mirror of
https://github.com/arnaucube/blog.git
synced 2026-02-10 04:36:41 +01:00
small polishing, update fri-stir link
@@ -72,7 +72,7 @@
<h4>Blind signatures</h4>
<p>Few years ago I read about the RSA blind signatures scheme (thanks to <a href="https://futur.upc.edu/JuanBautistaHernandezSerrano">Juan Hernández</a> who discovered it to me) and I was amazed on such thing being possible. You can read the step by step of the <em>RSA blind signatures</em> scheme in <a href="https://en.wikipedia.org/wiki/Blind_signature#Blind_RSA_signatures">this Wikipedia article</a>.
<p>Few years ago I read about the RSA blind signatures scheme (thanks to <a href="https://futur.upc.edu/JuanHernandezSerrano">Juan Hernández</a> who discovered it to me) and I was amazed on such thing being possible. You can read the step by step of the <em>RSA blind signatures</em> scheme in <a href="https://en.wikipedia.org/wiki/Blind_signature#Blind_RSA_signatures">this Wikipedia article</a>.
The main idea is that one party has a message and blinds it, then sends the blinded message to a signer. The signer generates a signature of that blinded message, who sends it to the initial party, who unblinds the signature, obtaining a valid signature for the original message, while the signer does not know what it is signing, but the signature can be verified for the original message for the signer’s public key.</p>
<p><div style="text-align:center; font-size:80%;">
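Review bot: the only change in this hunk is the link target, /JuanBautistaHernandezSerrano to /JuanHernandezSerrano, and the commit message ("small polishing") does not say why; please confirm the new futur.upc.edu URL actually resolves before merging, since nothing else in the hunk lets a reviewer tell which form is right. Since the paragraph is being touched anyway, "who discovered it to me" and "amazed on such thing being possible" read as non-native; "who introduced it to me" and "amazed that such a thing is possible" would be clearer.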
@@ -167,6 +167,37 @@ func main() {
<p><em>Special thanks to <a href="https://github.com/dhole">@dhole</a> for reviewing this text.</em></p>
<h3>Update 2022-10-29: Schnorr Blind Signatures</h3>
<p><em>2022-10-29</em></p>
<p><a href="https://sites.google.com/site/vincenzoiovinoit/">Vincenzo Iovino</a> recently showed me the paper <a href="https://eprint.iacr.org/2019/877">https://eprint.iacr.org/2019/877</a>, which describes the <em>Blind Schnorr Signature</em>. This subsection describes it. The concepts and parties are the same, the difference is in the values computed.</p>
<p>The public parameters consist of a group <span class="math inline">\(\mathbb{G}\)</span> of order <span class="math inline">\(p\)</span> and generator <span class="math inline">\(G\)</span>, and a cryptographic hash function <span class="math inline">\(\mathcal{H} : \{0,1\}^* \rightarrow \mathbb{Z}_p\)</span>.</p>
<p>The private key of the Signer is a random scalar <span class="math inline">\(x \in \mathbb{Z}_p\)</span> and the corresponding public key is <span class="math inline">\(X = xG\)</span>.</p>
<p>Any User who wants to obtain a signature for some message <span class="math inline">\(m\)</span> without disclosing the content of that message to the Signer proceeds as follows:</p>
<ol>
<li>The User sends a signing request to the Signer. This request will typically be signed; thus the Signer knows whether the request is legitimate or not.</li>
<li>If the request is legitimate, the Signer generates a random <span class="math inline">\(r \in \mathbb{Z}_p\)</span>, computes <span class="math inline">\(R = rG\)</span> and sends <span class="math inline">\(R\)</span> to the User.</li>
<li>The User selects random scalars <span class="math inline">\(\alpha, \beta \in \mathbb{Z}_p\)</span>, computes the \emph{blinding factor} <span class="math inline">\(R' = R + \alpha G + \beta X\)</span>, sets <span class="math inline">\(c = \mathcal{H}(R', m) + \beta \bmod{p}\)</span> and sends <span class="math inline">\(c\)</span> to the Signer.</li>
<li>The Signer computes <span class="math inline">\(s = r + cx \bmod{p}\)</span> and sends <span class="math inline">\(s\)</span> to the User.</li>
<li>The User verifies that the value <span class="math inline">\(s\)</span> received is correct by verifying that <span class="math inline">\(sG = R + cX\)</span>. Setting <span class="math inline">\(s' = s + \alpha \bmod{p}\)</span>, the signature of the message <span class="math inline">\(m\)</span> is then <span class="math inline">\(\sigma = (R', s')\)</span>.</li>
</ol>
<p>Anyone can then verify the validity of the signature by checking the equality <span class="math inline">\(s'G \stackrel{?}{=} R' + \mathcal{H}(R', m)X\)</span>. To see why this must hold, we can unroll the equation:</p>
<p><span class="math display">\[
s'G = sG + \alpha G \\
= rG + cxG + \alpha G \\
= rG + (\mathcal{H}(R', m) + \beta) X + \alpha G \\
= R + \alpha G + \beta X + \mathcal{H}(R', m) X \\
= R' + \mathcal{H}(R', m) X
\]</span></p><p>Note that blind Schnorr signatures can be subject to so-called ROS (Random inhomogeneities in a Overdetermined Solvable system of linear equations) attacks, but these attacks can be defended against by forbidding parallel sessions.</p>
<p>An implementation of this scheme in Rust and also in R1CS circuits can be found at <a href="https://github.com/aragonzkresearch/ark-ec-blind-signatures">github.com/aragonzkresearch/ark-ec-blind-signatures</a> . We used this scheme in the <a href="https://github.com/aragonzkresearch/research/blob/main/blind-ovote/blind-ovote.pdf">Blind-OVOTE</a> project, a L2 validity rollup, which uses blind signatures over elliptic curves inside zkSNARK, to provide offchain anonymous voting with onchain binding execution on Ethereum.</p>
</div>
<footer style="text-align:center; margin-top:100px;margin-bottom:50px;">
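Review bot: step 3 of the new list uses LaTeX markup outside a math span, `computes the \emph{blinding factor}`, which will render literally in the HTML; use `<em>blinding factor</em>`. The term is also off: R' = R + αG + βX is the blinded commitment, while α and β are the blinding factors, so "computes the blinded value R' = ..." would be accurate. Minor: the ROS expansion should read "in an Overdetermined Solvable system", and the sentence saying the attack is avoided by forbidding parallel sessions would sit better next to step 2, since it constrains how the Signer hands out R (one open session at a time) rather than the verification equation it currently follows.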
@@ -90,10 +90,11 @@ ProtoGalaxy is a <em>folding scheme</em> which iterates on ideas from ProtoStar
</div>
</a><a href='https://raw.githubusercontent.com/arnaucube/math/master/notes_fri.pdf'><div class="row postThumb">
<h3>Notes on FRI (pdf)</h3>
</a><a href='https://raw.githubusercontent.com/arnaucube/math/master/notes_fri_stir.pdf'><div class="row postThumb">
<h3>Notes on FRI and STIR (pdf)</h3>
<p>This document contains notes on FRI low degree testing and the trick to convert it to a polynomial commitment scheme.</p>
<p>This document contains notes on FRI low degree testing and the trick to convert it to a polynomial commitment scheme.
(Update 2024-03-22: also few notes on STIR).</p>
<p><em>2023-02-26</em></p>
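Review bot: the added sentence "also few notes on STIR" should read "also a few notes on STIR". Beyond grammar, the link moves from notes_fri.pdf to notes_fri_stir.pdf in the arnaucube/math repository, so the old raw URL breaks for anyone who bookmarked or cited it unless the old file stays there too; if this commit pairs with a rename on the math side, consider leaving notes_fri.pdf in place as well.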
@@ -77,7 +77,7 @@ The paper is very well written and exposes the ideas very clearly, so it’s
<p>ProtoGalaxy is a <em>folding scheme</em> which iterates on ideas from <a href="https://eprint.iacr.org/2023/620">ProtoStar paper</a> (here you can find <a href="https://geometry.xyz/notebook/paper-speedrun-protostar">Geometry’s post</a> overviewing its main results and techniques).</p>
<p>For an introduction to <em>folding schemes</em> I highly recommend <a href="https://youtu.be/IzLTpKWt-yg?t=6367">this talk (at 1:46)</a> by <a href="https://twitter.com/CPerezz19">Carlos Perez</a>.</p>
<p>For an introduction to <em>folding schemes</em> I highly recommend <a href="https://youtu.be/IzLTpKWt-yg?t=6367">this talk (at 1:46)</a> by <a href="https://twitter.com/CPerezz19">Carlos Pérez</a>.</p>
<p>I would like to thank <a href="https://twitter.com/LiamEagen">Liam Eagen</a> and <a href="https://twitter.com/rel_zeta_tech">Ariel Gabizon</a> for their kind explanations on the scheme.
Also thanks to <a href="https://twitter.com/kiliconu">Onur</a> for comments and corrections.</p>
@@ -192,14 +192,14 @@ While, when we evaluate $L_2(X)$ at for example $\omega^1$, we will obtain a $0$
<p>The way to check that the lemma is true for me was to implement it with code and check that it is satisfied. This is not a proper way, so luckily later <a href="https://hecmas.github.io">Héctor Masip</a> showed me an actual proof of this lemma, which goes as follows:</p>
<p>Recall from the <a href="https://en.wikipedia.org/wiki/Polynomial_greatest_common_divisor#Euclidean_division">euclidean polynomial division</a>:</p>
<p>Recall from the <a href="https://en.wikipedia.org/wiki/Polynomial_greatest_common_divisor#Euclidean_division">Euclidean polynomial division</a>:</p>
<blockquote>
<p>For <span class="math inline">\(f(X), g(X) \in \mathbb{F}[X]\)</span> with <span class="math inline">\(\deg f \geq \deg g\)</span>, <span class="math inline">\(\exists\)</span> unique polynomials <span class="math inline">\(q(X), r(X) \in \mathbb{F}[X]\)</span> such that <span class="math inline">\(f(X) = g(X) q(X) + r(X)\)</span>, with <span class="math inline">\(0 \leq \deg r < \deg g\)</span>.</p>
</blockquote>
<p>Thus,</p>
<p><span class="math display">\[f(\sum_{i=0}^k a_i \cdot L_i(X)) = Q(X) \cdot Z(X) + r(X)\]</span></p><p>with <span class="math inline">\(0 \leq \deg r < \deg z = k+1\)</span>.</p>
<p><span class="math display">\[f(\sum_{i=0}^k a_i \cdot L_i(X)) = Q(X) \cdot Z(X) + r(X)\]</span></p><p>with <span class="math inline">\(0 \leq \deg r < \deg Z = k+1\)</span>.</p>
<p>So, when evaluating at <span class="math inline">\(a_j, ~\forall j=0, \ldots, k\)</span>,</p>
<p><span class="math display">\[f(\sum_{i=0}^k a_i \cdot L_i(a_j)) = f(a_j) = \underbrace{Q(a_j) \cdot Z(a_j)}_{0} + r(a_j)\]</span></p><p>so <span class="math inline">\(f(a_j)=r(a_j)\)</span>, therefore</p>
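Review bot: the `\deg z` to `\deg Z` fix is right and now matches the `Z(X)` in the display just above it, and capitalising "Euclidean" is correct. Two points in the unchanged context of this hunk: the blockquote requires `\deg f \geq \deg g`, but Euclidean division needs only g ≠ 0 (when deg f < deg g, q = 0 and r = f), and the bound `0 \leq \deg r < \deg g` does not cover the case r = 0, whose degree is conventionally undefined or -∞; writing "r = 0 or deg r < deg g" states the lemma without the edge case.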
@@ -259,7 +259,7 @@ F(X) := \sum_{i \in [n]} pow_i(
\\
\text{\scriptsize{representation of the new random vector over $X$}}
\\
\text{\scriptsize{where $\overrightarrow{\eta}=\{ \beta+X \delta, \beta^2 + X \delta^2, \beta^4 +X \delta^4, \ldots, \beta^{2^{t-1}} + X \delta^{2^{t-1}} \}$}}
\text{\scriptsize{where $\overrightarrow{\eta}=\{ \beta+X \delta, (\beta + X \delta)^2, (\beta +X \delta)^4, \ldots, (\beta + X \delta)^{2^{t-1}} \}$}}
\\
= \sum_{i \in [n]}
pow_i(\textcolor{orange}{\overrightarrow{\eta}})
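Review bot: the corrected entry list makes `\overrightarrow{\eta}` the successive squarings of the single element β + Xδ, i.e. each entry is the square of the one before it, which is the pattern the vector needs for the `pow_i(\overrightarrow{\eta})` sum on the following lines to be well defined; the previous entries β^{2^j} + Xδ^{2^j} were not squares of the first entry, so the stated equality did not hold. With that change, the caption line "representation of the new random vector over X" could be tightened to "powers of the new random value β + Xδ", since the vector is now determined entirely by that one value.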