Topic: Does Bitcoin Script Support Verify Blind Signature?

legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
A bit off-topic: if you're looking for cryptography where you can verify a signature without revealing the message, you should look into zero-knowledge proof cryptography.
There are a few cryptocurrencies which use it, such as Monero and ZCash.
newbie
Activity: 13
Merit: 4

Blind signatures have various applications and, as you may have already figured out, employing them in bitcoin is an application-side issue and has nothing to do with full nodes and the verification process.

For the bitcoin ECDSA 256k1 encryption algorithm, various blinding functions (f) have been proposed, for instance: https://eprint.iacr.org/2018/660.pdf

I've no further information about the extent to which this technique is used in the bitcoin ecosystem, but the point is that bitcoin nodes and their script processing engine are absolutely neutral in this regard and don't need to be improved to support it.



Ok, thanks!

Do group signature schemes that are compatible with the Elliptic Curve Digital Signature Algorithm (ECDSA) exist?

Are there papers about group signature schemes that are compatible with ECDSA?

legendary
Activity: 1456
Merit: 1175
Always remember the cause!
I think there is a deep misunderstanding here:

Blind signatures are not about the verification phase but about the signing phase:

Alice has a message m and wants Bob to sign it blindly, i.e., without disclosing m or leaking any information about it. Alice needs e = s(m, pb), where s is the asymmetric encryption algorithm used (ECDSA 256k1 for bitcoin) and pb is Bob's private key. The problem is for Bob to generate e without becoming aware of the original message m, while he doesn't want to disclose his private key to Alice either.

1- Alice first calculates m' = f(m), where f is a special one-way function such that e(f(x), p) = e(x, p). Function f is a homomorphism but is not reversible.

2- Alice sends m' to Bob and he signs it by generating e = s(m', pb). Bob has no clue about the actual message m being signed here.

3- Alice receives e from Bob and relays it to the designated verifiers along with m (the original message), just like a normal signed message.

4- Verifiers check the signature e against Bob's public key and m without being aware of the blinding process at all, and they will succeed because e = s(f(m), pb) = s(m, pb) according to the basic property of function f.

Blind signatures have various applications and, as you may have already figured out, employing them in bitcoin is an application-side issue and has nothing to do with full nodes and the verification process.

For the bitcoin ECDSA 256k1 encryption algorithm, various blinding functions (f) have been proposed, for instance: https://eprint.iacr.org/2018/660.pdf

I've no further information about the extent to which this technique is used in the bitcoin ecosystem, but the point is that bitcoin nodes and their script processing engine are absolutely neutral in this regard and don't need to be improved to support it.

newbie
Activity: 13
Merit: 4
Has anyone read this paper? Paper link: https://eprint.iacr.org/2016/056.pdf

In this paper, what script is used to verify the blind signature? I didn't understand.
On the seventh page of this paper, the transaction Tf needs to meet two conditions.
Code:
1. T_f is signed by I and contains a valid blind signature /theta on sn(overlines), or
2. T_f is signed by A and the time window tw has expired.
I know that Condition 2 is achieved using OP_EQUALVERIFY OP_CHECKSIG and a timelock.
But how is Condition 1 implemented?
Can someone teach me?
