1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
|
Delivery-date: Thu, 11 Jul 2024 03:39:09 -0700
Received: from mail-yb1-f187.google.com ([209.85.219.187])
by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94.2)
(envelope-from <bitcoindev+bncBDCY7YODY4FRBRHMX22AMGQEN5M5KLA@googlegroups.com>)
id 1sRrCf-00052v-75
for bitcoindev@gnusha.org; Thu, 11 Jul 2024 03:39:09 -0700
Received: by mail-yb1-f187.google.com with SMTP id 3f1490d57ef6-e032d4cf26asf1306527276.3
for <bitcoindev@gnusha.org>; Thu, 11 Jul 2024 03:39:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1720694342; x=1721299142; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:reply-to:x-original-sender
:mime-version:subject:message-id:to:from:date:from:to:cc:subject
:date:message-id:reply-to;
bh=T+RHw8te0HUKIIOb1pf49UzHouwRvZxwk8yqMxSt7CU=;
b=Ap24MgaD/VPrRJpfGkjXz+gqolJX0w2syhQ4+4IDgBUVbvuhUeY1ZZ8kJK6X57XJwT
KRLySZ2bE2smVH6Jqp8Z1eKzhZub+DoDfzkMaoDL/KWlpt0vj7Tt11j5x8yHWQ86RuxA
IsqsLvk3V/l6F9joFqXk8Gw9A1xN91BmhwTsyCCDvTh0gNzbqpq7xAt3EVlLb/iTvL5l
+4hvCWqkQZ5+XHb/zB6zwnyuAO9Nx+ZTduF1Me2P0J+YFdktLYurbcWenZYC7W2gV3H4
cgkOygayhjh0CtCDSCGCrxfS0VFlF8Lj/C7rfmBNhwJ7JiOo4OQPHjldDrxXSYldbFuj
5dNw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1720694342; x=1721299142;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:reply-to:x-original-sender
:mime-version:subject:message-id:to:from:date:x-beenthere
:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh=T+RHw8te0HUKIIOb1pf49UzHouwRvZxwk8yqMxSt7CU=;
b=Ziu1m4CWADl0hw08tyP5ZLOrxPQJyH0qB4w7CF+Hq4Be3g/nunjkzpxRA5ALHSqT3Y
rISCxs4Zs6nmUY0DPVmrNTVFHjB7EkKf/ODjsn6IQxeApSOxxN9nAQwkyv4UojHt6nww
kbWsqpFuCdv5BIfAL3c3lx6zkssneGYrecyT6Uwi6LDevVfHvrq57LyfDPUFpBZKMJgZ
zaVHMrXYf3ShBVcv2qcLxYz+BqoRizxJG2bVNJlln4PPup2b+YFNYeWZn+tsLX6kX+XM
w1K8YMCy/VcPPEHdUL7tgLSwlFBqHqLp9I/XIUgGaMRFDD9Qd4dXQ3CN+k/xtRwZ2NXr
5kpA==
X-Forwarded-Encrypted: i=1; AJvYcCW3tT5mYvqLESWTRp8oYo3rw5ucmTDlE/GR3yUe6Vxump6JTecYosViYwmch1ZMqRpiUm4IAljzFvchpJNdbJqyuYMz8B0=
X-Gm-Message-State: AOJu0YxStM2Lmerrpz7xSSR058iYyV7dtotnBNJQvsZD8oVHi5JbfsmR
b4pcijj+H2PGaIm33hZztxfWEEAVqC9plSryKnHZjpDPiF4lom33
X-Google-Smtp-Source: AGHT+IH3JstOFGtbEmu5SHES7w9pJnb3rLccyiezQ7UkKdEeL5E1e8z0idnc9DLyo0BJ6r/mEaSaRA==
X-Received: by 2002:a25:ab2c:0:b0:e03:4d25:3182 with SMTP id 3f1490d57ef6-e041b03a036mr9540775276.6.1720694342081;
Thu, 11 Jul 2024 03:39:02 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com
Received: by 2002:a05:6902:18c3:b0:e03:514d:f716 with SMTP id
3f1490d57ef6-e057904fdd9ls1243071276.2.-pod-prod-07-us; Thu, 11 Jul 2024
03:39:00 -0700 (PDT)
X-Received: by 2002:a05:6902:1b12:b0:e03:b3e8:f9a1 with SMTP id 3f1490d57ef6-e041b02fabamr557148276.2.1720694340455;
Thu, 11 Jul 2024 03:39:00 -0700 (PDT)
Received: by 2002:a81:8546:0:b0:64b:8595:7a39 with SMTP id 00721157ae682-65bbb1ba283ms7b3;
Thu, 11 Jul 2024 00:11:09 -0700 (PDT)
X-Received: by 2002:a05:690c:628a:b0:64b:2608:a6b9 with SMTP id 00721157ae682-65ca20118ccmr532687b3.3.1720681868668;
Thu, 11 Jul 2024 00:11:08 -0700 (PDT)
Date: Thu, 11 Jul 2024 00:11:08 -0700 (PDT)
From: "'Ed Hughes' via Bitcoin Development Mailing List" <bitcoindev@googlegroups.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <672a69c1-aea9-4395-96cf-9a702bb94b82n@googlegroups.com>
Subject: [bitcoindev] A new logarithmic-size signature scheme LS-LSAG
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_83246_1008413778.1720681868342"
X-Original-Sender: edsgerhughes@protonmail.com
X-Original-From: Ed Hughes <edsgerhughes@protonmail.com>
Reply-To: Ed Hughes <edsgerhughes@protonmail.com>
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -1.0 (-)
------=_Part_83246_1008413778.1720681868342
Content-Type: multipart/alternative;
boundary="----=_Part_83247_490786043.1720681868342"
