Viewing posts by Adam Gibson

Avoiding Wagnerian tragedies

Posted by: Adam Gibson | in Cryptography | 2 months, 2 weeks ago | 0 comments

This blog post is all about this paper by David Wagner from 2002.

Multiparty S6

Posted by: Adam Gibson | in Bitcoin | 9 months ago | 10 comments

The multiparty symmetrical Schnorr signature scriptless script shuffle

This blog is in the category of "a new-ish idea about privacy tech"; like similar previous ones (e.g.: CoinJoinXT) it is little more than an idea, in this case I believe it is correct, but (a) I could be wrong and there could be a flaw in the thinking and (b) it's not entirely clear how practically realistic it will be. What I do hope, however, is that the kernel of this idea is useful, perhaps in Layer 2 tech or in something I haven't even thought about.

Ring signatures

Posted by: Adam Gibson | in Cryptography | 11 months, 1 week ago | 0 comments


  • Basic goal of 1-of-\(N\) ring signatures
  • Recap: the \(\Sigma\)-protocol
  • OR of \(\Sigma\)-protocols, CDS 1994
  • Abe-Ohkubo-Suzuki (AOS) 2002 (broken version)
  • Security weaknesses
  • Key prefixing
  • Borromean, Maxwell-Poelstra 2015
  • Linkability and exculpability
  • AND of \(\Sigma\)-protocols, DLEQ
  • Liu-Wei-Wong 2004
  • Security arguments for the LWW LSAG
  • Back 2015; compression, single-use
  • Fujisaki-Suzuki 2007 and Cryptonote 2014
  • Monero MLSAG

Basic goal of 1-of-\(N\) ring signatures

The idea of a ring signature (the term itself is a bit sloppy in context, but let's stick with it for now) is simple enough:

Liars, cheats, scammers and the Schnorr signature

Posted by: Adam Gibson | in Cryptography | 11 months, 1 week ago | 1 comment

How sure are you that the cryptography underlying Bitcoin is secure? With regard to one future development of Bitcoin's crypto, in discussions in public fora, I have more than once confidently asserted "well, but the Schnorr signature has a security reduction to ECDLP". Three comments on that before we begin:

Finessing commitments

Posted by: Adam Gibson | in Bitcoin, Cryptography | 12 months ago | 4 comments


This post was mostly prompted by a long series of discussions had online and in person with many people, including in particular Adam Back and Tim Ruffing (but lots of others!) - and certainly not restricted to discussions I took part in - about the tradeoffs in a version of Bitcoin that does actually use Confidential Transactions.