You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

343 lines
13 KiB

  1. <!DOCTYPE html>
  2. <html lang="en">
  3. <head>
  4. <meta name="description" content="Notes on ring signatures" />
  5. <meta charset="utf-8">
  6. <title> bLSAG ring signatures overview - arnaucube - blog</title>
  7. <meta name="title" content=" bLSAG ring signatures overview - arnaucube - blog">
  8. <meta name="description" content="Notes on ring signatures">
  9. <meta property="og:title" content=" bLSAG ring signatures overview - arnaucube - blog" />
  10. <meta property="og:description" content="Notes on ring signatures" />
  11. <meta property="og:url" content="https://arnaucube.com/blog/ringsig.html" />
  12. <meta property="og:type" content="article" />
  13. <meta property="og:image" content="https://arnaucube.com/blog/" />
  14. <meta name="twitter:title" content=" bLSAG ring signatures overview - arnaucube - blog">
  15. <meta name="twitter:description" content="Notes on ring signatures">
  16. <meta name="twitter:image" content="https://arnaucube.com/blog/">
  17. <meta name="twitter:card" content="summary_large_image">
  18. <meta name="author" content="arnaucube">
  19. <link rel="icon" type="image/png" href="img/logoArnauCubeFavicon.png">
  20. <meta name="viewport" content="width=device-width, initial-scale=1">
  21. <link href="css/bootstrap.min.css" rel="stylesheet">
  22. <link rel="stylesheet" href="css/style.css">
  23. <!-- highlightjs -->
  24. <!-- <link rel="stylesheet" href="js/highlightjs/atom-one-dark.css"> -->
  25. <link rel="stylesheet" href="js/highlightjs/atom-one-light.css">
  26. <!-- <link rel="stylesheet" href="js/highlightjs/gruvbox-dark.css"> -->
  27. <script src="js/highlightjs/highlight.pack.js"></script>
  28. <!-- katex -->
  29. <link rel="stylesheet" href="js/katex/katex.min.css">
  30. </head>
  31. <body>
  32. <!-- o_gradient_background" -->
  33. <nav id="mainNav" class="navbar navbar-default navbar-fixed-top"
  34. style="height:50px;font-size:130%;">
  35. <div class="container">
  36. <div style="float:left;">
  37. <a href="/blog" style="color:#000;display:inline-block;">Blog index</a>
  38. <span style="margin-right:20px; margin-left:20px;">|</span>
  39. <a href="/blog/notes.html" style="font-size:90%;color:#000;display:inline-block;">other-notes</a>
  40. </div>
  41. <div style="float:right;">
  42. <a href="/" style="color:#000;display:inline-block;">arnaucube.com</a>
  43. <div class="onoffswitch" style="margin:10px;display:inline-block;" title="change theme">
  44. <input onclick="switchTheme()" type="checkbox" name="onoffswitch" class="onoffswitch-checkbox"
  45. id="themeSwitcher">
  46. <label class="onoffswitch-label" for="themeSwitcher"></label>
  47. </div>
  48. </div>
  49. </div>
  50. <img style="height:5px; width:100%; margin-top:8px;" src="img/gradient-line.jpg" />
  51. </nav>
  52. <div class="container" style="margin-top:40px;max-width:800px;">
  53. <h1>bLSAG ring signatures overview</h1>
  54. <p><em>2022-07-20</em></p>
  55. <blockquote>
  56. <p>Note: I’m not a mathematician, I’m just an amateur on math. These notes are just an attempt to try to sort the notes that I took while learning abut bLSAG.</p>
  57. </blockquote>
  58. <p><br>
  59. bLSAG: Back&rsquo;s Linkable Spontaneous Anonymous Group signatures</p>
  60. <ul>
  61. <li>signer ambiguity</li>
  62. <li>linkability</li>
  63. <li>unforgeability</li>
  64. </ul>
  65. <h3>Setup</h3>
  66. <p>Let <span class="math inline">\(G\)</span> be the generator of an EC group.
  67. We use a hash function <span class="math inline">\(\mathcal{H}_p\)</span>, which maps to curve points in EC, and a normal hash <span class="math inline">\(\mathcal{H}_n\)</span>, which maps to <span class="math inline">\(\mathbb{Z}_p\)</span>.
