<p>Few years ago I read about the RSA blind signatures scheme (thanks to <ahref="https://futur.upc.edu/JuanBautistaHernandezSerrano">Juan Hernández</a> who discovered it to me) and I was amazed on such thing being possible. You can read the step by step of the <em>RSA blind signatures</em> scheme in <ahref="https://en.wikipedia.org/wiki/Blind_signature#Blind_RSA_signatures">this Wikipedia article</a>.
<p>Few years ago I read about the RSA blind signatures scheme (thanks to <ahref="https://futur.upc.edu/JuanHernandezSerrano">Juan Hernández</a> who discovered it to me) and I was amazed on such thing being possible. You can read the step by step of the <em>RSA blind signatures</em> scheme in <ahref="https://en.wikipedia.org/wiki/Blind_signature#Blind_RSA_signatures">this Wikipedia article</a>.
The main idea is that one party has a message and blinds it, then sends the blinded message to a signer. The signer generates a signature of that blinded message, who sends it to the initial party, who unblinds the signature, obtaining a valid signature for the original message, while the signer does not know what it is signing, but the signature can be verified for the original message for the signer’s public key.</p>
<p><divstyle="text-align:center; font-size:80%;">
@ -167,6 +167,37 @@ func main() {
<p><em>Special thanks to <ahref="https://github.com/dhole">@dhole</a> for reviewing this text.</em></p>
<p><ahref="https://sites.google.com/site/vincenzoiovinoit/">Vincenzo Iovino</a> recently showed me the paper <ahref="https://eprint.iacr.org/2019/877">https://eprint.iacr.org/2019/877</a>, which describes the <em>Blind Schnorr Signature</em>. This subsection describes it. The concepts and parties are the same, the difference is in the values computed.</p>
<p>The public parameters consist of a group <spanclass="math inline">\(\mathbb{G}\)</span> of order <spanclass="math inline">\(p\)</span> and generator <spanclass="math inline">\(G\)</span>, and a cryptographic hash function <spanclass="math inline">\(\mathcal{H} : \{0,1\}^* \rightarrow \mathbb{Z}_p\)</span>.</p>
<p>The private key of the Signer is a random scalar <spanclass="math inline">\(x \in \mathbb{Z}_p\)</span> and the corresponding public key is <spanclass="math inline">\(X = xG\)</span>.</p>
<p>Any User who wants to obtain a signature for some message <spanclass="math inline">\(m\)</span> without disclosing the content of that message to the Signer proceeds as follows:</p>
<ol>
<li>The User sends a signing request to the Signer. This request will typically be signed; thus the Signer knows whether the request is legitimate or not.</li>
<li>If the request is legitimate, the Signer generates a random <spanclass="math inline">\(r \in \mathbb{Z}_p\)</span>, computes <spanclass="math inline">\(R = rG\)</span> and sends <spanclass="math inline">\(R\)</span> to the User.</li>
<li>The User selects random scalars <spanclass="math inline">\(\alpha, \beta \in \mathbb{Z}_p\)</span>, computes the \emph{blinding factor} <spanclass="math inline">\(R' = R + \alpha G + \beta X\)</span>, sets <spanclass="math inline">\(c = \mathcal{H}(R', m) + \beta \bmod{p}\)</span> and sends <spanclass="math inline">\(c\)</span> to the Signer.</li>
<li>The Signer computes <spanclass="math inline">\(s = r + cx \bmod{p}\)</span> and sends <spanclass="math inline">\(s\)</span> to the User.</li>
<li>The User verifies that the value <spanclass="math inline">\(s\)</span> received is correct by verifying that <spanclass="math inline">\(sG = R + cX\)</span>. Setting <spanclass="math inline">\(s' = s + \alpha \bmod{p}\)</span>, the signature of the message <spanclass="math inline">\(m\)</span> is then <spanclass="math inline">\(\sigma = (R', s')\)</span>.</li>