------=_Part_83247_490786043.1720681868342
Content-Type: text/plain; charset="UTF-8"
Hello all,
I'd like to propose an idea of a simple logarithmic-size ring signature
scheme
which can be used in the blockchain and related applications. The signature
is
called LS-LSAG, a draft of it is available at
https://eprint.iacr.org/2024/921
In making this announcement I'd like to ask the community to comment on
the idea if anyone is interested.
LS-LSAG has such a design so that it can drop-in replace the well-known
linear-size
LSAG/CLSAG signature. Also, it looks compatible with the full-chain Curve
Trees,
which in turn can drop-in replace both LS-LSAG and LSAG/CLSAG at the price
of
using one more curve with specific properties.
In more detail, LS-LSAG is built up of almost the same systems of equations
as
LSAG/CLSAG. However, it makes a call to the inner-product argument instead
of
doing the sequential challenges. This results in the size reduction from
linear to logarithmic and in the compatibility with LSAG/CLSAG.
Particularly, LS-LSAG and
LSAG has the same key image.
Formally, LS-LSAG is a log-size linkable ring signature without trusted
setup in a
pairings-free prime-order group of EC points under the DL assumption.
Unforgeability of LS-LSAG follows from the DL and collision-resistance of
the
standard hash-to-curve function, the draft contains a detailed proof sketch
of this.
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/672a69c1-aea9-4395-96cf-9a702bb94b82n%40googlegroups.com.
------=_Part_83247_490786043.1720681868342
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hello all,<br /><br />I'd like to propose an idea of a simple logarithmic-s=
ize ring signature scheme=C2=A0<div>which can be used in the blockchain and=
related applications. The signature is=C2=A0</div><div>called LS-LSAG, a d=
raft of it is available at https://eprint.iacr.org/2024/921=C2=A0<div><div>=
<br /></div><div>In making this announcement I'd like to ask the community =
to comment on=C2=A0</div><div>the idea if anyone is interested.</div><div><=
br />LS-LSAG has such a design so that it can drop-in replace the well-know=
n linear-size</div><div>LSAG/CLSAG signature. Also, it looks compatible wit=
h the full-chain Curve Trees,=C2=A0</div><div>which in turn can drop-in rep=
lace both LS-LSAG and LSAG/CLSAG at the price of</div><div>using one more c=
urve with specific properties.</div><div><br />In more detail, LS-LSAG is b=
uilt up of almost the same systems of equations as</div><div>LSAG/CLSAG. Ho=
wever, it makes a call to the inner-product argument instead of=C2=A0</div>=
<div>doing the sequential challenges. This results in the size reduction fr=
om linear to logarithmic and in the compatibility with LSAG/CLSAG. Particul=
arly, LS-LSAG and=C2=A0</div><div>LSAG has the same key image.<br /><br />F=
ormally, LS-LSAG is a log-size linkable ring signature without trusted setu=
p in a=C2=A0</div><div>pairings-free prime-order group of EC points under t=
he DL assumption.=C2=A0</div><div>Unforgeability of LS-LSAG follows from th=
e DL and collision-resistance of the=C2=A0</div><div>standard hash-to-curve=
function, the draft contains a detailed proof sketch of this.<br /><br /><=
br /></div></div></div>
<p></p>
-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List" group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion on the web visit <a href=3D"https://groups.google.c=
om/d/msgid/bitcoindev/672a69c1-aea9-4395-96cf-9a702bb94b82n%40googlegroups.=
com?utm_medium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/msg=
id/bitcoindev/672a69c1-aea9-4395-96cf-9a702bb94b82n%40googlegroups.com</a>.=
<br />
------=_Part_83247_490786043.1720681868342--
------=_Part_83246_1008413778.1720681868342--
|