  68. Signer&rsquo;s key pair: <span class="math inline">\(k_{\pi}\)</span>, s.t. <span class="math inline">\(K_{\pi} = k_{\pi} \cdot G \in \mathcal{R}\)</span>, with secret index <span class="math inline">\(\pi\)</span>.
  69. Set of Public Keys: <span class="math inline">\(\mathcal{R} = \{ K_1, K_2, \ldots, K_n \}\)</span></p>
  70. <pre><code class="language-python">def new_key():
  71. k = F.random_element()
  72. K = g * k # g is the generator of the EC group
  73. return K
  74. </code></pre>
  75. <h3>Signature</h3>
  76. <ol>
  77. <li><p>compute key image: <span class="math inline">\(\tilde{K} = k_{\pi} \mathcal{H_p} ( K_{\pi}) \in G\)</span></p>
  78. <pre><code class="language-python">key_image = k * hashToPoint(K)
  79. </code></pre></li>
  80. <li><p>Generate <span class="math inline">\(\alpha \in^R \mathbb{Z}_p\)</span>, and <span class="math inline">\(r_i \in^R \mathbb{Z}_p\)</span>, for <span class="math inline">\(i \in \{1, 2, \ldots, n \}\)</span>, with <span class="math inline">\(i \neq \pi\)</span></p>
  81. <ul>
  82. <li><p><span class="math inline">\(r_i\)</span> is used for the fake responses</p>
  83. <pre><code class="language-python">a = F.random_element()
  84. r = [None] * len(R)
  85. for i in range(0, len(R)):
  86. if i==pi:
  87. continue
  88. r[i] = mod(F.random_element(), p)
  89. </code></pre></li>
  90. </ul></li>
  91. <li><p>Compute <span class="math inline">\(c_{\pi + 1} = \mathcal{H}_n ( m, [\alpha G], [\alpha \mathcal{H}_p(K_{\pi})])\)</span></p>
  92. <pre><code class="language-python">c[pi1] = hash(R, m, a * g, hashToPoint(R[pi]) * a, p)
  93. </code></pre></li>
  94. <li><p>for <span class="math inline">\(i=\pi + 1, \pi +2, \ldots, n, 1, 2, \ldots, \pi -1\)</span>, calculate, replacing <span class="math inline">\(n+1 \rightarrow 1\)</span>
  95. $<span class="math inline">\(
  96. c_{i+1} = \mathcal{H}_n (m, [r_i G + c_i K_i], [r_i \mathcal{H}_p (K_i) + c_i \tilde{K}])
  97. \)</span>$</p>
  98. <ul>
  99. <li>Notice that (from step 3 &amp; 4):<br>
  100. <span class="math inline">\(\alpha \mathcal{H}_p (K_{\pi}) = r_{\pi} \mathcal{H}_p (K_{\pi}) + c_{\pi} \cdot (\tilde{K})\)</span>,<br>
  101. where <span class="math inline">\(\tilde{K}= k_{\pi} \mathcal{H_p} ( K_{\pi})\)</span>, so:<br>
  102. <span class="math inline">\(\alpha \mathcal{H}_p (K_{\pi}) = r_{\pi} \mathcal{H}_p (K_{\pi}) + c_{\pi} \cdot (k_{\pi} \mathcal{H}_p(K_{\pi}))\)</span><br>
  103. which is equal to,<br>
  104. <span class="math inline">\(\alpha \cdot \mathcal{H}_p (K_{\pi}) = (r_{\pi} + c_{\pi} \cdot k_{\pi}) \cdot \mathcal{H}_p(K_{\pi})\)</span><br>
  105. From where we can see: <span class="math inline">\(\alpha = r_{\pi} + c_{\pi} \cdot k_{\pi}\)</span><br>
  106. which we can rearrange to
  107. <span class="math inline">\(r_{\pi} = \alpha - c_{\pi} \cdot k_{\pi}\)</span>.<br><br></li>
  108. </ul>
  109. <pre><code class="language-python">for j in range(0, len(R)-1):
  110. i = mod(pi1+j, len(R))
  111. i1 = mod(pi1+j +1, len(R))
  112. c[i1] = hash(R, m, r[i] * g + c[i] * R[i],
  113. r[i] * hashToPoint(R[i]) + c[i] * key_image, p)
  114. </code></pre></li>
  115. <li><p>Define <span class="math inline">\(r_{\pi} = \alpha - c_{\pi} k_{\pi} \mod{p}\)</span></p></li>
  116. </ol>
  117. <pre><code class="language-python">r[pi] = mod(a - c[pi] * k, p)
  118. </code></pre>
  119. <p>Signature: <span class="math inline">\(\sigma(m) = (c_1, r_1, \ldots, r_n)\)</span>, with key image <span class="math inline">\(\tilde{K}\)</span> and ring <span class="math inline">\(\mathcal{R}\)</span>.