</ol>
<p>Anyone can then verify the validity of the signature by checking the equality <spanclass="math inline">\(s'G \stackrel{?}{=} R' + \mathcal{H}(R', m)X\)</span>. To see why this must hold, we can unroll the equation:</p>
<p><spanclass="math display">\[
s'G = sG + \alpha G \\
= rG + cxG + \alpha G \\
= rG + (\mathcal{H}(R', m) + \beta) X + \alpha G \\
= R + \alpha G + \beta X + \mathcal{H}(R', m) X \\
= R' + \mathcal{H}(R', m) X
\]</span></p><p>Note that blind Schnorr signatures can be subject to so-called ROS (Random inhomogeneities in a Overdetermined Solvable system of linear equations) attacks, but these attacks can be defended against by forbidding parallel sessions.</p>
<p>An implementation of this scheme in Rust and also in R1CS circuits can be found at <ahref="https://github.com/aragonzkresearch/ark-ec-blind-signatures">github.com/aragonzkresearch/ark-ec-blind-signatures</a> . We used this scheme in the <ahref="https://github.com/aragonzkresearch/research/blob/main/blind-ovote/blind-ovote.pdf">Blind-OVOTE</a> project, a L2 validity rollup, which uses blind signatures over elliptic curves inside zkSNARK, to provide offchain anonymous voting with onchain binding execution on Ethereum.</p>
@ -77,7 +77,7 @@ The paper is very well written and exposes the ideas very clearly, so it’s
<p>ProtoGalaxy is a <em>folding scheme</em> which iterates on ideas from <ahref="https://eprint.iacr.org/2023/620">ProtoStar paper</a> (here you can find <ahref="https://geometry.xyz/notebook/paper-speedrun-protostar">Geometry’s post</a> overviewing its main results and techniques).</p>
<p>For an introduction to <em>folding schemes</em> I highly recommend <ahref="https://youtu.be/IzLTpKWt-yg?t=6367">this talk (at 1:46)</a> by <ahref="https://twitter.com/CPerezz19">Carlos Perez</a>.</p>
<p>For an introduction to <em>folding schemes</em> I highly recommend <ahref="https://youtu.be/IzLTpKWt-yg?t=6367">this talk (at 1:46)</a> by <ahref="https://twitter.com/CPerezz19">Carlos Pérez</a>.</p>
<p>I would like to thank <ahref="https://twitter.com/LiamEagen">Liam Eagen</a> and <ahref="https://twitter.com/rel_zeta_tech">Ariel Gabizon</a> for their kind explanations on the scheme.
Also thanks to <ahref="https://twitter.com/kiliconu">Onur</a> for comments and corrections.</p>
@ -192,14 +192,14 @@ While, when we evaluate $L_2(X)$ at for example $\omega^1$, we will obtain a $0$
<p>The way to check that the lemma is true for me was to implement it with code and check that it is satisfied. This is not a proper way, so luckily later <ahref="https://hecmas.github.io">Héctor Masip</a> showed me an actual proof of this lemma, which goes as follows:</p>
<p>Recall from the <ahref="https://en.wikipedia.org/wiki/Polynomial_greatest_common_divisor#Euclidean_division">euclidean polynomial division</a>:</p>
<p>Recall from the <ahref="https://en.wikipedia.org/wiki/Polynomial_greatest_common_divisor#Euclidean_division">Euclidean polynomial division</a>:</p>
<blockquote>
<p>For <spanclass="math inline">\(f(X), g(X) \in \mathbb{F}[X]\)</span> with <spanclass="math inline">\(\deg f \geq \deg g\)</span>, <spanclass="math inline">\(\exists\)</span> unique polynomials <spanclass="math inline">\(q(X), r(X) \in \mathbb{F}[X]\)</span> such that <spanclass="math inline">\(f(X) = g(X) q(X) + r(X)\)</span>, with <spanclass="math inline">\(0 \leq \deg r < \deg g\)</span>.</p>
