blind signatures in scriptless scripts
play

Blind Signatures in Scriptless Scripts Jonas Nick - PowerPoint PPT Presentation

Nov 20, 2023 •352 likes •607 views

Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler February 17, 2019 Blind Signatures in Scriptless Scripts Jonas Nick

  1. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler February 17, 2019 Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 1/24

  2. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Schnorr Signatures G is generator of a DLog hard group def keygen(): x := rand, P := x*G return (x, P) def sign(x, m): k := rand, R := k*G s := k + hash(R,P,m)*x return (R, s) def verify(P, m, R, s): return s*G ?= R + hash(R,P,m)*P Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 2/24

  3. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Blind Signatures ◮ Blind signer does not know the message being signed ◮ Blind signature gets unblinded , s.t. unblinded and blind sig are not linkable ◮ 2 party protocol between Client and Server 1. Client knows message, Server does not 2. Client creates blind challenge 3. Server signs blind challenge and gives to Client 4. Client unblinds signature Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 3/24

  4. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Blind Schnorr Signatures def server_nonce(): k := rand, R := k*G return (k, R) def client_blind(R, m): alpha := rand, beta := rand R’ := R + alpha*G + beta*P c’ := hash(R’,P,m), c := c’+beta return (alpha, beta, R’, c’, c) Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 4/24

  5. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Blind Schnorr Signatures def server_sign (k, x, c): s := k + c*x return s def client_unblind(alpha, s): s’ := s + alpha return s’ def verify(P, m, R, s): return s*G ?= R + hash(R,P,m)*P Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 5/24

  6. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion EDIT: Blind Schnorr Signatures are not secure per se ◮ EDIT: At this point I should have stressed that implementations of above Blind Schnorr signatures are not secure against forgery ◮ They are vulnerable to Wagner’s attack. With 65536 parallel signing sessions can forge a signature with only O (2 32 ) work. ◮ This could be somewhat mitigated by having the signer abort in p < 1/2 cases during the signing step. Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 6/24

  7. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion EDIT: Blind Schnorr Signatures are not secure per se ◮ Moreover, they can’t be proven secure in the ROM (Baldimtsi, Lysyanskaya) ◮ Use them only when the signatures need to pass normal Schnorr verification. Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 7/24

  8. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Ecash ◮ Trusted server maintains a database to prevent double spending ◮ Server database consists of serial numbers that have been spent ◮ Ecash token is tuple ◮ (serial number, server sig(serial number)) Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 8/24

  9. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Ecash Reissuance protocol to exchange token for fresh unlinkable token: 1. Client chooses new random serial number and blind challenge 2. Client shows token and blind challenge to Server 3. Server aborts if token serial number is in DB 4. Server signs blind challenge and inserts serial number in database 5. Client unblinds signature to get fresh token (reissuance proocol is also used for payments) Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 9/24

  10. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Exchange Discrete Logs for Bitcoin Buyer wants to buy discrete log of point T = t*G from Seller 1. Buyer creates multisig output with Seller 2. Seller sends transaction and adaptor signature with T to Buyer 3. Buyer gives Seller her signature over the transaction 4. Seller spends the output 5. Buyer computes the discrete log t from Seller’s tx signature and adaptor signature Blockchain footprint: single boring transaction Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 10/24

  11. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Exchange Discrete Logs for LN Payments Requires Lightning with Multi-Hop Locks in place of HTLCs. ◮ HTLCs hash(p) hash(p) 1. Buyer → Hop → Seller − − − − − − − − − − 2. Seller claims with preimage p Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 11/24

  12. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Exchange Discrete Logs for LN Payments Multi-Hop Locks use curve points instead of hashes L1 L2 1. Buyer → Hop → Seller − − − − ◮ Buyer set up route to buy discrete log of T = t*G ◮ L1 = T + l1*G ◮ L2 = L1 + l2*G 2. Buyer gives l2 to Hop and l1 + l2 to Seller 3. Seller claims L2 with c2 = (t + l1 + l2) 4. Hop claims L1 with c1 = c2 - l2 5. Buyer computes t = c1 - l1 Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 12/24