  120. - <span class="math inline">\(len(\sigma(m)) = 1+n\)</span></p>
  121. <pre><code class="language-python">return [c[0], r]
  122. </code></pre>
  123. <p><br><br><br></p>
  124. <h4>Step by step (simplified):</h4>
  125. <div style="overflow:auto;">
  126. <div style="width: 60%; float:left; height: 360px; overflow-y:scroll;">
  127. <img src="img/posts/ring-sig/step00.png" style="width:100%;" />
  128. <img src="img/posts/ring-sig/step00.png" style="width:100%;" />
  129. <img src="img/posts/ring-sig/step01.png" style="width:100%;" />
  130. <img src="img/posts/ring-sig/step02.png" style="width:100%;" />
  131. <img src="img/posts/ring-sig/step03.png" style="width:100%;" />
  132. <img src="img/posts/ring-sig/step04.png" style="width:100%;" />
  133. <img src="img/posts/ring-sig/step05.png" style="width:100%;" />
  134. <img src="img/posts/ring-sig/step06.png" style="width:100%;" />
  135. </div>
  136. <div style="width: 40%; float:right; margin-top:80px;">
  137. <ul>
  138. <li>Generate $r_i \in^R \mathbb{Z_p}$</li>
  139. <li>Compute $c_{i+1}$ from $r_i$</li>
  140. <li>Link $r_{\pi}$ with $c_{\pi}$</li>
  141. </ul>
  142. </div>
  143. </div>
  144. <p><em>You can scroll down the images through the step-by-step diagrams.</em></p>
  145. <p><br></p>
  146. <p>It reminds in some way to the approach to close a box like the one in the picture:
  147. <img src="img//posts/ring-sig/box-closed.png" alt="" /></p>
  148. <p><br><br><br></p>
  149. <h3>Verification</h3>
  150. <ol>
  151. <li><p>check <span class="math inline">\(p \tilde{K} \stackrel{?}{=} 0\)</span></p>
  152. <ul>
  153. <li>to ensure that <span class="math inline">\(\tilde{K} \in G\)</span> (and not in a cofactor group of <span class="math inline">\(G\)</span>)</li>
  154. </ul></li>
  155. <li><p>for <span class="math inline">\(i = 1, 2, \ldots, n\)</span>, replacing <span class="math inline">\(n+1 \rightarrow 1\)</span>
  156. $<span class="math inline">\(
  157. c'_{i+1} = \mathcal{H}_n (m, [r_i G + c_i K_i], [r_i \mathcal{H}_p (K_i) + c_i \tilde{K}])
  158. \)</span>$</p></li>
  159. <li><p>check <span class="math inline">\(c_1 \stackrel{?}{=} c'_i\)</span></p>
  160. <pre><code class="language-python">c[0] = c1
  161. for j in range(0, len(R)):
  162. i = mod(j, len(R))
  163. i1 = mod(j+1, len(R))
  164. c[i1] = hash(R, m, r[i] * g + c[i] * R[i],
  165. r[i] * hashToPoint(R[i]) + c[i] * key_image, p)
  166. assert c1 == c[0]
  167. </code></pre></li>
  168. </ol>
  169. <p><br><br></p>
  170. <h2>Links</h2>
  171. <p>Toy implementation:</p>
  172. <ul>
  173. <li>Sage: <a href="https://github.com/arnaucube/math/blob/master/ring-signatures.sage">https://github.com/arnaucube/math/blob/master/ring-signatures.sage</a></li>
  174. <li>Rust: <a href="https://github.com/arnaucube/ring-signatures-rs">https://github.com/arnaucube/ring-signatures-rs</a></li>
  175. </ul>
  176. <p>Resources:</p>
  177. <ul>
  178. <li><em>&ldquo;Zero to Monero&rdquo;</em> - <a href="https://web.getmonero.org/library/Zero-to-Monero-2-0-0.pdf">https://web.getmonero.org/library/Zero-to-Monero-2-0-0.pdf</a>
  179. (section <em>&ldquo;3.4 Back’s Linkable Spontaneous Anonymous Group (bLSAG) signatures&rdquo;</em>)</li>
