none V. Kalos Internet-Draft MATTR Intended status: Informational G. Bernstein Expires: 9 January 2025 Grotto Networking 8 July 2024 Blind BBS Signatures draft-kalos-bbs-blind-signatures-01 Abstract This document defines an extension to the BBS Signature scheme that supports blind digital signatures, i.e., signatures over messages not known to the Signer. Discussion Venues This note is to be removed before publishing as an RFC. Source for this draft and an issue tracker can be found at https://github.com/BasileiosKal/blind-bbs-signatures. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 9 January 2025. Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Kalos & Bernstein Expires 9 January 2025 [Page 1] Internet-Draft Blind BBS Signatures July 2024 Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.2. Notation . . . . . . . . . . . . . . . . . . . . . . . . 6 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 6 3. BBS Signature Scheme Operations . . . . . . . . . . . . . . . 6 4. Scheme Definition . . . . . . . . . . . . . . . . . . . . . . 7 4.1. Commitment Operations . . . . . . . . . . . . . . . . . . 7 4.1.1. Commitment Computation . . . . . . . . . . . . . . . 7 4.1.2. Commitment Verification . . . . . . . . . . . . . . . 8 4.2. Blind BBS Signatures Interface . . . . . . . . . . . . . 9 4.2.1. Blind Signature Generation . . . . . . . . . . . . . 10 4.2.2. Blind Signature Verification . . . . . . . . . . . . 12 4.2.3. Proof Generation . . . . . . . . . . . . . . . . . . 13 4.2.4. Proof Verification . . . . . . . . . . . . . . . . . 16 4.3. Core Operations . . . . . . . . . . . . . . . . . . . . . 18 4.3.1. Core Blind Sign . . . . . . . . . . . . . . . . . . . 18 5. Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . 19 5.1. Blind Challenge Calculation . . . . . . . . . . . . . . . 20 5.2. Commitment Validation and Deserialization . . . . . . . . 20 5.3. Serialize . . . . . . . . . . . . . . . . . . . . . . . . 21 5.3.1. Commitment with Proof to Octets . . . . . . . . . . . 21 5.3.2. Octet to Commitment with Proof . . . . . . . . . . . 22 6. Security Considerations . . . . . . . . . . . . . . . . . . . 23 6.1. Prover Blind Factor . . . . . . . . . . . . . . . . . . . 24 6.2. Key Binding . . . . . . . . . . . . . . . . . . . . . . . 24 6.3. Commitment Randomization . . . . . . . . . . . . . . . . 24 7. Ciphersuites . . . . . . . . . . . . . . . . . . . . . . . . 25 8. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . 25 8.1. BLS12-381-SHAKE-256 Test Vectors . . . . . . . . . . . . 25 8.1.1. Commitment . . . . . . . . . . . . . . . . . . . . . 25 8.1.2. Signature . . . . . . . . . . . . . . . . . . . . . . 26 8.1.3. Proof . . . . . . . . . . . . . . . . . . . . . . . . 33 8.2. BLS12-381-SHA-256 Test Vectors . . . . . . . . . . . . . 54 8.2.1. Commitment . . . . . . . . . . . . . . . . . . . . . 54 8.2.2. Signature . . . . . . . . . . . . . . . . . . . . . . 55 8.2.3. Proof . . . . . . . . . . . . . . . . . . . . . . . . 62 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 83 10. Normative References . . . . . . . . . . . . . . . . . . . . 83 11. Informative References . . . . . . . . . . . . . . . . . . . 83 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 84 Kalos & Bernstein Expires 9 January 2025 [Page 2] Internet-Draft Blind BBS Signatures July 2024 1. Introduction The BBS digital signature scheme, as defined in [I-D.irtf-cfrg-bbs-signatures], can be extended to support blind signatures functionality. In a blind signatures setting, the user (called the Prover in the context of the BBS scheme) will request a signature on a list of messages, without revealing those messages to the Signer (who can optionally also include messages of their choosing to the signature). By allowing the Prover to acquire a valid signature over messages not known to the Signer, blind signatures address some limitations of their plain digital signature counterparts. In the BBS scheme, knowledge of a valid signature allows generation of BBS proofs. As a result, a signature compromise (by an eavesdropper, a phishing attack, a leakage of the Signer's logs etc.,) can lead to impersonation of the Prover by malicious actors (especially in cases involving "long-lived" signatures, as in digital credentials applications etc.,). Using Blind BBS Signatures on the other hand, the Prover can commit to a secret message (for example, a private key) before issuance, guaranteeing that no one will be able to generate a valid proof without knowledge of their secret. Furthermore, applications like Privacy Pass ([I-D.ietf-privacypass-protocol]) may require a signature to be "scoped" to a specific audience or session (as to require "fresh" signatures for different sessions etc.,). However, simply sending an audience or session identifier to the Signer (to be included in the signature), will compromise the privacy guarantees that these applications try to enforce. Using blind signing, the Prover will be able to require signatures bound to those values, without having to reveal them to the Signer. The presented protocol, compared to the scheme defined in [I-D.irtf-cfrg-bbs-signatures], introduces an additional communication step between the Prover and the Signer. The Prover will start by constructing a "hiding" commitment to the messages they want to get a signature on (i.e., a commitment which reveals no information about the committed values), together with a proof of correctness of that commitment. They will send the (commitment, proof) pair to the Signer, who, upon receiving the pair, will attempt to verify the commitment's proof of correctness. If successful, they will use it in generating a BBS signature over the messages committed by the Prover, including their own messages if any. This document, in addition to defining the operation for creating and verifying a commitment, also details a core signature generation operation, different from the one presented in Kalos & Bernstein Expires 9 January 2025 [Page 3] Internet-Draft Blind BBS Signatures July 2024 [I-D.irtf-cfrg-bbs-signatures], meant to handle the computation of the blind signature. The document will also define a new BBS Interface, which is needed to handle the different inputs, i.e., messages committed by the Prover or chosen by the Signer etc... The signature verification and proof generation core cryptographic operations however, will work as described in [I-D.irtf-cfrg-bbs-signatures]. To further facilitate deployment, both the exposed interface as well as the core cryptographic operation of proof verification will be the same as the one detailed in [I-D.irtf-cfrg-bbs-signatures]. Below is a basic diagram describing the main entities involved in the scheme. Kalos & Bernstein Expires 9 January 2025 [Page 4] Internet-Draft Blind BBS Signatures July 2024 (3) Blind Sign (1) Commit +----- +----- | | | | | | | | | \ / | \ / +----------+ +-----------+ | | | | | | | | | |<-(2)* Commitment + Proof of Correctness--| | | Signer | | Prover | | |-------(4)* Send signature + msgs-------->| | | | | | | | | | +----------+ +-----------+ | | | (5)* Send proof + disclosed msgs | | \ / +-----------+ | | | | | | | Verifier | | | | | | | +-----------+ | / \ | | | | +----- (6) ProofVerify Figure 1: Basic diagram capturing the main entities involved in using the scheme. *Note* The protocols implied by the items annotated by an asterisk are out of scope for this specification 1.1. Terminology Terminology defined by [I-D.irtf-cfrg-bbs-signatures] applies to this draft. Kalos & Bernstein Expires 9 January 2025 [Page 5] Internet-Draft Blind BBS Signatures July 2024 Additionally, the following terminology is used throughout this document: blind_signature The blind digital signature output. commitment A point of G1, representing a Pedersen commitment ([P91]) constructed over a vector of messages, as described e.g., in [BG18]. committed_messages A list of messages committed by the Prover to a commitment. commitment_proof A zero knowledge proof of correctness of a commitment, consisting of a scalar value, a possibly empty set of scalars (of length equal to the number of committed_messages, see above) and another scalar, in that order. secret_prover_blind A random scalar used to blind (i.e., randomize) the commitment constructed by the prover. signer_blind A random scalar used by the signer to optionally re- blind the received commitment. 1.2. Notation Notation defined by [I-D.irtf-cfrg-bbs-signatures] applies to this draft. Additionally, the following notation and primitives are used: list.append(elements) Append either a single element or a list of elements to the end of a list, maintaining the same order of the list's elements as well as the appended elements. For example, given list = [a, b, c] and elements = [d, a], the result of list.append(elements) will be [a, b, c, d, a]. 2. Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. BBS Signature Scheme Operations This document makes use of various operations defined by the BBS Signature Scheme document [I-D.irtf-cfrg-bbs-signatures]. For clarity, whenever an operation will be used defined in [I-D.irtf-cfrg-bbs-signatures], it will be prefixed by "BBS." (e.g., "BBS.CoreProofGen" etc.). More specifically, the operations used are the following: Kalos & Bernstein Expires 9 January 2025 [Page 6] Internet-Draft Blind BBS Signatures July 2024 * BBS.CoreVerify: Refers to the CoreVerify operation defined in Section 3.6.2 (https://www.ietf.org/archive/id/draft-irtf-cfrg- bbs-signatures-05.html#name-coreverify) of [I-D.irtf-cfrg-bbs-signatures]. * BBS.CoreProofGen: Refers to the CoreProofGen operation defined in Section 3.6.3 (https://www.ietf.org/archive/id/draft-irtf-cfrg- bbs-signatures-05.html#name-coreproofgen) of [I-D.irtf-cfrg-bbs-signatures]. * BBS.create_generators: Refers to the create_generators operation defined in Section 4.1.1 (https://www.ietf.org/archive/id/draft- irtf-cfrg-bbs-signatures-05.html#name-generators-calculation) of [I-D.irtf-cfrg-bbs-signatures]. * BBS.messages_to_scalars: Refers to the messages_to_scalars operation defined in Section 4.1.2 (https://www.ietf.org/archive/id/draft-irtf-cfrg-bbs-signatures- 05.html#name-messages-to-scalars) of [I-D.irtf-cfrg-bbs-signatures]. * BBS.get_random_scalars: Refers to the get_random_scalars operation defined in Section 4.2.1 (https://www.ietf.org/archive/id/draft- irtf-cfrg-bbs-signatures-05.html#name-random-scalars) of [I-D.irtf-cfrg-bbs-signatures]. * BBS.hash_to_scalar: Refers to the hash_to_scalar operation defined in Section 4.2.2 (https://www.ietf.org/archive/id/draft-irtf-cfrg- bbs-signatures-05.html#name-hash-to-scalar) of [I-D.irtf-cfrg-bbs-signatures]. 4. Scheme Definition 4.1. Commitment Operations 4.1.1. Commitment Computation This operation is used by the Prover to create a commitment to a set of messages (committed_messages), that they intend to include in the blind signature. Note that this operation returns both the serialized combination of the commitment and its proof of correctness (commitment_with_proof), as well as the random scalar used to blind the commitment (secret_prover_blind). Kalos & Bernstein Expires 9 January 2025 [Page 7] Internet-Draft Blind BBS Signatures July 2024 (commitment_with_proof, secret_prover_blind) = Commit( committed_messages, api_id) Inputs: - committed_messages (OPTIONAL), a vector of octet strings. If not supplied it defaults to the empty array ("()"). - api_id (OPTIONAL), octet string. If not supplied it defaults to the empty octet string (""). Outputs: - (commitment_with_proof, secret_prover_blind), a tuple comprising from an octet string and a random scalar in that order. Procedure: 1. M = length(committed_messages) 2. generators = BBS.create_generators(M + 1, "BLIND_" || api_id) 3. (Q_2, J_1, ..., J_M) = generators 4. (msg_1, ..., msg_M) = BBS.messages_to_scalars(committed_messages, api_id) 5. (secret_prover_blind, s~, m~_1, ..., m~_M) = BBS.get_random_scalars(M + 2) 6. C = Q_2 * secret_prover_blind + J_1 * msg_1 + ... + J_M * msg_M 7. Cbar = Q_2 * s~ + J_1 * m~_1 + ... + J_M * m~_M 8. challenge = calculate_blind_challenge(C, Cbar, generators, api_id) 9. s^ = s~ + secret_prover_blind * challenge 10. for m in (1, 2, ..., M): m^_i = m~_1 + msg_i * challenge 11. proof = (s^, (m^_1, ..., m^_M), challenge) 12. commit_with_proof_octs = commitment_with_proof_to_octets(C, proof) 13. return (commit_with_proof_octs, secret_prover_blind) 4.1.2. Commitment Verification This operation is used by the Signer to verify the correctness of a commitment_proof for a supplied commitment, over a list of points of G1 called the blind_generators, used to compute that commitment. Kalos & Bernstein Expires 9 January 2025 [Page 8] Internet-Draft Blind BBS Signatures July 2024 result = verify_commitment(commitment, commitment_proof, blind_generators, api_id) Inputs: - commitment (REQUIRED), a commitment (see (#terminology)). - commitment_proof (REQUIRED), a commitment_proof (see (#terminology)). - blind_generators (REQUIRED), vector of pseudo-random points in G1. - api_id (OPTIONAL), octet string. If not supplied it defaults to the empty octet string (""). Outputs: - result: either VALID or INVALID Deserialization: 1. (s^, commitments, cp) = commitment_proof 2. M = length(commitments) 3. (m^_1, ..., m^_M) = commitments 4. if length(blind_generators) != M + 1, return INVALID 5. (Q_2, J_1, ..., J_M) = blind_generators Procedure: 1. Cbar = Q_2 * s^ + J_1 * m^_1 + ... + J_M * m^_M + commitment * (-cp) 2. cv = calculate_blind_challenge(commitment, Cbar, blind_generators, api_id) 3. if cv != cp, return INVALID 4. return VALID 4.2. Blind BBS Signatures Interface The following section defines a BBS Interface for blind BBS signatures. The identifier of the Interface is defined as ciphersuite_id || BLIND_H2G_HM2S_, where ciphersuite_id the unique identifier of the BBS ciphersuite used, as is defined in Section 6 (https://www.ietf.org/archive/id/draft-irtf-cfrg-bbs-signatures- 03.html#name-ciphersuites) of [I-D.irtf-cfrg-bbs-signatures]). Each BBS Interface MUST define operations to map the input messages to scalar values and to create the generator set, required by the core operations. The input messages to the defined Interface will be mapped to scalars using the messages_to_scalars operation defined in Section 4.1.2 (https://www.ietf.org/archive/id/draft-irtf-cfrg-bbs- signatures-05.html#name-messages-to-scalars) of [I-D.irtf-cfrg-bbs-signatures]. The generators will be created using Kalos & Bernstein Expires 9 January 2025 [Page 9] Internet-Draft Blind BBS Signatures July 2024 the create_generators operation defined in Section Section 4.1.1 (https://www.ietf.org/archive/id/draft-irtf-cfrg-bbs-signatures- 05.html#name-generators-calculation) of [I-D.irtf-cfrg-bbs-signatures]. Other than the BlindSign operation defined in Section 4.2.1, which uses the CoreBlindSign procedure, defined in Section 4.3.1, all other interface operations defined in this section use the core operations defined in Section 3.6 (https://www.ietf.org/archive/id/draft-irtf- cfrg-bbs-signatures-05.html#name-core-operations) of [I-D.irtf-cfrg-bbs-signatures]. 4.2.1. Blind Signature Generation This operation returns a BBS blind signature from a secret key (SK), over a header, a set of messages and optionally a commitment value (see Section 1.1). If supplied, the commitment value must be accompanied by its proof of correctness (commitment_with_proof, as outputted by the Commit operation defined in Section 4.1.1). The issuer can also further randomize the supplied commitment, by supplying a random scalar (signer_blind), that MUST be computed as, signer_blind = BBS.get_random_scalars(1) If the signer_blind input is not supplied, it will default to the zero scalar (0). The BlindSign operation makes use of the CoreBlindSign procedure defined in Section 4.3.1. blind_signature = BlindSign(SK, PK, commitment_with_proof, header, messages, signer_blind) Inputs: - SK (REQUIRED), a secret key in the form outputted by the KeyGen operation. - PK (REQUIRED), an octet string of the form outputted by SkToPk provided the above SK as input. - commitment_with_proof (OPTIONAL), an octet string, representing a serialized commitment and commitment_proof, as the first element outputted by the Commit operation. If not supplied, it defaults to the empty string (""). - header (OPTIONAL), an octet string containing context and application specific information. If not supplied, it defaults to an empty string (""). Kalos & Bernstein Expires 9 January 2025 [Page 10] Internet-Draft Blind BBS Signatures July 2024 - messages (OPTIONAL), a vector of octet strings. If not supplied, it defaults to the empty array ("()"). - signer_blind (OPTIONAL), a random scalar value. If not supplied it defaults to zero ("0"). Parameters: - api_id, the octet string ciphersuite_id || "BLIND_H2G_HM2S_", where ciphersuite_id is defined by the ciphersuite and "BLIND_H2G_HM2S_"is an ASCII string composed of 15 bytes. - (octet_point_length, octet_scalar_length), defined by the ciphersuite. Outputs: - blind_signature, a blind signature encoded as an octet string; or INVALID. Deserialization: 1. L = length(messages) // calculate the number of blind generators used by the commitment, // if any. 2. M = length(commitment_with_proof) 3. if M != 0, M = M - octet_point_length - octet_scalar_length 4. M = M / octet_scalar_length 5. if M < 0, return INVALID Procedure: 1. generators = BBS.create_generators(L + 1, api_id) 2. blind_generators = BBS.create_generators(M + 1, "BLIND_" || api_id) 3. message_scalars = BBS.messages_to_scalars(messages, api_id) 4. blind_sig = CoreBlindSign(SK, PK, commitment_with_proof, generators, blind_generators, header, message_scalars, signer_blind, api_id) 5. if blind_sig is INVALID, return INVALID 6. return blind_sig Kalos & Bernstein