An implementation of Groth-Kohlweiss one-of-N knowledge of discrete logs

Ian Goldberg e7dd0c12b9 Add a brief README %!s(int64=4) %!d(string=hai) anos
README.md e7dd0c12b9 Add a brief README %!s(int64=4) %!d(string=hai) anos
gk15.go 09fecd374b Make all of the arrays 0-based %!s(int64=4) %!d(string=hai) anos
main.go 7e2b0506e7 Verification %!s(int64=4) %!d(string=hai) anos

README.md

Log-sized Proof of 1-of-N knowledge of DL

Ian Goldberg (iang@uwaterloo.ca), 2020-04-20

This code implements the protocol of Section 3 of Groth and Kohlweiss, "One-out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin", Eurocrypt 2015.

You can look at this protocol in a number of ways:

  • knowledge of an opening of one of N Pedersen commitments to 0
  • knowledge of one of N discrete logs of group elements
  • knowledge of one of N private keys

The technique of Section 4 of the above paper uses this same protocol to produce a log-sized ring signature: just compute the challenge x non-interactively as a hash of the group parameters, a message, the ring of public keys, and the output of the prover's first message.

The size of the proof is 4n group elements, plus 3n+1 scalars, where n = ceil(log_2(N)), and N is the number of commitments/group elements/public keys.