  180. </ul>
  181. </div>
  182. <footer style="text-align:center; margin-top:100px;margin-bottom:50px;">
  183. <div class="container">
  184. <br>
  185. <a href="/blog">Go to main</a>
  186. <br><br>
  187. <div class="row">
  188. <ul class="list-inline">
  189. <li><a href="https://twitter.com/arnaucube"
  190. style="color:gray;text-decoration:none;"
  191. target="_blank">twitter.com/arnaucube</a>
  192. </li>
  193. <li><a href="https://github.com/arnaucube"
  194. style="color:gray;text-decoration:none;"
  195. target="_blank">github.com/arnaucube</a>
  196. </li>
  197. </ul>
  198. </div>
  199. <div class="row" style="display:inline-block;">
  200. Blog made with <a href="http://github.com/arnaucube/blogo/"
  201. target="_blank" style="color: gray;text-decoration:none;">Blogo</a>
  202. </div>
  203. </div>
  204. </footer>
  205. <script>
  206. </script>
  207. <script src="js/external-links.js"></script>
  208. <script>hljs.initHighlightingOnLoad();</script>
  209. <script defer src="js/katex/katex.min.js"></script>
  210. <script defer src="js/katex/auto-render.min.js"></script>
  211. <script>
  212. document.addEventListener("DOMContentLoaded", function() {
  213. renderMathInElement(document.body, {
  214. displayMode: false,
  215. // customised options
  216. // • auto-render specific keys, e.g.:
  217. delimiters: [
  218. {left: '$$', right: '$$', display: true},
  219. {left: '$', right: '$', display: false},
  220. {left: "\\[", right: "\\]", display: true},
  221. {left: "\\(", right: "\\)", display: false},
  222. ],
  223. // • rendering keys, e.g.:
  224. throwOnError : true
  225. });
  226. });
  227. ///
  228. let theme = localStorage.getItem("theme");
  229. if ((theme === "light-theme")||(theme==null)) {
  230. theme = "light-theme";
  231. document.getElementById("themeSwitcher").checked = false;
  232. } else if (theme === "dark-theme") {
  233. theme = "dark-theme";
  234. document.getElementById("themeSwitcher").checked = true;
  235. }
  236. document.body.className = theme;
  237. localStorage.setItem("theme", theme);
  238. function switchTheme() {
  239. theme = localStorage.getItem("theme");
  240. if (theme === "light-theme") {
  241. theme = "dark-theme";
  242. document.getElementById("themeSwitcher").checked = true;
  243. } else {
  244. theme = "light-theme";
  245. document.getElementById("themeSwitcher").checked = false;
  246. }
  247. document.body.className = theme;
  248. localStorage.setItem("theme", theme);
  249. console.log(theme);
  250. }
  251. </script>
  252. <script>
  253. function tagLinks(tagName) {
  254. var tags = document.getElementsByTagName(tagName);
  255. for (var i=0, hElem; hElem = tags[i]; i++) {
  256. if (hElem.parentNode.className=="row postThumb") {
  257. continue;
  258. }
  259. hElem.id = hElem.innerHTML.toLowerCase().replace(" ", "-");
  260. hElem.innerHTML = "<a style='text-decoration:none;color:black;' href='#"+hElem.id+"'>"+hElem.innerHTML+"</a>";
  261. }
  262. }
  263. tagLinks("h2");
  264. tagLinks("h3");
  265. tagLinks("h4");
  266. tagLinks("h5");
  267. </script>
  268. <script src="js/mermaid.min.js"></script>
  269. </body>
  270. </html>