Expires 9 January 2025 [Page 11] Internet-Draft Blind BBS Signatures July 2024 4.2.2. Blind Signature Verification This operation validates a blind BBS signature (signature), given the Signer's public key (PK), a header (header), a set of, known to the Signer, messages (messages) and if used, a set of committed messages (committed_messages), the secret_prover_blind as returned by the Commit operation (Section 4.1.1) and a blind factor supplied by the Signer (signer_blind). This operation makes use of the CoreVerify operation as defined in Section 3.6.2 (https://www.ietf.org/archive/id/draft-irtf-cfrg-bbs- signatures-05.html#name-coreverify) of [I-D.irtf-cfrg-bbs-signatures]. result = Verify(PK, signature, header, messages, committed_messages, secret_prover_blind, signer_blind) Inputs: - PK (REQUIRED), an octet string of the form outputted by the SkToPk operation. - signature (REQUIRED), an octet string of the form outputted by the Sign operation. - header (OPTIONAL), an octet string containing context and application specific information. If not supplied, it defaults to an empty string. - messages (OPTIONAL), a vector of octet strings. If not supplied, it defaults to the empty array "()". - committed_messages (OPTIONAL), a vector of octet strings. If not supplied, it defaults to the empty array "()". - secret_prover_blind (OPTIONAL), a scalar value. If not supplied it defaults to zero "0". - signer_blind (OPTIONAL), a scalar value. If not supplied it defaults to zero "0". Parameters: - api_id, the octet string ciphersuite_id || "BLIND_H2G_HM2S_", where ciphersuite_id is defined by the ciphersuite and "BLIND_H2G_HM2S_"is an ASCII string composed of 15 bytes. Outputs: - result: either VALID or INVALID Deserialization: Kalos & Bernstein Expires 9 January 2025 [Page 12] Internet-Draft Blind BBS Signatures July 2024 1. L = length(messages) 2. M = length(committed_messages) Procedure: 1. generators = BBS.create_generators(L + 1, api_id) 2. blind_generators = BBS.create_generators(M + 1, "BLIND_" || api_id) 3. message_scalars = BBS.messages_to_scalars(messages, api_id) 4. committed_message_scalars = () 5. blind_factor = secret_prover_blind + signer_blind 6. committed_message_scalars.append(blind_factor) 7. committed_message_scalars.append(BBS.messages_to_scalars( committed_messages, api_id)) 8. res = BBS.CoreVerify( PK, signature, generators.append(blind_generators), header, message_scalars.append(committed_message_scalars), api_id) 9. return res 4.2.3. Proof Generation This operation creates a BBS proof, which is a zero-knowledge, proof- of-knowledge, of a BBS signature, while optionally disclosing any subset of the signed messages. Note that in contrast to the ProofGen operation of [I-D.irtf-cfrg-bbs-signatures] (see Section 3.5.3 (https://identity.foundation/bbs-signature/draft-irtf-cfrg-bbs- signatures.html#name-proof-generation-proofgen)), the ProofGen operation defined in this section accepts 2 different lists of messages and disclosed indexes, one for the messages known to the Signer (messages) and the corresponding disclosed indexes (disclosed_indexes) and one for the messages committed by the Prover (committed_messages) and the corresponding disclosed indexes (disclosed_commitment_indexes). Furthermore, the operation also expects the secret_prover_blind (as returned from the Commit operation defined in Section 4.1.1) and signer_blind (as inputted in the BlindSign operation defined in Section 4.2.1) values. If the BBS signature is generated using a commitment value, then the secret_prover_blind returned by the Commit operation used to generate the commitment should be provided to the ProofGen operation (otherwise the resulting proof will be invalid). Kalos & Bernstein Expires 9 January 2025 [Page 13] Internet-Draft Blind BBS Signatures July 2024 This operation makes use of the CoreProofGen operation as defined in Section 3.6.3 (https://www.ietf.org/archive/id/draft-irtf-cfrg-bbs- signatures-05.html#name-coreproofgen) of [I-D.irtf-cfrg-bbs-signatures]. proof = BlindProofGen(PK, signature, header, ph, messages, committed_messages, disclosed_indexes, disclosed_commitment_indexes, secret_prover_blind, signer_blind) Inputs: - PK (REQUIRED), an octet string of the form outputted by the SkToPk operation. - signature (REQUIRED), an octet string of the form outputted by the Sign operation. - header (OPTIONAL), an octet string containing context and application specific information. If not supplied, it defaults to an empty string. - ph (OPTIONAL), an octet string containing the presentation header. If not supplied, it defaults to an empty string. - messages (OPTIONAL), a vector of octet strings. If not supplied, it defaults to the empty array "()". - committed_messages (OPTIONAL), a vector of octet strings. If not supplied, it defaults to the empty array "()". - disclosed_indexes (OPTIONAL), vector of unsigned integers in ascending order. Indexes of disclosed messages. If not supplied, it defaults to the empty array "()". - disclosed_commitment_indexes (OPTIONAL), vector of unsigned integers in ascending order. Indexes of disclosed committed messages. If not supplied, it defaults to the empty array "()". - secret_prover_blind (OPTIONAL), a scalar value. If not supplied it defaults to zero "0". - signer_blind (OPTIONAL), a scalar value. If not supplied it defaults to zero "0". Parameters: - api_id, the octet string ciphersuite_id || "BLIND_H2G_HM2S_", where Kalos & Bernstein Expires 9 January 2025 [Page 14] Internet-Draft Blind BBS Signatures July 2024 ciphersuite_id is defined by the ciphersuite and "BLIND_H2G_HM2S_"is an ASCII string composed of 15 bytes. Outputs: - proof, an octet string; or INVALID. Deserialization: 1. L = length(messages) 2. M = length(committed_messages) 3. if length(disclosed_indexes) > L, return INVALID 4. for i in disclosed_indexes, if i < 0 or i >= L, return INVALID 5. if length(disclosed_commitment_indexes) > M, return INVALID 6. for j in disclosed_commitment_indexes, if i < 0 or i >= M, return INVALID Procedure: 1. generators = BBS.create_generators(L + 1, api_id) 2. blind_generators = BBS.create_generators(M + 1, "BLIND_" || api_id) 3. message_scalars = BBS.messages_to_scalars(messages, api_id) 4. committed_message_scalars = () 5. blind_factor = secret_prover_blind + signer_blind 6. committed_message_scalars.append(blind_factor) 6. committed_message_scalars.append(BBS.messages_to_scalars( committed_messages, api_id)) 7. indexes = () 8. indexes.append(disclosed_indexes) 9. for j in disclosed_commitment_indexes: indexes.append(j + L + 1) 10. proof = BBS.CoreProofGen( PK, signature, generators.append(blind_generators), header, ph, message_scalars.append(committed_message_scalars), indexes, api_id) 11. return proof Kalos & Bernstein Expires 9 January 2025 [Page 15] Internet-Draft Blind BBS Signatures July 2024 4.2.4. Proof Verification The ProofVerify operation validates a BBS proof, given the Signer's public key (PK), a header and presentation header values, two arrays of disclosed messages (the ones known to the Signer and the ones committed by the prover) and two corresponding arrays of indexes those messages had in the original vectors of signed messages. In addition, the BlindProofVerify operation defined in this section accepts the integer L, representing the total number of signed messages known by the Signer. This operation makes use of the CoreProofVerify operation as defined in Section 3.6.4 (https://identity.foundation/bbs-signature/draft- irtf-cfrg-bbs-signatures.html#name-coreproofverify) of [I-D.irtf-cfrg-bbs-signatures]. result = BlindProofVerify(PK, proof, header, ph, L, disclosed_messages, disclosed_committed_messages, disclosed_indexes, disclosed_committed_indexes) Inputs: - PK (REQUIRED), an octet string of the form outputted by the SkToPk operation. - proof (REQUIRED), an octet string of the form outputted by the ProofGen operation. - header (OPTIONAL), an optional octet string containing context and application specific information. If not supplied, it defaults to the empty octet string (""). - ph (OPTIONAL), an octet string containing the presentation header. If not supplied, it defaults to the empty octet string (""). - L (OPTIONAL), an integer, representing the total number of Signer known messages if not supplied it defaults to 0. - disclosed_messages (OPTIONAL), a vector of octet strings. If not supplied, it defaults to the empty array ("()"). - disclosed_committed_messages (OPTIONAL), a vector of octet strings. If not supplied, it defaults to the empty array ("()"). - disclosed_indexes (OPTIONAL), vector of unsigned integers in ascending order. Indexes of disclosed messages. If not supplied, it defaults to the empty array ("()"). - disclosed_commitment_indexes (OPTIONAL), vector of unsigned integers in ascending order. Indexes Kalos & Bernstein Expires 9 January 2025 [Page 16] Internet-Draft Blind BBS Signatures July 2024 of disclosed committed messages. If not supplied, it defaults to the empty array ("()"). Parameters: - api_id, the octet string ciphersuite_id || "H2G_HM2S_", where ciphersuite_id is defined by the ciphersuite and "H2G_HM2S_"is an ASCII string comprised of 9 bytes. - (octet_point_length, octet_scalar_length), defined by the ciphersuite. Outputs: - result, either VALID or INVALID. Deserialization: 1. proof_len_floor = 2 * octet_point_length + 3 * octet_scalar_length 2. if length(proof) < proof_len_floor, return INVALID 3. U = floor((length(proof) - proof_len_floor) / octet_scalar_length) 4. total_no_messages = length(disclosed_indexes) + length(disclosed_committed_indexes) + U - 1 5. M = total_no_messages - L Procedure: 1. generators = BBS.create_generators(L + 1, api_id) 2. blind_generators = BBS.create_generators(M + 1, "BLIND_" || api_id) 3. disclosed_message_scalars = messages_to_scalars( disclosed_messages, api_id) 4. disclosed_committed_message_scalars = messages_to_scalars( disclosed_committed_messages, api_id) 5. message_scalars = disclosed_message_scalars.append( disclosed_committed_message_scalars) 6. indexes = () 7. indexes.append(disclosed_indexes) 8. for j in disclosed_commitment_indexes: indexes.append(j + L + 1) 9. result = BBS.CoreProofVerify(PK, proof, generators.append(blind_generators), header, ph, message_scalars, indexes, Kalos & Bernstein Expires 9 January 2025 [Page 17] Internet-Draft Blind BBS Signatures July 2024 api_id) 10. return result 4.3. Core Operations 4.3.1. Core Blind Sign This operation computes a blind BBS signature, from a secret key (SK), a set of generators (points of G1), a supplied commitment with its proof of correctness (commitment_with_proof), a header (header) and a set of messages (messages). The operation also accepts a random scalar (signer_blind) and the identifier of the BBS Interface, calling this core operation. blind_signature = CoreBlindSign(SK, PK, generators, blind_generators, commitment_with_proof, header, messages, signer_blind, api_id) Inputs: - SK (REQUIRED), a secret key in the form outputted by the KeyGen operation. - PK (REQUIRED), an octet string of the form outputted by SkToPk provided the above SK as input. - generators (REQUIRED), vector of pseudo-random points in G1. - blind_generators (OPTIONAL), vector of pseudo-random points in G1. If not supplied it defaults to the empty array. - commitment_with_proof (OPTIONAL), an octet string, representing a serialized commitment and commitment_proof, as the first element outputted by the Commit operation. If not supplied, it defaults to the empty string (""). - header (OPTIONAL), an octet string containing context and application specific information. If not supplied, it defaults to an empty string. - messages (OPTIONAL), a vector of octet strings. If not supplied, it defaults to the empty array "()". - signer_blind (OPTIONAL), a random scalar value. If not supplied it defaults to zero "0". Kalos & Bernstein Expires 9 January 2025 [Page 18] Internet-Draft Blind BBS Signatures July 2024 Parameters: - api_id, the octet string ciphersuite_id || "BLIND_H2G_HM2S_", where ciphersuite_id is defined by the ciphersuite and "BLIND_H2G_HM2S_"is an ASCII string composed of 15 bytes. Outputs: - blind_signature, a blind signature encoded as an octet string; or INVALID. Definitions: 1. signature_dst, an octet string representing the domain separation tag: api_id || "H2S_" where "H2S_" is an ASCII string composed of 4 bytes. Deserialization: 1. L = length(messages) 2. (msg_1, ..., msg_L) = messages 3. (Q_1, H_1, ..., H_L) = generators 4. Q_2 = Identity_G1 5. if length(blind_generators) > 0, Q_2 = blind_generators[0] 6. commit = deserialize_and_validate_commit(commitment_with_proof, blind_generators, api_id) 7. if commit is INVALID, return INVALID Procedure: 1. domain = calculate_domain(PK, generators.append(blind_generators), header, api_id) 2. e_octs = serialize((SK, commitment_with_proof, signer_blind, msg_1, ..., msg_L, domain)) 3. e = BBS.hash_to_scalar(e_octs, signature_dst) // if a commitment is not supplied, Q_2 = Identity_G1, meaning that // signer_blind will be ignored. 4. commit = commit + Q_2 * signer_blind 5. B = P1 + Q_1 * domain + H_1 * msg_1 + ... + H_L * msg_L + commit 6. A = B * (1 / (SK + e)) 7. return signature_to_octets((A, e)) 5. Utilities Kalos & Bernstein Expires 9 January 2025 [Page 19] Internet-Draft Blind BBS Signatures July 2024 5.1. Blind Challenge Calculation challenge = calculate_blind_challenge(C, Cbar, generators, api_id) Inputs: - C (REQUIRED), a point of G1. - Cbar (REQUIRED), a point of G1. - generators (REQUIRED), an array of points from G1, of length at least 1. - api_id (OPTIONAL), octet string. If not supplied it defaults to the empty octet string (""). Definition: - blind_challenge_dst, an octet string representing the domain separation tag: api_id || "H2S_" where ciphersuite_id is defined by the ciphersuite and "H2S_" is an ASCII string composed of 4 bytes. Deserialization: 1. if length(generators) == 0, return INVALID 2. M = length(generators) - 1 Procedure: 1. c_arr = (M) 2. c_arr.append(generators) 3. c_octs = serialize(c_arr.append(C, Cbar)) 4. return BBS.hash_to_scalar(c_octs, blind_challenge_dst) 5.2. Commitment Validation and Deserialization The following is a helper operation used by the CoreBlindSign procedure (Section 4.3.1) to validate an optional commitment. The commitment input to CoreBlindSign is optional. If a commitment is not supplied, or if it is the Identity_G1, the following operation will return the Identity_G1 as the commitment point, which will be ignored by all computations during CoreBlindSign. Kalos & Bernstein Expires 9 January 2025 [Page 20] Internet-Draft Blind BBS Signatures July 2024 commit = deserialize_and_validate_commit(commitment_with_proof, blind_generators, api_id) Inputs: - commitment_with_proof (OPTIONAL), octet string. If it is not supplied it defaults to the empty octet string (""). - blind_generators (OPTIONAL), vector of points of G1. If it is not supplied it defaults to the empty set ("()"). - api_id (OPTIONAL), octet string. If not supplied it defaults to the empty octet string (""). Outputs: - commit, a point of G1; or INVALID. Procedure: 1. if commitment_with_proof is the empty string (""), return Identity_G1 2. com_res = octets_to_commitment_with_proof(commitment_with_proof) 3. if com_res is INVALID, return INVALID 4. (commit, commit_proof) = com_res 5. if length(commit_proof[1]) + 1 != length(blind_generators), return INVALID 6. validation_res = verify_commitment(commit, commit_proof, blind_generators, api_id) 7. if validation_res is INVALID, return INVALID 8. commitment 5.3. Serialize 5.3.1. Commitment with Proof to Octets Kalos & Bernstein Expires 9 January 2025 [Page 21] Internet-Draft Blind BBS Signatures July 2024 commitment_octets = commitment_with_proof_to_octets(commitment, proof) Inputs: - commitment (REQUIRED), a point of G1. - proof (REQUIRED), a vector comprising of a scalar, a possibly empty vector of scalars and another scalar in that order. Outputs: - commitment_octets, an octet string or INVALID. Procedure: 1. commitment_octs = serialize(commitment) 2. if commitment_octs is INVALID, return INVALID 3. proof_octs = serialize(proof) 4. if proof_octs is INVALID, return INVALID 5. return commitment_octs || proof_octs 5.3.2. Octet to Commitment with Proof Kalos & Bernstein Expires 9 January 2025 [Page 22] Internet-Draft Blind BBS Signatures July 2024 commitment = octets_to_commitment_with_proof(commitment_octs) Inputs: - commitment_octs (REQUIRED), an octet string in the form outputted from the commitment_to_octets operation. Parameters: - (octet_point_length, octet_scalar_length), defined by the ciphersuite. Outputs: - commitment, a commitment in the form (C, proof), where C a point of G1 and a proof vector comprising of a scalar, a possibly empty vector of scalars and another scalar in that order. Procedure: 1. commit_len_floor = octet_point_length + 2 * octet_scalar_length 2. if length(commitment_octs) < commit_len_floor, return INVALID 3. C_octets = commitment_octs[0..