  13. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Exchange Blind Signatures for Bitcoin Building block: Committed R-point signatures 1. Seller creates public nonce R 2. Buyer can compute Seller’s signature s times G (without being able to compute s of course) as R + hash(R,P,m)*P = s*G Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 13/24

  14. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Exchange Blind Signatures for Bitcoin ◮ Committed R-point signatures work for blind signatures too! So Client computes Server’s blind signature s times G ◮ Then buys discrete log of s*G with bitcoins using above techniques Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 14/24

  15. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Blind Coinswaps ◮ Coinswap where Server can not link coins ◮ similar to Tumblebit ◮ but with scriptless scripts ◮ Key idea: Client buys blind signature from Server where the message is a transaction that gives Server’s coins to the Client Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 15/24

  16. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Blind Coinswaps 1. Create blind challenge from unsigned tx 2. Create blind sig times G 3. Pay for its DLog (the actual blind sig) 4. Unblind and broadcast tx Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 16/24

  17. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Exchanging Ecash Tokens for Bitcoin ◮ Want Clients buy tokens from each other without trust ◮ Server needs to make sure that buyer gets token and seller bitcoins 1. Payment uses multisig with Server 2. Or Server is part of lightning payment route 3. Or issue token with locktime Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 17/24

  18. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Brands credentials ◮ think ecash tokens that encode more attributes ◮ essentially Pedersen multicommitments of the attributes ◮ a1*G1 + a2*G2 + .... + r*G ◮ allows proving properties of token attributes in zero knowledge Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 18/24

  19. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Brands credentials Reissuance of example ecash token (type, amount, serial number, server signature) 1. Client chooses new random serial number and blind challenge 2. Client shows token and blind challenge to Server 3. Client proves that type and amount in token and in challenge is the same 4. [...] Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 19/24

  20. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Exchanging Ecash Tokens for Bitcoin ◮ Token seller runs version of reissuance protocol with Server and receives two tokens with the same serial number ◮ Buyer token (BUYERSECRET, SELLERSECRET, type buyer, amount, serial number, server signature) ◮ reissued only when providing BUYERSECRET, SELLERSECRET ◮ Seller token (LOCKTIME, type seller, amount, serial number, server signature) ◮ reissued only when LOCKTIME is over Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 20/24

  21. Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Exchanging Ecash Tokens for Bitcoin 1. Seller gives buyer token without SELLERSECRET to buyer and proves that LOCKTIME of seller token is sufficiently far in the future 2. Buyer buys SELLERSECRET from seller either on-chain or off-chain using above techniques 3. EITHER Buyer runs reissuance protocol with Server OR Buyer becomes unresponsive and Seller runs reissuance protocol after LOCKTIME Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler 21/24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler September 4,

Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler September 4,

Blind Signatures Ecash Fair Exchange Blind Coinswaps Tokens Conclusion Blind Signatures in Scriptless Scripts Jonas Nick jonasd.nick@gmail.com @n1ckler September 4, 2018 Blind Signatures in Scriptless Scripts Jonas Nick

374 views • 22 slides
Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net May 10, 2017 Scriptless Scripts

Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net May 10, 2017 Scriptless Scripts

Scriptless Scripts Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net May 10, 2017 Scriptless Scripts Introduction Scriptless Scripts? Scriptless scripts: magicking digital signatures so that they can only be created by

298 views • 15 slides
Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net March 4, 2017 Scriptless Scripts

Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net March 4, 2017 Scriptless Scripts

Scriptless Scripts Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net March 4, 2017 Scriptless Scripts Introduction Scriptless Scripts? Scriptless scripts: magicking digital signatures so that they can only be created by

794 views • 40 slides
Scriptless Scripts Andrew Poelstra Research Director, Blockstream scriptless@wpsoftware.net May

Scriptless Scripts Andrew Poelstra Research Director, Blockstream scriptless@wpsoftware.net May

Scriptless Scripts Andrew Poelstra Research Director, Blockstream scriptless@wpsoftware.net May 18, 2018 1 / 11 Mimblewimble and Scriptless Scripts Mimblewimble, proposed in 2016 by Tom Elvis Jedusor No scripts, only signatures. What

509 views • 11 slides
Mimblewimble and Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net January 10, 2018

