Expose Borromean ring signature and de-anonymization functionality #110
Conversation
Fwiw, this API worked just fine for taproot-ringsig.
Nice :). One design point though -- since we have to nail down the stream cipher to make the anonymity revocation work in the future, maybe we should switch to chacha rather than sha2_hmac? It'd be much much faster.
Also worth considering whether we should expose an encryption API for this too.
I haven't looked at the PR so far but we need to think about the properties we require from the function that maps a seed to the coefficients. The function still needs to be a PRG simply because we need random coefficients. I think for security against "false claims" of not being the signer, we need only preimage resistance and AFAIU, the text quoted in #109 is essentially arguing that any function
Encryption API for what exactly?
I didn't realize that chacha was biased and could not be used as a PRG. Will need to address this in the Bulletproofs PR as well. The encryption API lets you hide data inside the rangeproof by xoring it with the PRG output.
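The data-hiding idea in the comment above, as an added example that is not part of the PR or of the library's code: a seed is expanded with a counter-mode HMAC-SHA256 PRG (an assumed stand-in for the sha2_hmac construction the thread mentions) into the random coefficients a proof would consume, and one coefficient slot is replaced by the message XORed with the PRG bytes for that slot, so only a holder of the seed can recover it. Names, the 32-byte slot size and the slot index are assumptions for illustration.

```python
import hashlib
import hmac

SLOT_BYTES = 32  # assumed size of one coefficient slot

def prg_stream(seed: bytes, nbytes: int) -> bytes:
    """Expand seed into nbytes of pseudorandom output: HMAC-SHA256(seed, counter)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])

def derive_coefficients(seed: bytes, n: int) -> list[bytes]:
    """The n random coefficients a proof would draw from the seed, as 32-byte slots."""
    stream = prg_stream(seed, n * SLOT_BYTES)
    return [stream[i * SLOT_BYTES:(i + 1) * SLOT_BYTES] for i in range(n)]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def embed_message(seed: bytes, message: bytes, n: int, slot: int = 0) -> list[bytes]:
    """Hide message in one coefficient slot by XORing it with the PRG bytes of that slot.

    The slot keeps its pseudorandom look to anyone without the seed; the seed must be
    fresh per proof, because reusing PRG output across two proofs would leak the XOR
    of the two hidden messages.
    """
    if len(message) > SLOT_BYTES:
        raise ValueError("message does not fit in one coefficient slot")
    padded = message.ljust(SLOT_BYTES, b"\x00")
    coeffs = derive_coefficients(seed, n)
    coeffs[slot] = _xor(padded, coeffs[slot])
    return coeffs

def recover_message(seed: bytes, coeffs: list[bytes], slot: int = 0) -> bytes:
    """Re-derive the PRG bytes for the slot and strip them off again (seed holder only)."""
    keystream = derive_coefficients(seed, len(coeffs))[slot]
    return _xor(coeffs[slot], keystream).rstrip(b"\x00")

if __name__ == "__main__":
    seed = b"constructed per-proof seed"  # constructed sample value
    proof_coeffs = embed_message(seed, b"hidden note", n=4)
    print(recover_message(seed, proof_coeffs))
```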
Wait, who said that ChaCha is biased?
Ah yes, that will be neat.
I am quoting https://tools.ietf.org/html/rfc8439#page-20 which says
Oh, I'm an idiot, it says in the next sentence that chacha20 would be fine but that is not what some particular use case needs, so they don't specify it in the RFC. How could something be a stream cipher but not a PRG?
Sorry this was automatically closed. PR needs to be reopened against the
All good. I will reopen. Looks like github won't let me retarget the same PR so we'll lose the comments, but given that they're mostly me being confused about chacha, that's not a big loss.
Fixes #109