blocksight 2021-06-18 05:23:19 阅读数:215
In the last introduction Blind signature principle , A friend added that blind signature is currently used in electronic signature occasions .
Today, I will continue to talk about another variant of signature scheme -- Ring signature , Right now in privacy Monero There are applications in the project .
Ring signature allows a signer to sign on behalf of a signature set , At the same time, the anonymity of the signer's identity is guaranteed , The signer does not need the help of other members in the collection when signing （ Collaboration ）, Even without other members knowing , You only need to use your own private key and the public key of other members . The difference in verifying a signature is , Only verifiable signatures from group members , But there's no way to distinguish a particular member .
Ring signature technology is developed by Ron Rivest, Adi Shamir, and Yael Tauman Invented , On 2001 Published . Ring signature is named after its ring structure signature algorithm .
Ring signature is a special kind of signature , About group signature , No expansion , If you are interested, please refer to .
Ring signature satisfies the property ：
1. Unconditional anonymity : The attacker cannot determine which member of the group generated the signature , Even if the ring member's private key is obtained , The probability is no more than 1/r【r Is the number of members in the group 】.
2. Unforgeability : Other members of the group cannot forge the signature of the real signer , Even if the attacker obtains a valid ring signature , And not for news m Forge a signature .
Other properties , Such as correctness is obvious .
Sign contract : Select hash function Hash, Symmetric encryption algorithm E, secret key k, Message to be signed m, Group member public key $（P_1,P_2,...,P_r）$, The first j Members are real signers ,
Signature generation process ：
Verify the signature ：
The following is a detailed introduction to RSA A combined solution ！
Simplicity , All member public keys have the same n,$P_i$ representative $（n, e_i）$
5. The signer uses the private key to solve $x_j=g_j^1(y_j)$ ;
6. Get the news m The signature on is $（P_1,P_2,...,P_r;v;x_1,x_2,...x_r）$ ;
Specific project code , Can be found in GitHub Find a lot of open source implementations in .
The key point of ring signature is , If you know the private key $sk_j$, So we can reverse it $x_i$, send $y_1,y_2,...,y_r$ Form a ring . It's like the signer found a rope , The math guarantees that only people with private keys , To connect the two ends of the rope , Form a ring . And once it's a ring , There's no trace at the joint of the ring , This makes it impossible for the verifier to determine where the ring is connected .
Ring signature can achieve a certain degree of anonymity , But the real signer will still be exposed in the ring . And in the current public chain Market , Compared with ring signature , Zero knowledge proof is still one of the best anonymous schemes .
BTW, There is also an interesting historical story about ring signatures , It can be traced back to France in the 17th century . According to legend , When the French ministers gave advice to the king , In order not to let the king find out who had the head , This kind of ring signature is adopted , The names of all the people are arranged in a circle , Hiding the order , There is no way for the initiators to investigate .
（ Picture source network ）
Link to the original text ：https://mp.weixin.qq.com/s/Yg0Niv2Avf7Toj6rUPZP8Q Welcome to the official account ：blocksight
Mathematics in blockchain - Blind signature （Blind Signature） Blind signature principle
Mathematics in blockchain - sigma agreement OR Proof& Signature sigma Protocol extension --OR proof
Mathematics in blockchain -sigma Deal with the Fiat-Shamir Transformation sigma Deal with the Fiat-Shamir Transformation
Mathematics in blockchain - What is zero knowledge proof ? What is zero knowledge proof
Mathematics in blockchain - RSA Non member proof of accumulator RSA Accumulator Non member proof and blockchain applications
Mathematics in blockchain - Accumulator( accumulator ) Accumulator and RSA Accumulator
Mathematics in blockchain - Kate promise batch opening Kate Promise volume Certification
Mathematics in blockchain - I promise Knowledge and commitment
Mathematics in blockchain - Pedersen Key sharing Pedersen Key sharing
Mathematics in blockchain - Pedersen promise Cryptography promises --Pedersen promise
Mathematics in blockchain - Inadvertently transmit Oblivious transport protocol
Mathematics in blockchain - RSA Algorithm encryption and decryption process and principle RSA Encryption and decryption algorithm
Mathematics in blockchain - BLS Threshold signature BLS m of n Threshold signature
Mathematics in blockchain - BLS Key aggregation BLS Key aggregation
Schorr Signature Basics Schorr Signature and elliptic curve
Mathematics in blockchain -Uniwap Automated market maker core algorithm analysis Uniwap Core algorithm analysis （ in ）