Request for Funding: BLS sigs research

This is a request for funding for a research project in compliance with Grin’s open research problems (https://grin.mw/open-research-problems).

As this is my first funding request, the project is kept narrow and focused. It is my intention, however, to contribute to Grin’s research in the long term.

The project is to address the first problem on the list, which is to further investigate BLS signatures and their suitability to Grin (see also https://github.com/mimblewimble/grin/issues/2504).

The funding sought are for €5000 and the project time frame is a single month.

After discussing with several community members, it is my understanding that the main interest in BLS signatures is for kernel aggregation (due to the (non-interactive) signature aggregation ability), while the worries are mainly about the security guarantees.

After reviewing the materials on Grin’s different platforms and talking with community members, it seems to me that the disadvantages of BLS are fairly articulated, while the potential benefits are to be further investigated.

The main objectives of the project are the following:

• Put simple the security assumptions and explain the known vulnerabilities due to state-of-the-art attacks.

• Initial research on how BLS could be used for kernel aggregation.

• Get myself exposed to other features and research problems, like scriptless scripts and non-interactive transactions.

The last two objectives are an initial preparation for future contribution.

In more detail, my plan is the following:

• Review the security of BLS and pairing-based cryptography – I have very good knowledge in the area, yet there are new assessments (due to recent attacks) about the size of the curve’s base field needed in order to obtain a desired bit security.

• Review how BLS may enable kernel aggregation and hopefully proposing an initial construction – the advantage of BLS is straightforward due to the signature and public key aggregation ability; it remains to understand how such construction should look for the purposes of Grin, I had some discussion about it on keybase.

• Study GandalfThePink’s “BLS signatures in Mimblewimble” proposal (https://github.com/mimblewimble/grin/issues/2504#issuecomment-467446197), which includes kernel aggregation and some sort of non-interactive transaction process – I have already started studying this proposal, yet the full construction remains unclear.

• Understand the implications on scriptless scripts – I have no prior knowledge.

• [optional] Addressing related issues, if raised (e.g. efficiency: since the arithmetic involved in BLS is more complicated than simple elliptic curve operations, verification is significantly less efficient than other (elliptic curve based) signature schemes).

My plan is to finalise the project in one month time.

About me

My formal education is at the level of a PhD, which is in mathematics and specifically the mathematics of public key cryptography; this also includes post-quantum cryptography. I worked as a post doctoral researcher for a year and a half, and for over a year, until recently, I have been working as a researcher for a funded blockchain project (still in development, currently running testnet) - I am not involved with this project anymore.

I got exposed to mimblewimble about a year ago. My interest in this novel approach was immediate, but I was too busy to carefully study it. I would like to change this now.

The funding would allow me to put a focus on researching mimblewimble.

Thanks for this, I’m glad to see a request coming in for our Open Research Problems!

Funding request added as a point in the agenda for the next governance meeting on April 21 @ 3PM UTC.

This sounds awesome

Do you have any of your research papers publicly available?

Hi @DrazenV. Welcome :).

I’m very happy to finally see a funding request!

There is a lot to discuss in your request but it’s a good start!

First and foremost do you want to stay anonymous? We would need something like previous work, publications or anything that can validate the education/skills mentioned above. Thank you!

I think it’s great you applied! I echo some others that it would be great if you showed some of your work - I’m assuming you’re not anonymous. Even though I’m leaning towards not switching to BLS, I think it would be great to research the options there.

Hi @DrazenV. This sounds really interesting. Thank you for putting a proposal together.
I’m wondering if maybe it makes sense to split this proposal out into pre-requisite work followed by a proposal for subsequent research.

This is likely a pre-requisite, with a solid understanding of this necessarily in place before we can really start thinking about the tradeoffs inviolved with a BLS solution.

This is very likely a pre-requisite. It would be really valuable for the wider community if somebody could take time to review this in detail with a thorough understanding of how this relates to various earlier BLS discussions.
Is this technically possible? Is the proposal solid?

This is a pre-requisite. Any further research, at least directionally, should consider the implications here.

