Is anyone aware of any implementation of EC ring signatures *not* using
pairing-based crypto? (If not, does anyone have any good ideas on the strategy
to pursue in, e.g., Ed25519?)
(I know that the original RST ("How to leak a secret") scheme has been shown
insecure if public keys in the ring are been adversarially chosen. Though the
citation is eluding me after several searches, I believe there is a scheme
using ZAPs to fix this.)
- David
(PS If you are also on Messaging, apologies for the duplication; I mistakenly
posted this there originally.)
—
Sent using alpine: an Alternatively Licensed Program for Internet News and Email_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
