You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As h = H(L) * g, yk = xk * g, and y = xk * h, we can transform y to y = xk * H(L) * g = H(L) * xk * g = H(L) * yk which means that y, the key image, can be computed from the public key (and the list of all public keys). This makes identifying the signer of a ring signature trivial, as you simply need to check if the key image matches each of the public keys.
To fix this, you need to use a function that computes a curve point directly from a hash. There are several potential algorithms for this, such as:
As
h = H(L) * g
,yk = xk * g
, andy = xk * h
, we can transform y toy = xk * H(L) * g = H(L) * xk * g = H(L) * yk
which means that y, the key image, can be computed from the public key (and the list of all public keys). This makes identifying the signer of a ring signature trivial, as you simply need to check if the key image matches each of the public keys.To fix this, you need to use a function that computes a curve point directly from a hash. There are several potential algorithms for this, such as:
It also seems that I'm not the first person to find this issue in other implementations of the same algorithm: https://web.archive.org/web/20160218042108/shnoe.wordpress.com/2016/02/11/de-anonymizing-shadowcash-and-oz-coin/
The text was updated successfully, but these errors were encountered: