Crate short_group_sig
Short group signatures
- BB and Weak-BB signatures and proof of knowledge of weak-BB signature as described in the paper Short Signatures Without Random Oracles
- Proof of knowledge of BB signature adapted from the paper Proof-of-Knowledge of Representation of Committed Value and Its Applications
- An optimized implementation of proof of knowledge of weak-BB signature taken from the paper Scalable Revocation Scheme for Anonymous Credentials Based on n-times Unlinkable Proofs. This does not require the prover to do pairings.
- Similar to weak-BB, proof of knowledge of BB signature that does not require the prover to do pairings.
- A keyed-verification protocol for proving knowledge of weak-BB signature. Here the verifier is assumed to have the secret key and the protocol does not require pairings.
Modules
- BB signature
- Proof of knowledge of BB signature. Adapted from the construction in section 4.2 of the paper Proof-of-Knowledge of Representation of Committed Value and Its Applications. Specifically, the adaptation is of SPK_1 of construction pi_m in section 4.2, as follows: for BB signature, secret key = (x, y), public key = (w1=g2*x, w2=g2*y), message = m and signature = (A = g*{1/{m + x + e*y}}, e). As part of setup params, generators u, v and h of group G1 exist.
- Proof of knowledge of BB signature. This is not published in any paper but is an adaptation of a similar protocol for proving knowledge of weak-BB signature. The advantage of this variation is that the prover does not need to compute any pairings. Following is a description: for BB signature, secret key = (x, y), public key = (w1=g2*x, w2=g2*y), message = m and signature = (A = g*{1/{m + x + e*y}}, e). As part of setup params, generators u, v and h of group G1 exist.
- Weak BB signature
- Proof of knowledge of weak-BB signature. Implements the protocol described in section 4 of the paper Short Group Signatures
- Proof of knowledge of weak-BB signature as described in the paper Scalable Revocation Scheme for Anonymous Credentials Based on n-times Unlinkable Proofs. The advantage of this variation is that the prover does not need to compute any pairings.
- Proofs of knowledge of weak-BB signature with keyed-verification, i.e. the verifier needs to know the secret key to verify the proof. g1 is the generator of group G1, secret key = x, message = m, signature = A = g1 * 1/(x + m)