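The 2018 paper "Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers"; an implementation is available in the code repository.
Coconut: a threshold-issuance signature scheme for selective disclosure credentials that allows partial claims to be aggregated into a single credential. The final credential is 2 group elements in size, independent of both the number of attributes it contains and the number of authorities/issuers.
Coconut supports revealing specified message(s). This is set through the `revealed_msg_indices: HashSet` parameter of the `PoKOfSignature::init()` function. Message(s) can be set as public (`known_messages`) or private (`count_hiddent`). The public messages are used to compute the shared parameter `h`:
```rust
let h = Self::compute_h(&commitment, &known_messages);
```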
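2. Security
Coconut is built on pairing curves; its security depends on:
The `ProveCred` step adds two random values r, r' (corresponding to the variables `t`, `r` inside the `init()` function of `PoKOfSignature`), which addresses brute forcing by the verifier:
It uses:
- Secret sharing (as below, $(x,y)=(v(0),w(0))$ is unknown to all authorities and users; the threshold is supported at this stage).
- Sigma-protocol zero-knowledge proofs (used for the vector commitment proof, among others; see https://github.com/lovesh/ps-sig/blob/master/src/pok_vc.rs).
- Blind signatures (see the implementation details of the `PrepareBlindSign`, `BlindSign` and `Unblind` flows).
Comparison of Coconut's main features: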
- The Lagrange interpolation coefficients are computed as follows (for the point set $(1,x_1),(2,x_2),...,(t-1,x_{t-1}),(t,x_{t})$ to obtain $(0,x_0)$, and for the point set $(1,y_1),(2,y_2),...,(t-1,y_{t-1}),(t,y_{t})$ to obtain $(0,y_0)$):
$$l_i=[\prod_{j=1,j\neq i}^{t}(0-j)][\prod_{j=1,j\neq i}^{t}(i-j)]^{-1}=[\prod_{j=1,j\neq i}^{t}(j)][\prod_{j=1,j\neq i}^{t}(j-i)]^{-1}$$
It follows that $x_0=\sum_{i=1}^{t}l_ix_i,\ y_0=\sum_{i=1}^{t}l_iy_i$.
For the detailed code implementation, see: https://github.com/lovesh/secret-sharing-schemes/blob/master/src/polynomial.rs
```rust
use std::collections::HashSet;
// FieldElement is the scalar-field element type used by the linked repository.

/// Return the Lagrange basis polynomial at x = 0 given the x coordinates
pub fn lagrange_basis_at_0(x_coords: HashSet<usize>, i: usize) -> FieldElement {
    let mut numerator = FieldElement::one();
    let mut denominator = FieldElement::one();
    let i_as_field_elem = FieldElement::from(i as u64);
    let neg_i = -i_as_field_elem; // -i
    for x in x_coords {
        // Skip the share's own index: the product runs over x != i
        if x == i {
            continue;
        }
        // numerator = numerator * x
        let x_as_field_elem = FieldElement::from(x as u64);
        numerator = &numerator * &x_as_field_elem;
        let x_minus_i = &x_as_field_elem + &neg_i;
        // denominator = denominator * (x - i)
        denominator = &denominator * &x_minus_i;
    }
    // Invert the denominator in place
    denominator.inverse_mut();
    // (x_coords[0]) * (x_coords[1]) * ... / ((x_coords[0] - i) * (x_coords[1] - i) * ...)
    numerator * denominator
}
```
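An added example (not from the original post or the linked repository): the same reconstruction carried through end to end over a toy prime field $2^{61}-1$, generalised from the indices $1..t$ in the formula to any subset of share indices. The field choice, the helper names `eval` and `reconstruct`, and the sample polynomial are assumptions made for illustration; Coconut itself works in the scalar field of its pairing curve.

```rust
use std::collections::BTreeSet;

// Toy prime field (2^61 - 1), an assumption for this example; Coconut uses the
// scalar field of its pairing curve.
const P: u128 = (1 << 61) - 1;

fn mul(a: u128, b: u128) -> u128 { a * b % P }
fn sub(a: u128, b: u128) -> u128 { (a + P - b) % P }

// Modular inverse by Fermat's little theorem: a^(P-2) mod P.
fn inv(a: u128) -> u128 {
    let (mut base, mut exp, mut acc) = (a % P, P - 2, 1u128);
    while exp > 0 {
        if exp & 1 == 1 { acc = mul(acc, base); }
        base = mul(base, base);
        exp >>= 1;
    }
    acc
}

// Evaluate v(x) = coeffs[0] + coeffs[1]*x + ... (Horner); coeffs[0] is the secret v(0).
fn eval(coeffs: &[u128], x: u128) -> u128 {
    coeffs.iter().rev().fold(0, |acc, c| (mul(acc, x) + c) % P)
}

// l_i = prod_{j in ids, j != i} j * (j - i)^{-1}, for an arbitrary set of share indices.
fn lagrange_basis_at_0(ids: &BTreeSet<u128>, i: u128) -> u128 {
    let (mut num, mut den) = (1u128, 1u128);
    for &j in ids.iter().filter(|&&j| j != i) {
        num = mul(num, j);
        den = mul(den, sub(j, i));
    }
    mul(num, inv(den))
}

// Recover v(0) = sum_i l_i * v(i) from the shares (i, v(i)).
fn reconstruct(shares: &[(u128, u128)]) -> u128 {
    let ids: BTreeSet<u128> = shares.iter().map(|s| s.0).collect();
    shares.iter().fold(0, |acc, &(i, y)| (acc + mul(lagrange_basis_at_0(&ids, i), y)) % P)
}

fn main() {
    // Constructed sample: threshold t = 3, n = 5 authorities, secret x = v(0) = 1234.
    let v = [1234u128, 166, 94];
    let shares: Vec<(u128, u128)> = (1..=5).map(|i| (i, eval(&v, i))).collect();
    println!("{}", reconstruct(&[shares[0], shares[2], shares[4]]));
    println!("{}", reconstruct(&[shares[1], shares[3]]));
}
```

Any three of the five shares interpolate back to the secret, while two shares yield an unrelated field element, which is the property the threshold issuance relies on.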
5. Coconut implementation flow
The basic flow is as follows:
References:
[1] The 2018 paper "Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers"
[2] Code repository: https://github.com/lovesh/coconut-rust
[3] Blog post: an introduction to blind signatures