Score:3

Details about blind signature on ed25519

ca flag

Recently, I started looking up details about implementing a blind signature on ed25519 cryptography. I saw this article https://stan.bar/blindsig/ by Stanislaw Baranski about it. In the first point, it says that Bob generates a random number (nonce) $k$ in range $(1, q-1)$, computes $r=k \times G \pmod p$ and sends $r$ to Alice.

Now, how safe is it to make $r$ public and to share the same $r$ across different signers? Or should I make a different $r$ for each signer and still publicly publish all $r$?

knaccc avatar
es flag
Note that the article has errors. It says that "We use uppercase letters for points on a curve", yet uses lowercase $r$ instead of $R$ in $r=kG$. It uses the operator symbol ✕ both for scalar multiplication and for point addition, which is confusing. It also contains references to "mod p", which is a remnant of non-EC schemes which should not appear in EC point math.
user10002393 avatar
ca flag
You are right, after a better look I noticed such errors too. Do you know any better reference for blind signature on ed25519?
knaccc avatar
es flag
Is it essential for your use case that the signer is unable to recognize the signature later? It's easy to ask someone to sign something such that the signer isn't aware of the message. The more difficult part is making it impossible for the signer to recognize their signature later. What is your use case?
user10002393 avatar
ca flag
Well, an anonymous cash system where I can't use zkstuff or rings. I can only verify that an ed25519 signature is valid. My idea is to build a three-step protocol where first users propose a "challenge" to be signed by a validator, the validator signs every message, and then users individually unblind the message to withdraw the funds.
user10002393 avatar
ca flag
So yes, it would be nice to make it impossible to follow for the signer too. If this can't be done, the signer can just mix the signatures before publishing them (but it's not a good approach imo).
knaccc avatar
es flag
I've looked through the scheme in the article, and at first glance it looks good to me. Essentially, the signature challenge scalar is blinded by $b$, and the signer's commitment $R$ is blinded by $aG$. This makes it impossible for the signer to recognize their signature. $R$ should definitely not be re-used between signers. Hopefully someone here will have a reference to a security-audited paper that uses this technique, which is quite simple and elegant.
user10002393 avatar
ca flag
Okay, then, can I make it public? Can I prior publish n- r and then user will use such r in order?
knaccc avatar
es flag
$R$ is the public commitment of the signer's secret nonce $k$. Signers can't share the same $R$ value, because that would require them to all know the $k$ value, which is catastrophic. I think you can, however, publish a particular signer's $R$ value.
user10002393 avatar
ca flag
I'm talking about this r=k×G(mod p). Can I precompute n-k and then publish all resulting r publicly for everyone?
knaccc avatar
es flag
I know, I'm calling it $R$ instead of $r$ because it's a point and not a scalar.
user10002393 avatar
ca flag
Okay, so it can be done. Then any user will pick his own R in order which has been published and will deploy their own e. So knowing R, e, and S, it's still impossible to track which user a (R', s') signature belongs to.
knaccc avatar
es flag
Just to be clear, only signers pick their own secret $k$ values, and therefore only signers publish their commitment values $R=kG$. The $e$ value is a challenge from the person asking the signer to blindly sign, and the signer should not choose it. And yes, if the signer already knows $R,e,s$ and they can't recognize their own signature, then neither can the public.
user10002393 avatar
ca flag
Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/140606/discussion-between-user10002393-and-knaccc).
Stanislaw Baranski avatar
ng flag
Hey, thanks for pointing out the errors in the article. I've updated it accordingly. @knaccc can you spot any errors?
knaccc avatar
es flag
@StanislawBaranski it looks like you've addressed the issues. Btw, `mod p` still applies for scalar-only arithmetic - I just meant it should not appear on a line which has point operations, since you don't `mod p` a point. One other thing - when dealing with point coordinates, the x and y are mod q, where q is the dimension of the finite field, i.e. 2^255-19. The other number, p, is the group order, and is a different number that scalar-only operations are modded by. Random scalars are less than p, so that part of your article is correct as long as you don't say earlier that p = 2^255-19
Stanislaw Baranski avatar
ng flag
@knaccc Thank you! Fixed again :) Added the line "For scalar-only operations, we also use modular arithmetic but over a different prime number (group order)" and the (mod L) for each scalar operation.
knaccc avatar
es flag
@StanislawBaranski one last thing, if you're calling the group order L, then the scalars should be integers less than L. Your article currently still says less than p
Stanislaw Baranski avatar
ng flag
@knaccc ah, you're right, updated! Thank you very much :)
Score:3
es flag

The article makes reference to a point $r$, which is the blind signer's public commitment to their secret nonce $k$.

If $r$ is re-used, this implies the same secret nonce $k$ is re-used. You should therefore always have a different $k$ for every single signature produced, which implies a different $r$ commitment value each time.

There is no loss of signature blindness if a blind signer's $r$ values are published publicly.
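
The exchange discussed in this thread, as an added example that is not code from the article or from any poster: a signer hands out single-use commitments $R=kG$, a user blinds with $a$ and $b$, and `explains` shows that every signer transcript $(R,e,s)$ is consistent with every finished signature. The blinding equations $R'=R+aG+bA$, $e=e'+b$, $s'=s+a$, the RFC 8032 style challenge hash, and all class and function names are assumptions of this sketch.

```python
import hashlib, secrets

q = 2**255 - 19                                        # field prime (coordinates)
L = 2**252 + 27742317777372353535851937790883648493    # group order (scalars)
d = -121665 * pow(121666, -1, q) % q                   # curve constant
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     4 * pow(5, -1, q) % q)                            # RFC 8032 base point

def add(P, Q):                       # complete twisted Edwards addition
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % q
    return ((x1*y2 + x2*y1) * pow(1 + t, -1, q) % q,
            (y1*y2 + x1*x2) * pow(1 - t, -1, q) % q)

def mul(k, P):                       # double-and-add; not constant time
    R = (0, 1)
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def challenge(R, A, msg):            # SHA-512(enc(R) || enc(A) || M) mod L
    enc = lambda P: (P[1] | (P[0] & 1) << 255).to_bytes(32, "little")
    h = hashlib.sha512(enc(R) + enc(A) + msg).digest()
    return int.from_bytes(h, "little") % L

class Signer:
    def __init__(self):
        self.x = secrets.randbelow(L - 1) + 1          # private scalar
        self.A, self.pending = mul(self.x, G), {}      # public key, unused nonces
    def commit(self):                # fresh secret k each time; R = kG is publishable
        k = secrets.randbelow(L - 1) + 1
        R = mul(k, G)
        self.pending[R] = k
        return R
    def sign(self, R, e):            # pop() makes each R single-use (reuse: KeyError)
        return (self.pending.pop(R) + e * self.x) % L

def blind(R, A, msg):                # user: R' = R + aG + bA, send e = e' + b
    a, b = secrets.randbelow(L), secrets.randbelow(L)
    R2 = add(add(R, mul(a, G)), mul(b, A))
    return a, R2, (challenge(R2, A, msg) + b) % L      # unblind later: s' = s + a

def verify(A, msg, R2, s2):          # s'G == R' + e'A
    return mul(s2, G) == add(R2, mul(challenge(R2, A, msg), A))

def explains(view, sig, A, msg):     # could signer view (R, e, s) have produced sig?
    (R, e, s), (R2, s2) = view, sig
    a, b = (s2 - s) % L, (e - challenge(R2, A, msg)) % L
    return add(add(R, mul(a, G)), mul(b, A)) == R2
```

Because `explains` returns true for every pairing of transcript and signature, the signer's records cannot single out which session produced which signature. The sketch is not constant time and does not limit how many commitments are open at once, which security analyses of blind Schnorr signing treat as a separate concern.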