So maybe one way to approach this would be a “literature review” to summarize where we stand today, taking the above into account.

• Schnorr signatures and lack of signature aggregation
• BLS signature aggregation and how this relates to Grin transaction kernels today
• GandalfThePink proposal for non-interactive transactions (summary of what is being proposed and why it does or does not work)

This would give us a solid baseline and starting point for evaluating further possible research and investigation.

With this summary of our current “state of play” I suspect a funded 1 month research project would naturally emerge.

Thanks for looking at the proposal.

If applicable, I would like to stay anonymous, though I wouldn’t like to make a big deal of it. It is mainly my will to keep myself private (or rather unlinkable) online as much as possible.

If it matters, since I value my privacy I priced my proposal to take that into account (to be clear: I won’t change the funding request in any case, but I hope it is something that will be taken into account). I understand the concern and will take a couple of days to consider the right approach for me. I am happy to hear from the community for suggestions.

Again, I don’t want this to become an issue.

First I’d like to say that I am happy to revise my proposal with feedback from the community about Grin’s needs, as long as it fits my expertise. That is why I took the time to discuss on keybase and understand what are the main community interests before submitting this proposal.

Secondly, I basically agree with the view in @antioch’s post. Besides of the first task, which is to review the current attacks on elliptic curve pairings (actually DLP in extention fields) and the subsequent implications (I already know of several claims that the popular curve called “BLS381-12” does not provide the standard 128 bit security), the other tasks are indeed a preparation/ pre-requisites for further research. I hope that it is already clear in my proposal.

I tried to explain in my proposal that I am asking for the funding in order to be able to dedicate more time into researching Grin.
For example, I know that there’s a lot of interest in the “BLS signatures in Mimblewimble” document. I looked at this proposal several times, and I actually don’t believe that the aggregation proposed there works. But in order to formally convince myself that this is the case, I need to study it more thoroughly. Another example is some recent discussions about non-interactive txs, that should be carefully studied.

I am more than happy to hear what the community thinks. In particular, if we break the tasks, what should be the top priority.

You could agree to make yourself known to one member of the Grin council with whom you could share examples of previous work/research, as a means of validating that you are sufficiently qualified to knowledgeably research the proposed topics. The council member would have to agree not to divulge your identity to anyone else but verify to the council (and wider community) that you are who you say you are – a sort of Pedersen Commitment, albeit open to a “Man-in-the-Middle” attack. Some kind of penalty bond (denominated in Grin) could be put in escrow that would become payable to you should your real identity be reliably traced back to the nominated council member acting as the MITM. By design of such a scheme, the nominated council member would need to have sufficient expertise to assess your CV and I suggest that @Tromp would be a very suitable candidate.

“I priced my proposal to take that into account”

Are you kidding ?

Full time professors earn about this amount of money per month in France (5,000euros). Associates half of this. And it often is for ten years after they have finished their phD.

You have proven nothing to the community, you are new, and probably lying about your credentials, and you want to ask for a salary that junior lawyers don’t even win per month (in France), while sitting on your desk and working on introductionary problems that you could be doing by yourself and provided no proof that you can do them.

If I am rude, it is because I take the very fact that you stay anonymous in this context as something very alarming and disrespectful to the persons that take the time to give attention to your proposal. at least to me.

It doesnt take a phD to understand that, given you are totally unknown by everyone here, you have to provide proof (and it would not even be sufficient) that you did what you claimed you did. not doing that does not demonstrate a lot of maturity and a lot of effort from your side.

For my personal opinion, even if you have done a phD and a post doc, it is not sufficient to give 5,000 euros for someone that just proposes to introduce himself to problems that don’t even take a phD or a Master degrees to learn and understand.

5,000 euros. Any junior phD that may have more knowledge than you (we still do not know if your phD or post doc are something you really did) would dream about.

And I am not saying all that so that you lower your request.
I am saying that because I find it disrespectful for our times that you pretend you have to think about giving your identity or not for a few days.

