This repository has been archived by the owner on Dec 28, 2023. It is now read-only.

ComSig Signature

Gary Yu edited this page Jan 22, 2020 · 3 revisions

Recent Major Changes:

  • (20 Jan. 2020) Creation (on Cryptology ePrint Archive)


feedback & discussion zone

Abstract

In a transaction-output-based blockchain system, where each transaction spends UTXOs (the previously unspent transaction outputs), a user must provide a signature, or more precisely a scriptSig for Bitcoin, to spend a UTXO, which proves ownership of the output being spent. When a Pedersen commitment $g^x h^a$ or an ElGamal commitment $(g^x h^a, h^x)$ is introduced into a blockchain as the transaction output, to support the confidential transaction feature in which the input and output amounts of a transaction are hidden, prior signature schemes such as the Schnorr signature scheme and its variants do not directly work if the commitment is used as the public key, since nobody, including the committer, knows the private key of $g^x h^a$ when $a$ is not zero; that is, no one knows the $c$ such that $g^c = g^x h^a$. This is a signature scheme that is able to use $C = g^x h^a$ as the signature public key for any value of $a$. The signer, proceeding from a random Pedersen commitment $R = g^{k_1} h^{k_2}$, generates a random bit sequence $e$, multiplies the stored private key $x$ by $e$ and adds the random number $k_1$ to get $u$, multiplies the committed value $a$ by $e$ and adds the random number $k_2$ to get $v$, and finally constructs $\sigma = (R, u, v)$ as the signature, with the corresponding public key $C$. In turn, the verifier calculates a Pedersen commitment $S = g^u h^v$ and accepts the signature if $S = R C^e$. For an electronic signature, the hash value $e$ is calculated from the random Pedersen commitment $R$, the Pedersen commitment $C$, and the message $m$ to be signed. This signature scheme will be very helpful in the design of a non-interactive transaction in Mimblewimble.
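The signing and verification equations from the abstract, as an added example that is not code from the paper or the project. The toy group (`P`, `Q`, `G`, `H`), the byte encoding fed to the hash, and the sample values in `demo` are assumptions chosen so the arithmetic can be followed; the group is far too small for real use, and in it the discrete log between `G` and `H` is trivially computable.

```python
import hashlib
import secrets

# Toy parameters (assumption, insecure): safe prime P = 2Q + 1. G and H are
# squares mod P, so each generates the subgroup of prime order Q.
P, Q = 2039, 1019
G, H = 4, 9

def commit(x, a):
    """Pedersen commitment g^x * h^a mod P."""
    return pow(G, x, P) * pow(H, a, P) % P

def challenge(R, C, m):
    """e = Hash(R, C, m), reduced into the exponent group Z_Q."""
    data = b"|".join([str(R).encode(), str(C).encode(), m])
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def sign(x, a, m):
    """Sign m under C = g^x h^a; the signer knows the opening (x, a)."""
    C = commit(x, a)
    k1, k2 = secrets.randbelow(Q), secrets.randbelow(Q)
    R = commit(k1, k2)              # random Pedersen commitment R = g^k1 h^k2
    e = challenge(R, C, m)
    u = (k1 + e * x) % Q            # u = k1 + e*x
    v = (k2 + e * a) % Q            # v = k2 + e*a
    return R, u, v

def verify(C, m, sig):
    """Accept iff S = g^u h^v equals R * C^e."""
    R, u, v = sig
    e = challenge(R, C, m)
    return commit(u, v) == R * pow(C, e, P) % P

def demo():
    x, a = 777, 250                 # constructed blinding factor and non-zero amount
    C = commit(x, a)
    msg = b"spend output"           # constructed message
    R, u, v = sign(x, a, msg)
    return {
        "valid": verify(C, msg, (R, u, v)),
        "tampered_u": verify(C, msg, (R, (u + 1) % Q, v)),
        "tampered_v": verify(C, msg, (R, u, (v + 1) % Q)),
    }

if __name__ == "__main__":
    print(demo())
```

Verification succeeds because $g^u h^v = g^{k_1 + ex} h^{k_2 + ea} = R \cdot C^e$, which holds for any $a$, so the signer needs the opening $(x, a)$ rather than a single discrete log of $C$.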

Fig.1

Main Contents

Introduction (including the related works intro), ComSig signature procedure description, multi-signatures, and two possible applications including applying it for a Mimblewimble non-interactive transaction solution.

Description

https://eprint.iacr.org/2020/061.pdf