Browse Source

Add a brief README

Ian Goldberg 2 years ago
1 changed files with 22 additions and 0 deletions
  1. 22 0

+ 22 - 0

@@ -0,0 +1,22 @@
+# Log-sized Proof of 1-of-N knowledge of DL
+Ian Goldberg (, 2020-04-20
+This code implements the protocol of Section 3 of Groth and Kohlweiss,
+["One-out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin"](,
+Eurocrypt 2015.
+You can look at this protocol in a number of ways:
+  * knowledge of an opening of one of N Pedersen commitments to 0
+  * knowledge of one of N discrete logs of group elements
+  * knowledge of one of N private keys
+The technique of Section 4 of the above paper uses this same protocol
+to produce a log-sized ring signature: just compute the challenge
+x non-interactively as a hash of the group parameters, a message,
+the ring of public keys, and the output of the prover's first message.
+The size of the proof is 4n group elements, plus 3n+1 scalars, where
+n = ceil(log\_2(N)), and N is the number of commitments/group
+elements/public keys.