Getting your Trinity Audio player ready...
|
This post was first published on Medium
We have implemented the first-ever Ring signature in Bitcoin.
Ring Signatures
A ring signature is a type of digital signature that allows a message to be signed by a single member in a group, or a ring. It proves that someone in the ring indeed signs, but there is no way to identify the actual signer amongst the ring members.
Its increased privacy enables many applications, such as:
- whistleblowing: a government whistleblower wants to leak that his agency is secretly collecting citizens’ private data, yet wants to remain anonymous due to the risk of being fired. By using a ring signature, he can demonstrate that he works for the agency and thus add credibility to the claim, while concealing his identity.
- e-voting: a voter signs his vote on behalf of all the people eligible to vote. She proves she has registered and is eligible to vote, without disclosing her vote¹.
- private membership authentication: a user proves to an application she is registered without disclosing who she is.
It has been used by many blockchains to preserve privacy, most notably in Monero.
Ring signatures in Bitcoin
There are multiple ways to implement ring signatures. We choose a scheme called Spontaneous Anonymous Group signatures², because it is based in elliptic curve and amenable for implementation in Bitcoin.
Signing
Given a message, a group/ring of public keys, and a private key, a signature is produced as follows:
Verifying
Given a signature, a message, and a ring of public keys, the following algorithm determines if the signature is created by a private key corresponding to a public key in the ring, in two steps:
Implementation
We have implemented Ring signature verification, using elliptic curve library. Anyone who knows a private key of the group of public keys can sign and spend the coins locked in the contract. No one can tell which one signed, even the group members.
Line 21 to 31 iteratively update c, as in step 1. Line 34 checks step 2.
***
NOTES:
[1] A ring signature that is linkable, which allows identifying whether two signatures belong to the same signer, is needed to detect double-voting.
[2] Section 3.3 of Zero to Monero.
Watch: CoinGeek New York presentation, Smart Contracts & Computation on Bitcoin