(octet_point_length - 1)] 4. C = octets_to_point_g1(C_octets) 5. if C is INVALID, return INVALID 6. if C == Identity_G1, return INVALID 7. j = 0 8. index = octet_point_length 9. while index < length(commitment_octs): 10. end_index = index + octet_scalar_length - 1 11. s_j = OS2IP(commitment_octets[index..end_index]) 12. if s_j = 0 or if s_j >= r, return INVALID 13. index += octet_scalar_length 14. j += 1 15. if index != length(commitment_octs), return INVALID 16. if j < 2, return INVALID 17. msg_commitment = () 18. if j >= 3, set msg_commitment = (s_2, ..., s_(j-1)) 19. return (C, (s_0, msg_commitments, s_j)) 6. Security Considerations Security considerations detailed in Section 6 (https://www.ietf.org/archive/id/draft-irtf-cfrg-bbs-signatures- 05.html#name-security-considerations) of [I-D.irtf-cfrg-bbs-signatures] apply to this draft as well. Kalos & Bernstein Expires 9 January 2025 [Page 23] Internet-Draft Blind BBS Signatures July 2024 6.1. Prover Blind Factor The random scalar value secret_prover_blind calculated and returned by the Commit operation is responsible for "hiding" the committed messages (otherwise, in many practical applications, the Signer may be able to retrieve them). Furthermore, it guarantees that the entity generating the BBS proof (see BlindProofGen defined in Section 4.2.3) has knowledge of that factor. As a result, the secret_prover_blind MUST remain private by the Prover and it MUST be generated using a cryptographically secure pseudo-random number generator. See Section 6.7 (https://www.ietf.org/archive/id/draft- irtf-cfrg-bbs-signatures-05.html#name-randomness-requirements) of [I-D.irtf-cfrg-bbs-signatures] on recommendations and requirements for implementing the BBS.get_random_scalars operation (which is used to calculate the secret_prover_blind value). 6.2. Key Binding One natural use case for the blind signatures extension of the BBS scheme is key binding. In the context of BBS Signatures, key binding guarantees that only entities in control of a specific private key can compute BBS proofs. This can be achieved by committing to the private key prior to issuance, resulting in a BBS signature that includes that key as one of the signed messages. Creating a BBS proof from that signature will then require knowledge of that key (similar to any signed message). The Prover MUST NOT disclose that key as part of a proof generation procedure. Note also that the secret_prover_blind value returned by the Commit operation defined in Section 4.1.1 (see Section 6.1), has a similar property, i.e., it's knowledge is required to generate a proof from a blind signature. Many applications however, requiring key binding, mandate that the same private key is used among multiple signatures, whereas the secret_prover_blind is uniquely generated for each blind signature issuance request. In those cases, a commitment to a private key must be used, as described above. 6.3. Commitment Randomization A commitment is "randomized" using the secret_prover_blind random value. The Signer MAY elect to re-randomize a commitment by using it's own randomness. This can be helpful for applications that need to guarantee the uniqueness of each commitment (and of the resulting signatures) supplied by (untrusted) Provers. Examples include voting systems, where each unique signature will provide a single vote. To re-randomize a commitment, the Signer can provide the signer_blind input to the BlindSign operation defined in Section 4.2.1. If used, the signer_blind MUST be computed using the BBS.get_random_scalars operation. In contrast with the secret_prover_blind value however, Kalos & Bernstein Expires 9 January 2025 [Page 24] Internet-Draft Blind BBS Signatures July 2024 the signer_blind doesn't need to be secret. The Signer will need to return it to the Prover, who requires it to verify the signature and generate the proofs. 7. Ciphersuites This document uses the BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_ and BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_ defined in Section 7.2.1 (https://identity.foundation/bbs-signature/draft-irtf-cfrg-bbs- signatures.html#name-bls12-381-shake-256) and Section 7.2.2 (https://identity.foundation/bbs-signature/draft-irtf-cfrg-bbs- signatures.html#name-bls12-381-sha-256) correspondingly, of [I-D.irtf-cfrg-bbs-signatures]. 8. Test Vectors 8.1. BLS12-381-SHAKE-256 Test Vectors 8.1.1. Commitment 8.1.1.1. No Committed Messages Mocked RNG parameters: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RAN DOM_SCALARS_DST_" count = "2" committed_messages = "[ ]" secret_prover_blind = "30bd5c9bd2b61c44dd169c92cf28bb607830c56073f10e7a8 00c857cb05ec249" commitment_with_proof = "b6389b0fdf04b9c35165acb11685e02193c53c3c1bb8ef3 a9404dcee1727a365a3ac6ba7fc32654101cc72cc0ee7d3 2b23d2018bd6dc2f932c71d4401e763d4ed9999ee6c9883 7aa7dbe823050697dd744b05920ad0b6393e94f9b86e92d 419406945f1e79d4be58dbaf9dc95237c951" 8.1.1.2. Multiple Committed Messages Kalos & Bernstein Expires 9 January 2025 [Page 25] Internet-Draft Blind BBS Signatures July 2024 Mocked RNG parameters: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RAN DOM_SCALARS_DST_" countsource ~./ = "7" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" secret_prover_blind = "41fb2f74c30256398c927a262602b5ac3ebc6f84d9169476f 8fcb1525c93b649" commitment_with_proof = "85d8034b358566ebfd26f921211b257d30def9962ddf80d c7cbdbf96da2bf598a8bbdc03bdc311ff290673ab29edf4 a642be726c577a1aaeb11d00d10c5a07c824bbf8e47af13 042f570b6bfc05e42783d70fb3ee76ab7c2565fda74ed65 36e14105adf9ae943736a6c96c1102d1dc4424eda4ee196 1f0d450736d1cc9f6b3ad2f9f1bcd3b63ef5445798b65ad 04806240edee143b5c7c57f61ab7fc9fd8f0b05d984e12c ee674541b6a79202931e0ef11bcfc908660861b48cfd4ce 0970c9726d9359b4bd0c853da78891e9c9db41f20291952 79d92f6831b37b5c6d5ac28840e97c12f7962e65adac670 5ae712daa61c0c0bda85a3da6850a8dce296797beff88b1 c8e8459dba0730ecace09177f79" 8.1.2. Signature 8.1.2.1. No Committed Messages, No Signer Messages Kalos & Bernstein Expires 9 January 2025 [Page 26] Internet-Draft Blind BBS Signatures July 2024 Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RAN DOM_SCALARS_DST_" count = "2" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_ RANDOM_SCALARS_DST_" count = "1" SK = "2eee0f60a8a3a8bec0ee942bfd46cbdae9a0738ee68f5a64e7238311cf09a079" PK = "92d37d1d6cd38fea3a873953333eab23a4c0377e3e049974eb62bd45949cdeb18f b0490edcd4429adff56e65cbce42cf188b31bddbd619e419b99c2c41b38179eb00 1963bc3decaae0d9f702c7a8c004f207f46c734a5eae2e8e82833f3e7ea5" commitment_with_proof = "b6389b0fdf04b9c35165acb11685e02193c53c3c1bb8ef3 a9404dcee1727a365a3ac6ba7fc32654101cc72cc0ee7d3 2b23d2018bd6dc2f932c71d4401e763d4ed9999ee6c9883 7aa7dbe823050697dd744b05920ad0b6393e94f9b86e92d 419406945f1e79d4be58dbaf9dc95237c951" header = "11223344556677889900aabbccddeeff" messages = "[ ]" committed_messages = "[ ]" secret_prover_blind = "30bd5c9bd2b61c44dd169c92cf28bb607830c56073f10e7a8 00c857cb05ec249" signer_blind = "49541deb67dc42d5509d39548637959bc43e105fff02c780a308c78e 0a1e3c7f" Signature trace: B = "96d691cae20b5089b65383a1a39e33efef0e00c5a88d779af0895daddaad1f7 9bc361ae64458b69db1741077c9b63e54" domain = "48d64a62d7dbc8d88d643f15b3c8a1eed78afe3a80bc3e41bc2f92257b 25f6d8" signature = "94e59d341a107330ebee0f7022bfe8639139c1383a945a9371fbc3046f7 1cec86fd6528d98b7ba388da6394cfc4ca62645cba02f83bb6a6c3ab736 d7e45f60fd7506d28ee86b7e2a1c81cb86d4acf722" 8.1.2.2. Multiple Prover Committed Messages, No Signer Messages Kalos & Bernstein Expires 9 January 2025 [Page 27] Internet-Draft Blind BBS Signatures July 2024 Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RAN DOM_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_ RANDOM_SCALARS_DST_" count = "1" SK = "2eee0f60a8a3a8bec0ee942bfd46cbdae9a0738ee68f5a64e7238311cf09a079" PK = "92d37d1d6cd38fea3a873953333eab23a4c0377e3e049974eb62bd45949cdeb18f b0490edcd4429adff56e65cbce42cf188b31bddbd619e419b99c2c41b38179eb00 1963bc3decaae0d9f702c7a8c004f207f46c734a5eae2e8e82833f3e7ea5" commitment_with_proof = "85d8034b358566ebfd26f921211b257d30def9962ddf80d c7cbdbf96da2bf598a8bbdc03bdc311ff290673ab29edf4 a642be726c577a1aaeb11d00d10c5a07c824bbf8e47af13 042f570b6bfc05e42783d70fb3ee76ab7c2565fda74ed65 36e14105adf9ae943736a6c96c1102d1dc4424eda4ee196 1f0d450736d1cc9f6b3ad2f9f1bcd3b63ef5445798b65ad 04806240edee143b5c7c57f61ab7fc9fd8f0b05d984e12c ee674541b6a79202931e0ef11bcfc908660861b48cfd4ce 0970c9726d9359b4bd0c853da78891e9c9db41f20291952 79d92f6831b37b5c6d5ac28840e97c12f7962e65adac670 5ae712daa61c0c0bda85a3da6850a8dce296797beff88b1 c8e8459dba0730ecace09177f79" header = "11223344556677889900aabbccddeeff" messages = "[ ]" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" secret_prover_blind = "41fb2f74c30256398c927a262602b5ac3ebc6f84d9169476f 8fcb1525c93b649" signer_blind = "49541deb67dc42d5509d39548637959bc43e105fff02c780a308c78e 0a1e3c7f" Signature trace: B = "b7fc207ed2d77c2e4058acf2ef5f3b0b4ee822fcf8de0a5fde095db175fa8bf a39af4b46fc9402cd9cd48a60be77c57e" domain = "3600988bb64779f01c57bfb0524521bc241aa0fdfc92e1b892ac2066ed cceef1" Kalos & Bernstein Expires 9 January 2025 [Page 28] Internet-Draft Blind BBS Signatures July 2024 signature = "86f46e9f656965c1f88f5f58243127ddc37fd38f4edba8e1d111d0c0aab aff1cd5d10b9b918933b743744b61c0ddce9e0764552e596674db723e72 34233c7c97dd14270c7a0fffc70ef65b2e1137004a" 8.1.2.3. No Prover Committed Messages, Multiple Signer Messages Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RAN DOM_SCALARS_DST_" count = "2" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_ RANDOM_SCALARS_DST_" count = "1" SK = "2eee0f60a8a3a8bec0ee942bfd46cbdae9a0738ee68f5a64e7238311cf09a079" PK = "92d37d1d6cd38fea3a873953333eab23a4c0377e3e049974eb62bd45949cdeb18f b0490edcd4429adff56e65cbce42cf188b31bddbd619e419b99c2c41b38179eb00 1963bc3decaae0d9f702c7a8c004f207f46c734a5eae2e8e82833f3e7ea5" commitment_with_proof = "b6389b0fdf04b9c35165acb11685e02193c53c3c1bb8ef3 a9404dcee1727a365a3ac6ba7fc32654101cc72cc0ee7d3 2b23d2018bd6dc2f932c71d4401e763d4ed9999ee6c9883 7aa7dbe823050697dd744b05920ad0b6393e94f9b86e92d 419406945f1e79d4be58dbaf9dc95237c951" header = "11223344556677889900aabbccddeeff" messages_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4 a45f02" messages_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb07 5f9b80" messages_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" messages_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" messages_5 = "496694774c5604ab1b2544eababcf0f53278ff50" messages_6 = "515ae153e22aae04ad16f759e07237b4" messages_7 = "d183ddc6e2665aa4e2f088af" messages_8 = "ac55fb33a75909ed" messages_9 = "96012096" messages_10 = "" committed_message = "[ ]" secret_prover_blind = "30bd5c9bd2b61c44dd169c92cf28bb607830c56073f10e7a8 00c857cb05ec249" signer_blind = "49541deb67dc42d5509d39548637959bc43e105fff02c780a308c78e 0a1e3c7f" Kalos & Bernstein Expires 9 January 2025 [Page 29] Internet-Draft Blind BBS Signatures July 2024 Signature trace: B = "b5f5dfb257702b03b05bb835b2ec5be89f17a490e6b0a3c0fb5f47fb0845c84 450533bebb5921efffd48417071ea4c46" domain = "62638964b2b8eb67c2635a8b87731e2f876e7e84fc4f051903022a731c 5fe3b8" signature = "aefec656164a1d429acf8d7f1a7daf1fe2fcc959428633fc76748d15f45 15f2c1ff7d26a6e784b20c743f9d01c8f73d51fe9585124b79cf0122ee5 8acb41e0e1e6940af4ad3eab5fb63e2438a946be94" 8.1.2.4. Multiple Prover Committed and Signer Messages Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RAN DOM_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_ RANDOM_SCALARS_DST_" count = "1" SK = "2eee0f60a8a3a8bec0ee942bfd46cbdae9a0738ee68f5a64e7238311cf09a079" PK = "92d37d1d6cd38fea3a873953333eab23a4c0377e3e049974eb62bd45949cdeb18f b0490edcd4429adff56e65cbce42cf188b31bddbd619e419b99c2c41b38179eb00 1963bc3decaae0d9f702c7a8c004f207f46c734a5eae2e8e82833f3e7ea5" commitment_with_proof = "85d8034b358566ebfd26f921211b257d30def9962ddf80d c7cbdbf96da2bf598a8bbdc03bdc311ff290673ab29edf4 a642be726c577a1aaeb11d00d10c5a07c824bbf8e47af13 042f570b6bfc05e42783d70fb3ee76ab7c2565fda74ed65 36e14105adf9ae943736a6c96c1102d1dc4424eda4ee196 1f0d450736d1cc9f6b3ad2f9f1bcd3b63ef5445798b65ad 04806240edee143b5c7c57f61ab7fc9fd8f0b05d984e12c ee674541b6a79202931e0ef11bcfc908660861b48cfd4ce 0970c9726d9359b4bd0c853da78891e9c9db41f20291952 79d92f6831b37b5c6d5ac28840e97c12f7962e65adac670 5ae712daa61c0c0bda85a3da6850a8dce296797beff88b1 c8e8459dba0730ecace09177f79" header = "11223344556677889900aabbccddeeff" messages_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4 a45f02" messages_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb07 5f9b80" messages_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" messages_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" messages_5 = "496694774c5604ab1b2544eababcf0f53278ff50" Kalos & Bernstein Expires 9 January 2025 [Page 30] Internet-Draft Blind BBS Signatures July 2024 messages_6 = "515ae153e22aae04ad16f759e07237b4" messages_7 = "d183ddc6e2665aa4e2f088af" messages_8 = "ac55fb33a75909ed" messages_9 = "96012096" messages_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" secret_prover_blind = "41fb2f74c30256398c927a262602b5ac3ebc6f84d9169476f 8fcb1525c93b649" signer_blind = "49541deb67dc42d5509d39548637959bc43e105fff02c780a308c78e 0a1e3c7f" Signature trace: B = "aae3698e7234be35ab7310270e9ed3a9f000b5a94ad3ea0a2d5a8677331de7d c806a0ac97c94f76a508b85ac386655a6" domain = "04ad1197bffbb54ae41c1d43c61dc29325c2dc771d5cc7dba67907b17f 564a04" signature = "98699909137b16b5ebfdec7396d515f606415353f4ef0a329db11bb2fdd d266900e54219da5cec913c1d4593b8231a1842c1659bc991b18e778c19 5540621d097d0288aba536052b1d14510d3ed165f5" 8.1.2.5. Multiple Prover Committed and Signer Messages, No Signer Blind Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RAN DOM_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_ RANDOM_SCALARS_DST_" count = "1" SK = "2eee0f60a8a3a8bec0ee942bfd46cbdae9a0738ee68f5a64e7238311cf09a079" PK = "92d37d1d6cd38fea3a873953333eab23a4c0377e3e049974eb62bd45949cdeb18f b0490edcd4429adff56e65cbce42cf188b31bddbd619e419b99c2c41b38179eb00 1963bc3decaae0d9f702c7a8c004f207f46c734a5eae2e8e82833f3e7ea5" commitment_with_proof = "85d8034b358566ebfd26f921211b257d30def9962ddf80d c7cbdbf96da2bf598a8bbdc03bdc311ff290673ab29edf4 a642be726c577a1aaeb11d00d10c5a07c824bbf8e47af13 Kalos & Bernstein Expires 9 January 2025 [Page 31] Internet-Draft Blind BBS Signatures July 2024 042f570b6bfc05e42783d70fb3ee76ab7c2565fda74ed65 36e14105adf9ae943736a6c96c1102d1dc4424eda4ee196 1f0d450736d1cc9f6b3ad2f9f1bcd3b63ef5445798b65ad 04806240edee143b5c7c57f61ab7fc9fd8f0b05d984e12c ee674541b6a79202931e0ef11bcfc908660861b48cfd4ce 0970c9726d9359b4bd0c853da78891e9c9db41f20291952 79d92f6831b37b5c6d5ac28840e97c12f7962e65adac670 5ae712daa61c0c0bda85a3da6850a8dce296797beff88b1 c8e8459dba0730ecace09177f79" header = "11223344556677889900aabbccddeeff" messages_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4 a45f02" messages_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb07 5f9b80" messages_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" messages_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" messages_5 = "496694774c5604ab1b2544eababcf0f53278ff50" messages_6 = "515ae153e22aae04ad16f759e07237b4" messages_7 = "d183ddc6e2665aa4e2f088af" messages_8 = "ac55fb33a75909ed" messages_9 = "96012096" messages_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" secret_prover_blind = "41fb2f74c30256398c927a262602b5ac3ebc6f84d9169476f 8fcb1525c93b649" signer_blind = "null" Signature trace: B = "95e018b5b7fe84bff803e829231870d1dec64608083a6a7b4b8f5be66ee9a6e 25a6d067f528e48712528205ae9cdf340" domain = "04ad1197bffbb54ae41c1d43c61dc29325c2dc771d5cc7dba67907b17f 564a04" signature = "823d5849764eff90d9d57252233dc4b2a694224f90d56cc81bcbcc0b329 3096f3f4fdb309e06c1163a47bc61b681fdb149bf605aaf3ec89d0784e3 cca39500d6acd0356d90c8ba6bef9ef6960bb60be1" 8.1.2.6. No Commitment Signature Kalos & Bernstein Expires 9 January 2025 [Page 32] Internet-Draft Blind BBS Signatures July 2024 Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_ RANDOM_SCALARS_DST_" count = "1" SK = "2eee0f60a8a3a8bec0ee942bfd46cbdae9a0738ee68f5a64e7238311cf09a079" PK = "92d37d1d6cd38fea3a873953333eab23a4c0377e3e049974eb62bd45949cdeb18f b0490edcd4429adff56e65cbce42cf188b31bddbd619e419b99c2c41b38179eb00 1963bc3decaae0d9f702c7a8c004f207f46c734a5eae2e8e82833f3e7ea5" commitment_with_proof = "null" header = "11223344556677889900aabbccddeeff" messages_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4 a45f02" messages_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb07 5f9b80" messages_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" messages_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" messages_5 = "496694774c5604ab1b2544eababcf0f53278ff50" messages_6 = "515ae153e22aae04ad16f759e07237b4" messages_7 = "d183ddc6e2665aa4e2f088af" messages_8 = "ac55fb33a75909ed" messages_9 = "96012096" messages_10 = "" committed_message = "null" secret_prover_blind = "null" signer_blind = "null" Signature trace: B = "8ce18ec220f427e23eced9bc5d6a90bf242941676569b406a179e7fe8a3d1c3 ba7fd0271ce37817876e55fe1fdf598e5" domain = "62638964b2b8eb67c2635a8b87731e2f876e7e84fc4f051903022a731c 5fe3b8" signature = "abc558ec1e0899c9ad878d4fd19fe9d622920684038ecaf81488c1b67c1 c49a6213f62674d08ac6eff67cf02b046ce4d4a70f7153dc7d6d4cbf17d c2a305acef53a4a4557ae63bdb87226df2e28df1d8" 8.1.3. Proof 8.1.3.1. All Prover Committed Messages and Signer Messages Disclosed Kalos & Bernstein Expires 9 January 2025 [Page 33] Internet-Draft Blind BBS Signatures July 2024 Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RAN DOM_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_ RANDOM_SCALARS_DST_" count = "1" Mocked RNG parameters for the proof: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_PROOF_MOCK_RAND OM_SCALARS_DST_" count = "6" message_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a 45f02" message_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075 f9b80" message_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" message_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" message_5 = "496694774c5604ab1b2544eababcf0f53278ff50" message_6 = "515ae153e22aae04ad16f759e07237b4" message_7 = "d183ddc6e2665aa4e2f088af" message_8 = "ac55fb33a75909ed" message_9 = "96012096" message_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" commitment_with_proof = "85d8034b358566ebfd26f921211b257d30def9962ddf80d c7cbdbf96da2bf598a8bbdc03bdc311ff290673ab29edf4 a642be726c577a1aaeb11d00d10c5a07c824bbf8e47af13 042f570b6bfc05e42783d70fb3ee76ab7c2565fda74ed65 36e14105adf9ae943736a6c96c1102d1dc4424eda4ee196 1f0d450736d1cc9f6b3ad2f9f1bcd3b63ef5445798b65ad 