gmaxwell (Moderator, Legendary; Activity: 3178, Merit: 4301)

[Crypto] Borromean ringsig: Efficiently proving knowledge for monotone functions
June 02, 2015, 07:07:36 AM (last edit: June 02, 2015, 07:47:27 AM by gmaxwell) #1



https://github.com/Blockstream/borromean_paper/raw/master/borromean_draft_0.01_34241bb.pdf

Some here may be interested in a new cryptosystem I've been working on which efficiently and privately proves the knowledge of secrets according to a policy defined by an AND/OR network:

This new ring-signature is asymptotically 2x more efficient than the one used in Monero/Bytecoin: It needs n_pubkeys+1 field elements in the signature instead of 2 * n_pubkeys. In particular, it retains this 2x efficiency gain when doing an AND of many smaller rings, because the +1 term is amortized across all of them.

The paper also describes a new way to think about ring signatures, which might be helpful to anyone who has looked at them before and found them confusing. (If we were successful, you'll think the new construction was so simple that it was completely obvious; I can assure you it was not... fortunately Andrew Poelstra came up with an especially good way to explain it.)

While the connection to Bitcoin may not be immediately obvious, I've used this as a building block in a much larger and more applicable cryptosystem which I'll be publishing, complete with implementation, shortly (I'm trying to not flood people with too many new ideas built on new ideas all at once, and I'm still working on the description of the other constructions). I think this construction is interesting in its own right, and I'd be happy to learn if someone knows of this being previously published (though I was unable to find anything prior).
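To make the "n_pubkeys+1 scalars, shared across an AND of rings" point concrete, here is an added example (not code from the paper, from gmaxwell, or from Blockstream): a minimal Borromean ring signature over secp256k1 in pure Python, where every ring's challenge chain starts from one shared e0 and the signature is e0 plus one s value per public key. The hash-to-scalar encoding, the (ring, index) domain separation and the plain affine point arithmetic are this example's own choices, not the paper's serialization.

```python
import hashlib, secrets
# secp256k1 parameters; affine points are (x, y) tuples, None is the point at infinity
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def add(A, B):  # textbook affine addition/doubling (curve a = 0)
    if A is None or B is None: return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    l = (3 * A[0] ** 2 * pow(2 * A[1], -1, P) if A == B
         else (B[1] - A[1]) * pow(B[0] - A[0], -1, P)) % P
    x = (l * l - A[0] - B[0]) % P
    return (x, (l * (A[0] - x) - A[1]) % P)
def mul(k, A):  # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R
def sub(A, B): return add(A, None if B is None else (B[0], -B[1] % P))
# hash-to-scalar; the repr() encoding is this example's choice, not the paper's
def H(*parts): return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), 'big') % N

def sign(msg, rings, known):  # known[i] = (index, privkey) the signer holds in ring i
    k = [secrets.randbelow(N) for _ in rings]
    s = [[0] * len(r) for r in rings]; e = [[0] * len(r) for r in rings]; last = []
    for i, ring in enumerate(rings):           # pass 1: from the known key to the end of the ring
        j, R = known[i][0], mul(k[i], G)
        for jj in range(j + 1, len(ring)):
            e[i][jj], s[i][jj] = H(msg, R, i, jj - 1), secrets.randbelow(N)
            R = sub(mul(s[i][jj], G), mul(e[i][jj], ring[jj]))
        last.append(R)
    e0 = H(msg, *last)                           # the single shared challenge that ties all rings
    for i, ring in enumerate(rings):           # pass 2: from e0 up to the known key
        (j, x), e[i][0] = known[i], e0
        for jj in range(j):
            s[i][jj] = secrets.randbelow(N)
            R = sub(mul(s[i][jj], G), mul(e[i][jj], ring[jj]))
            e[i][jj + 1] = H(msg, R, i, jj)
        s[i][j] = (k[i] + x * e[i][j]) % N     # close the ring with the real secret
    return e0, s                                 # 1 + sum(len(ring)) scalars in total

def verify(msg, rings, sig):
    e0, s = sig; last = []
    for i, ring in enumerate(rings):
        e = e0
        for jj, Pk in enumerate(ring):
            R = sub(mul(s[i][jj], G), mul(e, Pk)); e = H(msg, R, i, jj)
        last.append(R)
    return e0 == H(msg, *last)
```

Verification never learns which index in each ring was the real one: it just recomputes every R from e0 and checks that the last R of every ring hashes back to the same e0.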

Sergio_Demian_Lerner (Hero Member; Activity: 549, Merit: 548)

Re: [Crypto] Borromean ringsig: Efficiently proving knowledge for monotone functions
June 03, 2015, 11:12:11 PM #8

Quote from: gmaxwell on June 02, 2015, 07:07:36 AM



https://github.com/Blockstream/borromean_paper/raw/master/borromean_draft_0.01_34241bb.pdf



Some here may be interested in a new cryptosystem I've been working on which efficiently and privately proves the knowledge of secrets according to a policy defined by an AND/OR network:

Very interesting! I have several ideas on how to improve it, but I must think more.



One possibility to extend one level depth of logic operations is to create signatures for additions of keys (P1+P2). Then, as long as keys are linearly independent there is no way to cheat (I think this would be the Representation Problem in the EC). User 2 may cheat by choosing his pubkey as (-P1+Q) so as to allow proving the signature of both (and not having a private key for any of them). One way to prevent this cheating would be that each public key must be accompanied by a non-interactive ZPN of the secret key. Of course, if two users collude to create two keys so that one is a multiple of the other, then there is a hidden key (the difference) that is neither one nor the other that can be used to build the signature, but this seems not to be a practical concern.



So you can achieve circuits like ( (P1 AND P2 AND P3) OR (P4 AND P5 AND P6) ) AND ( .... ) with 3 levels of gates: AND-OR-AND



PS: using an edge-to-vertex dual graph where signatures are represented as nodes and edges are time implications seems easier to reason about.



Regards
