I'm maintaining walletscrutiny.com, and the people most knowledgeable about bitcoin wallets are bitcoin wallet developers, but they are also very reluctant to talk about the flaws of their competitors unless in private with a beer.

I want to provide a tool where they can establish that they are one of 100 wallet developers and thus report as a self-accredited expert. So we would identify nostr accounts that work as wallet developers, and each of them can then write as a member of that group anonymously.

So the scheme should not require all the wallet devs to participate in a setup ceremony, and there should not be any secret setup either. I need it to work for the first expert willing to throw a stone, with a set of npubs of their choice should my choice not be to their liking.

Discussion

For our purpose, linkability would be ok, as it would prevent some Sybil attack where one author pretends to be 20, but if it's vastly easier to have non-linkable ring signatures, that's ok, too.

Yes, right. I get where you're coming from. I agree that linkability is a nice-to-have feature here, maybe not essential. For spontaneity, yes, you get that with the AOS style (and all of its derivatives: LWW, LSAG, etc.). I guess in practice it only ever mattered in cryptocurrency, because the nice idea of spontaneous ring formation rarely ended up being useful in practice: people have to have a key that you can spontaneously choose, and if the number of such people is small enough, why not choose them all? IIRC Liu, Wei and Wong actually covered this point in one interesting way, suggesting that you could spontaneously form ring sigs over keys of different types (e.g. RSA and ECDSA, etc.).
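To make the LSAG construction mentioned above concrete, here is an added worked example (not code from the thread, from any participant, or from walletscrutiny.com) of a Liu-Wei-Wong linkable spontaneous anonymous group signature over secp256k1 in pure Python. The ring is just a list of public keys, so no setup ceremony or trusted secret is needed; the signer picks the ring and their own index. The three developer keys, the messages and the try-and-increment hash-to-point are constructed for the example, and the arithmetic uses affine coordinates with no constant-time guarantees, so it is for study, not for production use.

```python
import hashlib
import secrets

# secp256k1 domain parameters (y^2 = x^3 + 7 over F_P, base point G of order N)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return r


def encode_point(pt):
    """Compressed SEC encoding; a single zero byte for infinity."""
    if pt is None:
        return b"\x00"
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def hash_to_point(data):
    """Try-and-increment hash-to-curve (P % 4 == 3, so sqrt is a single pow)."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(data + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
        ctr += 1


def hash_to_scalar(ring_bytes, key_image, message, z1, z2):
    h = hashlib.sha256(ring_bytes + encode_point(key_image) + message
                       + encode_point(z1) + encode_point(z2)).digest()
    return int.from_bytes(h, "big") % N


def lsag_sign(message, ring, secret, pi):
    """Sign `message` as an anonymous member of `ring`; `secret` belongs to ring[pi]."""
    n = len(ring)
    ring_bytes = b"".join(encode_point(y) for y in ring)
    h = hash_to_point(ring_bytes)            # ring-specific base for the key image
    key_image = ec_mul(secret, h)            # links signatures by the same key on this ring
    c, s = [0] * n, [0] * n
    u = secrets.randbelow(N - 1) + 1
    c[(pi + 1) % n] = hash_to_scalar(ring_bytes, key_image, message, ec_mul(u, G), ec_mul(u, h))
    i = (pi + 1) % n
    while i != pi:                            # close the ring with random responses
        s[i] = secrets.randbelow(N - 1) + 1
        z1 = ec_add(ec_mul(s[i], G), ec_mul(c[i], ring[i]))
        z2 = ec_add(ec_mul(s[i], h), ec_mul(c[i], key_image))
        c[(i + 1) % n] = hash_to_scalar(ring_bytes, key_image, message, z1, z2)
        i = (i + 1) % n
    s[pi] = (u - secret * c[pi]) % N          # only the real signer can solve this step
    return (c[0], s, key_image)


def lsag_verify(message, ring, sig):
    c0, s, key_image = sig
    ring_bytes = b"".join(encode_point(y) for y in ring)
    h = hash_to_point(ring_bytes)
    c = c0
    for i in range(len(ring)):
        z1 = ec_add(ec_mul(s[i], G), ec_mul(c, ring[i]))
        z2 = ec_add(ec_mul(s[i], h), ec_mul(c, key_image))
        c = hash_to_scalar(ring_bytes, key_image, message, z1, z2)
    return c == c0


def demo():
    """Constructed scenario: three developer keys, developer 1 files two reports."""
    keys = [secrets.randbelow(N - 1) + 1 for _ in range(3)]
    ring = [ec_mul(x, G) for x in keys]
    report = b"constructed report text"
    sig1 = lsag_sign(report, ring, keys[1], 1)
    sig2 = lsag_sign(b"second constructed report", ring, keys[1], 1)
    sig3 = lsag_sign(b"third constructed report", ring, keys[2], 2)
    return {
        "valid": lsag_verify(report, ring, sig1),
        "tampered_rejected": not lsag_verify(report + b"!", ring, sig1),
        "same_author_linked": sig1[2] == sig2[2],      # Sybil check: same key image
        "different_author_unlinked": sig1[2] != sig3[2],
    }


if __name__ == "__main__":
    print(demo())
```

The key image is derived from the ring itself (`hash_to_point` of the encoded public keys), so two reports are linkable only when the signer used the same ring both times; a developer who signs once over one set of npubs and once over another will not be linked, which matters if the point of linkability is to catch one author posing as twenty.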

From a 20-minute look through the results for "ring signature" on GitHub, I agree with you that it's hard or impossible to find an existing library that is reputable enough/well enough developed to be usable for a generic ring signature application of the type you're looking for. It's, I guess, a function of the fact that ring signatures never reached the threshold of common usage that would have led to them being included in the big crypto toolkits you find in popular languages like Python and JavaScript. After all, they were never standardized by NIST, and I don't think an RFC exists.

It might be better to just allow anonymous submission *without* a keyset, like they do for whistleblowers. The nature of such reports is that they can be verified anyway, right, so that you don't need to trust the one reporting.

Ephemeral keys without group membership. Hmm ... then it will be a free-for-all and spammy. Verifying the non-spam might be possible, but might it drown in low-effort accusations? Also, I want nut zaps to be possible. With ephemeral keys, who will store those?

I didn't actually mean ephemeral keys, but I suppose such a thing is possible. I also didn't consider zaps, but that seems to add nontrivial complexity either way.