Mimblewimble and Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net January 10, 2018

Mimblewimble and Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net January 10, 2018 1 / 25 What is a Blockchain? For our purposes, a blockchain is a Merkleized linked list of commitments, called blocks , along with rules restricting

385 views • 25 slides
Mimblewimble and Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net June 15, 2017 1

Mimblewimble and Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net June 15, 2017 1

Mimblewimble and Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net June 15, 2017 1 / 30 Overview / What is Mimblewimble? Mimblewimble is an anonymously-originated design for a blockchain-based ledger that is very different from

958 views • 30 slides
On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore,

On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore,

On The Security of Unique- Witness Blind Signature Schemes December 2013 ASIACRYPT, Bangalore, India Foteini Baldimtsi, Anna Lysyanskaya 2 Blind Signatures [Chaum'82] Blind signatures are a special type of digital signatures. Signer is

439 views • 33 slides
Outline Round-Optimal Waters Blind Signatures David Pointcheval 1 Introduction Joint work with

Outline Round-Optimal Waters Blind Signatures David Pointcheval 1 Introduction Joint work with

Introduction Cryptographic Tools Signatures on Ciphertexts Blind Signatures Introduction Cryptographic Tools Signatures on Ciphertexts Blind Signatures Outline Round-Optimal Waters Blind Signatures David Pointcheval 1 Introduction Joint

366 views • 12 slides
Strengthened Security for Blind Signatures David Pointcheval Laboratoire dInformatique

Strengthened Security for Blind Signatures David Pointcheval Laboratoire dInformatique

Strengthened Security for Blind Signatures David Pointcheval Laboratoire dInformatique Ecole Normale Suprieure David.Pointcheval@ens.fr http://www.dmi.ens.fr/pointche Strengthened Security for Blind Signatures Summary Blind

370 views • 9 slides
Blind Signatures Sanjam Garg Vanishree Rao Amit Sahai UCLA Dominique Schroeder*

Blind Signatures Sanjam Garg Vanishree Rao Amit Sahai UCLA Dominique Schroeder*

Round Optimal Blind Signatures Sanjam Garg Vanishree Rao Amit Sahai UCLA Dominique Schroeder* Dominique Unruh University of Maryland University of Tartu (http://eprint.iacr.org/2011/264) *Postdoctoral Fellow of the DAAD Blind

1.15k views • 22 slides
Practical Round-Optimal Blind Signatures in the Standard Model from Weaker Assumptions G.

Practical Round-Optimal Blind Signatures in the Standard Model from Weaker Assumptions G.

Practical Round-Optimal Blind Signatures in the Standard Model from Weaker Assumptions G. Fuchsbauer , C. Hanser C. Kamath , and D. Slamanig Ecole Normale Sup erieure, Paris IAIK, Graz University of Technology,

391 views • 21 slides
Blind Signatures with flying colors Olivier Blazy XLim, Universit de Limoges Feb 2014 O.

Blind Signatures with flying colors Olivier Blazy XLim, Universit de Limoges Feb 2014 O.

Blind Signatures with flying colors Olivier Blazy XLim, Universit de Limoges Feb 2014 O. Blazy (XLim) Blind Sig Feb 2014 1 / 50 General Remarks 1 Building blocks 2 Non-Interactive Proofs of Knowledge 3 Interactive Implicit Proofs 4

1.24k views • 89 slides
New Blind Signatures Equivalent to Factorization David Pointcheval Jacques Stern

New Blind Signatures Equivalent to Factorization David Pointcheval Jacques Stern

New Blind Signatures Equivalent to Factorization David Pointcheval Jacques Stern David.Pointcheval@info.unicaen.fr Jacques.Stern@ens.fr Universit e de Caen Ecole Normale Sup erieure GREYC Laboratoire dInformatique F 14000

378 views • 10 slides
Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Group Signatures [CH91] preserve the anonymity of the signer. Blind Signatures [Cha83] preserve the

Group Signatures [CH91] preserve the anonymity of the signer. Blind Signatures [Cha83] preserve the

