This is a simple implementation of the Mercurial signature scheme which is instroduced in the paper Delegatable Anonymous Credentials from Mercurial Signatures, by Elizabeth C. Crites and Anna Lysyanskaya.
A mercurial signature, which allows a signature
sig
on a messagem
under public keypk
to be transformed into a signaturesig'
on an equivalent but unlinkable messagem'
under an equivalent but unlinkable public keypk'
.
The crate implements the signature scheme with use of the elliptic curve Bls12-381
. It uses the dependencies from Arkworks which is a rust ecosystem for cryptography.
Note: this repository has not been thoroughly audited. Please take your own risk if you use it in production environment.
use mercurial_signature::{Curve, CurveBls12_381, PublicParams, change_representation};
use ark_std::UniformRand;
use rand::thread_rng;
type G1 = <CurveBls12_381 as Curve>::G1;
type Fr = <CurveBls12_381 as Curve>::Fr;
let mut rng = rand::thread_rng();
let pp = PublicParams::new(&mut rng);
let (mut pk, mut sk) = pp.key_gen(&mut rng, 10);
let mut message = (0..10).map(|_| G1::rand(&mut rng)).collect::<Vec<G1>>();
let mut sig = sk.sign(&mut rng, &pp, &message);
// Convert keys and signatures (i.e. randomization)
let p = Fr::rand(&mut rng);
pk.convert(p);
sk.convert(p); // not necessary for the following steps.
sig.convert(&mut rng, p);
// public key, secret key and the signatre are different now.
// Change the message and signature (i.e. randomization)
let u = Fr::rand(&mut rng);
change_representation(&mut rng, &mut message, &mut sig, u);
// message and the signature are different now.
// Verification can still pass.
assert!(pk.verify(&pp, &message, &sig));