学习笔记:Borromean Ring Signatures
Gregory Maxwell, Andrew Poelstra. Borromean Ring Signatures 2015.
一些概念
Borromean环签名可以描述用签名密钥的任意函数签名的签名。
验证公钥: V = { v i } i = 1 n \mathcal{V}=\{v_i\}_{i=1}^n V={vi}i=1n
对应的签名密钥集: { s 1 , . . . , s n } \{s_1,...,s_n\} {s1,...,sn}
f : f: f:称为admissibility function,从 V \mathcal{V} V的有限子集到 { 0 , 1 } \{0,1\} {0,1}的映射;admissible set V 如果 f ( V ) = 1 f(V)=1 f(V)=1
Borromean环签名是消息 m m m上的一个签名,具有一组 V \mathcal{V} V的验证密钥和 f f f,满足以下条件:
- 签名只能由共同知道一组 V V V的所有密钥的各方产生
- 仅给定 σ , V \sigma, \mathcal{V} σ,V和 m m m,统计上无法区分使用的是哪个容许集 V V V。
单调函数
如果 V V V是容许集, f ( V ) = 1 f(V)=1 f(V)=1,则任何 V ′ ⊇ V , f ( V ′ ) = 1 V'\supseteq V,~f(V')=1 V′⊇V, f(V′)=1,这样的函数称为单调函数(monotone functions)
And 和 Or
如果说普通的环签名可理解成一组析取语句(已知环中的任意一个公钥对应的私钥),Borromean环签名可看做是一组析取语句的连接语句:
⋀ i ( ⋁ j a i , j ) \bigwedge_i (\bigvee_j a_{i,j}) i⋀(j⋁ai,j)
Borromean Ring Signature
S i g n Sign Sign
签名者收集的公钥集合 P i , j , i ∈ [ 0 , n − 1 ] , j ∈ [ 0 , m − 1 ] P_{i,j},i\in[0,n-1],j\in[0,m-1] Pi,j,i∈[0,n−1],j∈[0,m−1],创建n个密钥的知识的验证 { P i , j i ∗ } i = 1 n \{P_{i,j_i^*}\}_{i=1}^n {Pi,ji∗}i=1n(对应的私钥是 x i x_i xi)
- M = H ( m e s s a g e ) M=H(message) M=H(message)
- f o r ( i = 0 , . . . , n − 1 ) for(i=0,...,n-1) for(i=0,...,n−1):
- 随机选择 k i k_i ki
- 令 e i , j i ∗ + 1 = H ( M ∣ ∣ k i G ∣ ∣ i ∣ ∣ j i ∗ ) e_{i,j_i^*+1}=H(M||k_iG||i||j_i^*) ei,ji∗+1=H(M∣∣kiG∣∣i∣∣ji∗)
- f o r ( j i ∗ < j < m i − 1 ) for(j_i^*< j
随机选择 s i , j s_{i,j} si,j,计算 e i , j + 1 = H ( M ∣ ∣ s i , j G − e i , j P i , j ∣ ∣ i ∣ ∣ j ) e_{i,j+1}=H(M||s_{i,j}G-e_{i,j}P_{i,j}||i||j) ei,j+1=H(M∣∣si,jG−ei,jPi,j∣∣i∣∣j)
- 对每个 i i i,随机选择 s i , m i − 1 s_{i,m_i-1} si,mi−1,令 e 0 = H ( s 0 , m 0 − 1 G − e 0 , m 0 − 1 P 0 , m 0 − 1 ∣ ∣ . . . ∣ ∣ s n − 1 , m n − 1 − 1 G − e n − 1 , m n − 1 − 1 P n − 1 , j m n − 1 − 1 ) e_0=H(s_{0,m_0-1}G-e_{0,m_0-1}P_{0,m_0-1}||...||s_{n-1,m_{n-1}-1}G-e_{n-1,m_{n-1}-1}P_{n-1,jm_{n-1}-1}) e0=H(s0,m0−1G−e0,m0−1P0,m0−1∣∣...∣∣sn−1,mn−1−1G−en−1,mn−1−1Pn−1,jmn−1−1).也就是说, e 0 e_0 e0提交几个 s s s值,每个环一个
- f o r ( 0 ≤ i ≤ n − 1 ) for(0\leq i\leq n-1) for(0≤i≤n−1)
- f o r ( 0 ≤ j ≤ j i ∗ − 1 ) for(0\leq j\leq j_i^*-1) for(0≤j≤ji∗−1)
