Home

tl;dr: We cover a few basic linear algebra concepts: vectors, matrices, matrix-vector products, vector dot products, Haddamard products, etc.

tl;dr: Do you want to sign (committed) field elements without relying on random oracles? Do you want to efficiently prove (in zero-knowledge) relations over your signed messages? BBS+ is here to help you! The BBS+ signature scheme is a transformation[^ASM08e] of the Boneh-Boyen-Shacham (BBS) group signature scheme[^BBS04] into a standalone sig...

tl;dr: We spoke about how a blockchain should keep a secret at the Next-Generation Secure Distributed Computing seminar at Schloss Dagstuhl. We sketched an approach based on trusted execution environments (TEEs) that could be practical, yet could still present interesting research challenges.

$ \def\prove{\mathsf{Prove}} \def\ver{\mathsf{Ver}} \def\A{\mathbf{A}} \def\B{\mathbf{B}} \def\bb{\mathbf{b}} $ tl;dr: This is a post-mortem write-up on how I failed to use the Bulletproofs IPA to convince a verifier that a multi-exponentiation $\A^\bb = \prod_i (A_i)^{b_i}$ was done correctly. The problem is that the Bulletproof verifier has t...

tl;dr: Everything I wanted to know, but was afraid to ask about elliptic curves.

tl;dr: What is a keyless blockchain account? Put simply, “Your blockchain account = Your Google account”. In other words, this keyless approach allows you to derive a blockchain account from any of your existing OpenID Connect (OIDC) account (e.g., Google, Apple), rather than from a traditional secret key or mnemonic. There are no long-term se...

tl;dr: ECDSA is one of the most widely-deployed signature schemes (for better or worse). ECDSA is efficient, offers versatility via its pubkey recovery feature and is widely adopted due to Bitcoin’s success. Its history is fascinating, as is its security analysis. Nonetheless: you should stay away from it, as I argue here.

tl;dr: Signs $m$ as $\sigma = (R, s)$, where $s = r - H(R, m) \cdot \sk$, $R = g^r$ and $r\randget \Zp$. Verifies this signature against $\pk = g^\sk$ as $R \equals g^s \cdot \pk^{H(R, m)}$.