04806240edee143b5c7c57f61ab7fc9fd8f0b05d984e12c ee674541b6a79202931e0ef11bcfc908660861b48cfd4ce 0970c9726d9359b4bd0c853da78891e9c9db41f20291952 79d92f6831b37b5c6d5ac28840e97c12f7962e65adac670 5ae712daa61c0c0bda85a3da6850a8dce296797beff88b1 c8e8459dba0730ecace09177f79" Kalos & Bernstein Expires 9 January 2025 [Page 34] Internet-Draft Blind BBS Signatures July 2024 PK = "92d37d1d6cd38fea3a873953333eab23a4c0377e3e049974eb62bd45949cdeb18f b0490edcd4429adff56e65cbce42cf188b31bddbd619e419b99c2c41b38179eb00 1963bc3decaae0d9f702c7a8c004f207f46c734a5eae2e8e82833f3e7ea5" signature = "98699909137b16b5ebfdec7396d515f606415353f4ef0a329db11bb2fdd d266900e54219da5cec913c1d4593b8231a1842c1659bc991b18e778c19 5540621d097d0288aba536052b1d14510d3ed165f5" header = "11223344556677889900aabbccddeeff" ph = "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501" disclosed_indexes = "[ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 ]" disclosed_commitment_indexes = "[ 0, 1, 2, 3, 4 ]" proverBlind = "41fb2f74c30256398c927a262602b5ac3ebc6f84d9169476f8fcb1525 c93b649" signerBlind = "49541deb67dc42d5509d39548637959bc43e105fff02c780a308c78e0 a1e3c7f" Proof trace: T1 = "ad2515c9e6265896d9d1891819dcde6a55ded5ff96b48d4b2f9fa8eebf4ee8 67082445c953032567dcb43049be22ae1b" T2 = "a02131e660ceb864718f803010e6435567e7d09299857fa718a361f643febd a90a0fe7b7566fc83031e7e880f3009a81" domain = "04ad1197bffbb54ae41c1d43c61dc29325c2dc771d5cc7dba67907b17f 564a04" // random scalars r1 = "49269fc9884182a1591f959e813384df71ffb220660cb2a4aa3956e27936d4 d8" r2 = "66b80c544ba7563a7de236678d228a36195f2b483daec4c49470b63c7231cb 11" e~ = "6714fe17c1529464fd269b37dda00e6cdd2b82b592a497cc52e78f24930eff da" r1~ = "1da4b2f8fe1790bbff2efabd71c8ed624f9fedd10d62dc7a3ca1088657ebf 220" r3~ = "2354f9de39e2689b893f357e14cead4e405ab3486f188a0b5a503e733d007 588" // m_tilde_scalars m~_1 = "42510c348487be3c19994565911729eafcd4804dacf25a7cb7b7a634ddef c3b5" proof = "92b9f9f19e07616a7933ca8ef4719916a7cfd27bca4081b3593313237b0d17e 505ee2245c7ebea6dbf11c5ff00796af0a43965054cb458805d352b8ea04459 eb9ee9c194bbc94eb89c6b76fd95b5892df98978f31aed49a4a89d1a56f71e1 7bea5e3790a19fa6cdaca1154b5f2c7113ea3145225ed6fc49f04593ae3d5ac cca80949e5f24415ff2a99044bd8d453891e115e93cf7312481f87bea699ce9 5b96136dd9715de9d96a5204baee35610db3d5db4dcbaf18451777f30d4dbfc Kalos & Bernstein Expires 9 January 2025 [Page 35] Internet-Draft Blind BBS Signatures July 2024 ebe6da1f04b4922f0ebcc71fa9ea2568d4e3081b9fe25f0e9d1dcc496d45a67 36ba3330f8a1f3f33b9c8256ccdaae6ecb73332091643100fed2d0eda4c5594 8c8ddf38682430d5276235d294d5c40faa920bd66bc956d4f9226588d302787 eaf442ea79364ca4cd646927c1b752567e8c62b75" 8.1.3.2. Half Prover Committed Messages and All Signer Messages Disclosed Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RAN DOM_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_ RANDOM_SCALARS_DST_" count = "1" Mocked RNG parameters for the proof: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_PROOF_MOCK_RAND OM_SCALARS_DST_" count = "8" message_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a 45f02" message_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075 f9b80" message_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" message_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" message_5 = "496694774c5604ab1b2544eababcf0f53278ff50" message_6 = "515ae153e22aae04ad16f759e07237b4" message_7 = "d183ddc6e2665aa4e2f088af" message_8 = "ac55fb33a75909ed" message_9 = "96012096" message_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" commitment_with_proof = "85d8034b358566ebfd26f921211b257d30def9962ddf80d c7cbdbf96da2bf598a8bbdc03bdc311ff290673ab29edf4 a642be726c577a1aaeb11d00d10c5a07c824bbf8e47af13 042f570b6bfc05e42783d70fb3ee76ab7c2565fda74ed65 36e14105adf9ae943736a6c96c1102d1dc4424eda4ee196 Kalos & Bernstein Expires 9 January 2025 [Page 36] Internet-Draft Blind BBS Signatures July 2024 1f0d450736d1cc9f6b3ad2f9f1bcd3b63ef5445798b65ad 04806240edee143b5c7c57f61ab7fc9fd8f0b05d984e12c ee674541b6a79202931e0ef11bcfc908660861b48cfd4ce 0970c9726d9359b4bd0c853da78891e9c9db41f20291952 79d92f6831b37b5c6d5ac28840e97c12f7962e65adac670 5ae712daa61c0c0bda85a3da6850a8dce296797beff88b1 c8e8459dba0730ecace09177f79" PK = "92d37d1d6cd38fea3a873953333eab23a4c0377e3e049974eb62bd45949cdeb18f b0490edcd4429adff56e65cbce42cf188b31bddbd619e419b99c2c41b38179eb00 1963bc3decaae0d9f702c7a8c004f207f46c734a5eae2e8e82833f3e7ea5" signature = "98699909137b16b5ebfdec7396d515f606415353f4ef0a329db11bb2fdd d266900e54219da5cec913c1d4593b8231a1842c1659bc991b18e778c19 5540621d097d0288aba536052b1d14510d3ed165f5" header = "11223344556677889900aabbccddeeff" ph = "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501" disclosed_indexes = "[ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 ]" disclosed_commitment_indexes = "[ 0, 2, 4 ]" proverBlind = "41fb2f74c30256398c927a262602b5ac3ebc6f84d9169476f8fcb1525 c93b649" signerBlind = "49541deb67dc42d5509d39548637959bc43e105fff02c780a308c78e0 a1e3c7f" Proof trace: T1 = "a66f3c0cd9ac5f94f5f075ac4368a651d9e0b8c3bc7b01d5a79ab9b2c51f86f f7fd82c247ed8204ac5a5a0a2b399b6af" T2 = "92988db2213041d210fa33739ae654afc0f2f366398e488a7817e4761740a00 633e7c59d0faee1640db5479a4178fbb0" domain = "04ad1197bffbb54ae41c1d43c61dc29325c2dc771d5cc7dba67907b17f5 64a04" // random scalars r1 = "11119e21b175fb9fc7c17cbbaf9f5193ff29018deab299e0179517f518c887c a" r2 = "293d6d461a4cfd449607b211dcc500540c49cc73d6c77b1ec62eb982be4935b 4" e~ = "3bc9fe82bbca21200fbbff238cf666d79270bbfc9293ea3fed177ac128cff30 e" r1~ = "5224e6c760e66d54dae6fac6adee3edca19df9f12f84416980b5c2820b647f fd" r3~ = "723457f7d95dfeb89077f16f58f343b1d53b44d474004564a8cc9be5c5cd32 44" // m_tilde_scalars m~_1 = "107b5b89bc2574eed71a48bf869b094351bcb2a32fe4ed0f5c62b9063a086 Kalos & Bernstein Expires 9 January 2025 [Page 37] Internet-Draft Blind BBS Signatures July 2024 d4b" m~_2 = "6c757b1e66cc101e9e69c2a7c665d68ce19193f11a28ac1efc0a41b5292a1 a87" m~_3 = "635ef91197c84f74b14ef14ed7b74ea6a2c4770a1f665cd545854330e3550 221" proof = "95962116bfb3b9b2de1018579e9fa17b90c1b961ab665b4a4f006540a068cf4 32a4b681bf2ed60ad2722a8bb95721aa0b440cb1fa03c5260e3e1baae441f73 aa0dfe304e156af3425cc8ca0b59ecae2be09d8cf4851b2ad6e11390703a86d fc08fc29e731352a3142ff72cf153a713f7639324591cf6108db67ce047a5aa 19405b56eee355ae091dd648e4b03f25d43164d59bbbca99b525289657aebcb e8ec1de2c7d4f277518d0aa3caae96135cd3f388124edd9d03ec9cd333113f5 7d19c5886cbf36170930b54d569539276dfbeb5f5e34e0e93edbb440841214c 38170c9ee7e60a943b290f7db8d2e09f64dbb7c3ed7a698774a3ea3585f698a fefcc2b648295180943654cbf6a43da1fe190bbb661f79ee3fe448d681fa625 7bc9770c26c87feb52a3c3abed0fe0272715f993e54632136c16ef6b8e87d69 a54939a7508dd26ef82418fb6636ddf84482008b8e3109e279a97ebd2b1e259 59cb0cdd63004706e16e66a53fe71c6851052da0c02" 8.1.3.3. All Prover Committed Messages and Half Signer Messages Disclosed Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RAN DOM_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_ RANDOM_SCALARS_DST_" count = "1" Mocked RNG parameters for the proof: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_PROOF_MOCK_RAND OM_SCALARS_DST_" count = "11" message_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a 45f02" message_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075 f9b80" message_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" message_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" message_5 = "496694774c5604ab1b2544eababcf0f53278ff50" message_6 = "515ae153e22aae04ad16f759e07237b4" message_7 = "d183ddc6e2665aa4e2f088af" message_8 = "ac55fb33a75909ed" message_9 = "96012096" Kalos & Bernstein Expires 9 January 2025 [Page 38] Internet-Draft Blind BBS Signatures July 2024 message_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" commitment_with_proof = "85d8034b358566ebfd26f921211b257d30def9962ddf80d c7cbdbf96da2bf598a8bbdc03bdc311ff290673ab29edf4 a642be726c577a1aaeb11d00d10c5a07c824bbf8e47af13 042f570b6bfc05e42783d70fb3ee76ab7c2565fda74ed65 36e14105adf9ae943736a6c96c1102d1dc4424eda4ee196 1f0d450736d1cc9f6b3ad2f9f1bcd3b63ef5445798b65ad 04806240edee143b5c7c57f61ab7fc9fd8f0b05d984e12c ee674541b6a79202931e0ef11bcfc908660861b48cfd4ce 0970c9726d9359b4bd0c853da78891e9c9db41f20291952 79d92f6831b37b5c6d5ac28840e97c12f7962e65adac670 5ae712daa61c0c0bda85a3da6850a8dce296797beff88b1 c8e8459dba0730ecace09177f79" PK = "92d37d1d6cd38fea3a873953333eab23a4c0377e3e049974eb62bd45949cdeb18f b0490edcd4429adff56e65cbce42cf188b31bddbd619e419b99c2c41b38179eb00 1963bc3decaae0d9f702c7a8c004f207f46c734a5eae2e8e82833f3e7ea5" signature = "98699909137b16b5ebfdec7396d515f606415353f4ef0a329db11bb2fdd d266900e54219da5cec913c1d4593b8231a1842c1659bc991b18e778c19 5540621d097d0288aba536052b1d14510d3ed165f5" header = "11223344556677889900aabbccddeeff" ph = "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501" disclosed_indexes = "[ 0, 2, 4, 6, 8 ]" disclosed_commitment_indexes = "[ 0, 1, 2, 3, 4 ]" proverBlind = "41fb2f74c30256398c927a262602b5ac3ebc6f84d9169476f8fcb1525 c93b649" signerBlind = "49541deb67dc42d5509d39548637959bc43e105fff02c780a308c78e0 a1e3c7f" Proof trace: T1 = "81172a458bf764c942cfc9d2f4c6d77ecce1b98c7167a0483c4c65d37bc29d 61fdf27fb9a941b8a351e4674203c38f1d" T2 = "91b8aff9920c55af087dfd6c28f0e8c33edc8a5e5ba50ad501132d95e39b0f e90ba82536a7518287c3b0cde01acc9c5c" domain = "04ad1197bffbb54ae41c1d43c61dc29325c2dc771d5cc7dba67907b17f 564a04" Kalos & Bernstein Expires 9 January 2025 [Page 39] Internet-Draft Blind BBS Signatures July 2024 // random scalars r1 = "517c6ba25814e7e8a6b1e1e7a1eaefbd13a47b874a249094592b51295c896b e6" r2 = "17d278dc4ff520d8bcde7c7f35e635c19d9d0e19e0f32e4900e4a69af300b2 f6" e~ = "658838c65c01e42cd39fe21885284cef7006630bf8b8ab9183bcc2d212778d ee" r1~ = "21e2ce874aaef017a9d67f01e432cd16bcf2794299e6594f5065b417d0039 f42" r3~ = "51a834a77851b6f5b476bd8ce9440019c0ba3b19a1739ae20e0834abca1fa cd4" // m_tilde_scalars m~_1 = "586ad615bf1d62d511c8737ebb6a0492e0769faed21e1fb23cbbdf898b25 ad55" m~_2 = "441e55f5927fb14f4059f4d4c7aad45b72349b50436cd8d2cd5ae3666ecd 64dd" m~_3 = "10292482d9e08dc8d3a14223dfdbe4a14433ddfbff0950732a12f99edd78 efd9" m~_4 = "1acd7900624f83027ee6c7700c579d10eaa0060dba6b9432247094971739 4645" m~_5 = "4e525012cc1649cd7a6a4d3a16899e39b9d877243716e6212effb6320294 a382" m~_6 = "65f2bf6e3dcde2dece63dd45ffcdecc8019f04664cb245f45ecdbc945e8a 4772" proof = "885fc9be8194a72628b0a75828b6f2297e0ac0db13473d8c8346f3862926365 e38a5ab28265854a2a165fac412d201ca937eb6e249768e52c4ec15c711b8a4 c2153b09caa7d64c5e010fc05f3f6ef3865920e877365f82d0400738b65f9bb 421a8e4e5f7bbade675d55eb91d32adf0eac29d9dd1168acf39e89824e7b83e 98381b47030c5e2ba4b9edb7b5ea262b01310ae1bf7884d2aee023504adcd48 ed1c4312fc401618ab24679ca46c448fe478227d0bc48cccafe0d61b91b01bd 9e9821842af129f3c2a5c877fa9c759f81b5e8606cdec75a7af1e99c0750394 e8fb39465d07fb8b6049d8e8070fb1523fd6a1d052c2daaf7bb42d1187ef6ef b12df7c0b9200a7230c377767289b7aac236b2f703b0f2d0914266cc0b1bad8 f21330ecaee604f49d494befe28b46d6dcf2de82f73a3d4e82d628097aa7730 63d4e868f25fe6544abe890b30b8ae08ef22cf8529498d3e7fb7c881f275c56 cf57cd19039a4189fcbd718bfb6b1e7de1274008d331fdd48de78b047b98966 dddb5492c9ef093f1b7064d6453615ad0776f131794b52c689527d84d67836a 61e993b8416299020a8d57bd5266043554541d0d30bd3464520473549979cbb be5172009ec1078cb039167b018853a3a507b8babb617d" 8.1.3.4. Half Prover Committed Messages and Half Signer Messages Kalos & Bernstein Expires 9 January 2025 [Page 40] Internet-Draft Blind BBS Signatures July 2024 Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RAN DOM_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_ RANDOM_SCALARS_DST_" count = "1" Mocked RNG parameters for the proof: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_PROOF_MOCK_RAND OM_SCALARS_DST_" count = "13" message_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a 45f02" message_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075 f9b80" message_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" message_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" message_5 = "496694774c5604ab1b2544eababcf0f53278ff50" message_6 = "515ae153e22aae04ad16f759e07237b4" message_7 = "d183ddc6e2665aa4e2f088af" message_8 = "ac55fb33a75909ed" message_9 = "96012096" message_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" commitment_with_proof = "85d8034b358566ebfd26f921211b257d30def9962ddf80d c7cbdbf96da2bf598a8bbdc03bdc311ff290673ab29edf4 a642be726c577a1aaeb11d00d10c5a07c824bbf8e47af13 042f570b6bfc05e42783d70fb3ee76ab7c2565fda74ed65 36e14105adf9ae943736a6c96c1102d1dc4424eda4ee196 1f0d450736d1cc9f6b3ad2f9f1bcd3b63ef5445798b65ad 04806240edee143b5c7c57f61ab7fc9fd8f0b05d984e12c ee674541b6a79202931e0ef11bcfc908660861b48cfd4ce 0970c9726d9359b4bd0c853da78891e9c9db41f20291952 79d92f6831b37b5c6d5ac28840e97c12f7962e65adac670 5ae712daa61c0c0bda85a3da6850a8dce296797beff88b1 c8e8459dba0730ecace09177f79" Kalos & Bernstein Expires 9 January 2025 [Page 41] Internet-Draft Blind BBS Signatures July 2024 PK = "92d37d1d6cd38fea3a873953333eab23a4c0377e3e049974eb62bd45949cdeb18f b0490edcd4429adff56e65cbce42cf188b31bddbd619e419b99c2c41b38179eb00 1963bc3decaae0d9f702c7a8c004f207f46c734a5eae2e8e82833f3e7ea5" signature = "98699909137b16b5ebfdec7396d515f606415353f4ef0a329db11bb2fdd d266900e54219da5cec913c1d4593b8231a1842c1659bc991b18e778c19 5540621d097d0288aba536052b1d14510d3ed165f5" header = "11223344556677889900aabbccddeeff" ph = "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501" disclosed_indexes = "[ 0, 2, 4, 6, 8 ]" disclosed_commitment_indexes = "[ 0, 2, 4 ]" proverBlind = "41fb2f74c30256398c927a262602b5ac3ebc6f84d9169476f8fcb1525 c93b649" signerBlind = "49541deb67dc42d5509d39548637959bc43e105fff02c780a308c78e0 a1e3c7f" Proof trace: T1 = "b7b4f49648243c0645124c9d7370c11d2f4c03eeee6f874a07d6f395cbe2ec 11f48c0bc5f06092bd35ad4b74fd2e4c49" T2 = "b42257bf46107920e1c987957a589cdd1bd5f848bffb23c17177eeb18a4cc7 b3e1dfdd3d6ac590fcbea913696f9a93ae" domain = "04ad1197bffbb54ae41c1d43c61dc29325c2dc771d5cc7dba67907b17f 564a04" // random scalars r1 = "11ac0d86f78a0bcdc7c20417d73522b46d20a8f7e3ac008d2d3bd77730614b 34" r2 = "2697d76e223bda4ed35e2428030bac7c2ca77122e3bab7b5d6b8bffca307a3 d3" e~ = "0fc4a68d61483036dbf45878430cc8382283c481c8c1cd3c9d3fe9aec9263b e3" r1~ = "1baffa5c4d6187496310d4014bc9f15d0150f215868722186679b8e68d84b 682" r3~ = "05b85a30f2f49348d34ca44242820c77421979b9b312a05b0fab16690026d 86a" // m_tilde_scalars m~_1 = "6f7e7893731097ba853486fea7eb62f66e3e14be47b0565b388c5a917013 5b86" m~_2 = "45a4a12e1a7a518a63b66eebbce90605c29f249f570c85685bc0232c8011 fbf3" m~_3 = "2ca1dd61fa58bc6670268750f5acdb19dbeca06ff2eb1a352d69e2131804 2772" m~_4 = "0c79f4d9a6373202c102adf291522c06e2bf7f0da76f8e6cc3d6762bcc6b ee1f" m~_5 = "48f8c3fdcdde12d9949c6ba62661e5694363145f140be07d928b4ea9521a Kalos & Bernstein Expires 9 January 2025 [Page 42] Internet-Draft Blind BBS Signatures July 2024 838b" m~_6 = "382d6baa8558a7cd49b2fb6ad333114d7d4842c1c29aa2fcb8d6159aa40e 84f2" m~_7 = "53ae47dc3e329331a0cc2f46920d6f8b07f27afc4ad662ddad0e61d5e1b7 4751" m~_8 = "6165660f8dde9349f501d169e463ddef10b94a248f2de5701966e65ba16b 656a" proof = "8e1434019ae87246297e159aa75f43eb5f394576cbaad9dab7392a57841d903 628c192583963dfa3c6628aa234e8aa3ba3c45b324a40223cb35af21cd4f643 a97efb3262359f0a0ab3606209030eadf2d59f404f67bf17cf9eccc2483e540 f68b8fbd18a6f55110fbc12966916ac698ca7a6c8c7ece5818945bfc5e3bf32 387d64e532ad32f432133dcc676c2926246f2ed725e744242940a383c33e173 1f366fcef24f6376615bcfc5c1bc4f29fe91553a8299ebaf843e32bc97c5114 d3d297e61bd9ebfdec31310650a904981c097319785f07c63da13ff11c718c9 8b91cc0af9f0a1fefa5c93cecc9884b15f467521b7495b8a039923bc41f39a7 79da0b06564d7db558b0576ef29ec29a5ed785321f2f77c3620143044683449 392de8349b4a4dd430ba33a250a419eac1c06a80f014a1f509a4abe09f4ad94 d3e0497d0377fa855d222bbebf928f8b643f5b81dd49c664c48342d0fb5004e d381ed88d0d98790305fc420c2e67afc2be3b1272c217d8150dd9c78cbed847 6d9a83ec0fc84c3d1ec69f6ccdeb4cca78d2207086943f76defd1943a5373fa dada7e52e45cd394d3a3e9c62eb504a30709e8de25e340baee1cf06bdadccd4 f6f1b1f1ab72dd9a7cdaf85507891bb446e2e483d2f0d53cbd7aa1417b01f72 1e149b8bdc8e0c54692ef3e136d0b363e25a44559e2c8fb28b941e2f8fdf90a e1fed6a1209cbba29fbaf607c9aa65e705c9245c7b3a2fc9" 8.1.3.5. No Prover Committed Messages and Half Signer Messages Disclosed Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RAN DOM_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_ RANDOM_SCALARS_DST_" count = "1" Mocked RNG parameters for the proof: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_PROOF_MOCK_RAND OM_SCALARS_DST_" count = "16" message_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a 45f02" message_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075 f9b80" Kalos & Bernstein Expires 9 January 2025 [Page 43] Internet-Draft Blind BBS Signatures July 2024 message_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" message_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" message_5 = "496694774c5604ab1b2544eababcf0f53278ff50" message_6 = "515ae153e22aae04ad16f759e07237b4" message_7 = "d183ddc6e2665aa4e2f088af" message_8 = "ac55fb33a75909ed" message_9 = "96012096" message_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" commitment_with_proof = "85d8034b358566ebfd26f921211b257d30def9962ddf80d c7cbdbf96da2bf598a8bbdc03bdc311ff290673ab29edf4 a642be726c577a1aaeb11d00d10c5a07c824bbf8e47af13 042f570b6bfc05e42783d70fb3ee76ab7c2565fda74ed65 36e14105adf9ae943736a6c96c1102d1dc4424eda4ee196 1f0d450736d1cc9f6b3ad2f9f1bcd3b63ef5445798b65ad 04806240edee143b5c7c57f61ab7fc9fd8f0b05d984e12c ee674541b6a79202931e0ef11bcfc908660861b48cfd4ce 0970c9726d9359b4bd0c853da78891e9c9db41f20291952 79d92f6831b37b5c6d5ac28840e97c12f7962e65adac670 5ae712daa61c0c0bda85a3da6850a8dce296797beff88b1 c8e8459dba0730ecace09177f79" PK = "92d37d1d6cd38fea3a873953333eab23a4c0377e3e049974eb62bd45949cdeb18f b0490edcd4429adff56e65cbce42cf188b31bddbd619e419b99c2c41b38179eb00 