-
Data can be encoded multiple ways depending on how it will be used with other ZKPs. For example, it will not be useful to hash an integer to a 32-byte value using SHA256 and expect it to work properly…
-
To save on gas, a secp256k1 ScalarBaseMult can occur in the swap contract instead of an ed25519 ScalarBaseMult to verify the secret corresponding to the public key, as this is cheaper to do with secp25…
-
Currently, the first step of the protocol (key exchange phase) does not require either party to go first. However, there is a potential attack where if Bob sends his public key `P_b = G*s_b` first, Al…
-
The PMB Tokens paper constructs a weaker version of a VOPRF without DLEQ proofs (see Section 7 of https://eprint.iacr.org/2020/072). The weakness of the construction allows the server to send back ran…
-
I designed the VRF to be useful for DLEQ proofs more generally. Right now, we only support DLEQ proofs with merged signing by one private key though, but a DLEQ proof tool should probably do merged s…
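As an added example, not code from the page's authors or from any of the projects referred to above: a Chaum-Pedersen DLEQ proof used to make an OPRF evaluation verifiable, which is the gap the PMB Tokens remark describes (no DLEQ proof, so the server can hand back an unrelated value undetected) and the general DLEQ tooling the VRF comment has in mind. The client blinds `H(x)`, the server returns `blinded^k` together with `pk = G^k` and a proof that both share the exponent `k`, and the client rejects when the proof does not check out. The group (a small safe-prime subgroup), the hash-to-group mapping, the deterministic nonce derivation and all function names are assumptions made for this demo, not anything the page specifies.

```python
import hashlib
import secrets

# Constructed toy parameters: the order-Q subgroup of Z_P^*, where P = 2Q + 1 is a
# safe prime. Far too small for real use; they only keep the arithmetic readable.
P = 10007
Q = 5003
G = 4  # a quadratic residue, hence a generator of the order-Q subgroup


def hash_to_group(msg: bytes) -> int:
    """Toy hash-to-group (assumption): hash, reduce into [1, P-1], square into the subgroup."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % (P - 1) + 1
    return pow(h, 2, P)


def challenge(*elems: int) -> int:
    """Fiat-Shamir challenge over the whole transcript, in [1, Q-1] so it is never 0."""
    data = b"".join(e.to_bytes(4, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def dleq_prove(k: int, g1: int, h1: int, g2: int, h2: int) -> tuple:
    """Chaum-Pedersen proof that log_g1(h1) == log_g2(h2) (== k, known to the prover).
    The nonce r is derived deterministically from the key and the statement (a demo
    assumption in the style of RFC 6979) so that a run is reproducible."""
    seed = b"dleq-nonce" + b"".join(e.to_bytes(4, "big") for e in (k, g1, h1, g2, h2))
    r = int.from_bytes(hashlib.sha256(seed).digest(), "big") % (Q - 1) + 1
    c = challenge(g1, h1, g2, h2, pow(g1, r, P), pow(g2, r, P))
    s = (r - c * k) % Q
    return c, s


def dleq_verify(proof: tuple, g1: int, h1: int, g2: int, h2: int) -> bool:
    """Recompute both commitments as g^s * h^c, which equals g^r only if the statement holds."""
    c, s = proof
    t1 = pow(g1, s, P) * pow(h1, c, P) % P
    t2 = pow(g2, s, P) * pow(h2, c, P) % P
    return c == challenge(g1, h1, g2, h2, t1, t2)


def server_evaluate(k: int, blinded: int, honest: bool = True):
    """Server step: return pk = G^k, the evaluation blinded^k, and a DLEQ proof tying them.
    A cheating server returns blinded^k * G instead, an element that is not the evaluation;
    no proof under its key can be valid for it, so the client's check catches the swap."""
    pk = pow(G, k, P)
    out = pow(blinded, k, P)
    if not honest:
        out = out * G % P
    proof = dleq_prove(k, G, pk, blinded, out)
    return pk, out, proof


def run_protocol(k: int, x: bytes, honest: bool = True, verify: bool = True, blind: int = 0):
    """Simulate both sides of one evaluation of F_k(x) = H(x)^k.
    Returns (accepted, output); output is None when the client rejects the proof.
    blind=0 means pick a fresh random blinding factor."""
    hx = hash_to_group(x)
    b = blind or secrets.randbelow(Q - 1) + 1
    blinded = pow(hx, b, P)                                # client -> server
    pk, out, proof = server_evaluate(k, blinded, honest)   # server -> client
    if verify and not dleq_verify(proof, G, pk, blinded, out):
        return False, None
    return True, pow(out, pow(b, -1, Q), P)                # unblind with b^-1 mod Q


if __name__ == "__main__":
    k = 1234
    print(run_protocol(k, b"token"))                            # accepted, output == H(x)^k
    print(run_protocol(k, b"token", honest=False))              # rejected: proof fails
    print(run_protocol(k, b"token", honest=False, verify=False))  # accepted garbage: the PMB Tokens weakness
```

The third call in the `__main__` block is the unverified construction: with `verify=False` the client accepts and unblinds whatever the server sent, and ends up holding a value that is not `H(x)^k` without any way to notice. A real deployment would of course use a proper prime-order curve, a standard hash-to-group, and a fresh random nonce; the deterministic nonce here only keeps the demo reproducible.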
-
I think we should add some documentation on the repo about our choice to use adaptor signatures and what variant we are using with links to more extensive documentation on what they are. They are a co…
-
### Motivation
The implementation of the cross-curve DLEQ proof from `sigma_fun` (subcrate of `secp256kfun`) is 2.5 times faster, quite a bit smaller and more likely to be correct.
-
When attempting to use vrf sign in a `#[no_std]` context, with no rand features, and with a custom rng attached to my transcript (via `attach_rng`), I got a panic, since schnorrkel was attempting to use os-…
-
## Situation
Currently, Alice sends Bob the following keys in `alice::Message0`:
- Bitcoin public key `A`;
- Monero public spend key `S_a^xmr`;
- Bitcoin public key `S_a^btc`; and
- Monero…