{"id":22303529,"url":"https://github.com/lovesh/ps-sig","last_synced_at":"2025-07-29T04:31:03.706Z","repository":{"id":62443065,"uuid":"224025697","full_name":"lovesh/ps-sig","owner":"lovesh","description":"Pointcheval Sanders signature","archived":false,"fork":false,"pushed_at":"2020-01-16T09:45:11.000Z","size":65,"stargazers_count":27,"open_issues_count":0,"forks_count":7,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-06-21T10:49:26.865Z","etag":null,"topics":["multi-signature","randomizable-signature"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lovesh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-11-25T19:31:17.000Z","updated_at":"2025-02-05T20:22:35.000Z","dependencies_parsed_at":"2022-11-01T22:16:43.318Z","dependency_job_id":null,"html_url":"https://github.com/lovesh/ps-sig","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/lovesh/ps-sig","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lovesh%2Fps-sig","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lovesh%2Fps-sig/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lovesh%2Fps-sig/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lovesh%2Fps-sig/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lovesh","download_url":"https://codeload.github.com/lovesh/ps-sig/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lovesh%
2Fps-sig/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267026520,"owners_count":24023652,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-25T02:00:09.625Z","response_time":70,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["multi-signature","randomizable-signature"],"created_at":"2024-12-03T18:44:06.872Z","updated_at":"2025-07-29T04:31:03.433Z","avatar_url":"https://github.com/lovesh.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Randomizable signatures by David Pointcheval and Olivier Sanders.\n\n## From the CT-RSA 2016 paper [Short Randomizable signatures](https://eprint.iacr.org/2015/525) which uses interactive assumptions\n\n### Signature and proof of knowledge of signature\nImplements 2 variations as described in the paper in sections 4.2 and 6.1 respectively. The scheme in 6.1 was \npresented to make blind signatures efficient; there are ways to do blind signatures with 4.2, but they \nare relatively inefficient. One way to do so is described in [Coconut](https://arxiv.org/pdf/1802.07344.pdf).\n\nThe signature scheme from section 4.2 does not allow blind signatures straightaway, and the paper does not \ndescribe any technique to do so, but less efficient techniques from Coconut or others can be used. The scheme \nis implemented as described in the paper.  
\n\nThe code for this lives in signature.rs, blind_signature.rs and pok_sig.rs. For generating keys use `keys::keygen`.\n      \nThe signature scheme from section 6.1 of the paper allows for signing blinded messages as well. \nDemonstrated by test `test_signature_blinded_messages`.  \nImplements proof of knowledge of a signature from section 6.2 of the paper. Demonstrated by test `test_PoK_sig`.  \nIn addition to proof of knowledge, the user can also reveal some of the messages under the signature without revealing all messages or the signature.\nDemonstrated in test `test_PoK_sig_reveal_messages`.  \nA more comprehensive test where a user gets a signature over a mix of messages, where some of them are known while \nothers are committed to, and then a proof of knowledge of the signature is done while selectively revealing some messages. \nDemonstrated in the test `test_scenario_1`.\n2 variations of the scheme in section 6.1 are implemented; one of them follows the paper as it is.   \nThe other variation is implemented with some modifications. The public key is split into 2 parts, the \ntilde elements (X_tilde and Y_tilde) and the non-tilde elements (X, Y). Now the verifier only needs the former \n(tilde elements) and thus the verifier's storage requirements go down. Keygen and signing are modified as:\n- Keygen: Rather than only keeping X as the secret key, the signer keeps x, y_1, y_2, ..., y_r as the secret key. \nThe public key is unchanged, i.e. (g, Y_1, Y_2, ..., Y_tilde_1, Y_tilde_2, ...)\n- Sign: Let's say the signer wants to sign a multi-message of 10 messages where only 1 message is blinded. \nIf we go by the paper, where the signer does not have y_1, y_2, ..., y_10, the signer will pick a random u and compute the signature as \n(g^u, (XC)^u.Y_2^{m_2*u}.Y_3^{m_3*u}...Y_10^{m_10*u}); Y_1 is omitted as the first message was blinded. 
Of course the term \n(XC)^u.Y_2^{m_2*u}.Y_3^{m_3*u}...Y_10^{m_10*u} can be computed using efficient multi-exponentiation techniques, but it would be more efficient \nif the signer could instead compute (g^u, C^u.g^{(x+y_2.m_2+y_3.m_3+...y_10.m_10).u}). The resulting signature will have the same form \nand can be unblinded in the same way as described in the paper.  \nThis makes the signer's secret key storage a bit larger but makes signing more efficient, especially in cases \nwhere the signature has only a few blinded messages but most messages are known to the signer, which is usually the case with \nanonymous credentials, where the user's secret key is blinded (it is not known to the signer) in the signature. This variation makes \nsigning considerably faster unless the number of unblinded messages is very small compared to the number of blinded messages. \nRun test `timing_comparison_for_both_blind_signature_schemes` to see the difference.\n\n### Multi-signature\nMultiple PS signatures can be aggregated using the same principle as BLS signatures, since the secrets are in the exponents like in BLS signatures.\nSignatures are aggregated by multiplying them together like BLS signatures, and verification keys can be aggregated by multiplying the \ncorresponding parts together. The signers should however use the same `Params` and, while signing, create deterministic signatures using \n`Signature::new_deterministic`, which hashes the messages to create a group generator. Look at the test `test_multi_signature_all_known_messages`.\n\n\n## From the CT-RSA 2018 paper [Reassessing Security of Randomizable Signatures](https://eprint.iacr.org/2017/1197) which uses non-interactive assumptions\n\nThe code for this lives in signature_2018.rs and pok_sig_2018.rs. For generating keys use `keys::keygen_2018`. For multi-signatures, use the methods\n`MultiSignatureFast::from_sigs_2018` and `MultiSignatureFast::verify_2018`. 
Since the majority of the protocol for signing (known messages) and proof of knowledge \nof a signature is the same as in the CT-RSA 2016 paper, there is a lot of code reuse. Currently there is no implementation of blind signatures using this \nnew scheme, but it can be done by using the ideas from Coconut, where the committed attributes are individually committed using Elgamal encryption.\n\n### Implementation details\n\nThe groups for the public key (*_tilde) and signatures can be swapped by compiling with feature `SignatureG2` or `SignatureG1`. \nThese features are mutually exclusive. The default feature is `SignatureG2`, meaning signatures are in group G2, which \nmakes signing slower but proof of knowledge of signature faster.  \n\nTo run tests with the signature in group G1 (the proof of knowledge of a signature will then involve a multi-exponentiation in group G2):\n```\ncargo test --release --no-default-features --features SignatureG1\n```\n\nTo run tests with the signature in group G2 (the proof of knowledge of a signature will then involve a multi-exponentiation in group G1):\n```\ncargo test --release --no-default-features --features SignatureG2\n```\n\nTo benchmark, run the tests prefixed with `timing`; the time taken for various actions will be printed.\n```\ncargo test --release --no-default-features --features SignatureG2 timing -- --nocapture\n```\n\nor \n```\ncargo test --release --no-default-features --features SignatureG1 timing -- --nocapture\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flovesh%2Fps-sig","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flovesh%2Fps-sig","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flovesh%2Fps-sig/lists"}