1963bc3decaae0d9f702c7a8c004f207f46c734a5eae2e8e82833f3e7ea5" signature = "98699909137b16b5ebfdec7396d515f606415353f4ef0a329db11bb2fdd d266900e54219da5cec913c1d4593b8231a1842c1659bc991b18e778c19 5540621d097d0288aba536052b1d14510d3ed165f5" header = "11223344556677889900aabbccddeeff" ph = "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501" disclosed_indexes = "[ 0, 2, 4, 6, 8 ]" disclosed_commitment_indexes = "[ ]" proverBlind = "41fb2f74c30256398c927a262602b5ac3ebc6f84d9169476f8fcb1525 c93b649" signerBlind = "49541deb67dc42d5509d39548637959bc43e105fff02c780a308c78e0 a1e3c7f" Proof trace: Kalos & Bernstein Expires 9 January 2025 [Page 44] Internet-Draft Blind BBS Signatures July 2024 T1 = "b3c0f8ff30dc4b74e3ef80a49deae5581c1b30d3eeb3265a29934c77a3bf81 b088e9497ef56deb0e94160daf667a51c1" T2 = "b8d05b87e865db7669adb79813faa7302d88ab54806cf917d592e64d34913d e76ff1191b87971536815cf734f919ca00" domain = "04ad1197bffbb54ae41c1d43c61dc29325c2dc771d5cc7dba67907b17f 564a04" // random scalars r1 = "211c1037bcd1316e4160817643c34a7bbb83021ddd3b1f22f37ed5253da52e 25" r2 = "6ca3bb81e84cd13823f2630f90f28084d1409bca3d08983d9901f290450ef5 2e" e~ = "2a37d3d049c506148362bb3411255f08bd504553caf90b877569b7250ca7f9 8c" r1~ = "3427333b9226659b999a422946edc23b382d9a355ac03ec8dc45ed57cbe56 bc4" r3~ = "633a0ef2d7d6a96a6d273e6984d0dc3a4d8a619fad2be125dd3e4237bfe2e 53a" // m_tilde_scalars m~_1 = "5f2b419df907cc204177fb0f60a8865cafc792fec2a5eee336146ad811cb d483" m~_2 = "03c340104c6b71dd62b77ed31d2b4863e9a6925cb9b78666a0b8c400c4ca 31f8" m~_3 = "45f9d520e8682e349a036b8763fd647d2a1cbb81a77f61da5879d563948c ffe4" m~_4 = "4010f0d66857c907ebb8f7544e04ff1ba4bdc2baa19f63b4a146f5ccc385 3544" m~_5 = "4ca37c03d4ab19de664f57d18874d7b86434cff1389cf9865506bcc49f63 b4f8" m~_6 = "47965b117a3d83c8133a1f915f858c0b4e1f3d648af84dadbf722696ab0d 62f2" m~_7 = "68bbcf9066fd79d6224a0a8d289bc38cc7768bca389779edfa29b0fe874b 2645" m~_8 = "6185e602029fe3df6f0023323d20d33c67e8e0093e4d603e00506869aa2f a57c" m~_9 = "47f3355d90deaa185a76e02fc2bb521714682686569e36f016f5161babdc 3006" m~_10 = "461a8b4fc326abf2bc18c43df883fd512d460419c4ee361a45714d8466b 5750f" m~_11 = "4da6a68e742b02785c398f1693b856908138fa2376c03546ab2b4168853 c255b" proof = "b49d202961fcd847f07546539dff3482d874bf49230d9195842d8e7d5681090 9542f670c77224652a06426ec23fe8aa7af22a741f60c494b57e511b0e39bed 7690187f0dc60aacbb601876c995c7137b26a3e00929ed9f04db85dd026449b d5c8511aa643200708fa241b82fc9c3ad43f4cb7ffb8108374bd80a104276aa 3b25fd99b4a39648bd6ed9d31a1dd99b0868516a282ebbb7c9e43bf4e8d02bc Kalos & Bernstein Expires 9 January 2025 [Page 45] Internet-Draft Blind BBS Signatures July 2024 2661e42cd9ccf8201eb363095fb8c99289a2a4a4250499a0a58e9040724be29 4e64cba78ac1a770a5a6825e83c6b2d190a7b54c069f0c67a72a9bd8252e2c7 6da8a0c736f94aba59ec8bab63f5eca2adb55403369a441e5e7da8898ebbf5d 9136ef84d706a44a14fb3e022862435b3ad9f7f4316d10d68a7769dbdc66a31 08bfedbaa1cc4d97af2ce2118f4ee87c2e269ac40135a07cf3286ea1169b657 121b44104036aba5e434d086cd4684a914262ad8e137ce0aac45fe18d907252 e145b68482a7e9639801fb73c20b262e58ab63cb49a30bd9529c968d145facc 8bdd1f8e0e29a9502832fbd28812d9d9ea58e6bca8125ec7b54f4cbf7a3a49b 4eae96627b8a800a840d3581f7d61782d467ab4fe9bed43377a53c19b02c883 abab17c089af3cfffedd0c3fda7523e829fb6256842efd4dbad7bd23e6fa424 358878047a76e5c10dd9eebd72c58bc1a0b28bcbebbc77a45f145871c9e4593 9e5fdfe8cfcda8cd7e7db06ada9062efa0615bcd8324a8a35498be70cebd3dc 49e0a5021aa62dc75a7575cf72aeddff26bd0ead27dabc18e31c0bfb468e8b9 dff0b6c3222ad18d01c654526539f5c3d32ffe6efccc951875430dc2408bf61 a1c780d89325e53943233336d878147a94e965928e430a35ebf" 8.1.3.6. Half Prover Committed Messages and No Signer Messages Disclosed Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RAN DOM_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_ RANDOM_SCALARS_DST_" count = "1" Mocked RNG parameters for the proof: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_PROOF_MOCK_RAND OM_SCALARS_DST_" count = "18" message_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a 45f02" message_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075 f9b80" message_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" message_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" message_5 = "496694774c5604ab1b2544eababcf0f53278ff50" message_6 = "515ae153e22aae04ad16f759e07237b4" message_7 = "d183ddc6e2665aa4e2f088af" message_8 = "ac55fb33a75909ed" message_9 = "96012096" message_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf Kalos & Bernstein Expires 9 January 2025 [Page 46] Internet-Draft Blind BBS Signatures July 2024 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" commitment_with_proof = "85d8034b358566ebfd26f921211b257d30def9962ddf80d c7cbdbf96da2bf598a8bbdc03bdc311ff290673ab29edf4 a642be726c577a1aaeb11d00d10c5a07c824bbf8e47af13 042f570b6bfc05e42783d70fb3ee76ab7c2565fda74ed65 36e14105adf9ae943736a6c96c1102d1dc4424eda4ee196 1f0d450736d1cc9f6b3ad2f9f1bcd3b63ef5445798b65ad 04806240edee143b5c7c57f61ab7fc9fd8f0b05d984e12c ee674541b6a79202931e0ef11bcfc908660861b48cfd4ce 0970c9726d9359b4bd0c853da78891e9c9db41f20291952 79d92f6831b37b5c6d5ac28840e97c12f7962e65adac670 5ae712daa61c0c0bda85a3da6850a8dce296797beff88b1 c8e8459dba0730ecace09177f79" PK = "92d37d1d6cd38fea3a873953333eab23a4c0377e3e049974eb62bd45949cdeb18f b0490edcd4429adff56e65cbce42cf188b31bddbd619e419b99c2c41b38179eb00 1963bc3decaae0d9f702c7a8c004f207f46c734a5eae2e8e82833f3e7ea5" signature = "98699909137b16b5ebfdec7396d515f606415353f4ef0a329db11bb2fdd d266900e54219da5cec913c1d4593b8231a1842c1659bc991b18e778c19 5540621d097d0288aba536052b1d14510d3ed165f5" header = "11223344556677889900aabbccddeeff" ph = "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501" disclosed_indexes = "[ ]" disclosed_commitment_indexes = "[ 0, 2, 4 ]" proverBlind = "41fb2f74c30256398c927a262602b5ac3ebc6f84d9169476f8fcb1525 c93b649" signerBlind = "49541deb67dc42d5509d39548637959bc43e105fff02c780a308c78e0 a1e3c7f" Proof trace: T1 = "a31aaba48e0a2d09945a41472276d30842cc86e216880085c4c81b55d6c7a3 54a3076e41b8c97d03b130222effc07bd9" T2 = "8fed3661429624cc42d72019ecede724622d0d76e6bfa498d3329492b98c6f c488e9f32eae6c54162f3facddb964ce0f" domain = "04ad1197bffbb54ae41c1d43c61dc29325c2dc771d5cc7dba67907b17f 564a04" // random scalars r1 = "72202656d242b95e869fbcd40581b1924183ac11ac323ebbe011d63536d828 7c" Kalos & Bernstein Expires 9 January 2025 [Page 47] Internet-Draft Blind BBS Signatures July 2024 r2 = "1b6f80e77f00fd46a7ab1e46be33db2582fbadbf8358e7dfb157c69f577b90 63" e~ = "48e116be2272e66dac308ec305869640dcc107d3de941659e7dfa80359a3a3 3d" r1~ = "67dbca3425cd03873b9ef9240389de348618c4eb142eb963f03e99f5cc857 55f" r3~ = "38beeb508bc526d9f70af680eb5e747daf0b0abf9c5dd2da78a795eb082c8 91e" // m_tilde_scalars m~_1 = "41e0af39eb876d842a6fa22e739bd8557782d8bc64f1e3e8caa407acf21e 9d83" m~_2 = "34318199184c1d1b0088b30f12b59b5be5eaf0a6d4f1bd06cae1844ce794 93db" m~_3 = "449a1a27becc25364804695002bb8671d66119c6b47ca0090a42690f108b 8743" m~_4 = "0db0eb8b857927356955a1e251ad1df40e45427e8dd488b822608565a62a 5a31" m~_6 = "21e0abb919758a5b8bfd32cc6417b36ca94d091a4ef4b6e9e6840a174ed1 93d4" m~_5 = "3030cf9de98a457fdfe9cfbe693e53a2eefbe6590557b04bc5abcc981b2c 5b53" m~_8 = "38af70a2dc939db80ec191f993d38ce477fbf53f0de85c8676e0bd32fb65 29b9" m~_7 = "6d46722a4f82d87d5012bab944b18239571c6c20b7133b529d0cd8199925 1eee" m~_9 = "39c92b70c8e3635a623da5dfeccb3b2a706e8179f1c94c5185f8cf3a4147 f0e4" m~_10 = "1521952789a9f1a2c8e88d102574fc3b11644dcd57e4658bcf37f44ba57 5a69f" m~_11 = "5ecc4872b50ac3e9159dc3eef11260766090788a864607e669c50ebc489 d5a75" m~_12 = "68c917c66ecd829f333f0f9b12fcaf0c93e6f085fbb0d490e1e1a43ba59 d6a94" m~_13 = "60f3ae300246e53d20ec89d0bce7f4ea8bb2f669f9b972f5e475401ab9a 44ad1" proof = "91316c2d47546e7eec8b974c58764d0002e9def61a4631f12e74a643a058f6a a95eb27b1b7b319635af43da84e9a104080542f0d9f5fbeacdc0e669d5a2e06 78ace2d258032ce6ae4e9c7ad35b4739ab3aaba3a2592fdd3af1fd70fc4b31b a8f92f36dff7f48afd0afb0e1ea9123b0a1d1387f16bfba16d4e48f28a78dbe 6a5c841c6ef939c268f7490f21878d81b39f4c2388ddb5e1e205cb4eda73cc8 30f415c6098325ba77739fdbc5a28d557302d591485fb5b5337ebe77cd33f1a a83daae47d21ec993d8d75a8956c894a6e61293c95bd0d785a0af5debb71aad 8580830eb258f6c8a68810505b4bfe8c941d36c42cd81f3a40e2784ca64cd10 a08e85cb9d7f6ad9dc2cd2704dd6cd31ab95f1c5123efb704c5061c1fdf9558 90414b43eafb2158ab7324a3d550349969fad60a52c68b3cd9e8936de4e602b 92cbe80963ed614c8f2ee498c460e5ae4bb521c37e58a88017fce41b8ccd5f1 Kalos & Bernstein Expires 9 January 2025 [Page 48] Internet-Draft Blind BBS Signatures July 2024 8963f3a6c4aea75ce64e55b578d5b41f96f24220269139cde310b9cace17efd 7237cc9df18009b424c6af03e955b04277ad89fc9a0365b0fc1391941dd5b87 fc95fe1fbf935d989fedd5f0cd9f684841e6b06ad8dbc64d31315fec28a0de9 abcd916e6229470434e471e08b401414067413a9e45fb206248b295c6496cb0 25221e8f1967f4e77fc2b3b26ea02e5f1fcb0e05856c6a251b3e7ee47206c62 2ed321523c04d0f65eaccb1f68323469efd34d8c4f6c052a30000dc810793b0 e74476002d34d8d509fe2d4d57315da6b7cbcede917446d1e3614cfb22a47a8 08865fa73487253c9eebe8a8fbe72969bc36ad4f895068bf2818031475232fe 085bb49e501a6bb202b1ab5a5dfdb8a1adbd31992aadbb0720d4ffebc562387 1fa60c35e6ce7b403a7fd564adb8ca4e913bb05ce2418232a7970a6b3883302 1e0813d96cc6415a88b04aa0e5bb3640ca0dc3815e75449517ef2" 8.1.3.7. No Prover Committed Messages and No Signer Messages Disclosed Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RAN DOM_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_ RANDOM_SCALARS_DST_" count = "1" Mocked RNG parameters for the proof: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_PROOF_MOCK_RAND OM_SCALARS_DST_" count = "21" message_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a 45f02" message_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075 f9b80" message_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" message_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" message_5 = "496694774c5604ab1b2544eababcf0f53278ff50" message_6 = "515ae153e22aae04ad16f759e07237b4" message_7 = "d183ddc6e2665aa4e2f088af" message_8 = "ac55fb33a75909ed" message_9 = "96012096" message_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" Kalos & Bernstein Expires 9 January 2025 [Page 49] Internet-Draft Blind BBS Signatures July 2024 commitment_with_proof = "85d8034b358566ebfd26f921211b257d30def9962ddf80d c7cbdbf96da2bf598a8bbdc03bdc311ff290673ab29edf4 a642be726c577a1aaeb11d00d10c5a07c824bbf8e47af13 042f570b6bfc05e42783d70fb3ee76ab7c2565fda74ed65 36e14105adf9ae943736a6c96c1102d1dc4424eda4ee196 1f0d450736d1cc9f6b3ad2f9f1bcd3b63ef5445798b65ad 04806240edee143b5c7c57f61ab7fc9fd8f0b05d984e12c ee674541b6a79202931e0ef11bcfc908660861b48cfd4ce 0970c9726d9359b4bd0c853da78891e9c9db41f20291952 79d92f6831b37b5c6d5ac28840e97c12f7962e65adac670 5ae712daa61c0c0bda85a3da6850a8dce296797beff88b1 c8e8459dba0730ecace09177f79" PK = "92d37d1d6cd38fea3a873953333eab23a4c0377e3e049974eb62bd45949cdeb18f b0490edcd4429adff56e65cbce42cf188b31bddbd619e419b99c2c41b38179eb00 1963bc3decaae0d9f702c7a8c004f207f46c734a5eae2e8e82833f3e7ea5" signature = "98699909137b16b5ebfdec7396d515f606415353f4ef0a329db11bb2fdd d266900e54219da5cec913c1d4593b8231a1842c1659bc991b18e778c19 5540621d097d0288aba536052b1d14510d3ed165f5" header = "11223344556677889900aabbccddeeff" ph = "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501" disclosed_indexes = "[ ]" disclosed_commitment_indexes = "[ ]" proverBlind = "41fb2f74c30256398c927a262602b5ac3ebc6f84d9169476f8fcb1525 c93b649" signerBlind = "49541deb67dc42d5509d39548637959bc43e105fff02c780a308c78e0 a1e3c7f" Proof trace: T1 = "b47c7fdf1d5f18f776b436973084aef0d56550cc061584520ebd25b84bf2b9 648111b2090aa6e275059c9517a7d6fd1d" T2 = "a22a1474d8ef231d4acb70f707cb0b6f30a6fd373c5a39269142327015608c cbb03830106319691c9f6559db262600da" domain = "04ad1197bffbb54ae41c1d43c61dc29325c2dc771d5cc7dba67907b17f 564a04" // random scalars r1 = "2aa67d3759b3aa6cdc1e57822f10e4ac850a7f80a82f0967cd5fd21899ca0b 69" r2 = "1e946e0a41c6a6dcc24894f477899f060f0f6bbe5b913022848d39e356d83c f1" e~ = "6d6c354149a71ca3c43e5657fee3b95652c5978125350c6d317cebc9fb8829 2a" r1~ = "2508a44ef5e20176698f111e2375bfa84661ee27189c300bde8b9d946ceb5 8d7" Kalos & Bernstein Expires 9 January 2025 [Page 50] Internet-Draft Blind BBS Signatures July 2024 r3~ = "35632248dc2eea031c09ae0797e1b9974d675d60df32035a5fde566ff71dd 247" // m_tilde_scalars m~_1 = "26f66a47894e184b5fe32a2e6568c0786af376d089e2a11e632978c183a6 f3fb" m~_2 = "6d3606b3086f0c44c209c5af201d48d20e015f0fc80fd00a10259f7f46ea 6eed" m~_3 = "22063ed43999f4ae40a03c4ea9f934b3f946dc167957b20d501a13442669 5cc0" m~_4 = "29930e487c3e109322d0f2e097616ece04d87d91649dff92bda1dc438400 256f" m~_5 = "4b0cff28fe171b5179977f6bed33413ba420e0656e468a579a7fdac983d2 4314" m~_6 = "6451fce17b93ed5dbf4d2aafbbd6afaa18e6f222046ac31ed2dc1d6df9a3 3291" m~_7 = "1f9c3ab790fbad9b71f74783969fb01a14fc7e1f417a38696b0430a77b68 fe94" m~_8 = "480b325408ff54ddd292d3c3ce8253c540cc8c32ef42308389bc9543c471 c2da" m~_9 = "5e02607fbd4d0af561e61c377e2b31c2ae1c589ba835f93bd7be3814f65e a450" m~_10 = "6849cc6bf9367386c4189859998d9c4993c84488f9b03d311c197499dda 1ee0c" m~_11 = "51b9c711f25213b6a63a9ae2ade5b0d517539992c40bb45297d0709b216 db36e" m~_12 = "6be3bcea66b6872421a2572b0c37cfdd0541d226a18fefdd60619217554 eb08d" m~_13 = "48fd2d36c9e119fba1ad5f5fef059838c7b0150f7a4088919ed9bf6934f 7c90b" m~_14 = "2c7589a2b29e0be25b1f592ecb84d072fb17659c4bfc6dfc54dba002623 f5a0c" m~_15 = "55976175ecac1373e3e27ed645de08514e66d50600363a6de6e791f3358 b06f2" m~_16 = "5a4d330bd5d5fe02528f8c3b2a7d3dcc223d11452f2f772e95cc36b74fc 4c60c" proof = "8b3f43fbbf9649ee4992f8f9659261229ea655edcf678c498387eb35b5a1bfc 9a6e75c35a0e278bd287dee634ea7ec999283bee904996317f39fe21acd540d 54d5b059a03fe710c3a7c7458903f1ce7f571f24f8d0b4c33e8a360156da17c d2a88ff88dda253a3514af6af70b8ca6d70b1b90ffe7a5f1ae1f84e0b5b773e 03d7bc3e6c802a908338cf2f4f9a4259472526f4e747167f3cdbf2f715e466a 9b7d08f3c7233f217b619725b6c3223c7b84c377876d362203f249d66cde689 6b6cc60a42f853dc5ff3da5a07fb84d58d6cf97171ef532345c47e174cf361f 02d77b9d8ab6a071841fe9b43eea903f2deea9a2d0a8a31d838682699132b1b ddf9f3dd47fca6888f74551c7cc0a11c65330a5c05eeeb95894d65abada470d 07712632baeeb40394aa01df3ec04032742d3bfee0cfee07ed3842cbaf27b31 a45f95e8435fa4a571ee0b417d264c62170397c4e04844a32d9b5688e5b94e1 Kalos & Bernstein Expires 9 January 2025 [Page 51] Internet-Draft Blind BBS Signatures July 2024 f62deb87394663e5c832d8d167ed7d45fbcf4eefc813f542cd9e9e4802d9e80 ca56a60fe06d86cf22d364d72e1bb0472d56bc80796e6f978707e9b6d67bcfa fceb5f57cc6a41b30b9f3c64871af1f97e0ad28edaf905b9f72035daacd33e1 535aacf2c44224f49cd6eb3b8d147a771491df19452f8139fe077219bc39ee0 73e05bf80d6250fcae0da2cc87df3e9998ad9d128ac6f5c078deef38e1d0b08 ad4cb9aa14bcbea8520f2bcd0944a645b9334d73a1e0267a62b76a822e09754 a749c4f4bb10bfcf0749dfec40056e60396a19c742bcb9bbe620ba677d47d28 ef7c45105a93d4c61af612349ac323a6da07dfc302e3e42cc13d623d9d4ec63 27efd0e94fa74bd0395ae8764846f75127f107a939dec73ca9201b1c920736b 6c79bfae80d5b540eab88696d9cf2b6509bdeea769f6ee6acc0f5b641d7c0c4 f10cffe8a5c40f92a63806b04e8c7827a519ec775080a5bad7a4a03fa6c4c70 86176a0fd26ee56b22016af620a0ecbea6b2879dc8abd8844a2b8a54bad1220 aa8ffc60313432d41fb9e730312cb8035d6200110545e919dee73be05732f30 3b6e7b458cc70e9a030cf9cad455a05707d0458785acc59bf834dfef" 8.1.3.8. No Commitment and Half Signer Messages Disclosed Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_ RANDOM_SCALARS_DST_" count = "1" Mocked RNG parameters for the proof: dst = "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_H2G_HM2S_PROOF_MOCK_RAND OM_SCALARS_DST_" count = "11" message_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a 45f02" message_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075 f9b80" message_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" message_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" message_5 = "496694774c5604ab1b2544eababcf0f53278ff50" message_6 = "515ae153e22aae04ad16f759e07237b4" message_7 = "d183ddc6e2665aa4e2f088af" message_8 = "ac55fb33a75909ed" message_9 = "96012096" message_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" commitment_with_proof = "null" Kalos & Bernstein Expires 9 January 2025 [Page 52] Internet-Draft Blind BBS Signatures July 2024 PK = "92d37d1d6cd38fea3a873953333eab23a4c0377e3e049974eb62bd45949cdeb18f b0490edcd4429adff56e65cbce42cf188b31bddbd619e419b99c2c41b38179eb00 1963bc3decaae0d9f702c7a8c004f207f46c734a5eae2e8e82833f3e7ea5" signature = "abc558ec1e0899c9ad878d4fd19fe9d622920684038ecaf81488c1b67c1 c49a6213f62674d08ac6eff67cf02b046ce4d4a70f7153dc7d6d4cbf17d c2a305acef53a4a4557ae63bdb87226df2e28df1d8" header = "11223344556677889900aabbccddeeff" ph = "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501" disclosed_indexes = "[ 0, 2, 4, 6, 8 ]" disclosed_commitment_indexes = "null" proverBlind = "null" signerBlind = "null" Proof trace: T1 = "8a7302ad35f4207653c47edc6b7f387cce99fa86ff70a5b321883ce7597c51 ecf9e0868f01ee8a88f75185831c3fcbb3" T2 = "93de57520db22920522b0333764b0d28c19883c5464230e8529555a28cee96 14f55c7ec33c568eed567dcb26bff8e944" domain = "62638964b2b8eb67c2635a8b87731e2f876e7e84fc4f051903022a731c 5fe3b8" // random scalars r1 = "517c6ba25814e7e8a6b1e1e7a1eaefbd13a47b874a249094592b51295c896b e6" r2 = "17d278dc4ff520d8bcde7c7f35e635c19d9d0e19e0f32e4900e4a69af300b2 f6" e~ = "658838c65c01e42cd39fe21885284cef7006630bf8b8ab9183bcc2d212778d ee" r1~ = "21e2ce874aaef017a9d67f01e432cd16bcf2794299e6594f5065b417d0039 f42" r3~ = "51a834a77851b6f5b476bd8ce9440019c0ba3b19a1739ae20e0834abca1fa cd4" // m_tilde_scalars m~_1 = "586ad615bf1d62d511c8737ebb6a0492e0769faed21e1fb23cbbdf898b25 ad55" m~_2 = "441e55f5927fb14f4059f4d4c7aad45b72349b50436cd8d2cd5ae3666ecd 64dd" m~_3 = "10292482d9e08dc8d3a14223dfdbe4a14433ddfbff0950732a12f99edd78 efd9" m~_4 = "1acd7900624f83027ee6c7700c579d10eaa0060dba6b9432247094971739 4645" m~_5 = "4e525012cc1649cd7a6a4d3a16899e39b9d877243716e6212effb6320294 a382" Kalos & Bernstein Expires 9 January 2025 [Page 53] Internet-Draft Blind BBS Signatures July 2024 proof = "b253fe314909bcc37d6ead780a45928b897b861df3ba0f2c17ba840a4e217d9 e8012ae2592071bdd6631c11b9976bcf691505448e21f8eaf2203dcc1c420b8 de04b019ab97500209344625de28897c7ef3c53b9648f26ccc664c960500425 b5690e1a97c1b0d339107ae11f72cc2662b304b2fabc7fc3b3752d85f831873 cf2ae01919569fa98f68182fa99847e4e7164fc6c351dbad13920dd6305222a d828dc1f2b3975b5ad7ceded3eec02626fb0402f777334696b7bb08a554f354 ae1edb98a9b19f1779ab5916d3358047e9531268a774ea28faa6f59bcafca49 c0aec12984639770aa4538ef169b0185c6356e55f1e9bee32b3b2c591fe33d5 0b4e578c80ed8e17b5518f4643ff6083bc9b76f023e0ab9422bc613b7f880da 93a1601600f1f4cb7edd0ac8013099fcc25685b3b0c1530c32568059c27dd07 555d044488a5597e1696c7890810ca5d72c5b12baf5b5344e6583a7d11f827b 25cb825b62a1fcf038962735dba259f656a97fe12063ebe486df17dcd7893ef 1ab894a50e9bb4de1b223db65e88e51f4371d8d8350265f2bf6e3dcde2dece6 3dd45ffcdecc8019f04664cb245f45ecdbc945e8a47723209efc268ab0e1f82 66a1c283c91434fcd8c149ac811b1b34677495c7ee0a79" 8.2. BLS12-381-SHA-256 Test Vectors 8.2.1. Commitment 8.2.1.1. No Committed Messages Mocked RNG parameters: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RANDO M_SCALARS_DST_" count = "2" committed_messages = "[ ]" secret_prover_blind = "1b6f406b17aaf92dc7deb911c7cae49756a6623b5c385b5ae 6214d7e3d9597f7" commitment_with_proof = "849d3cc626720202cbc1610fc01ab41ce32099af602def0 c579f37dd18b485ef60719275a036bdd8120e7e938c8e1a 3d4d0322587441ccc5caf186001b45dd09ee159713c3e3e a0f411f94a5d6665546562d09c093b687a129e464a57e18 cdbf5306bcabf3e7cc95f5ba98cdd9bf3768" 8.2.1.2. Multiple Committed Messages Kalos & Bernstein Expires 9 January 2025 [Page 54] Internet-Draft Blind BBS Signatures July 2024 Mocked RNG parameters: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RANDO M_SCALARS_DST_" count = "7" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" secret_prover_blind = "4fba5396baa36b2fde81d46a9b9ee89c425dbc5e1ffd65c20 249afb4abd37589" commitment_with_proof = "a2a3e178bcc77f98a3c07f8532134021ab5847326b5b3bf c3089ca73f1bc51cfe2c99163f4919525dd6bedc8a14ee3 9e30374643902017ca2e6fb8b5647c736e82d1d3c5b05de 5c3021fa6f40d9f36dd22fa06e522411aa20377088ca9a1 5885d7a5044175f0168e927149ee71e2d257079e0100d6d 96a7ddf5392dbc64267af8df7b4711cb5eeccb5e8901d05 80b9e837f38337cb7260cffcf4f962154fafe5c98beaed7 e4d2fc0f8e7eb1ba4eb04086f170aa4924894e2ab630540 49c9ef5dfff4f90b48ef0dcf1f50699907301073270e478 2d4d7628cfbe1444cea930928bb45004e41e0ad86a874ea 03473845ce42f78ceb6f855ba8326a4d47732c5aed3968b 396a07f079b22b5bf2139e51a03" 8.2.2. Signature 8.2.2.1. No Committed Messages, No Signer Messages Kalos & Bernstein Expires 9 January 2025 [Page 55] Internet-Draft Blind BBS Signatures July 2024 Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RANDO M_SCALARS_DST_" count = "2" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_RA NDOM_SCALARS_DST_" count = "1" SK = "60e55110f76883a13d030b2f6bd11883422d5abde717569fc0731f51237169fc" PK = "a820f230f6ae38503b86c70dc50b61c58a77e45c39ab25c0652bbaa8fa136f2851 bd4781c9dcde39fc9d1d52c9e60268061e7d7632171d91aa8d460acee0e96f1e7c 4cfb12d3ff9ab5d5dc91c277db75c845d649ef3c4f63aebc364cd55ded0c" commitment_with_proof = "849d3cc626720202cbc1610fc01ab41ce32099af602def0 c579f37dd18b485ef60719275a036bdd8120e7e938c8e1a 3d4d0322587441ccc5caf186001b45dd09ee159713c3e3e a0f411f94a5d6665546562d09c093b687a129e464a57e18 cdbf5306bcabf3e7cc95f5ba98cdd9bf3768" header = "11223344556677889900aabbccddeeff" messages = "[ ]" committed_messages = "[ ]" secret_prover_blind = "1b6f406b17aaf92dc7deb911c7cae49756a6623b5c385b5ae 6214d7e3d9597f7" signer_blind = "10e75ca49d242390896d9dd943b97ff23b8cb780bf27df185f51b33a baaa94e2" Signature trace: B = "8657e64b5d0002d46cb77f4c3f094ce2255e11d954bbf84b8ade0661b995fe5 ff36db1aa2a6bac22fcbe902f5e0dfbe6" domain = "0b3a152bc770ff9e21f09ac58f59c99379ca0eeb61990ba666d9940140 85b332" signature = "86d36893c07d903af95d51e8b825e55d865179bbf4d864be65c8120f487 957e8947ec51eb3d75b4116da0733fb448bb23b8a3df8c7574b114256a5 ea10e4ef3c04c1ca551f15d9add84afe8d1f778299" 8.2.2.2. Multiple Prover Committed Messages, No Signer Messages Kalos & Bernstein Expires 9 January 2025 [Page 56] Internet-Draft Blind BBS Signatures July 2024 Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RANDO M_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_RA NDOM_SCALARS_DST_" count = "1" SK = "60e55110f76883a13d030b2f6bd11883422d5abde717569fc0731f51237169fc" PK = "a820f230f6ae38503b86c70dc50b61c58a77e45c39ab25c0652bbaa8fa136f2851 bd4781c9dcde39fc9d1d52c9e60268061e7d7632171d91aa8d460acee0e96f1e7c 4cfb12d3ff9ab5d5dc91c277db75c845d649ef3c4f63aebc364cd55ded0c" commitment_with_proof = "a2a3e178bcc77f98a3c07f8532134021ab5847326b5b3bf c3089ca73f1bc51cfe2c99163f4919525dd6bedc8a14ee3 9e30374643902017ca2e6fb8b5647c736e82d1d3c5b05de 5c3021fa6f40d9f36dd22fa06e522411aa20377088ca9a1 5885d7a5044175f0168e927149ee71e2d257079e0100d6d 96a7ddf5392dbc64267af8df7b4711cb5eeccb5e8901d05 80b9e837f38337cb7260cffcf4f962154fafe5c98beaed7 e4d2fc0f8e7eb1ba4eb04086f170aa4924894e2ab630540 49c9ef5dfff4f90b48ef0dcf1f50699907301073270e478 2d4d7628cfbe1444cea930928bb45004e41e0ad86a874ea 03473845ce42f78ceb6f855ba8326a4d47732c5aed3968b 396a07f079b22b5bf2139e51a03" header = "11223344556677889900aabbccddeeff" messages = "[ ]" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" secret_prover_blind = "4fba5396baa36b2fde81d46a9b9ee89c425dbc5e1ffd65c20 249afb4abd37589" signer_blind = "10e75ca49d242390896d9dd943b97ff23b8cb780bf27df185f51b33a baaa94e2" Signature trace: B = "8cef19ef65942ba26e3937da185d026a80296b776e7f2a5bc510ac19e5080aa 7f6488ca9636aaa9a3057d0982fc3f6d8" domain = "13c94073eb7dbd279f60d5907c19d83e4a9ae19f99d6b3ca020785730a 3f37eb" Kalos & Bernstein Expires 9 January 2025 [Page 57] Internet-Draft Blind BBS Signatures July 2024 signature = "a85e436a6956de97d72409a4a125bdb0ec61838b2d022963e1599d43f5a 66e1dc223396f0a4de94b110068f48e9e596a5836f2b435d94238e25734 8346f6902363d9fd0212b4cfb10c71b1a60a6051ac" 8.2.2.3. No Prover Committed Messages, Multiple Signer Messages Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RANDO M_SCALARS_DST_" count = "2" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_RA NDOM_SCALARS_DST_" count = "1" SK = "60e55110f76883a13d030b2f6bd11883422d5abde717569fc0731f51237169fc" PK = "a820f230f6ae38503b86c70dc50b61c58a77e45c39ab25c0652bbaa8fa136f2851 bd4781c9dcde39fc9d1d52c9e60268061e7d7632171d91aa8d460acee0e96f1e7c 4cfb12d3ff9ab5d5dc91c277db75c845d649ef3c4f63aebc364cd55ded0c" commitment_with_proof = "849d3cc626720202cbc1610fc01ab41ce32099af602def0 c579f37dd18b485ef60719275a036bdd8120e7e938c8e1a 3d4d0322587441ccc5caf186001b45dd09ee159713c3e3e a0f411f94a5d6665546562d09c093b687a129e464a57e18 cdbf5306bcabf3e7cc95f5ba98cdd9bf3768" header = "11223344556677889900aabbccddeeff" messages_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4 a45f02" messages_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb07 5f9b80" messages_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" messages_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" messages_5 = "496694774c5604ab1b2544eababcf0f53278ff50" messages_6 = "515ae153e22aae04ad16f759e07237b4" messages_7 = "d183ddc6e2665aa4e2f088af" messages_8 = "ac55fb33a75909ed" messages_9 = "96012096" messages_10 = "" committed_message = "[ ]" secret_prover_blind = "1b6f406b17aaf92dc7deb911c7cae49756a6623b5c385b5ae 6214d7e3d9597f7" signer_blind = "10e75ca49d242390896d9dd943b97ff23b8cb780bf27df185f51b33a baaa94e2" Kalos & Bernstein Expires 9 January 2025 [Page 58] Internet-Draft Blind BBS Signatures July 2024 Signature trace: B = "99c95be56780fa694d182ca279de80297eb93fae1c8f398c7bc155b0a3be3ab c7c61813cfead8a35a89dc4d7118b266f" domain = "1430cf0a3d8a0519a9ecf47534b6026a7671935d9854ed5e68b42fdb54 3d5f7a" signature = "9354cc873de959c7739553fcf7742796c49a314152ccd94af1b7f74244d 26276197cbe6b5be575d678b05c39cf4ffedf12dc2196dbcffd2c187d0c 905325ce89171ab66f3672a966e4fd56a48f6af115" 8.2.2.4. Multiple Prover Committed and Signer Messages Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RANDO M_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_RA NDOM_SCALARS_DST_" count = "1" SK = "60e55110f76883a13d030b2f6bd11883422d5abde717569fc0731f51237169fc" PK = "a820f230f6ae38503b86c70dc50b61c58a77e45c39ab25c0652bbaa8fa136f2851 bd4781c9dcde39fc9d1d52c9e60268061e7d7632171d91aa8d460acee0e96f1e7c 4cfb12d3ff9ab5d5dc91c277db75c845d649ef3c4f63aebc364cd55ded0c" commitment_with_proof = "a2a3e178bcc77f98a3c07f8532134021ab5847326b5b3bf c3089ca73f1bc51cfe2c99163f4919525dd6bedc8a14ee3 9e30374643902017ca2e6fb8b5647c736e82d1d3c5b05de 5c3021fa6f40d9f36dd22fa06e522411aa20377088ca9a1 5885d7a5044175f0168e927149ee71e2d257079e0100d6d 96a7ddf5392dbc64267af8df7b4711cb5eeccb5e8901d05 80b9e837f38337cb7260cffcf4f962154fafe5c98beaed7 e4d2fc0f8e7eb1ba4eb04086f170aa4924894e2ab630540 49c9ef5dfff4f90b48ef0dcf1f50699907301073270e478 2d4d7628cfbe1444cea930928bb45004e41e0ad86a874ea 03473845ce42f78ceb6f855ba8326a4d47732c5aed3968b 396a07f079b22b5bf2139e51a03" header = "11223344556677889900aabbccddeeff" messages_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4 a45f02" messages_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb07 5f9b80" messages_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" messages_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" messages_5 = "496694774c5604ab1b2544eababcf0f53278ff50" Kalos & Bernstein Expires 9 January 2025 [Page 59] Internet-Draft Blind BBS Signatures July 2024 messages_6 = "515ae153e22aae04ad16f759e07237b4" messages_7 = "d183ddc6e2665aa4e2f088af" messages_8 = "ac55fb33a75909ed" messages_9 = "96012096" messages_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" secret_prover_blind = "4fba5396baa36b2fde81d46a9b9ee89c425dbc5e1ffd65c20 249afb4abd37589" signer_blind = "10e75ca49d242390896d9dd943b97ff23b8cb780bf27df185f51b33a baaa94e2" Signature trace: B = "937ae4c3c82f8666f235b4bbd5e25b56f3608220bf7e813766d755561c00c9e 98ea3cecc579b795683b6bb5bfc571cc6" domain = "1207ed090723fa7e41c07e970ebb647d1d043079cc2a38c650c32234f1 823936" signature = "aa1a66a6feafef7fa91f158c11d305bde01ead2352e3678c07472b7086d 4315d4b260340b6946cf59dc1f8c0529242811f45b727c933ce0221a9e8 e8f3bb9263e74b432e4ad4d203705f9aa87ad7fac9" 8.2.2.5. Multiple Prover Committed and Signer Messages, No Signer Blind Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RANDO M_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_RA NDOM_SCALARS_DST_" count = "1" SK = "60e55110f76883a13d030b2f6bd11883422d5abde717569fc0731f51237169fc" PK = "a820f230f6ae38503b86c70dc50b61c58a77e45c39ab25c0652bbaa8fa136f2851 bd4781c9dcde39fc9d1d52c9e60268061e7d7632171d91aa8d460acee0e96f1e7c 4cfb12d3ff9ab5d5dc91c277db75c845d649ef3c4f63aebc364cd55ded0c" commitment_with_proof = "a2a3e178bcc77f98a3c07f8532134021ab5847326b5b3bf c3089ca73f1bc51cfe2c99163f4919525dd6bedc8a14ee3 9e30374643902017ca2e6fb8b5647c736e82d1d3c5b05de Kalos & Bernstein Expires 9 January 2025 [Page 60] Internet-Draft Blind BBS Signatures July 2024 5c3021fa6f40d9f36dd22fa06e522411aa20377088ca9a1 5885d7a5044175f0168e927149ee71e2d257079e0100d6d 96a7ddf5392dbc64267af8df7b4711cb5eeccb5e8901d05 80b9e837f38337cb7260cffcf4f962154fafe5c98beaed7 e4d2fc0f8e7eb1ba4eb04086f170aa4924894e2ab630540 49c9ef5dfff4f90b48ef0dcf1f50699907301073270e478 2d4d7628cfbe1444cea930928bb45004e41e0ad86a874ea 03473845ce42f78ceb6f855ba8326a4d47732c5aed3968b 396a07f079b22b5bf2139e51a03" header = "11223344556677889900aabbccddeeff" messages_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4 a45f02" messages_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb07 5f9b80" messages_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" messages_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" messages_5 = "496694774c5604ab1b2544eababcf0f53278ff50" messages_6 = "515ae153e22aae04ad16f759e07237b4" messages_7 = "d183ddc6e2665aa4e2f088af" messages_8 = "ac55fb33a75909ed" messages_9 = "96012096" messages_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" secret_prover_blind = "4fba5396baa36b2fde81d46a9b9ee89c425dbc5e1ffd65c20 249afb4abd37589" signer_blind = "null" Signature trace: B = "8e1c3ee4b13e5936f9cb5f87342107ed9ab4417c04d6e5d712143a54bdb476a af4240e8a4f11a67d81feb1398f889889" domain = "1207ed090723fa7e41c07e970ebb647d1d043079cc2a38c650c32234f1 823936" signature = "9391c79efcc8840774374b2463b28912ce2aad9dca39136746810c8563f a2dcae7dc88a454cfc2db5305831fe9c70b0f0cce199707ce1ae88a1d28 28486c14d039c191c26bf3560a0f4e71e364d4781a" 8.2.2.6. No Commitment Signature Kalos & Bernstein Expires 9 January 2025 [Page 61] Internet-Draft Blind BBS Signatures July 2024 Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_RA NDOM_SCALARS_DST_" count = "1" SK = "60e55110f76883a13d030b2f6bd11883422d5abde717569fc0731f51237169fc" PK = "a820f230f6ae38503b86c70dc50b61c58a77e45c39ab25c0652bbaa8fa136f2851 bd4781c9dcde39fc9d1d52c9e60268061e7d7632171d91aa8d460acee0e96f1e7c 4cfb12d3ff9ab5d5dc91c277db75c845d649ef3c4f63aebc364cd55ded0c" commitment_with_proof = "null" header = "11223344556677889900aabbccddeeff" messages_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4 a45f02" messages_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb07 5f9b80" messages_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" messages_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" messages_5 = "496694774c5604ab1b2544eababcf0f53278ff50" messages_6 = "515ae153e22aae04ad16f759e07237b4" messages_7 = "d183ddc6e2665aa4e2f088af" messages_8 = "ac55fb33a75909ed" messages_9 = "96012096" messages_10 = "" committed_message = "null" secret_prover_blind = "null" signer_blind = "null" Signature trace: B = "874d657ff2b90023d18c8eb1d2fbc0beb8b9c1ae98a285db1076466edd7c0a3 179bc572d4f7b0e15b39cbe298d2023cd" domain = "1430cf0a3d8a0519a9ecf47534b6026a7671935d9854ed5e68b42fdb54 3d5f7a" signature = "ac477879f31a2fdb1256aaaef7880a080878ec7aa763e576d8a29ae25d1 f531aa092aed33eca25c8858c5c4eba33076011f17025852ca737d12cd3 6df49a21cae48bd1a6ad0fdd213a2b847e9cecad1a" 8.2.3. Proof 8.2.3.1. All Prover Committed Messages and Signer Messages Disclosed Kalos & Bernstein Expires 9 January 2025 [Page 62] Internet-Draft Blind BBS Signatures July 2024 Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RANDO M_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_RA NDOM_SCALARS_DST_" count = "1" Mocked RNG parameters for the proof: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_PROOF_MOCK_RANDOM _SCALARS_DST_" count = "6" message_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a 45f02" message_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075 f9b80" message_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" message_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" message_5 = "496694774c5604ab1b2544eababcf0f53278ff50" message_6 = "515ae153e22aae04ad16f759e07237b4" message_7 = "d183ddc6e2665aa4e2f088af" message_8 = "ac55fb33a75909ed" message_9 = "96012096" message_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" commitment_with_proof = "a2a3e178bcc77f98a3c07f8532134021ab5847326b5b3bf c3089ca73f1bc51cfe2c99163f4919525dd6bedc8a14ee3 9e30374643902017ca2e6fb8b5647c736e82d1d3c5b05de 5c3021fa6f40d9f36dd22fa06e522411aa20377088ca9a1 5885d7a5044175f0168e927149ee71e2d257079e0100d6d 96a7ddf5392dbc64267af8df7b4711cb5eeccb5e8901d05 80b9e837f38337cb7260cffcf4f962154fafe5c98beaed7 e4d2fc0f8e7eb1ba4eb04086f170aa4924894e2ab630540 49c9ef5dfff4f90b48ef0dcf1f50699907301073270e478 2d4d7628cfbe1444cea930928bb45004e41e0ad86a874ea 03473845ce42f78ceb6f855ba8326a4d47732c5aed3968b 396a07f079b22b5bf2139e51a03" Kalos & Bernstein Expires 9 January 2025 [Page 63] Internet-Draft Blind BBS Signatures July 2024 PK = "a820f230f6ae38503b86c70dc50b61c58a77e45c39ab25c0652bbaa8fa136f2851 bd4781c9dcde39fc9d1d52c9e60268061e7d7632171d91aa8d460acee0e96f1e7c 4cfb12d3ff9ab5d5dc91c277db75c845d649ef3c4f63aebc364cd55ded0c" signature = "aa1a66a6feafef7fa91f158c11d305bde01ead2352e3678c07472b7086d 4315d4b260340b6946cf59dc1f8c0529242811f45b727c933ce0221a9e8 e8f3bb9263e74b432e4ad4d203705f9aa87ad7fac9" header = "11223344556677889900aabbccddeeff" ph = "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501" disclosed_indexes = "[ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 ]" disclosed_commitment_indexes = "[ 0, 1, 2, 3, 4 ]" proverBlind = "4fba5396baa36b2fde81d46a9b9ee89c425dbc5e1ffd65c20249afb4a bd37589" signerBlind = "10e75ca49d242390896d9dd943b97ff23b8cb780bf27df185f51b33ab aaa94e2" Proof trace: T1 = "8059770ad8131b0fe99597a61cc03b2054f01c7d991d0ceec3ec7f495cb1e1 599f3817d0bd6762eaa3e665e778d6c0d1" T2 = "b02ae25106a0a0f4c6f2236347a19001b8496bef33534db5606ba5fd950803 4606e2b9d60e4139d4ac195121b063ac1b" domain = "1207ed090723fa7e41c07e970ebb647d1d043079cc2a38c650c32234f1 823936" // random scalars r1 = "2cf2bd257845b6138247ad87cb387aee347a9104fd1090f92e3b7559e855b0 68" r2 = "14f989abea9c9d0cbae6d72e2eb806ac7dbfcd08a8ed647ad5b8e16a83b94d 4a" e~ = "07e5d7e2b504d3e3075617400781df19831fac0763602bc494b3fe40dcdefb 47" r1~ = "35888226d06bd50f1901008bdf70b1472ad98304664828c6a0fa45b396cca 7d9" r3~ = "21e5d2a43d0190ddee9319dab20ad1bfaacf7c12399ac384fe9bf1235c191 907" // m_tilde_scalars m~_1 = "6683a44c7e1b057c7ce5e99dca9d71a091441b6c23ad9bfd45ba23862f61 0cf7" proof = "95b35609efaac8ae162df13e503761f5f3ba78b056aa00954a4705133dbf401 2777c99874fa769a60d5925dd4cb8e119ae8cf6d7d53a47dd9e999d09f3ffab 16b175b2be6ab7cb49dc3f10e0dc22e2222a9501fb205a73205016f45437d73 bd7914f246c258c1e6f3f03245ff335f65147adecd0380ecdc7ab2ffbd24609 f9376b8654b3d1b918b36a06bc03dbc09ed42a1632f03627023ccd62d613a90 fc0d9b51373679f33780044072ea6abc80bda4adf187ccddecc84cb95b55927 Kalos & Bernstein Expires 9 January 2025 [Page 64] Internet-Draft Blind BBS Signatures July 2024 3bb45afae1d9f9c4fe98463ff743c39bb7855b00e3d6c7c6d7b15089ff3e3a1 46507bb82a3a7c16b37af0b1148f2052832611a5d11796dbb529ad9616e7e97 