
Expose Borromean ring signature and de-anonymization functionality #110

Open
wants to merge 2 commits into
base: master

Conversation

apoelstra
Contributor

Fixes #109

Contributor

@jonasnick jonasnick left a comment


Fwiw, this API worked just fine for taproot-ringsig.

@apoelstra
Contributor Author

Nice :).

One design point though -- since we have to nail down the stream cipher to make the anonymity revocation work in the future, maybe we should switch to chacha rather than sha2_hmac? It'd be much much faster.

@apoelstra
Contributor Author

Also worth considering whether we should expose an encryption API for this too.

@real-or-random
Collaborator

real-or-random commented Dec 3, 2020

> Nice :).
>
> One design point though -- since we have to nail down the stream cipher to make the anonymity revocation work in the future, maybe we should switch to chacha rather than sha2_hmac? It'd be much much faster.

I haven't looked at the PR so far but we need to think about the properties we require from the function that maps a seed to the coefficients. The function still needs to be a PRG simply because we need random coefficients.

I think for security against "false claims" of not being the signer, we need only preimage resistance and AFAIU, the text quoted in #109 is essentially arguing that any function {0,1}^s -> {0,1}^n from a short seed of s bits to a much longer output of n bits is statistically preimage-resistant: Given a random element of {0,1}^n, it has a preimage with probability at most 2^(s-n).

> Also worth considering whether we should expose an encryption API for this too.

Encryption API for what exactly?

@apoelstra
Contributor Author

I didn't realize that chacha was biased and could not be used as a PRG. Will need to address this in the Bulletproofs PR as well.

The encryption API lets you hide data inside the rangeproof by xoring it with the PRG output.

@real-or-random
Collaborator

> I didn't realize that chacha was biased and could not be used as a PRG. Will need to address this in the Bulletproofs PR as well.

Wait, who said that ChaCha is biased?

> The encryption API lets you hide data inside the rangeproof by xoring it with the PRG output.

Ah yes, that will be neat.
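The three pieces discussed above, sketched as an added toy example in Python. This is not the secp256k1-zkp code or API and the function names are hypothetical: a seed-to-scalar PRG (HMAC-SHA256 in counter mode standing in for sha2_hmac), the encryption idea of XORing a message into the PRG output, and revocation by revealing the seed so a verifier can recompute the stream.

```python
import hmac
import hashlib

# Added illustration, not the secp256k1-zkp API: the function names are hypothetical.
SECP256K1_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def prg_stream(seed: bytes, nbytes: int) -> bytes:
    """Expand a short seed into nbytes of output using HMAC-SHA256 in counter mode,
    standing in for the sha2_hmac option discussed in the thread."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


def derive_scalars(seed: bytes, count: int) -> list:
    """Map the seed to `count` ring-signature scalars: 32 bytes each, reduced mod the
    group order (reduction bias is negligible, the order is within 2^-128 of 2^256)."""
    stream = prg_stream(seed, 32 * count)
    return [int.from_bytes(stream[32 * i:32 * i + 32], "big") % SECP256K1_ORDER
            for i in range(count)]


def embed_message(seed: bytes, message: bytes, total: int) -> bytes:
    """The 'encryption API' idea: XOR a length-prefixed message into the PRG output.
    Bytes beyond the message stay plain PRG output, so the blob still looks random."""
    if not 0 < total <= 256 or len(message) > total - 1:
        raise ValueError("message does not fit in the stream")
    plain = bytes([len(message)]) + message
    plain += b"\x00" * (total - len(plain))
    return bytes(a ^ b for a, b in zip(prg_stream(seed, total), plain))


def recover_message(seed: bytes, blob: bytes) -> bytes:
    """Strip the mask with the same seed and read the length prefix back."""
    plain = bytes(a ^ b for a, b in zip(prg_stream(seed, len(blob)), blob))
    return plain[1:1 + plain[0]]


def verify_seed_claim(seed: bytes, observed: bytes) -> bool:
    """Anonymity revocation: the claimed signer reveals the seed and the verifier recomputes
    the stream. For an s-bit seed and n-bit observed output, a non-signer's random string
    has a preimage with probability at most 2^(s-n), the 'false claim' bound from the thread."""
    return hmac.compare_digest(prg_stream(seed, len(observed)), observed)
```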

@apoelstra
Contributor Author

> Wait, who said that ChaCha is biased?

I am quoting https://tools.ietf.org/html/rfc8439#page-20 which says

> Additionally, unlike HMAC, Poly1305 is biased, so using it for key derivation would reduce the security of the symmetric encryption.

@apoelstra
Contributor Author

Oh, I'm an idiot, it says in the next sentence that chacha20 would be fine but that is not what some particular use case needs, so they don't specify it in the RFC.

How could something be a stream cipher but not a PRG?

@jonasnick jonasnick closed this Jan 12, 2021
@jonasnick jonasnick deleted the branch BlockstreamResearch:master January 12, 2021 20:28
@jonasnick
Contributor

Sorry this was automatically closed. PR needs to be reopened against the master branch.

@apoelstra
Contributor Author

All good. I will reopen. Looks like github won't let me retarget the same PR so we'll lose the comments, but given that they're mostly me being confused about chacha, that's not a big loss.

@jonasnick jonasnick reopened this Jan 12, 2021
@apoelstra apoelstra changed the base branch from secp256k1-zkp to master January 12, 2021 20:38
Successfully merging this pull request may close these issues.

Expose ring signatures including verifiable anonymity revocation