels that I found interesting. In LSAGs, the verifier is convinced that the commitment is to zero by verifying a signature from it. In LSAGs, we ensure that the signing key, is processed along with its corresponding linkability tag and Pedersen commitment buy aligning them in the verification steps. In LSAGs, the verifier is convinced that the key image is correct by looking at two equations, on different base points, that have the same coefficient relations. This is achieved by using the same coefficients In LSAGs, in the linking component, the prover provides a linking tag |
This idea could be extended to the multi-input case as well, of course. If I'm doing my counting correctly, a 2-input set of proofs (not including the necessary intermediate commitments used to show balance) would occupy 4.1 kB for N=128, and 5.3 kB for N=512. Verification is linear in the size of the anonymity set as usual, but commitments could be reused across inputs, and non-commitment generators can be reused and cached for faster batching operations. |
Here is some basic proof-of-concept code for this idea. It's only for research, so don't use it for any production purposes. |
Intuitively, this protocol should perform no worse than running 1ofMany three times: one for the signing keys, another for their linking components, and a third for the amounts. Of course, it already does less than that, since some of the computation is done only once already. So I was considering whether we can make the proof even more compact by adapting the CLSAG idea to this construction, that is: signing with a linear combination of the controlled keys, along with their corresponding keys w.r.t. the linking component. If this works here, then there would be one less set of Indeed, we are proving that for some index Using the above notation for the amount commitment to zero, i.e., if
As before, this is insecure, so we require instead that the above relation be satisfied for any random linear combination for those keys. That is, for any scalars
In practice, of course, What do you think? |
The algebra seems to check out. |
I believe we may be able to sign with several outputs at once, using a single ring! Please let me know what you think. (The starting point for what is suggested below is before the CLSAG-like ideas from my previous comment, so I suggest ignoring my previous comment on first reading this one. I haven't checked how the two might go together yet.) Recall: Let
is monic of degree Example: signing with two keys from the same ring: Suppose that the signer happens to also own another public key in that ring, of index
which is monic of degree So after subtracting away all contributions from the keys not controlled by the signer, it can use its knowledge of the discrete logarithm of those two points to produce a Indeed, if
This by itself seems like a plausible way to prove ownership of two of the keys in the ring. Involving the linking tags: As before, consider the corresponding ring of "public keys" Here we have to take the single
This break down of the discrete logarithm in two will be important for the linking component below, after we properly define their
for the linking component need to we use:
The final summation becomes:
The verifier, initially receiving Getting amounts involved: Suppose we have amount commitments associated with every key in the ring, so that in fact the ring looks like this: If we reuse the
In other words, passing a ring of amount commitments through this algorithm will produce a new commitment to the sum of the amounts of the selected commitments, multiplied by But this is good, because if the signer commits to the amount commitments it wants to create, say |
Another thing is that we may not have to communicate separately all the different
where:
The final sum
So, defining |
This commit contains some initial (and probably not secure) code to prove knowledge of openings to multiple commitments, along with the correct construction of the corresponding linking tags: SarangNoether/skunkworks@f0a1e1a |
Hi all.
I was reading the Lelantus paper to try to figure out a way to mitigate the sender detection problem with its key image format while retaining the good scaling properties, and ended up reading the One-Out-of-Many Proofs paper, which is one of its main components. I think that maybe the 1ofMnay construction could be used to yield another linkable ring signature using linking tags similar to current Monero key images, and that, due to their use of
Hp(.)
, cannot be detected by the sender.Here is my summarized understanding of what the One-Out-of-Many Proofs do, based on this version of the paper (mostly pages 11 through 14):
The proof takes in a collection of
2^n
points, such that, at a positionl
, is of the formc_l = g^r
(for some secretr
known only to the prover), and allows the prover to convince the verifier of his knowledge ofr
by producing a point whose discrete log wrt the base pointg
is:z_d := r*x^n + sum(\rho_k*x^k for k in [0,n-1])
.Notice that the value of the other commitments
c_i
do not affect the value ofz_d
. It only depends onr
and the\rho_k
's which were chosen randomly by the prover. Any contribution from the otherc_i
's only seem to affect only thec_dk
values, and those contributions are removed during the proof.As the paper mentions, producing such
z_d
in this manner can already be viewed as a (non-linkable) ring signature.Modified linkable scheme:
Now consider what would happen if we formed the auxiliary ring
(Hp(c_i))
, fori
in[0,2^n]
. At positionl
we haveHp(c_l)
, and if we could prove that the discrete log of that point with respect to some other point is alsor
using the same parameters as the first proof, then they both would output the samez_d
! And indeed, the pointJ
that satisfiesDL(Hp(c_l), J) = DL(c_l, g) = r
isJ := Hp(c_l)^(1/r)
, which is unlinkable toc_l
.J
will be the linking tag which, in the context of transactions, will be used to prevent double spend.At the beginning of the proof the prover provides
J
to the verifier, so they know to run the first part of the protocol wrt tog
(and stop right before the verifier would selectx
) and then repeat the procedure, replacingg
byJ
everywhere it occurs, but keeping the same parametersr_j, a_j, s_j, t_j
and\rho_k
. (In fact, the valuesr_j, a_j, s_j
andt_j
are only used to show that the indexl
committed is indeed a sequence of zeros and ones of sizen
and therefore this may be run only once to compute thef_j
's, which are just numbers. Indeed, it looks like the only thing that will incur an extra cost is computing the newc_dk
's.)Once once that is done, the random oracle picks a single random challenge value
x
that should be used in the two proofs. And if the prover has acted honestly, then the two values ofz_d
will match. (Correctness)If the prover messes with the
\rho_k
's orr
(when defining J) then, since thez_d
's will be different polynomials inx
, the chance of thez_d
values coinciding will be negligible. Also the indexl
will be the same, provided that the samef_i
's are used in both proofs (otherwise the same signer could produce multiple linking tags), so making sure that this happens is an important part of the verification. (So it seems plausible to me that this scheme will be unforgeable too, but it still requires proving, of course)Please let me know what you think.
The text was updated successfully, but these errors were encountered: