1
$\begingroup$

I'm working on a pairing-friendly (Barreto-Naehrig) elliptic curve. If I understand correctly, one consequence of this is that the Decisional Diffie-Hellman assumption no longer holds, but the Computational Diffie-Hellman assumption still should.

I'd like to be able to construct linkable ring signatures, but all the linkable ring signature schemes I know of depend on DDH for their anonymity proofs, and none of the pairing-based ring signature schemes I know of are linkable.

Are there any linkable ring signature schemes that are usable on pairing-friendly curves?

Improve this question
$\endgroup$
2
  • $\begingroup$ Why are you looking for linkable ring signatures on pairing-friendly curves? What is motivating you to use pairing-friendly curves in the first place, and what does that have to do with linkable ring signatures? $\endgroup$ Commented Nov 3, 2017 at 17:21
  • $\begingroup$ I thought it would be fun to try implementing something like CryptoNote or RingCT as an Ethereum smart contract. The Ethereum VM doesn't currently have primitives for the sorts of curves that are usually used for this sort of thing (Curve25519, secp256k1), which makes them prohibitively expensive, but they did recently add primitives for BN curves. $\endgroup$ Commented Nov 3, 2017 at 17:30

1 Answer 1

Reset to default
1
$\begingroup$

As I know, the pairing on bn-curve is type 3, $G_1\times G_2\rightarrow G_T$. In CryptoNote, the key image is $I=H(P)^x$ and it can't be attacked if $H(*)$ and $P$ belong to same group.

See my question related.

Improve this answer
$\endgroup$

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.