Multilayered Linkable Spontaneous Anonymous Group - Implemented as is from paper. Not Monero specific

Overview

MLSAG

This is a pure Rust implementation of the Multilayered Linkable Spontaneous Anonymous Group construction.

  • This implementation has not been reviewed or auditted. Use at your own risk.

Rust

This implementation requires Rust nightly.

Details

  • This particular version leverages Ristretto255. The basepoint used can be modified accordingly.

Monero Differences

  • This construction differs from the monero implementation in that we do not assume a specific context for the scheme, therefore all key images are needed to validate the signature.

  • Using Merlin transcripts, we do allow prefixing before items are added into the transcript. For no other reason than simplicity, we have opted to not add any extra items into the hash function. This should not affect the security of the scheme.

Further Applied Explorations

This particular library aims at a more generic construction for MLSAG therefore, the following features may be explored:

  • Custom ordering of members in the ring before signing. This can be done by adding a "tag" field to each member and allowing the user to pass in a closure to sort on this "tag".

  • Generic group trait to allow an instantiation of any Group to be used.

  • Currently code does not check if one members key is a permutation of anothers. This may not be consequential.

Known attacks

  • Since the Ristretto255 co-factor is 1. This implementation does not suffer form a small-order subgroup attack.

  • Another attack vector that can be explored is through the hash to point construction for the key image. If the hash to point construction allows for any commutativity, then the privacy feature of a ring signature will be lost.

For example:

  • Let P = x * G

  • HashToPoint(P) = (sha_256)(P) * G

  • KeyImage(x) = x * HashToPoint(P) = x * (sha_256(P) * G) = (x * G) * (sha_256(P)) = P * sha_256(P)

This allows an outsider to calculate the key Image of the signer with knowledge of just the public key.

Benchmarks

  • Processor : 2.2Ghz intel core i7

License

Licensed under MIT:

Design decisions

The Verify method takes a reference to the public keys

  • In the context of blockchains, the public key will be derived by deserailising a blob of bytes. In this sense, it will not be coming from another part of the program. It is therefore likely that it may be used in another process after verification; in some state management logic.

The Sign method does not take a reference to the the private key

  • The private key is consumed for safety and for contexttual reasons. In the blockchain context, a user can only sign once with a particular private key. If a user would like to sign the same/different message with a new set of decoys, this must be intentional; the user must create a new mlsag object, pick the same private keys and a different set of decoys. For safety, once a user has completed signing, the author does not believe that keeping the private key in the program is beneficial. If a user would like to use the private key again, they must re-generate. It is therefore impossible to continuously sign different messages on accident.

We could equally argue that the private key should take a reference and the destroying of it, should not be this libraries responsibility.

  • This library does not mamnage any state, therefore if a user produces two signatures with the same linkability tags, there will be no errors. This logic is usually handled in a state machine.
You might also like...
Schnorr VRFs and signatures on the Ristretto group

schnorrkel Schnorrkel implements Schnorr signature on Ristretto compressed Ed25519 points, as well as related protocols like HDKD, MuSig, and a verifi

BTM is an incremental data backup mechanism that does not require downtime.

BTM Blockchain Time Machine. BTM is an incremental data backup mechanism that does not require downtime.

Simple (not simplest) UST vault that integrate with Anchor Protocol

Simple (not simplest) UST Vault Building a simple UST Vault that generate yield from Anchor while also have UST reserved for lending, and etc. This co

Hackathon project, not production ready (yet)

Ledger Nano PIV Application This is a Ledger Hackathon project targeted on building a PIV compatible Ledger Nano X/S+ application. The focus of this a

A Web3.0 forum implemented based on Substrate

Substrate Node Template A fresh FRAME-based Substrate node, ready for hacking 🚀 Getting Started Follow the steps below to get started with the Node T

A very bare-bone Block Chain demo that purely implemented by Rust and yew
A very bare-bone Block Chain demo that purely implemented by Rust and yew

Intro bloc is one of bare-bone blockchain demo written by Rust, Yew during my learning BlockChain, about years ago. see demo here It just demonstrate

A Web3.0 forum implemented based on Substrate

Substrate Node Template A fresh FRAME-based Substrate node, ready for hacking 🚀 Getting Started Follow the steps below to get started with the Node T

Thaler's Proofs, Args, and ZK Implemented in Rust using arkworks
Thaler's Proofs, Args, and ZK Implemented in Rust using arkworks

rthaler • Dr. Thaler's book Proofs, Args, and ZK implemented in rust using the arkworks cryptographic rust toolset. Various Zero Knowledge Protocols a

An ECDSA threshold signature algorithm implemented in Rust.
An ECDSA threshold signature algorithm implemented in Rust.

Open TSS This project is a Rust implementation of multi-party {t,n}-threshold signature scheme(TSS). The current version of this library supports ECDS

Owner
Crate Crypto
Open source cryptographic implementations. Mostly from IACR.
Crate Crypto
Silent monero miner using xmrig and has 0% donation.

Note If this reprository is useful to you in in any shape or form please give it a star. Educational purposes only Don't use this project maliciously.

RadonCoding 4 Nov 21, 2022
Nym provides strong network-level privacy against sophisticated end-to-end attackers, and anonymous transactions using blinded, re-randomizable, decentralized credentials.

The Nym Privacy Platform The platform is composed of multiple Rust crates. Top-level executable binary crates include: nym-mixnode - shuffles Sphinx p

Nym 653 Dec 26, 2022
The Light Protocol program verifies zkSNARK proofs to enable anonymous transactions on Solana.

Light Protocol DISCLAIMER: THIS SOFTWARE IS NOT AUDITED. Do not use in production! Tests cd ./program && cargo test-bpf deposit_should_succeed cd ./pr

null 36 Dec 17, 2022
L2 validity rollup combined with blind signatures over elliptic curves inside zkSNARK, to provide offchain anonymous voting with onchain binding execution on Ethereum

blind-ovote Blind-OVOTE is a L2 voting solution which combines the validity rollup ideas with blind signatures over elliptic curves inside zkSNARK, to

Aragon ZK Research 3 Nov 18, 2022
An implementation of the paper "Honey Badger of BFT Protocols" in Rust. This is a modular library of consensus.

Honey Badger Byzantine Fault Tolerant (BFT) consensus algorithm Welcome to a Rust library of the Honey Badger Byzantine Fault Tolerant (BFT) consensus

null 335 Dec 25, 2022
Noir is a domain specific language for zero knowledge proofs

The Noir Programming Language Noir is a Domain Specific Language for SNARK proving systems. It has been designed to use any ACIR compatible proving sy

null 404 Jan 1, 2023
A pure-Rust implementation of group operations on Ristretto and Curve25519

curve25519-dalek A pure-Rust implementation of group operations on Ristretto and Curve25519. curve25519-dalek is a library providing group operations

dalek cryptography 611 Dec 25, 2022
A Rust implementation of the Message Layer Security group messaging protocol

Molasses An extremely early implementation of the Message Layer Security group messaging protocol. This repo is based on draft 4 of the MLS protocol s

Trail of Bits 109 Dec 13, 2022
Implementation of the BLS12-381 pairing-friendly elliptic curve group

bls12_381 This crate provides an implementation of the BLS12-381 pairing-friendly elliptic curve construction. This implementation has not been review

Zero-knowledge Cryptography in Rust 183 Dec 27, 2022
Two-party and multi-party ECDSA protocols based on class group with Rust

CG-MPC-ECDSA This project aims to implement two-party and multi-party ECDSA protocols based on class group with Rust. It currently includes schemes de

LatticeX Foundation 16 Mar 17, 2022