F ORMALIZING G ROUP B LIND S IGNATURES AND P RACTICAL C ONSTRUCTIONS WITHOUT R ANDOM O RACLES Essam Ghadafi ghadafi@cs.bris.ac.uk University of Bristol ACISP 2013 F ORMALIZING G ROUP B LIND S IGNATURES . . . O UTLINE B ACKGROUND 1 S ECURITY M

566 views • 42 slides
Austin Marathon and Half Prep &amp; Pump 2015 The Prep, Part 1: Your Mind Lennie Waite

Austin Marathon and Half Prep &amp; Pump 2015 The Prep, Part 1: Your Mind Lennie Waite

Austin Marathon and Half Prep &amp; Pump 2015 The Prep, Part 1: Your Mind Lennie Waite The Prep, Part 2: The Course Chris McClung The Pump Steve Sisson The Prep, part 1: Your Mind Lennie Waite, PhD A Running State of Mind

294 views • 28 slides
CSc 337 LECTURE 33: DATABASES Databases Database (DB) - an organized collection of data. We

CSc 337 LECTURE 33: DATABASES Databases Database (DB) - an organized collection of data. We

CSc 337 LECTURE 33: DATABASES Databases Database (DB) - an organized collection of data. We have used files with data separated by new lines By this definition, our files can be considered a database. Database management system (DBMS) -

545 views • 16 slides
CUOC SI Course 01 Feb 2016 Pre-requisites Download and install stuff You should have the

CUOC SI Course 01 Feb 2016 Pre-requisites Download and install stuff You should have the

CUOC SI Course 01 Feb 2016 Pre-requisites Download and install stuff You should have the following software installed: Purple Pen SiConfig SI USB Driver Java Geco Purple Pen Export XML file SI Hardware SI boxes SI

658 views • 40 slides
for Our Communities Launch of 2019 Prosperity Now Scorecard Local Data July 16, 2019 Welcome

for Our Communities Launch of 2019 Prosperity Now Scorecard Local Data July 16, 2019 Welcome

Plotting a Path to Prosperity for Our Communities Launch of 2019 Prosperity Now Scorecard Local Data July 16, 2019 Welcome Kasey Wiedrich Director of Applied Research Prosperity Now Housekeeping This webinar is being recorded and will

935 views • 59 slides
Bitcoin &amp; Blockchains Kevin Sekniqi A Brave New World - The Vision of David Chaum David

Bitcoin &amp; Blockchains Kevin Sekniqi A Brave New World - The Vision of David Chaum David

Bitcoin &amp; Blockchains Kevin Sekniqi A Brave New World - The Vision of David Chaum David Chaum PhD CS/Business Adm from Berkeley 1982 Founded IACR same year eCash, mix nets, voting systems A Brave New World - The Vision of David Chaum

791 views • 52 slides
Practical Anonymous Subscriptions Alan Dunn, Jonathan Katz, Sangman Kim, Michael Lee, Lara

Practical Anonymous Subscriptions Alan Dunn, Jonathan Katz, Sangman Kim, Michael Lee, Lara

Practical Anonymous Subscriptions Alan Dunn, Jonathan Katz, Sangman Kim, Michael Lee, Lara Schmidt, Brent Waters, Emmett Witchel Practical Anonymous Subscriptions Alan Dunn, Jonathan Katz, Sangman Kim, Michael Lee, Lara

694 views • 34 slides
Primitives et constructions cryptographiques pour la confiance numrique Damien Vergnaud

Primitives et constructions cryptographiques pour la confiance numrique Damien Vergnaud

Primitives et constructions cryptographiques pour la confiance numrique Damien Vergnaud Ecole normale sup erieure C.N.R.S. I.N.R.I.A. 3 avril 2014 D. Vergnaud (ENS) Cryptographic Primitives for Digital Confidence Apr. 3rd 2014,

1.27k views • 82 slides
ALPTEK N KP Assistant Professor of Computer Science and Engineering Two Main Types of

ALPTEK N KP Assistant Professor of Computer Science and Engineering Two Main Types of

ALPTEK N KP Assistant Professor of Computer Science and Engineering Two Main Types of Cloud Outsource a job to a more Outsource a job to powerful entity multiple entities Outsourcing computation to Outsourcing computation to Amazon

422 views • 6 slides

More recommend