secp256k1-zkp

Expose Borromean ring signature and de-anonymization functionality

apoelstra opened this issue 5 years ago • 9 comments

Fixes #109

apoelstra avatar Nov 25 '20 23:11 apoelstra

Nice :).

One design point though -- since we have to nail down the stream cipher to make the anonymity revocation work in the future, maybe we should switch to chacha rather than sha2_hmac? It'd be much much faster.

apoelstra avatar Dec 03 '20 14:12 apoelstra

Also worth considering whether we should expose an encryption API for this too.

apoelstra avatar Dec 03 '20 15:12 apoelstra

> Nice :).
>
> One design point though -- since we have to nail down the stream cipher to make the anonymity revocation work in the future, maybe we should switch to chacha rather than sha2_hmac? It'd be much much faster.

I haven't looked at the PR so far but we need to think about the properties we require from the function that maps a seed to the coefficients. The function still needs to be a PRG simply because we need random coefficients.

I think for security against "false claims" of not being the signer, we need only preimage resistance and AFAIU, the text quoted in #109 is essentially arguing that any function {0,1}^s -> {0,1}^n from a short seed of s bits to a much longer output of n bits is statistically preimage-resistant: Given a random element of {0,1}^n, it has a preimage with probability at most 2^(s-n).

> Also worth considering whether we should expose an encryption API for this too.

Encryption API for what exactly?

real-or-random avatar Dec 03 '20 17:12 real-or-random

I didn't realize that chacha was biased and could not be used as a PRG. Will need to address this in the Bulletproofs PR as well.

The encryption API lets you hide data inside the rangeproof by xoring it with the PRG output.

apoelstra avatar Dec 03 '20 17:12 apoelstra
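As an added illustration of the two design points raised in the comments above (a seed-expanding PRG that fixes the ring coefficients and so makes anonymity revocation possible, and an "encryption API" that hides a payload by XORing it with the same kind of stream), here is a stand-alone Python sketch. It is not secp256k1-zkp code and not this PR's implementation. ChaCha20 follows RFC 8439; the nonce constants, the big-endian reduction into the secp256k1 scalar range with rejection sampling, and the use of a second, domain-separated stream for the payload are assumptions made for the illustration, not the project's choices.

```python
"""ChaCha20 (RFC 8439) as a seed-expanding PRG for ring-signature coefficients,
plus XOR hiding of a payload in a second stream from the same seed.
Added illustration for the design discussion; not secp256k1-zkp code."""
import struct

MASK32 = 0xFFFFFFFF
# Order of the secp256k1 group; coefficients are reduced into [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# Domain-separating nonces (assumed for this sketch, not the project's): one
# stream feeds the ring coefficients, an independent one hides the payload.
NONCE_COEFFS = b"coeffs\x00\x00\x00\x00\x00\x00"
NONCE_MSG = b"payload\x00\x00\x00\x00\x00"


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def quarter_round(a, b, c, d):
    """ChaCha quarter round (RFC 8439 section 2.1) on four 32-bit words."""
    a = (a + b) & MASK32
    d = _rotl32(d ^ a, 16)
    c = (c + d) & MASK32
    b = _rotl32(b ^ c, 12)
    a = (a + b) & MASK32
    d = _rotl32(d ^ a, 8)
    c = (c + d) & MASK32
    b = _rotl32(b ^ c, 7)
    return a, b, c, d


# Column rounds followed by diagonal rounds on the 4x4 state.
_ROUND_INDICES = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))


def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block (RFC 8439 section 2.3)."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    x = list(state)
    for _ in range(10):  # 10 double rounds = 20 rounds
        for a, b, c, d in _ROUND_INDICES:
            x[a], x[b], x[c], x[d] = quarter_round(x[a], x[b], x[c], x[d])
    return struct.pack("<16I", *(((x[i] + state[i]) & MASK32) for i in range(16)))


def keystream(seed, nonce, nbytes):
    """Expand a 32-byte seed into nbytes of keystream: the PRG the thread discusses."""
    out = bytearray()
    block = 0
    while len(out) < nbytes:
        out += chacha20_block(seed, block, nonce)
        block += 1
    return bytes(out[:nbytes])


def coefficients_from_seed(seed, count):
    """Derive `count` ring coefficients in [1, N-1] from the seed.

    Each 32-byte keystream chunk is read big-endian; chunks that are 0 or
    >= N are skipped (rejection sampling) so the scalars are unbiased. The map
    seed -> coefficients is deterministic, so anyone who learns the seed can
    recompute the coefficients and confirm who produced the ring.
    """
    coeffs = []
    block = 0
    while len(coeffs) < count:
        chunk = chacha20_block(seed, block, NONCE_COEFFS)
        block += 1
        for off in (0, 32):
            k = int.from_bytes(chunk[off:off + 32], "big")
            if 0 < k < SECP256K1_N and len(coeffs) < count:
                coeffs.append(k)
    return coeffs


def seed_explains_coefficients(seed, coeffs):
    """Anonymity-revocation check: does this seed regenerate exactly these coefficients?

    A party falsely claiming a different seed would need a second preimage of
    the coefficient string; for a PRG expanding s bits into n >> s bits a
    random output has a preimage at all with probability at most 2^(s-n).
    """
    return coefficients_from_seed(seed, len(coeffs)) == coeffs


def hide_payload(seed, payload):
    """XOR a payload into a keystream derived from the same seed (the 'encryption API')."""
    pad = keystream(seed, NONCE_MSG, len(payload))
    return bytes(p ^ k for p, k in zip(payload, pad))


def recover_payload(seed, hidden):
    """XOR with the keystream is an involution, so recovery is the same operation."""
    return hide_payload(seed, hidden)


if __name__ == "__main__":
    seed = bytes(range(32))  # constructed demo seed, not a real secret
    coeffs = coefficients_from_seed(seed, 4)
    hidden = hide_payload(seed, b"constructed payload bytes")
    print(recover_payload(seed, hidden), seed_explains_coefficients(seed, coeffs))
```

Two things worth noticing when running it: the coefficient stream and the payload stream never overlap because they use different nonces, so exposing the payload-stream key material does not by itself reveal the coefficients; and the revocation check only works because the coefficient derivation is fully deterministic in the seed, which is exactly why the stream cipher has to be nailed down now rather than later.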

> I didn't realize that chacha was biased and could not be used as a PRG. Will need to address this in the Bulletproofs PR as well.

Wait, who said that ChaCha is biased?

> The encryption API lets you hide data inside the rangeproof by xoring it with the PRG output.

Ah yes, that will be neat.

real-or-random avatar Dec 03 '20 17:12 real-or-random

> Wait, who said that ChaCha is biased?

I am quoting https://tools.ietf.org/html/rfc8439#page-20 which says

> Additionally, unlike HMAC, Poly1305 is biased, so using it for key derivation would reduce the security of the symmetric encryption.

apoelstra avatar Dec 03 '20 19:12 apoelstra

Oh, I'm an idiot, it says in the next sentence that chacha20 would be fine but that is not what some particular use case needs, so they don't specify it in the RFC.

How could something be a stream cipher but not a PRG?

apoelstra avatar Dec 03 '20 19:12 apoelstra

Sorry, this was automatically closed. PR needs to be reopened against the master branch.

jonasnick avatar Jan 12 '21 20:01 jonasnick

All good. I will reopen. Looks like github won't let me retarget the same PR so we'll lose the comments, but given that they're mostly me being confused about chacha, that's not a big loss.

apoelstra avatar Jan 12 '21 20:01 apoelstra