BBS+ signatures
tl;dr: BBS+ is a transformation[^ASM08e] of the Boneh-Boyen-Shacham (BBS) group signature scheme[^BBS04] into a standalone signature scheme.
This blog post describes BBS+ as well as a recent improvement over it dubbed standalone BBS[^TZ23e].
Why BBS+?
The BBS+ and standalone BBS schemes have some really nice properties:
Can sign a vect...
How should a blockchain keep a secret?
tl;dr: I was at the Next-Generation Secure Distributed Computing seminar at Schloss Dagstuhl and spoke about how a blockchain should keep a secret.
Bulletproofs IPA for multiexp
$
\def\prove{\mathsf{Prove}}
\def\ver{\mathsf{Ver}}
\def\A{\mathbf{A}}
\def\B{\mathbf{B}}
\def\bb{\mathbf{b}}
$
tl;dr: This is a post-mortem write-up on how I failed to use the Bulletproofs IPA to convince a verifier that a multi-exponentiation $\A^\bb = \prod_i (A_i)^{b_i}$ was done correctly.
The problem is that the Bulletproof verifier has t...
Keyless blockchain accounts on Aptos
tl;dr: What is a keyless blockchain account?
Put simply, “Your blockchain account = Your Google account”.
In other words, this keyless approach allows you to derive a blockchain account from any of your existing OpenID Connect (OIDC) accounts (e.g., Google, Apple), rather than from a traditional secret key or mnemonic.
There are no long-term se...
Schnorr signatures: everything you wanted to know, but were afraid to ask!
tl;dr: Signs $m$ as $\sigma = (R, s)$, where $s = r - H(R, m) \cdot \sk$, $R = g^r$ and $r\randget \Zp$. Verifies this signature against $\pk = g^\sk$ as $R \equals g^s \cdot \pk^{H(R, m)}$.
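The tl;dr above, carried through in code (an added example for this listing, not code from the post): signing and verifying with exactly the equations $s = r - H(R, m) \cdot \sk$ and $R \equals g^s \cdot \pk^{H(R, m)}$, plus the check every practitioner should know, that reusing the nonce $r$ across two messages hands the secret key to anyone holding both signatures. Assumptions of the example only: the group is the prime-order subgroup of $\mathbb{Z}_p^*$ for a freshly generated 64-bit safe prime $p = 2q + 1$ (the post's exponent field $\Zp$ is called `q` here because `p` names the modulus), the challenge hash is SHA-256 reduced modulo $q$, and the parameter size is a toy one that runs instantly and offers no security.

```python
# Schnorr over a prime-order subgroup of Z_p^*, following the tl;dr above:
#   sign:   r <-$ Z_q,  R = g^r,  s = r - H(R, m) * sk  (mod q),  sigma = (R, s)
#   verify: R == g^s * pk^{H(R, m)}  (mod p)
# Added example, not code from the post. ASSUMPTION: a toy 64-bit safe-prime
# group generated on the fly; it has no real security (use a standard group).
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test (probabilistic; good enough to generate demo parameters)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits: int = 64):
    """Return grp = (p, q, g): safe prime p = 2q + 1 and g generating the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, 2, p)  # squares form the order-q subgroup
        if g != 1:
            return p, q, g

def H(grp, R: int, m: bytes) -> int:
    """Fiat-Shamir challenge H(R, m) in Z_q; R is fixed-width so (R, m) parses uniquely."""
    p, q, _ = grp
    enc = b"schnorr-demo" + R.to_bytes((p.bit_length() + 7) // 8, "big") + m
    return int.from_bytes(hashlib.sha256(enc).digest(), "big") % q

def keygen(grp):
    p, q, g = grp
    sk = secrets.randbelow(q - 1) + 1
    return sk, pow(g, sk, p)  # (sk, pk = g^sk)

def sign(grp, sk: int, m: bytes, r: int = None):
    """r is the per-signature nonce; drawn fresh unless forced (only for the reuse demo)."""
    p, q, g = grp
    if r is None:
        r = secrets.randbelow(q - 1) + 1
    R = pow(g, r, p)
    return R, (r - H(grp, R, m) * sk) % q

def verify(grp, pk: int, m: bytes, sig) -> bool:
    p, q, g = grp
    R, s = sig
    if not (1 < R < p and pow(R, q, p) == 1 and 0 <= s < q):  # R in subgroup, s in range
        return False
    return R == pow(g, s, p) * pow(pk, H(grp, R, m), p) % p

def recover_sk_from_nonce_reuse(grp, m1, sig1, m2, sig2) -> int:
    """Why r must be fresh: s1 = r - e1*sk and s2 = r - e2*sk give sk = (s2 - s1)/(e1 - e2)."""
    _, q, _ = grp
    (R1, s1), (R2, s2) = sig1, sig2
    assert R1 == R2, "different nonces, nothing to recover"
    e1, e2 = H(grp, R1, m1), H(grp, R2, m2)
    return (s2 - s1) * pow(e1 - e2, -1, q) % q

def demo():
    """Returns (valid sig verifies, tampered message rejected, nonce reuse leaks sk)."""
    grp = gen_group()
    sk, pk = keygen(grp)
    m = b"constructed sample message"  # constructed input for the demo
    sig = sign(grp, sk, m)
    ok, bad = verify(grp, pk, m, sig), verify(grp, pk, b"tampered", sig)
    r = secrets.randbelow(grp[1] - 1) + 1
    sig1, sig2 = sign(grp, sk, b"msg one", r), sign(grp, sk, b"msg two", r)
    leaked = recover_sk_from_nonce_reuse(grp, b"msg one", sig1, b"msg two", sig2) == sk
    return ok, bad, leaked

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The verifier checks that $R$ lies in the order-$q$ subgroup and that $s < q$ before doing the exponentiations; without the subgroup check a value outside the group can be fed to `pow` and the equation still "checked", which is the kind of sloppiness that bites real implementations.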
What in the Smurf is a silent-setup multiverse unpredictable function?
tl;dr: This blog post investigates whether threshold verifiable unpredictable functions (VUFs) can be efficiently instantiated in the silent setup setting, which avoids the need for an interactive, expensive and often complex distributed key generation (DKG) phase.
We show that (1) silent setup threshold VUFs are possible from multilinear maps a...
Baird et al.'s unique threshold signature scheme
In this post, we describe a strawman threshold signature construction by Baird et al.[^BGJplus23] which produces unique signatures.
In their paper, Baird et al. modify this construction into a (non-unique) multiverse threshold signature scheme.
How to reshare a secret
tl;dr: A $t$-out-of-$n$ sharing of $s$ can be reshared as a $t'$-out-of-$n'$ sharing, without ever reconstructing $s$.
How?
Each old player reshares their own share $t'$-out-of-$n'$ among the new players.
Let $H$ denote an agreed-upon set of $\ge t$ old players who (re)shared correctly.
Then, each new player's $t'$-out-of-$n'$ share of $s$ will be the Lagrange interpolation (w.r.t. $H$) ...
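The resharing procedure in the excerpt above, as an added example (not the post's own code): every old player in $H$ Shamir-shares their share $t'$-out-of-$n'$, and new player $j$ combines the sub-shares it received with the Lagrange coefficients $\lambda_i$ of $H$ at $0$. The combined polynomial $g(x) = \sum_{i \in H} \lambda_i f_i(x)$ has degree $t'-1$ and $g(0) = \sum_{i \in H} \lambda_i s_i = s$, so the new shares are a fresh $t'$-out-of-$n'$ sharing of the same $s$. Assumptions of the example only: shares live in the prime field $\mathbb{Z}_Q$ with $Q = 2^{127}-1$, and player $i$ holds the evaluation point $(i, f(i))$.

```python
# Shamir resharing as in the excerpt above: a t-out-of-n sharing of s becomes a
# t'-out-of-n' sharing without s ever being reconstructed. Added example, not
# the post's own code. ASSUMPTION: field Z_Q with Q = 2^127 - 1; player i holds (i, f(i)).
import secrets

Q = (1 << 127) - 1  # prime modulus of the demo field

def share(secret: int, t: int, n: int) -> dict:
    """t-out-of-n Shamir sharing: random f of degree t-1 with f(0) = secret; player i gets f(i)."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}

def lagrange_at_zero(xs) -> dict:
    """Coefficients lambda_i with f(0) = sum_i lambda_i * f(i) for any f of degree < len(xs)."""
    lam = {}
    for i in xs:
        num = den = 1
        for j in xs:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam

def reconstruct(shares: dict) -> int:
    """Interpolate f(0) from a dict {i: f(i)} holding at least t points."""
    lam = lagrange_at_zero(list(shares))
    return sum(lam[i] * y for i, y in shares.items()) % Q

def reshare(old_shares: dict, t_old: int, t_new: int, n_new: int, H) -> dict:
    """Old players in H each share their own share t'-out-of-n'; new player j sets
    s'_j = sum_{i in H} lambda_i * sub[i][j], with lambda_i the Lagrange coefficients of H."""
    H = sorted(H)
    if len(H) < t_old:
        raise ValueError("need at least t old players who reshared correctly")
    lam = lagrange_at_zero(H)
    sub = {i: share(old_shares[i], t_new, n_new) for i in H}  # sub[i][j]: sent by old i to new j
    return {j: sum(lam[i] * sub[i][j] for i in H) % Q for j in range(1, n_new + 1)}

def demo() -> bool:
    """2-out-of-3 sharing reshared to 3-out-of-5 using old players 1 and 3; any 3 new shares recover s."""
    s = secrets.randbelow(Q)  # constructed secret for the demo
    old = share(s, 2, 3)
    new = reshare(old, 2, 3, 5, H={1, 3})
    return reconstruct({j: new[j] for j in (2, 4, 5)}) == s

if __name__ == "__main__":
    print(demo())  # True
```

Note that the new player never sees any old share in the clear: it only receives one sub-share from each member of $H$, and the weighting by $\lambda_i$ is what makes those sub-shares line up on a polynomial through $s$. The old shares of players outside $H$ are simply ignored, which is why $H$ must be agreed upon by all new players.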
36 post articles, 5 pages.