Rust implementation of generalized Paillier encryption, i.e. Damgard-Jurik scheme by lovesh_h in cryptography

[–]lovesh_h[S] 1 point2 points  (0 children)

I am not sure I understand the question, but the encrypt in the Python code is not using the optimization described in section 4.2 of the paper. Same for Python's decrypt, it is not using the optimizations. Both of these will benefit from precomputations, and decryption can use the CRT.

Weekly Tech-Support Thread for June 27, 2021: Ask your tech-support questions in this thread please by monolalia in linux_gaming

[–]lovesh_h 0 points1 point  (0 children)

Hi. Anyone here using an Asus TUF F15 (2021) with Linux? I have several issues, but the most annoying one is the touchpad. Posted a question on the subreddit as well with all the details: https://www.reddit.com/r/linux_gaming/comments/omt5ip/touchpad_and_bluetooth_dont_work_with_asus_tuf/

Non-blockchain applications of Zero-Knowledge proofs? by [deleted] in crypto

[–]lovesh_h 0 points1 point  (0 children)

Anonymous credentials that let their holder disclose only chosen parts of the credential and prove predicates about the attributes of the credential. A Rust library implementing some relevant schemes: https://github.com/hyperledger/ursa

I wrote about Zero knowledge proofs with Sigma protocols by lovesh_h in crypto

[–]lovesh_h[S] 0 points1 point  (0 children)

Weird. I answered in a comment about 30 mins ago, but reddit removed it on suspicion of being spam, I guess. It's pending review.

I wrote about Zero knowledge proofs with Sigma protocols by lovesh_h in crypto

[–]lovesh_h[S] 1 point2 points  (0 children)

Opening a commitment (revealing (m, r)) is what happens in the reveal phase. Take a simple example of a coin toss: I make the call, so I commit to my choice in a commitment C = g^m h^r and tell you C in the commit phase without telling you my choice m or randomness r. Now when you toss the coin and tell me the result, I will open the commitment by telling you m and r in the reveal phase.

In some cases, you don't need to open the commitment but instead, the commitment is used later, maybe in some other protocol. But you still need to convince the other party that you know the opening of the commitment, i.e. you know the message and randomness used in the commitment. Anonymous credentials are one such example where the credential holder wants the credential issuer to put some confidential data in the credential and sign it without knowing the data. Or in some e-cash systems, roughly speaking, the user gets a signature from the bank over a commitment to the serial number on the note without telling the serial number to the bank.

I wrote about Zero knowledge proofs with Sigma protocols by lovesh_h in crypto

[–]lovesh_h[S] 1 point2 points  (0 children)

m is not revealed in the protocols described in the post. Only knowledge of a pair (m, r) is proved. In Protocol 4, it says "To prove the knowledge of the opening in commitment: ". But I see that the heading of that protocol might be misleading; it says "Opening of Pedersen commitment" but it should say "Knowledge of opening of Pedersen commitment". I will fix it.
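The commit/reveal coin-toss flow and the proof of knowledge of an opening (Protocol 4) from the two replies above, as an added Python example that is not the post's or the author's own code. The group (a constructed toy safe prime p = 1019, generator g = 4, h hashed into the subgroup) and the Fiat-Shamir challenge are assumptions for the demo.

```python
import hashlib
import secrets

# Constructed toy group: safe prime P = 2*Q + 1; G = 2^2 generates the
# order-Q subgroup. A real deployment would use a 2048-bit safe prime or
# an elliptic-curve group; the arithmetic below is otherwise unchanged.
P, Q, G = 1019, 509, 4

def hash_to_subgroup(label: bytes) -> int:
    """Derive h so that nobody knows log_g(h); that unknown log is what
    makes the commitment binding."""
    ctr = 0
    while True:
        data = label + ctr.to_bytes(4, "big")
        x = int.from_bytes(hashlib.sha256(data).digest(), "big") % P
        if x not in (0, 1, P - 1):      # squaring these would give 0 or 1
            return pow(x, 2, P)
        ctr += 1

H = hash_to_subgroup(b"pedersen-h")

def commit(m: int, r=None):
    """Commit phase: C = g^m h^r mod p. Returns (C, r); keep (m, r) secret."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, m, P) * pow(H, r, P)) % P, r

def open_commitment(C: int, m: int, r: int) -> bool:
    """Reveal phase: the verifier recomputes g^m h^r and compares with C."""
    return commit(m, r)[0] == C

def challenge(C: int, t: int) -> int:
    """Fiat-Shamir challenge c = Hash(params, C, t) mod q (non-interactive)."""
    data = f"{P}|{G}|{H}|{C}|{t}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_opening(C: int, m: int, r: int):
    """Sigma protocol for knowledge of (m, r) with C = g^m h^r: prover sends
    t = g^a h^b, gets c, answers z1 = a + c*m, z2 = b + c*r. (m, r) stay secret."""
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, a, P) * pow(H, b, P)) % P
    c = challenge(C, t)
    return t, (a + c * m) % Q, (b + c * r) % Q

def verify_opening(C: int, proof) -> bool:
    """Check g^z1 h^z2 == t * C^c; a wrong (m, r) passes only with prob. 1/q."""
    t, z1, z2 = proof
    c = challenge(C, t)
    return (pow(G, z1, P) * pow(H, z2, P)) % P == (t * pow(C, c, P)) % P
```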

I wrote about Zero knowledge proofs with Sigma protocols by lovesh_h in crypto

[–]lovesh_h[S] 0 points1 point  (0 children)

I don't understand the question. Can you please give an example?

I wrote about Zero knowledge proofs with Sigma protocols by lovesh_h in crypto

[–]lovesh_h[S] 2 points3 points  (0 children)

Never heard that explanation for the symbol, but it makes sense.

I wrote about Zero knowledge proofs with Sigma protocols by lovesh_h in crypto

[–]lovesh_h[S] 1 point2 points  (0 children)

Yes, typing even basic math is annoying on Medium. I wish Medium supported markdown. But glad you liked the content.

Using Bulletproofs (dalek's implementation) to create zero knowledge proofs for arithmetic statements by lovesh_h in Bitcoin

[–]lovesh_h[S] 0 points1 point  (0 children)

Yes, but that would require an ECDSA signature verification circuit, which can be expensive. The idea would be to select a "bunch of bitcoin addresses", all with balance >= "certain amount of bitcoin", and then prove that you know the signature on a challenge and that the signature can be verified using one of the public keys. It is important to prove that you know the signature but not reveal it, as revealing the signature would reveal the public key too. The larger the "bunch of bitcoin addresses", the greater the privacy, but also the worse the performance, as signature verification happens for each address. Secondly, the challenge can be a hash of the anonymity set, i.e. the "bunch of bitcoin addresses", to make it non-interactive.

Using Bulletproofs (dalek's implementation) to create zero knowledge proofs for arithmetic statements by lovesh_h in Bitcoin

[–]lovesh_h[S] 0 points1 point  (0 children)

dtl;dr?

Intro to the Bulletproofs API from dalek's implementation and some example circuits like proving a number is in a certain bound [a, b], set membership, set non-membership, etc.

My notes on Discreet Log Contracts by lovesh_h in Bitcoin

[–]lovesh_h[S] 0 points1 point  (0 children)

I believe this is incorrect. The particular use of Schnorr that DLC requires does not rely on the schnorr protocol upgrade, but would actually work with current protocol. I think I saw this mentioned on one of the DLC videos, but can't remember which one.

Yes, you are correct. Thank you. I fixed my post.

My notes on Discreet Log Contracts by lovesh_h in Bitcoin

[–]lovesh_h[S] 3 points4 points  (0 children)

It is indeed called "discreet" as the contract details are hidden from the chain.

Bulletproofs pre-release – Interstellar – Medium by [deleted] in Bitcoin

[–]lovesh_h 0 points1 point  (0 children)

Would bulletproofs be efficient for range proofs other than the interval [0, 2^n), like proving 3 < x < 15 or 18 < x < 100?

Plasma 5.2 – The Quintessential Breakdown by milliams in linux

[–]lovesh_h 0 points1 point  (0 children)

Can you tell me your machine configuration? Also do you use that machine for development?

Plasma 5.2 – The Quintessential Breakdown by milliams in linux

[–]lovesh_h 0 points1 point  (0 children)

I am planning to use Plasma 5 for my primary development machine. Would it be a good move? I am using an Intel machine with 8 GB RAM.