Vasilis Kalos

IMO if the main use case for blind signatures is for holder binding it may be better to move the blind signature functionality on a extension of the spec to...

Just to track some issues. All of those may become mute from issue #70. 1. After talking with Mike i understood that the problem was not that the equations between...

Discussed in the WG call on 2022-06-27. The direction decided is to check available implementations and either ad a note in the definition of OS2IP and I2OSP, describing that they...

One option would be to define that anything that is described by a ciphersuite (i.e., base points etc.,) is a parameter. This will also apply to the message generators. A...

Although i agree with removing the dependency to hkdf I'm worried that we are changing the security assumptions. It's true that the H2C spec claims `expand_message` to be intistinquishable from...

> To be clear this proposal would yield a couple of use-ability benefits > > 1. The commitment required by the issuer of the BBS signature to construct a bound...

> Another example is to carry-over attributes from one credential to another: say the credential contains a user-ID, never disclosed but used for non-revocation proofs. A new credential could be...

Discussed on the WG call of the 22nd of August. Will open a PR with the proposed updates.

Discussed on the WG call of the 22nd of August. One proposed option by @andrewwhitehead is to use the PRF as an input to `proofGen` and iterate through it in...

That is truly very interesting. How will you prove zero knowledge though?? Following the same logic from the [paper](https://eprint.iacr.org/2016/663.pdf) doesn't seem possible, especially for `Abar` (the issuer will have to...