随机选择 s i , j s_{i,j} si,j,计算 e i , j + 1 = H ( M ∣ ∣ s i , j G − e i , j P i , j ∣ ∣ i ∣ ∣ j ) e_{i,j+1}=H(M||s_{i,j}G-e_{i,j}P_{i,j}||i||j) ei,j+1=H(M∣∣si,jG−ei,jPi,j∣∣i∣∣j),其中 e i , 0 = e 0 e_{i,0}=e_0 ei,0=e0 - 令 s i , j i ∗ = k i + x i e i , j i ∗ s_{i,j_i^*}=k_i+x_ie_{i,j_{i}^*} si,ji∗=ki+xiei,ji∗
- f o r ( 0 ≤ j ≤ j i ∗ − 1 ) for(0\leq j\leq j_i^*-1) for(0≤j≤ji∗−1)
输出签名 σ = { e 0 , s i , j : 0 ≤ i ≤ n − 1 , 0 ≤ j ≤ m i − 1 } \sigma=\{e_0,s_{i,j}:0\leq i\leq n-1,0\leq j\leq m_i-1\} σ={e0,si,j:0≤i≤n−1,0≤j≤mi−1}
逻辑:(原文的标号真是乱七八糟啊…盘了好久才弄对)
e i , π + 1 , e i , π + 2 → e i , m i − 1 , e 0 , e i , 1 → e i , π e_{i,\pi+1},e_{i,\pi+2}\rightarrow e_{i,m_i-1},~~~~e_0~~~~,e_{i,1}\rightarrow e_{i,\pi} ei,π+1,ei,π+2→ei,mi−1, e0 ,ei,1→ei,π
s i , π + 1 → s i , m i − 2 , s i , m i − 1 , s i , 0 → s i , π − 1 , s i , π ~~~~~~~~~~~s_{i,\pi+1}\rightarrow s_{i,m_i-2},s_{i,m_i-1},s_{i,0}\rightarrow s_{i,\pi-1},s_{i,\pi} si,π+1→si,mi−2,si,mi−1,si,0→si,π−1,si,π
对所有的 i i i来说, e 0 e_0 e0都是一样的(因为 e 0 e_0 e0汇聚了所有 i i i对应的 j = m i − 1 j=m_i-1 j=mi−1参数)
V e r i f y Verify Verify
f o r ( 0 ≤ i ≤ n − 1 ) for(0\leq i\leq n-1) for(0≤i≤n−1)
f o r ( 1 ≤ j ≤ m i − 1 ) ~~~~for(1\leq j\leq m_i-1) for(1≤j≤mi−1)
R i , j + 1 = s i , j G + e i , j P i , j ~~~~~~~~R_{i,j+1}=s_{i,j}G+e_{i,j}P_{i,j} Ri,j+1=si,jG+ei,jPi,j
e i , j + 1 = H ( M ∣ ∣ R i , j + 1 ∣ ∣ i ∣ ∣ j ) ~~~~~~~~e_{i,j+1}=H(M||R_{i,j+1}||i||j) ei,j+1=H(M∣∣Ri,j+1∣∣i∣∣j)
e 0 ′ = H ( R 0 , m 0 ∣ ∣ . . . ∣ ∣ R n − 1 , m n − 1 ) e_0'=H(R_{0,m_0}||...||R_{n-1,m_{n-1}}) e0′=H(R0,m0∣∣...∣∣Rn−1,mn−1)
如果 e 0 ′ = e 0 e_0'=e_0 e0′=e0,返回1
C o r r e c t n e s s Correctness Correctness:
e i , j i ∗ + 1 ′ = H ( M ∣ ∣ s i , j i ∗ G − e i , j i ∗ P i , j i ∗ ∣ ∣ i ∣ ∣ j i ∗ ) = H ( M ∣ ∣ ( k i + x i e i , j i ∗ ) G − e i , j i ∗ P i , j i ∗ ∣ ∣ i ∣ ∣ j i ∗ ) = H ( M ∣ ∣ k i G − e i , j i ∗ P i , j i ∗ ∣ ∣ i ∣ ∣ j i ∗ ) = e i , j i ∗ + 1 \begin{aligned} e_{i,j_i^*+1}'&=H(M||s_{i,j_i^*}G-e_{i,j_i^*}P_{i,j_i^*}||i||j_i^*)\\ &=H(M||(k_i+x_ie_{i,j_{i}^*})G-e_{i,j_i^*}P_{i,j_i^*}||i||j_i^*)\\ &=H(M||k_iG-e_{i,j_i^*}P_{i,j_i^*}||i||j_i^*)=e_{i,j_i^*+1} \end{aligned} ei,ji∗+1′=H(M∣∣si,ji∗G−ei,ji∗Pi,ji∗∣∣i∣∣ji∗)=H(M∣∣(ki+xiei,ji∗)G−ei,ji∗Pi,ji∗∣∣i∣∣ji∗)=H(M∣∣kiG−ei,ji∗Pi,ji∗∣∣i∣∣ji∗)=ei,ji∗+1