txmn.tk Blog Links en – fr

bLSAG ring signatures


A ring signature is a cryptographic proof that a message is original and authentified by someone in a given assembly, without revealing this person's identity.

For example, jury members may each give their decision anonymously, so that the other jury members or the public cannot connect any decision with any member. In order to ensure the decisions are authentic, with each one is attached a ring signature that enables to prove it has been emitted by a jury member.

Multiple ring signature algorithms exist. Here will be introduced bLSAG, which has the property of enabling the detection of multiple distinct signatures emitted by the same person. In our example of a jury, we want indeed to ensure nobody voted twice.

The main source of this introduction to bLSAG is Zero to Monero 2.0.0 (page 29) and the Rust library nazgul which implements multiple ring signature schemes including bLSAG. Moreover, this article serves as additional documentation to the Rust library orodruin that I developed in order to implement anonymous transactions in Duniter.

Required: basics in algebra and cryptology. Knowledge of elliptic curves is not needed.

#Notations

#Signature

The signature $\sigma(m)$ of a message $m$, by the secret key $k_\pi$ of which the public key $K_\pi$ is in the ring $\mathcal{R}=\{K_1,\ldots,K_n\}$, is obtained as follows:

#Verification

We can now understand why a ring. We are forming a ring, or circle, with all the keys, then the challenge rotates around the ring. Each key modifies it by turn. In order to get the same, original challenge at the end, we need that one key somewhere in the ring (without us knowing where) made the right modification that finally cancels the noise created by the others.

#Correctness

Let's show that the verification algorithm is correct. First we recall the following definitions:

Our aim is to successively build the $c_i'$ and find $c_1=c_{n+1}'$ iff the signature is authentic.

$$ \begin{align*} c_1 = c_{n+1}' &\Leftrightarrow \begin{cases} r_n G + c_n K_n = r_n G + c_n' K_n \\ r_n H(K_n) + c_n \tilde K_\pi = r_n H(K_n) + c_n' \tilde K_\pi \end{cases} \\ &\Leftrightarrow \begin{cases} c_n K_n = c_n' K_n \\ c_n \tilde K_\pi = c_n' \tilde K_\pi \end{cases} \\ &\Leftarrow c_n = c_n' \\ &\Leftrightarrow \begin{cases} c_{n-1} K_{n-1} = c_{n-1}' K_{n-1} \\ c_{n-1} \tilde K_\pi = c_{n-1}' \tilde K_\pi \end{cases} \\ &\Leftarrow c_{\pi+1} = c_{\pi+1}' \quad\text{by induction} \\ &\Leftrightarrow \begin{cases} \alpha G = r_\pi G + c_\pi K_\pi &\quad\text{(1)}\\ \alpha H(K_\pi) = r_\pi H(K_\pi) + c_\pi \tilde K_\pi &\quad\text{(2)} \end{cases} \end{align*} $$

Let's show that (1) and (2) hold:

$$ \begin{align*} \text{(1)} &\Leftrightarrow \alpha G = (\alpha - c_\pi k_\pi) G + c_\pi K_\pi \\ &\Leftrightarrow \alpha G = \alpha G + c_\pi k_\pi + c_\pi K_\pi G \\ &\Leftarrow K_\pi = k_\pi G \end{align*} $$

$$ \begin{align*} \text{(2)} &\Leftrightarrow \alpha H(K_\pi) = (\alpha - c_\pi k_\pi) H(K_\pi) + c_\pi \tilde K \\ &\Leftrightarrow \alpha H(K_\pi) = \alpha H(K_\pi) - c_\pi k_\pi H(K_\pi) + c_\pi k_\pi H(K_\pi) \end{align*} $$

Hence the signature is correct.

#Security

Without making a security proof, we can have a sense of what makes this system safe:

Is the signature unfalsifiable, i.e. are we unable to forge a correct signature without knowing $k_\pi$? We see that the proofs of (1) and (2) use $r_\pi = \alpha - c_\pi k_\pi$, that is the private key.

Is the signature anonymous, i.e. are we unable to find $\pi$ from the signature? We have that $r_\pi$ is noised by $\alpha$. We can not distinguish $r_\pi$ from the other $r_i$, because they are uniformly random like $\alpha$ and $c_\pi$ (which is a hash), and because $k_\pi$ is secret.