You could have thought of that before I think.
The question and the concern about your identity has been raised since one week on keybase, and you just ignored and responded nothing

For how much more time do you want to make us lose our time ?

What if the community agree to pay the 5000 euros only when some agreed-upon quality work results are delivered? Some kind of proof-of-work ?

The main problem is, that funds cannot be handed over to unknowns.
You could get in touch with someone from the Grin Council in private for providing proof. That would usually not endanger your privacy because your data will not get disclosed this way. Or you could start working on your proposal and if the initial results you provide proves that what you say and claim is correct, then the request could be granted retroactively. This requires of course some trust in the grin counsel to do so, but that would be basically the same amount of trust that is claimed with the request for funding.

In addition to some of the concerns listed above, I have to say I find the way this is worded very ambiguous. Do you have a PhD in mathematics or not?

I find it odd that people are concerned with their anonymity. I was accused of being apart of a three letter government agency for suggesting that anonymous people shouldn’t control vital assets such as funds or domains… Most everyone fought for supporting anonymity, especially for a privacy coin. Now the tone is very different. If the concern is being a dedicated member of the community and proven capability to deliver then just say this as your reasons for not agreeing with the proposal. I hope @DrazenV proves their capabilities and everyone benefits from the results. Personally, I am inclined to be for this proposal because of the need for more cryptographic research, but I did find it a little off that the bulk of the proposal was research/reading/thinking rather than delivering/building. Either way, I hope cooler heads prevail and @DrazenV sticks around because I’ve appreciated his insight thus far.

He gave 0 insight on his research, dude.

He said “extension field” and “subgroup” a few times. impressive.

And mentioned “recent attacks” on BLS.
Tatatsoin!
Its pathological and a great case study of robbery attempt.

But I will buy some pop corns and wait for his new intervention if any

Yes, please stick around @DrazenV, regardless of whether you have a PhD in mathematics or not.

In your dreams, if I can say . He will stick around only if he thinks he has still a chance to get the funding.

He shows quite poor involvement here and on keybase overall. Hardly knows what a signature is (no shame for that, but considering the context…) Takes one or two days each time to really think twice and prepare good answer to try to continue his lie

You spend enough time on grin discussions and tout your math skills and

then why don’t you take a week or however long it takes and do this for the community? I don’t get why you were engaging @DrazenV on keybase and are taking this approach here. If you’re suggesting it’s easy to do what he’s proposing then please do it. We’d all appreciate it.

“No need PhD” and “easy to do” are totally different things. But I always love your ability to deform the things that people say

take the olympiads, high school level, and understand the pain

The points of what I say is not about Drazen skills. He might be a genius I dont know. The thing on the signature I mentioned was just to inform people that it is very likely that he lies for his funding request, not to trash on his skills as a community participant.

I actually liked Drazen the first few days and weeks he was on keybase. I didnt imagine really he was lying at that point. Started to have very strong doubts until recently and it disappoints me even more

I decided to follow @antioch’s advise and break the project into several (pre-requisite) tasks, so I am halting the funding request. Hopefully in the process the community will gain more confidence in my capabilities.

I think that the top priorities are:

1. GandalfThePink’s document - I will study the proposal in greater detail, and report.
2. Review the overall security - this requires some research work: read the relevant papers, understand the attacks, verify the claims and understand their applicability.

I hoped that the discussion here would mostly revolve around the content of the project, to help in shaping it, like @antioch and @johndavies24 feedback (the goal set by Grin is to explore BLS, so it is mostly a research, rather than a constructive, work. The interest in BLS is clear, and the proposed project aimed to give an initial construction, but developing it further on to a complete kernel aggregation construction is in fact another open problem on Grin’s list).

Yes, I do.

If this is reversible, let me know. It seems to me that you get upset with what I said about pricing my proposal. I think that our point of view is just different. I have been working in the industry and know my value there. I think that comparing to academia is a bit problematic, for example professors know that they have job security for life - here we are talking about a single project.
We had some previous discussion on keybase, so I’ll answer there. I hope it’s fine by you.