An implementation of Groth-Kohlweiss one-of-N knowledge of discrete logs
Ian Goldberg e7dd0c12b9 Add a brief README | 2 years ago | |
---|---|---|
README.md | 2 years ago | |
gk15.go | 2 years ago | |
main.go | 2 years ago |
Ian Goldberg (iang@uwaterloo.ca), 2020-04-20
This code implements the protocol of Section 3 of Groth and Kohlweiss, "One-out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin", Eurocrypt 2015.
You can look at this protocol in a number of ways:
The technique of Section 4 of the above paper uses this same protocol to produce a log-sized ring signature: just compute the challenge x non-interactively as a hash of the group parameters, a message, the ring of public keys, and the output of the prover's first message.
The size of the proof is 4n group elements, plus 3n+1 scalars, where n = ceil(log_2(N)), and N is the number of commitments/group elements/public keys.