881e5cee8d01593e4d5c61d5d584d09090b317221a7781f0e15568b87aa3900 5e62896ba934f5660ab25addd1cb0e26ec08289ad" 8.2.3.2. Half Prover Committed Messages and All Signer Messages Disclosed Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RANDO M_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_RA NDOM_SCALARS_DST_" count = "1" Mocked RNG parameters for the proof: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_PROOF_MOCK_RANDOM _SCALARS_DST_" count = "8" message_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a 45f02" message_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075 f9b80" message_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" message_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" message_5 = "496694774c5604ab1b2544eababcf0f53278ff50" message_6 = "515ae153e22aae04ad16f759e07237b4" message_7 = "d183ddc6e2665aa4e2f088af" message_8 = "ac55fb33a75909ed" message_9 = "96012096" message_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" commitment_with_proof = "a2a3e178bcc77f98a3c07f8532134021ab5847326b5b3bf c3089ca73f1bc51cfe2c99163f4919525dd6bedc8a14ee3 9e30374643902017ca2e6fb8b5647c736e82d1d3c5b05de 5c3021fa6f40d9f36dd22fa06e522411aa20377088ca9a1 5885d7a5044175f0168e927149ee71e2d257079e0100d6d Kalos & Bernstein Expires 9 January 2025 [Page 65] Internet-Draft Blind BBS Signatures July 2024 96a7ddf5392dbc64267af8df7b4711cb5eeccb5e8901d05 80b9e837f38337cb7260cffcf4f962154fafe5c98beaed7 e4d2fc0f8e7eb1ba4eb04086f170aa4924894e2ab630540 49c9ef5dfff4f90b48ef0dcf1f50699907301073270e478 2d4d7628cfbe1444cea930928bb45004e41e0ad86a874ea 03473845ce42f78ceb6f855ba8326a4d47732c5aed3968b 396a07f079b22b5bf2139e51a03" PK = "a820f230f6ae38503b86c70dc50b61c58a77e45c39ab25c0652bbaa8fa136f2851 bd4781c9dcde39fc9d1d52c9e60268061e7d7632171d91aa8d460acee0e96f1e7c 4cfb12d3ff9ab5d5dc91c277db75c845d649ef3c4f63aebc364cd55ded0c" signature = "aa1a66a6feafef7fa91f158c11d305bde01ead2352e3678c07472b7086d 4315d4b260340b6946cf59dc1f8c0529242811f45b727c933ce0221a9e8 e8f3bb9263e74b432e4ad4d203705f9aa87ad7fac9" header = "11223344556677889900aabbccddeeff" ph = "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501" disclosed_indexes = "[ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 ]" disclosed_commitment_indexes = "[ 0, 2, 4 ]" proverBlind = "4fba5396baa36b2fde81d46a9b9ee89c425dbc5e1ffd65c20249afb4a bd37589" signerBlind = "10e75ca49d242390896d9dd943b97ff23b8cb780bf27df185f51b33ab aaa94e2" Proof trace: T1 = "a10c2ea9e3eb0a2cebd5fa26fcd16c81de6b0de026532f120180242bbb0e034 7dfa13fc2e552178c2d7adeb12857848c" T2 = "a460971a2795085af0c5e130da6ba9dcdf4829d7803ae66205bbd6411fc49fa 9b7a2e4376ce08c6bab0df5d6e331f036" domain = "1207ed090723fa7e41c07e970ebb647d1d043079cc2a38c650c32234f18 23936" // random scalars r1 = "5a113c961c5d21bd78b50c3079ea482f5e861c20be37899d26e2ba565ea6709 3" r2 = "1ce7fcf7fc75bffdf3cd0a284a5cd4acf6be87df552fa937f246a38e8c03af0 b" e~ = "286458907bcd8e3fc535ed9575531919d1942a907ef8ed10360e292fca5ad0b b" r1~ = "40caa7858d917197f007c87ea7e80f638db1313b0e3d46612bb2e73798bb24 c8" r3~ = "6d30be5b88e8cb333e4872bdf0c4d7cffe4540eddf03eafaae3d4cb1f3ad1c da" // m_tilde_scalars m~_1 = "342ddc1b4e04cef472c764f5bda8afae4b189e78ffcbb519075a83e640c01 Kalos & Bernstein Expires 9 January 2025 [Page 66] Internet-Draft Blind BBS Signatures July 2024 00c" m~_2 = "51608282827ece21a8ed20b774e2ff129353416006317c16e409e1a925540 345" m~_3 = "0c1ff555f2b0f53e8859aff2947b22b1ef9d2be2c65621d8f6aa3252340fc af2" proof = "ae5d381f33044a0ea51b57c51b2519f6f1a0b47b2e5402fd5db57f2150f0e44 35a20e708d39fa469187e821356316852a58a1899c19750b876585fc7840206 c684d15bc4072d251997946e6b9641f48ee53dcb6372136fbd5aa85fa310a16 a7eb7b2e5ebaba4fa2b3d2127799e9642a0963f976c84bd4df2f1882d64394f 5e97199cdf20062ec9c3ba5c2d3b7977464817af4b34742aef6a233a54c1abc 990fe547b9f087cd0bf5404b17cf5c2a0c9af62b5be415ed3bdf0b95c3ed868 d79f03a4f1660e2da013fca2c237961a0a52b22044b9ed4c67edb74804d279c 5533ccc599ca42d49780d9c60e013e55a77db8045c09c8b035909802a1b0d57 ba47102929a04fa646ffd41b609bbcd6d2b8527d1559ba308e8872c06dc14e8 2c037ebcadb9889fbbc755c136a9c7d10e3048cd73c120bc0ebc3f4abbe448c 7c4f515752f06e4626eacb1b48dc3c033594e3501606e23ac97b00f1bd30611 ae8f5a23889d235d77a6f21405bd2e1c550421ddf45" 8.2.3.3. All Prover Committed Messages and Half Signer Messages Disclosed Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RANDO M_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_RA NDOM_SCALARS_DST_" count = "1" Mocked RNG parameters for the proof: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_PROOF_MOCK_RANDOM _SCALARS_DST_" count = "11" message_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a 45f02" message_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075 f9b80" message_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" message_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" message_5 = "496694774c5604ab1b2544eababcf0f53278ff50" message_6 = "515ae153e22aae04ad16f759e07237b4" message_7 = "d183ddc6e2665aa4e2f088af" message_8 = "ac55fb33a75909ed" message_9 = "96012096" Kalos & Bernstein Expires 9 January 2025 [Page 67] Internet-Draft Blind BBS Signatures July 2024 message_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" commitment_with_proof = "a2a3e178bcc77f98a3c07f8532134021ab5847326b5b3bf c3089ca73f1bc51cfe2c99163f4919525dd6bedc8a14ee3 9e30374643902017ca2e6fb8b5647c736e82d1d3c5b05de 5c3021fa6f40d9f36dd22fa06e522411aa20377088ca9a1 5885d7a5044175f0168e927149ee71e2d257079e0100d6d 96a7ddf5392dbc64267af8df7b4711cb5eeccb5e8901d05 80b9e837f38337cb7260cffcf4f962154fafe5c98beaed7 e4d2fc0f8e7eb1ba4eb04086f170aa4924894e2ab630540 49c9ef5dfff4f90b48ef0dcf1f50699907301073270e478 2d4d7628cfbe1444cea930928bb45004e41e0ad86a874ea 03473845ce42f78ceb6f855ba8326a4d47732c5aed3968b 396a07f079b22b5bf2139e51a03" PK = "a820f230f6ae38503b86c70dc50b61c58a77e45c39ab25c0652bbaa8fa136f2851 bd4781c9dcde39fc9d1d52c9e60268061e7d7632171d91aa8d460acee0e96f1e7c 4cfb12d3ff9ab5d5dc91c277db75c845d649ef3c4f63aebc364cd55ded0c" signature = "aa1a66a6feafef7fa91f158c11d305bde01ead2352e3678c07472b7086d 4315d4b260340b6946cf59dc1f8c0529242811f45b727c933ce0221a9e8 e8f3bb9263e74b432e4ad4d203705f9aa87ad7fac9" header = "11223344556677889900aabbccddeeff" ph = "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501" disclosed_indexes = "[ 0, 2, 4, 6, 8 ]" disclosed_commitment_indexes = "[ 0, 1, 2, 3, 4 ]" proverBlind = "4fba5396baa36b2fde81d46a9b9ee89c425dbc5e1ffd65c20249afb4a bd37589" signerBlind = "10e75ca49d242390896d9dd943b97ff23b8cb780bf27df185f51b33ab aaa94e2" Proof trace: T1 = "b07dbac9dc86fd07e135a432241ada37eac859d949190ef793e2cdb8b29069 ca39dc40aff3334761ceb4fe4e24b5731e" T2 = "a57ff147c6d214cc11b7ffcb867705d9f708225bf4be56e057b42c75bcbe68 2701fc29038c9925819779d2b2fec6adf2" domain = "1207ed090723fa7e41c07e970ebb647d1d043079cc2a38c650c32234f1 823936" Kalos & Bernstein Expires 9 January 2025 [Page 68] Internet-Draft Blind BBS Signatures July 2024 // random scalars r1 = "034d543fdd164520876e558a77c102d4ad8bc99bf82ebe74590481473df2df 56" r2 = "4a8334929ba48d36eb4ebc7f8bfa701b4d3f30ef25bc01e2a45ef9611c1603 7f" e~ = "19726feed8e0e5ff22e4f5de19713977beceb12c3e85c1f3fb41cfe4a7237d 1a" r1~ = "73012dc2f14039c8de5853b26baab7b51280a3f41425416d78a1a91fbaae9 bf2" r3~ = "68263029bdc322a3d6460758135205dec58957ff3e5397276a2f0ffdc738d 5e4" // m_tilde_scalars m~_1 = "52638b8d190f9fd439188b22c903507cfe5282296c2c9f605f1ef714afc1 4062" m~_2 = "2cbc33e381cf6ae09dbb6f1d08e3ea93a5aa03c4a6574fd2fa2e879dc4de eca9" m~_3 = "1ec36e6be1c702255d9aa4d590014b2b5de2f07d290c9551b66977cde157 094b" m~_4 = "5491612228a993693c79c11ae169dad9be4116a704ae9ed333ef96e39863 73a0" m~_5 = "6f4d920974d33c1e08c86b7f4b6bb7c58a5c0289d8d706a92d4855125cce db70" m~_6 = "279717a2b1e1d34cccfddfe9c8e3729f6e92e28197a09459c6dcd56e3920 a0d7" proof = "b912110a83e3645dfa2de4a569808b8e2088281f45a00429aa0c4a8dcbae13a 421f566d41f8b48d0bfdc6970d911a16886b87ccc69107bd0ec54690d415dd3 f2e07899a737951930375d55c76e14b394536c3b8555393841de0c5227bebbb f00935ce099219dd4f67defcb6e3ba5f428ba4ebcc1995eab806f3b68d484da 677f881d15c9e76f331b693a89de7846894125daf42ee6ca3dd6f3aa4d453d6 01d63e8f09b0d4b786f98206a513d3bd184004d8d9ee801d78eb56332ea6289 c91d70cf928c8c2fa760d38179616a7fb4a35d524b30f368e7ee5061dc191de b261dee18163812605a5e666ebad0609191a00166711b74fe54eb45afc41649 d4f06a336f30aa2a0f5d5dc80eb66bd4915c00fa417187306abf8d5ee20603f 5c9dd6d31cb120b4a95ac1e3eb32558e5e6aece931b94d532d7d7d5c5ca9f2b 8239d127fba284ff9fb0e091c1d7dba7f928dd497f6f42a2f9a9f12cdbb50b6 2fa79aad28266ccb04378fa6c0f0a580846d6ce1e264ef96b46bb2c34110301 e545933e51e4eba9d5092e3b158d8a412e52c3b260532173174c4ca43191bdb 8a8d97225c074c0f0799a724deeab447f101ccaed1df50b08901d5522b3ec56 1e4c4dbda9f257b8dfa584efb6d6ed437bd6c8bd80aa59" 8.2.3.4. Half Prover Committed Messages and Half Signer Messages Kalos & Bernstein Expires 9 January 2025 [Page 69] Internet-Draft Blind BBS Signatures July 2024 Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RANDO M_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_RA NDOM_SCALARS_DST_" count = "1" Mocked RNG parameters for the proof: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_PROOF_MOCK_RANDOM _SCALARS_DST_" count = "13" message_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a 45f02" message_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075 f9b80" message_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" message_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" message_5 = "496694774c5604ab1b2544eababcf0f53278ff50" message_6 = "515ae153e22aae04ad16f759e07237b4" message_7 = "d183ddc6e2665aa4e2f088af" message_8 = "ac55fb33a75909ed" message_9 = "96012096" message_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" commitment_with_proof = "a2a3e178bcc77f98a3c07f8532134021ab5847326b5b3bf c3089ca73f1bc51cfe2c99163f4919525dd6bedc8a14ee3 9e30374643902017ca2e6fb8b5647c736e82d1d3c5b05de 5c3021fa6f40d9f36dd22fa06e522411aa20377088ca9a1 5885d7a5044175f0168e927149ee71e2d257079e0100d6d 96a7ddf5392dbc64267af8df7b4711cb5eeccb5e8901d05 80b9e837f38337cb7260cffcf4f962154fafe5c98beaed7 e4d2fc0f8e7eb1ba4eb04086f170aa4924894e2ab630540 49c9ef5dfff4f90b48ef0dcf1f50699907301073270e478 2d4d7628cfbe1444cea930928bb45004e41e0ad86a874ea 03473845ce42f78ceb6f855ba8326a4d47732c5aed3968b 396a07f079b22b5bf2139e51a03" Kalos & Bernstein Expires 9 January 2025 [Page 70] Internet-Draft Blind BBS Signatures July 2024 PK = "a820f230f6ae38503b86c70dc50b61c58a77e45c39ab25c0652bbaa8fa136f2851 bd4781c9dcde39fc9d1d52c9e60268061e7d7632171d91aa8d460acee0e96f1e7c 4cfb12d3ff9ab5d5dc91c277db75c845d649ef3c4f63aebc364cd55ded0c" signature = "aa1a66a6feafef7fa91f158c11d305bde01ead2352e3678c07472b7086d 4315d4b260340b6946cf59dc1f8c0529242811f45b727c933ce0221a9e8 e8f3bb9263e74b432e4ad4d203705f9aa87ad7fac9" header = "11223344556677889900aabbccddeeff" ph = "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501" disclosed_indexes = "[ 0, 2, 4, 6, 8 ]" disclosed_commitment_indexes = "[ 0, 2, 4 ]" proverBlind = "4fba5396baa36b2fde81d46a9b9ee89c425dbc5e1ffd65c20249afb4a bd37589" signerBlind = "10e75ca49d242390896d9dd943b97ff23b8cb780bf27df185f51b33ab aaa94e2" Proof trace: T1 = "9075ca64308e91b8f1b16eddb698304111442267f9b15948ad9b82c79594f6 e1b9eb2a0fb0cd2618adaca274e0ca3e2d" T2 = "8d5a33789b00e275f30b6c5cf3d9820b2b259a1269856b1c4af78856938d54 120a97d6634c909e616ecb7f173cfdbd11" domain = "1207ed090723fa7e41c07e970ebb647d1d043079cc2a38c650c32234f1 823936" // random scalars r1 = "6fe2700deae18571f365d5b549a03eca3a19414532982cdb173e6442f8488a 82" r2 = "4cc007c238298166e67bcbc8332435b27f39879b75ab00ed5e6863f6296051 a4" e~ = "53f3c5e5ff89fb20a89d7fffa1198b13744d1ae78457119e5bb3da42d77bfe 56" r1~ = "14e6c0d53eba55936c1f1ff11d9775fde7bc366d1859cdbd9ec9f65510a19 b02" r3~ = "0a3c38367bd4f42d8b44d988580b40ad1c929a3844fd92e0d2c2a72479621 8b4" // m_tilde_scalars m~_1 = "4e27cd534e2d06c2af769760a2651010d8f2495066c4a4bbf33778f558c7 2b09" m~_2 = "2ea785a49f1b29d7f79323d5e369e3598665c6e6ed1352797dcdd20b249d 58fe" m~_3 = "438393d39c51a4efe0bf3b53acf17a7b26724ad7de58ff8bd5fdf9dea0f5 675e" m~_4 = "01d9d79da4918a57bd628cd625cba37cb3a278b419e04f5880c6cbc77c90 5c2f" m~_5 = "525ec7e60016e00e8e1d039d245bd7c44c4dbff8f566deb9e902d10819ed Kalos & Bernstein Expires 9 January 2025 [Page 71] Internet-Draft Blind BBS Signatures July 2024 c0b5" m~_6 = "1a65097b4ef6145d0ca4c8257e193afe8245c85a3cc934b1a28c876c7d65 809f" m~_7 = "5f3a2f4d08763ca6a6685aebb3eeb66a0887c750698b44ac17b7bed8ac3a 1fd6" m~_8 = "4c583e5e4fc913aa71989afc50cfd8c2024d64df96ed12c7ef82d50ed4d8 bb1b" proof = "8c351e989532f6b0e9c4992d7696c73c49a2e70bbb166fb71f2ff8face46383 725c9f4667cc22da193830fdd0dba8676b0fa5b9366b8005cbf6835c425a87e 3cce620572d609519943855ed39a67943a71bd4f37726c78451fe2f1a9772a3 1a389bb30d3c88ad5603db31249880fa3288af95f6767907d1f80590f004963 7e56444c46ddd967866df8db33abae2fcbac1594a8282dbf0bc1ac912cde526 43977554c57fbbbd154081093de13f10097e4707b62b4d69617df3635def324 b9fb5e7609a21c73f1076df97f50a7affe23bc1afdafde9b826b94db01d5ea9 9a70a576a5295af627bd44e62141305bef9c076546469d1cda2bde227cea9bf 01fcde7cfb1b69701cb332aba22214bf0f5cbd2a32a9e8f694a2168157407d1 0cfd99b9f78e928c3f0d9f2946ada6bcdf1d1a60717dbdee1cb372a80bfedb3 d517b6814d1e41e65bf34b1f947623db7752fd86c33e419498717f964e25706 72b781266b59acb7b67bf6b104f0735ab9f10b23604166b47d6d398d3433a77 60bdc9c14e4c96f0008d61f8f522d0107b7eec8633260de697afa05733d0e71 beca9fd9843139a9920c78e3efde8f837125f1ef3a2342502e26d8f53622496 b7a96ca5126c9f8db04ef7dd1d631cc91358cabd54027624aa2141fb9043ce3 a5f9225f0ab3437ddf4c014e2abbf665b9cef75ef1e90ca47d6c72943e03023 c946387c005e3822febfcafffa3c9c69a4f23b449c957825" 8.2.3.5. No Prover Committed Messages and Half Signer Messages Disclosed Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RANDO M_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_RA NDOM_SCALARS_DST_" count = "1" Mocked RNG parameters for the proof: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_PROOF_MOCK_RANDOM _SCALARS_DST_" count = "16" message_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a 45f02" message_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075 f9b80" Kalos & Bernstein Expires 9 January 2025 [Page 72] Internet-Draft Blind BBS Signatures July 2024 message_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" message_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" message_5 = "496694774c5604ab1b2544eababcf0f53278ff50" message_6 = "515ae153e22aae04ad16f759e07237b4" message_7 = "d183ddc6e2665aa4e2f088af" message_8 = "ac55fb33a75909ed" message_9 = "96012096" message_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" commitment_with_proof = "a2a3e178bcc77f98a3c07f8532134021ab5847326b5b3bf c3089ca73f1bc51cfe2c99163f4919525dd6bedc8a14ee3 9e30374643902017ca2e6fb8b5647c736e82d1d3c5b05de 5c3021fa6f40d9f36dd22fa06e522411aa20377088ca9a1 5885d7a5044175f0168e927149ee71e2d257079e0100d6d 96a7ddf5392dbc64267af8df7b4711cb5eeccb5e8901d05 80b9e837f38337cb7260cffcf4f962154fafe5c98beaed7 e4d2fc0f8e7eb1ba4eb04086f170aa4924894e2ab630540 49c9ef5dfff4f90b48ef0dcf1f50699907301073270e478 2d4d7628cfbe1444cea930928bb45004e41e0ad86a874ea 03473845ce42f78ceb6f855ba8326a4d47732c5aed3968b 396a07f079b22b5bf2139e51a03" PK = "a820f230f6ae38503b86c70dc50b61c58a77e45c39ab25c0652bbaa8fa136f2851 bd4781c9dcde39fc9d1d52c9e60268061e7d7632171d91aa8d460acee0e96f1e7c 4cfb12d3ff9ab5d5dc91c277db75c845d649ef3c4f63aebc364cd55ded0c" signature = "aa1a66a6feafef7fa91f158c11d305bde01ead2352e3678c07472b7086d 4315d4b260340b6946cf59dc1f8c0529242811f45b727c933ce0221a9e8 e8f3bb9263e74b432e4ad4d203705f9aa87ad7fac9" header = "11223344556677889900aabbccddeeff" ph = "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501" disclosed_indexes = "[ 0, 2, 4, 6, 8 ]" disclosed_commitment_indexes = "[ ]" proverBlind = "4fba5396baa36b2fde81d46a9b9ee89c425dbc5e1ffd65c20249afb4a bd37589" signerBlind = "10e75ca49d242390896d9dd943b97ff23b8cb780bf27df185f51b33ab aaa94e2" Proof trace: Kalos & Bernstein Expires 9 January 2025 [Page 73] Internet-Draft Blind BBS Signatures July 2024 T1 = "8d10a24de14f9fca79d959122f8002df7ec6c3d35f6fee46fbd0cb8f583afb 1fc5b6c9297b66ce1a27e80323cce19371" T2 = "8bef0e49dbfe055d5269ace37eb5922638d93d6bbeb731b990ad7c175a40da 1304b7f3696a40f650953853e5e7492ab4" domain = "1207ed090723fa7e41c07e970ebb647d1d043079cc2a38c650c32234f1 823936" // random scalars r1 = "143f08e576583f264b72129ca9892b9c688e13087ed3d9509f85c43120eb79 ad" r2 = "0217e712a7b1f6b5e65590f3f440f9d9ed25b76e065294fc728b866dbf4ef1 48" e~ = "33b25342e7badf42d6b56c2d2db9a20fbd96b87ff39d8cd471142f32098849 44" r1~ = "097f8d774312e72fd4f29f2d5d9d317b3f12942cdb9b2e9be3d191afe5cb8 b2b" r3~ = "5a77c4f0644db0007295cf51a6a31457573800802640c2b1cdf28e8ec2cf6 a9e" // m_tilde_scalars m~_1 = "0766852f1fa8f06c12dd87e3bb6f85162d2fcd7af8e9d14521b521dde5ff 8705" m~_2 = "65afb4d1a56075f316f72d2aa86fb9a8379a6ea1d47be68e55eeeb6cd176 f0d9" m~_3 = "04a0b83f6d79bb19a9230a7f3cfbe70a81371490dee785cb0a206a462f94 41ec" m~_4 = "4168e396ab4deb71c39e12e10ee26d8c0b8b56b136e78b64abdf0baabdb4 aa4f" m~_5 = "241cceaf36d43c7f1d56264ac98e7c35fcdfb5d77022334224fa05e43ab7 2e23" m~_6 = "59f396acf1d81dff23ea10d92dd718a0928fcd4f90585352b9f628df4904 808c" m~_7 = "057f3655600aaf1efe069fd15d1a8ed4f6b122fd3a54b9b2d0db6b7edf7c bfac" m~_8 = "2ddb9f0733eefa0c47edbe47f55601711d2a1b3d13c6f07747a4f6a7f940 5fb3" m~_9 = "30d19e2d1625799e21b7dc2b8cc08376863b7b1370aafac151216ecd5698 5814" m~_10 = "6f5c1c1071faced0bbdfb5e382ca6a0c62adf679128361ba48f890aca65 fb340" m~_11 = "496c5273ff17a2219473e75c203a4ee1210d43a3f31bbf18dbd262862e0 73bea" proof = "b3d9360a36d11dcbb895fa10e733036e7f9f71a86f0adf35f2bfb4feafe8a39 fe07732d05d794fa5e9f20a84b1529c5ca2ce37c3e30aaa1d40ddf00924e52e 4c205183624538e3229a91661e6a69804c635f169a3f13f2fd7ea20f54bd616 0948e19db59bba448ac3d7a6603af3b3849b5e2ac73f33cab2cce5261c4539b 4f6e5a1038f17dae24bb20cb084d0229e377532380d9d041d30275ac35ca8f0 Kalos & Bernstein Expires 9 January 2025 [Page 74] Internet-Draft Blind BBS Signatures July 2024 c85ed2030d7a7a087740fb17a3b726d09bbd56567d56a51ad0a647bc9cacd89 1c18f07e511186992b900e0191e9867b5b15045cbcfe57243ff74a7ba4ee894 1240248e6f79990f81cfc98ac88b90180de294049b55c70bf72af1283aa8d64 be6ec351bb3f43121f61ac1783253a9905d6b53530513c09315bdd04aad5643 699f68bd177e0c8525f4c725db1677b0046f84bbc29fc2d8170a012c531b4fd 957f3f2fdd98820658b0e631eb4bb537895b0c6d6669c8e8c880df40bfea0a8 cfe8434a90e8efd9e8e474e31a91862580630de574001fd07e404bc9b8a807c fa03f8bb03920d4535abed66b26bd16b6882a91c3147098d53c09f8f7dede10 7a6bdab8f67c5369fc56eb5f2bf90a3cb8ce555ac5c4b641f39867778f6d5e2 7178618091d2a2319d5a91db12da0b897782775860f7b03eecd5a7770681d34 8acf245d0d4c272fdb67358042bfade36b1c76640f05fda382b795690f6b279 b00add5e7be48c5e606e23d1829d1f72391249023671e37d0cff4e7317d5a1b 60542f04d06db8d273cafea3320a04c3c9f8690ab57ea80b7274c8ba8cd0001 2cf79abb154f66d63d3172c37870603e428843c5249c6c3f0e17f2679ebfa99 e4d2f7a873a9f59b0e51417d91242331e1fee078cb55c65d4cc" 8.2.3.6. Half Prover Committed Messages and No Signer Messages Disclosed Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RANDO M_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_RA NDOM_SCALARS_DST_" count = "1" Mocked RNG parameters for the proof: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_PROOF_MOCK_RANDOM _SCALARS_DST_" count = "18" message_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a 45f02" message_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075 f9b80" message_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" message_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" message_5 = "496694774c5604ab1b2544eababcf0f53278ff50" message_6 = "515ae153e22aae04ad16f759e07237b4" message_7 = "d183ddc6e2665aa4e2f088af" message_8 = "ac55fb33a75909ed" message_9 = "96012096" message_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf Kalos & Bernstein Expires 9 January 2025 [Page 75] Internet-Draft Blind BBS Signatures July 2024 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" commitment_with_proof = "a2a3e178bcc77f98a3c07f8532134021ab5847326b5b3bf c3089ca73f1bc51cfe2c99163f4919525dd6bedc8a14ee3 9e30374643902017ca2e6fb8b5647c736e82d1d3c5b05de 5c3021fa6f40d9f36dd22fa06e522411aa20377088ca9a1 5885d7a5044175f0168e927149ee71e2d257079e0100d6d 96a7ddf5392dbc64267af8df7b4711cb5eeccb5e8901d05 80b9e837f38337cb7260cffcf4f962154fafe5c98beaed7 e4d2fc0f8e7eb1ba4eb04086f170aa4924894e2ab630540 49c9ef5dfff4f90b48ef0dcf1f50699907301073270e478 2d4d7628cfbe1444cea930928bb45004e41e0ad86a874ea 03473845ce42f78ceb6f855ba8326a4d47732c5aed3968b 396a07f079b22b5bf2139e51a03" PK = "a820f230f6ae38503b86c70dc50b61c58a77e45c39ab25c0652bbaa8fa136f2851 bd4781c9dcde39fc9d1d52c9e60268061e7d7632171d91aa8d460acee0e96f1e7c 4cfb12d3ff9ab5d5dc91c277db75c845d649ef3c4f63aebc364cd55ded0c" signature = "aa1a66a6feafef7fa91f158c11d305bde01ead2352e3678c07472b7086d 4315d4b260340b6946cf59dc1f8c0529242811f45b727c933ce0221a9e8 e8f3bb9263e74b432e4ad4d203705f9aa87ad7fac9" header = "11223344556677889900aabbccddeeff" ph = "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501" disclosed_indexes = "[ ]" disclosed_commitment_indexes = "[ 0, 2, 4 ]" proverBlind = "4fba5396baa36b2fde81d46a9b9ee89c425dbc5e1ffd65c20249afb4a bd37589" signerBlind = "10e75ca49d242390896d9dd943b97ff23b8cb780bf27df185f51b33ab aaa94e2" Proof trace: T1 = "97ac4963e423f412385fa1df0bba2052266d3ccf17af3b44e3c41798558856 9f5233920aab5a62522e972845b0f59246" T2 = "a928b145aba19ea736d34e1267c37a05142ec49fea44752d7c113330d17f8f 91e56875766107a954a38903187fea2271" domain = "1207ed090723fa7e41c07e970ebb647d1d043079cc2a38c650c32234f1 823936" // random scalars r1 = "23d8b41f82e80a32c4606bf7198b6a85bfdcbb9a87773a54e668aa6cc50f4b 60" Kalos & Bernstein Expires 9 January 2025 [Page 76] Internet-Draft Blind BBS Signatures July 2024 r2 = "259cb8451e183911fd32701689c8da084a351cbc878edabb5c65892f5566cb ee" e~ = "0750d611202174343211411eb9aeb18d6b09057c51e9f9524cf1ec29a845a4 c9" r1~ = "519d28834203f545ce2e917b1428e59f4ca3e716351c2f03b9884bf3b84ee 5d9" r3~ = "664fd86f51bd56079f1f58e8f29881ca6881f9022b267a0842eb9bd66d8ff 116" // m_tilde_scalars m~_1 = "35c21b4641053b0e351cecc6b4f7aa9687771ea67785ba51ddb13ee3d661 6344" m~_2 = "2dec7bd3fcd718500184d41d750642b55d21ea63b494bdf41011dca9d707 5b57" m~_3 = "277ca0dcb0183675a981bfa22e2ad09c8a61b23761575078374a9df40cb6 3237" m~_4 = "3376f31a419eb425ae5375029f0f1caba349467ff477c30aa6a577ffbabc 162b" m~_6 = "68b417316ece357d32bd0e94f5211a900abf5888ec25ad7762d40413d45a 6ff5" m~_5 = "22808132ab0fea4b85a2b6621abc8f2e78b65f3417db2e8350bec0a5d02f 12f7" m~_8 = "1f45ce8d90d44399aafe97bd024636747766b670004c366af6b19dfd211f dae9" m~_7 = "668d12f5ef2c391c0dc06f1f2c1451d710c743311cd213c268bd7b410853 00d5" m~_9 = "304b07fecf8dcc052c29b4d52934a031d4abdad430c4bd3ccc65028d4e26 da8f" m~_10 = "02d05a55bcfe243c268154cc03f548ffa461f84c4087c7bbb6284e4e07f fee53" m~_11 = "3e20f9d1709e50cf709530e4e267f544eda9c4b9e214e4b133c20cda847 7ffe9" m~_12 = "6e41035b050e5ea1f97bc975eb5a63447470bc24639a7f63269e8b3f5d8 f94a3" m~_13 = "31dad9cf8ab3482296a766c4c6e2a97b2ad9e83cf8c83755940736235be a6e0e" proof = "ad668f95a4be5360e4f2f8ec1ad4b00f063b789f3b5329ccd2d99c977aad877 e3c36eb36a1eee6de485017293453513c8aa711894f40c925c0fd346f2d3504 cf143dafeefb1b80537868c0bd6805f890d61d2a35b498f397602ec2fd2716f 2778edb30bee705086a460dc2a2e9fb566cc5b3196ddc90ecf1e948ecc37bef eff39e978b0a4dc5f08e44351c6fd877dbf91a1afa6574a212cfa01d16659e0 b1229aa8d8f03d6b2dbb64b8d8153a6eb48bd53b9afcccd3e0acdeb20827f2b 7a25b08fe8e1667cad177c4aef6c465c4defa71d4cb70e106a7fc9b1f2fafe4 4eb3c268714e4b43bfa7f944b2786830c4e6b743a4bd51a695da6228dc6f9d9 42fd823536e54f80e42604e4ee7a270c43e26be343560e9f8021eb34ed8adfb 54f9f7e4d1b4803696653e0292894d2047b75a86339e6238472556c4d896adc f4f2170a41afa41abec1aa98d912458db314d112714792ed6c037ac8486a734 Kalos & Bernstein Expires 9 January 2025 [Page 77] Internet-Draft Blind BBS Signatures July 2024 580d1b89e60b371357fbf00bad30b911d330b7b544653a91c34a2bd8310849a f199a591066e6ae586e14b58ca7b5d0e6cdb6c020006693fbe9acc66513544e b56fdb3d1fd83a0b8277cdd9d2bf1ef810e19ff569c4224b6f9de5c73062aa9 74506f8e6a54f3e5a1cbb889b0ae22e72207fae79e83103af70d3d88599f9c6 197cad13804a4fd2986e7e113e75cf4774df86270bb249c245c6a2bf5f5a997 1f076321e9c472a8382d206dbadbf7f86362a6908005ad3920d132dfc49c4a9 5ff2ca2b6c69d433338bb5046ade2d17cd18f95c4f1e448341eebf78bc73aec 7f5f5a547eb9953663afb4aab2b82f9dd4ed2fc45bbb1f14bf35173f0117c77 51ce7c374d556fb528995ad82385144a524514233cc841746e21ebfed48bcda 634985b63facc07b4534679015c8d622fb8cf3795ab5e709b74421c2f362675 1b1f833dcd77252a3b0bd09cd22d0c594eb61aecef46aa27f2476" 8.2.3.7. No Prover Committed Messages and No Signer Messages Disclosed Mocked RNG parameters for commitment: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_COMMIT_MOCK_RANDO M_SCALARS_DST_" count = "7" Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_RA NDOM_SCALARS_DST_" count = "1" Mocked RNG parameters for the proof: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_PROOF_MOCK_RANDOM _SCALARS_DST_" count = "21" message_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a 45f02" message_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075 f9b80" message_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" message_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" message_5 = "496694774c5604ab1b2544eababcf0f53278ff50" message_6 = "515ae153e22aae04ad16f759e07237b4" message_7 = "d183ddc6e2665aa4e2f088af" message_8 = "ac55fb33a75909ed" message_9 = "96012096" message_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" Kalos & Bernstein Expires 9 January 2025 [Page 78] Internet-Draft Blind BBS Signatures July 2024 commitment_with_proof = "a2a3e178bcc77f98a3c07f8532134021ab5847326b5b3bf c3089ca73f1bc51cfe2c99163f4919525dd6bedc8a14ee3 9e30374643902017ca2e6fb8b5647c736e82d1d3c5b05de 5c3021fa6f40d9f36dd22fa06e522411aa20377088ca9a1 5885d7a5044175f0168e927149ee71e2d257079e0100d6d 96a7ddf5392dbc64267af8df7b4711cb5eeccb5e8901d05 80b9e837f38337cb7260cffcf4f962154fafe5c98beaed7 e4d2fc0f8e7eb1ba4eb04086f170aa4924894e2ab630540 49c9ef5dfff4f90b48ef0dcf1f50699907301073270e478 2d4d7628cfbe1444cea930928bb45004e41e0ad86a874ea 03473845ce42f78ceb6f855ba8326a4d47732c5aed3968b 396a07f079b22b5bf2139e51a03" PK = "a820f230f6ae38503b86c70dc50b61c58a77e45c39ab25c0652bbaa8fa136f2851 bd4781c9dcde39fc9d1d52c9e60268061e7d7632171d91aa8d460acee0e96f1e7c 4cfb12d3ff9ab5d5dc91c277db75c845d649ef3c4f63aebc364cd55ded0c" signature = "aa1a66a6feafef7fa91f158c11d305bde01ead2352e3678c07472b7086d 4315d4b260340b6946cf59dc1f8c0529242811f45b727c933ce0221a9e8 e8f3bb9263e74b432e4ad4d203705f9aa87ad7fac9" header = "11223344556677889900aabbccddeeff" ph = "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501" disclosed_indexes = "[ ]" disclosed_commitment_indexes = "[ ]" proverBlind = "4fba5396baa36b2fde81d46a9b9ee89c425dbc5e1ffd65c20249afb4a bd37589" signerBlind = "10e75ca49d242390896d9dd943b97ff23b8cb780bf27df185f51b33ab aaa94e2" Proof trace: T1 = "a688f2f75a0e1ba8519fca3272f8b4ae890744ca582f0e89a34767521fa751 9c04cfb63f5938d2da59fd03f032b659f0" T2 = "92a201a92637b9de1ea6053bb8686ad9851c2b0e5941e644e5de11618543eb aea16c5968db02922f8aa9a3aa79b02555" domain = "1207ed090723fa7e41c07e970ebb647d1d043079cc2a38c650c32234f1 823936" // random scalars r1 = "60d345d6f2bf3d7b6734145a0a1c84731771d9fb8f2caa849dc33a3e1ed429 06" r2 = "5fd44fc64975d153f17a73ce413b86211acf63e62494ae73a0865f068588fb 02" e~ = "6e3fdd342aa6c154fd11ba738e191c54f9877522f4648b466eb4ee1d301780 bb" r1~ = "3da42b3641758dc3d8bce1ced15d1fd1d291bfd533d11373248082eca6d45 d9c" Kalos & Bernstein Expires 9 January 2025 [Page 79] Internet-Draft Blind BBS Signatures July 2024 r3~ = "01be275b265a083b2b8a1ba7110576e28cfcad346717c512c3311ca403168 120" // m_tilde_scalars m~_1 = "67ff540238565851a1f98c6357507be2da16884e44ae26fe4d0a0a860753 2fbe" m~_2 = "5de3cb769cc629a9ab21fe29bb7acc06cd5df979826fabe26b78cc9ab67a 32f9" m~_3 = "1a14acb3666d2d123db8d19ec473dd980cb1100532be1abda1b941668b43 ff28" m~_4 = "4f03cb50f6a25f1f7f277682ab5965a772ac0b24e9ad2f1a7b42a047d8d7 adc6" m~_5 = "11ef78647f2fbdc57f8d29cab816584920596bbd3813d2ee7df7f44b2461 7f33" m~_6 = "4d7fb091d8f42be6fc0fc0401cc5ffbf0da7aad8951a451f26abf5820eec e429" m~_7 = "03b576c0e1b8063af7f9acc91784cb062920820e9b2d4baf11d55777d11e 2946" m~_8 = "5c8053e4347ad1c5f600a7d1d5aef448dc0fbbad6204430486c65e7216c1 8a73" m~_9 = "4b81ebb73b19c698f62d0fda7505452e97382b09bbe7821ef40fb1f3b3f2 6172" m~_10 = "1ab69f6373dcf9d87b75f2e140a34345a92f7952a44436832036bf6bc4f b3b75" m~_11 = "0f0059e68095e5edccc546ac5312234ed1d6b1ca65c4b13f77dc1b7bae4 623a2" m~_12 = "1372682d7f0522cf87aa4805f43d493c2beb7784fe9875712480a5bec63 a8b69" m~_13 = "366a39b41f91f2f6faee881f06c1077e9c65257fc75587353880f6406ff 828f0" m~_14 = "4eac85d64994ff0b48690a25055eb62f0f0b4a89095c54fc1b08fb7ba0e 90eae" m~_15 = "475da477f48d661e2271eefd16d7437a64f6ec7a4cda8deaacdc9c62754 89fe2" m~_16 = "3a9be520243abe976b50d5ad343692ac99e28d3d11e4e9a5cd458316d09 7ce36" proof = "8d1cc08eaace25a47e97b0f0a1eaf6a748aad4b15d2a769056b520fef96e061 9ef6be35b1b5ed5097ef127ae2fb950aeac675419153a7154204e29015963c2 2a9e8639b731989e336e9e0777dc534face34b26d5db97d6bb0ac29d9d1a97b 419841174ce8b0c2f0e4d5cc1dda2f5ae6ffdcc9c40d0cd7b7e8492134aa746 0b79f804235bcfbec9b8213aee93243de6c1066ff92bbe9ed5a5cb904757c40 101a0a17a6f2cca72697993833bf488e346ee460744b8988734f5f9232d79c5 a8821f05be4ce9099e19b857dadd287b55f8a202d76d918a000cf256f2d0a14 5ec71ee17c514816148230126a8ca71d8de486700f538e6c33b7c3ec16b85a4 3eac61acd7e98cb9e6c2ced8cd4552c1653c650705d102f436a0292046bf6c0 8b4ef96cce2ec56f659592edf9d8a082c682ad9da31cfe12ba6c9f21eb23c7d 4e569fabec33b677875db2c17dd1ad45b6973d6bfc09e551a7f2204b2024931 Kalos & Bernstein Expires 9 January 2025 [Page 80] Internet-Draft Blind BBS Signatures July 2024 4f1dc2e1bc099c25a0396f980acb3613449be4f8e0a5a197b565bb169e15f91 ab93d7d04b3316a16456d74f6ac9b05a6c65213577335cbe98fcde5747df9ee 17986d82014cc1db15a428292dfe6a350d1f7131b2d4d5092d784ced5b0a0b3 d5bdfecf03c9eecf9e5aad0d02a92ee9bd4b4cf69c328563fe25f309347b693 76ef47ad46ec6ece43bceed9664ca919888bdaf1162d7f3523c5616b3353774 74572c95441b523d34ee0aff14869ae71a51caab12887bef22c20c259a7ca0f 79f60bb0a8e76ca284ded334781838678e412e5ff79d0fdf3629e9259596e87 1aaf589d57cfde517ad672c126d43c89508763f9573b5b98ce113d511eec39e 99cbef97c87921148616eebf10e25c1fbd5f4cac6be569d44a746fb1a85ca99 596174bcf61df0a3cd78a34c601df931fdf29c2fac3d02a0152c5c6338a328e f725c6db9eb7ba3e1304168d280e6f861766772e37a10a2ef878d67759f017a 9a7a7aacff153b18c9f31895d56c764d5b1e7ff71cae7ca5dc5d0142a751e24 ada65b68f3b9dd6820a198f3ea04731ef24399b9121a9aa856d90b45dec193d 1518e13ff54a77765c7c3438c72a155e2fe178222fae1981fe5818bc" 8.2.3.8. No Commitment and Half Signer Messages Disclosed Mocked RNG parameters for the signature: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_SIGNATURE_MOCK_RA NDOM_SCALARS_DST_" count = "1" Mocked RNG parameters for the proof: dst = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_PROOF_MOCK_RANDOM _SCALARS_DST_" count = "11" message_1 = "9872ad089e452c7b6e283dfac2a80d58e8d0ff71cc4d5e310a1debdda4a 45f02" message_2 = "c344136d9ab02da4dd5908bbba913ae6f58c2cc844b802a6f811f5fb075 f9b80" message_3 = "7372e9daa5ed31e6cd5c825eac1b855e84476a1d94932aa348e07b73" message_4 = "77fe97eb97a1ebe2e81e4e3597a3ee740a66e9ef2412472c" message_5 = "496694774c5604ab1b2544eababcf0f53278ff50" message_6 = "515ae153e22aae04ad16f759e07237b4" message_7 = "d183ddc6e2665aa4e2f088af" message_8 = "ac55fb33a75909ed" message_9 = "96012096" message_10 = "" committed_message_1 = "5982967821da3c5983496214df36aa5e58de6fa25314af4cf 4c00400779f08c3" committed_message_2 = "a75d8b634891af92282cc81a675972d1929d3149863c1fc0" committed_message_3 = "835889a40744813a892eff9deb1edaeb" committed_message_4 = "e1ca9729410dc6ba" committed_message_5 = "" commitment_with_proof = "null" Kalos & Bernstein Expires 9 January 2025 [Page 81] Internet-Draft Blind BBS Signatures July 2024 PK = "a820f230f6ae38503b86c70dc50b61c58a77e45c39ab25c0652bbaa8fa136f2851 bd4781c9dcde39fc9d1d52c9e60268061e7d7632171d91aa8d460acee0e96f1e7c 4cfb12d3ff9ab5d5dc91c277db75c845d649ef3c4f63aebc364cd55ded0c" signature = "ac477879f31a2fdb1256aaaef7880a080878ec7aa763e576d8a29ae25d1 f531aa092aed33eca25c8858c5c4eba33076011f17025852ca737d12cd3 6df49a21cae48bd1a6ad0fdd213a2b847e9cecad1a" header = "11223344556677889900aabbccddeeff" ph = "bed231d880675ed101ead304512e043ade9958dd0241ea70b4b3957fba941501" disclosed_indexes = "[ 0, 2, 4, 6, 8 ]" disclosed_commitment_indexes = "null" proverBlind = "null" signerBlind = "null" Proof trace: T1 = "9069c438a3b8df1402e4b4675b7ac17f07d8c991baf55a7dd9b8a9fef52092 9c51540f98ad5182ea0299343e2859e95b" T2 = "b9e2a34b9780298689783b5e29b79a22031f3300f9eed29edc3610bdd71e4f ec5cd3c27dd474bbc51547d2f6547d520d" domain = "1430cf0a3d8a0519a9ecf47534b6026a7671935d9854ed5e68b42fdb54 3d5f7a" // random scalars r1 = "034d543fdd164520876e558a77c102d4ad8bc99bf82ebe74590481473df2df 56" r2 = "4a8334929ba48d36eb4ebc7f8bfa701b4d3f30ef25bc01e2a45ef9611c1603 7f" e~ = "19726feed8e0e5ff22e4f5de19713977beceb12c3e85c1f3fb41cfe4a7237d 1a" r1~ = "73012dc2f14039c8de5853b26baab7b51280a3f41425416d78a1a91fbaae9 bf2" r3~ = "68263029bdc322a3d6460758135205dec58957ff3e5397276a2f0ffdc738d 5e4" // m_tilde_scalars m~_1 = "52638b8d190f9fd439188b22c903507cfe5282296c2c9f605f1ef714afc1 4062" m~_2 = "2cbc33e381cf6ae09dbb6f1d08e3ea93a5aa03c4a6574fd2fa2e879dc4de eca9" m~_3 = "1ec36e6be1c702255d9aa4d590014b2b5de2f07d290c9551b66977cde157 094b" m~_4 = "5491612228a993693c79c11ae169dad9be4116a704ae9ed333ef96e39863 73a0" m~_5 = "6f4d920974d33c1e08c86b7f4b6bb7c58a5c0289d8d706a92d4855125cce db70" Kalos & Bernstein Expires 9 January 2025 [Page 82] Internet-Draft Blind BBS Signatures July 2024 proof = "b54ac6e1bde3f3cb16d939774db0678f6ca4076231ca919cee3284b75e9c587 73d0e13952d9d12863349551a198596768b998049451200915af5a577b1d884 01487920851c4ca66b15c1b23430d99edddff019282de51cf2aa475de61ae2a 4ad936d649f19d0e85a19118e5e13e2beabf2d705e1db59f8945adddafc7731 0b0a02042093a5477d9efd4a98cb2fad4dc541dcf9f7f6d76be6702e1481754 65a96ce0544b6f01aa53a99c686313a12155a3ffa17787b0fea91ce58c74d71 84f4ca4c0826ecc63e97b29f6f17672a14cfe139fc8043df0fe2931c4045cef a53d0b80233838fd3f6059cb6b0138b56c1d7db18cc3b3cb687bd8f88f90753 0b9f1a640ef0db8df8eb7b39835874560f4222995d47850de322c7ad845d6ee f499848d16fd5903860de2e955792f9914df2d4da32e2598e45ae4b0d606f77 599b4b12378b8fd2baf899e90258013a7fec685c550e163a988dc15ce35a3d2 d4ffcc3e897baa42ff39e4dd3108ba4bb82d19b3e4120fbfaed85949f2a21b4 ba61dac6403f71ae52ff26df78bf17bbcea8670363a3279717a2b1e1d34cccf ddfe9c8e3729f6e92e28197a09459c6dcd56e3920a0d74418e8d35e4956443a 5e4e33d3341a5aa93a817e53e6f05c84e6c432a0e3ef29" 9. IANA Considerations This document does not make any requests of IANA. 10. Normative References [I-D.irtf-cfrg-bbs-signatures] Looker, T., Kalos, V., Whitehead, A., and M. Lodder, "The BBS Signature Scheme", Work in Progress, Internet-Draft, draft-irtf-cfrg-bbs-signatures-06, 26 June 2024, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 11. Informative References [BG18] Bootle, J. and J. Groth, "Efficient Batch Zero-Knowledge Arguments for Low Degree Polynomials", In CRYPTO, 2018, . [I-D.ietf-privacypass-protocol] Celi, S., Davidson, A., Valdez, S., and C. A. Wood, "Privacy Pass Issuance Protocol", Work in Progress, Kalos & Bernstein Expires 9 January 2025 [Page 83] Internet-Draft Blind BBS Signatures July 2024 Internet-Draft, draft-ietf-privacypass-protocol-16, 3 October 2023, . [P91] Pedersen, T., "Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing", In CRYPTO, 1991, . Authors' Addresses Vasilis Kalos MATTR Email: vasilis.kalos@mattr.global Greg M. Bernstein Grotto Networking Email: gregb@grotto-networking.com Kalos & Bernstein Expires 9 January 2025 [Page 84]