IETF Logo Mail Archive

Re: [CFRG] I-D Action: draft-irtf-cfrg-rsa-blind-signatures-06.txt

Christopher Wood <caw@heapingbits.net> Fri, 09 December 2022 02:37 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F3EBC157B56 for <cfrg@ietfa.amsl.com>; Thu, 8 Dec 2022 18:37:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=OE/6Xk8A; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=BHocXDt2
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hGn1bRJWzmcJ for <cfrg@ietfa.amsl.com>; Thu, 8 Dec 2022 18:37:49 -0800 (PST)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3A33C15257B for <cfrg@ietf.org>; Thu, 8 Dec 2022 18:37:49 -0800 (PST)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id B7F375C00C3; Thu, 8 Dec 2022 21:37:48 -0500 (EST)
Received: from imap41 ([10.202.2.91]) by compute2.internal (MEProxy); Thu, 08 Dec 2022 21:37:48 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=cc:cc:content-transfer-encoding:content-type:date:date:from :from:in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm2; t=1670553468; x= 1670639868; bh=Beu39NOS0TyfX061jrBlZMsOt9Qr4rkwcqnmitZL4OY=; b=O E/6Xk8A2J8sblCY8o5poEayHCEVhNj4P2X9n2Ha2tQJ/UWNCoghKEPTlE341ywJb x4DB0ntPob8LiQee+wPRluj4DOEhWQMaRb1tiRulnZ+bkFTPhYEa22VrNgVQYJI1 v96y1/zsmhkNiGbLybvA9YhknU/qrsUQ8bfqjjF+ljIW+ygO0mJkmF9ez9x3MsoO rtLluQ8Ih6f9WWHTIyvxBRvnFEI6eNAUXQ+9LLm6e43iSfQuUPqtw6yo9ks5P89R lZPKZNCP6C05YVEZTRgVPiu7zcNsR30WREuDsrcHkrJr502nqECzaMGE/yB/KDwm rsS6kNu76cuoWFydHl2Aw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1670553468; x= 1670639868; bh=Beu39NOS0TyfX061jrBlZMsOt9Qr4rkwcqnmitZL4OY=; b=B HocXDt2apa1zN0hl09GigWMZWGCViktWlNNn7CnujCf07SXF8/pUj/B8WD4InCpX KcOyDpZw12864bjjYBNyQG1SaeJEq3ec7g/rW62VQ73/g91Q/OJAhEpuTmteugAM Ia089a7lTGyAPIAIToUVZ/Uekz/s7Pf09VVnYDZ2g1SLD2hmp86kNa9YR5L77syE SqkgMwTQBGR9O1jCfpQr/EDZuYEawtxdbxM8TY46VuyHGVFQTO/y5bmmRo/CrKic lucIQISNVuyDuhT8WDJXhJBmIw4N1SH0o7Nh2D4gAhAi9UQdA3TunCnNW5jZ6MB5 M5FdF+3EQsl/JC4nZlcYg==
X-ME-Sender: <xms:fJ-SY7vEew5_xQ-bZLx1vv0BV6yxDMW0s3klJDaOKr5IA698cFA9eg> <xme:fJ-SY8fhzCv5iPL5ejN_DAHZSVa3ygQZhkjlREgv_IJdA-HPRSeZfMNvMmA3Aa5wX kovC1plfkHLEBg-igs>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrvddugdehtdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvvefutgfgsehtqhertderreejnecuhfhrohhmpedfvehh rhhishhtohhphhgvrhcuhghoohgufdcuoegtrgifsehhvggrphhinhhgsghithhsrdhnvg htqeenucggtffrrghtthgvrhhnpedufeekjeetleejhfdtfeffkeefheefgefhfefhfedt fffggeektdelkefgveeigeenucffohhmrghinhepihgvthhfrdhorhhgnecuvehluhhsth gvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheptggrfieshhgvrghpihhn ghgsihhtshdrnhgvth
X-ME-Proxy: <xmx:fJ-SY-xD6WVsGanJiMSZU0mdkuFrHSTvrjqJsrKIgfrBbbz8tNCsOg> <xmx:fJ-SY6Nfy4EA4Ja3Lda7BeEViNTbVmySzOKPn-sDK46uxs3oFnVVIQ> <xmx:fJ-SY7_uC7w0Mn8lyZUYNFCMLqtMDUN0N1Zx3PRVep4xYIJvf9H8aA> <xmx:fJ-SY4LmKpAMXEPIWtvQPWQ0lXGX5MujrvY1awJEKgxRNh0Us7KuJw>
Feedback-ID: i2f494406:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 71F80234007B; Thu, 8 Dec 2022 21:37:48 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.7.0-alpha0-1115-g8b801eadce-fm-20221102.001-g8b801ead
Mime-Version: 1.0
Message-Id: <affc0a02-de7e-4b48-ab25-19901f90e970@app.fastmail.com>
In-Reply-To: <20221209023411.GE7583@yoink.cs.uwaterloo.ca>
References: <166906886082.62494.8820552099363522855@ietfa.amsl.com> <6A1E08FD-09CF-4929-94DD-8B7A8E6CACBA@heapingbits.net> <CAMmp5CAt-A+qJTDbhwj14b24DUGD+xzxrbBpPGM2hCYfNVA4-w@mail.gmail.com> <CAJowLmN8CZRS9V0N5tW=XohC9QNYRE-FpMe=errGSETAq7WT1w@mail.gmail.com> <20221129225921.GR7583@yoink.cs.uwaterloo.ca> <E6C680D7-9480-4E43-BFD9-5A38BB8B1CB3@heapingbits.net> <20221208182902.GB7583@yoink.cs.uwaterloo.ca> <3F70E0F6-9F5D-4A78-BB9B-8FC23F8F60D5@heapingbits.net> <72F9CFE3-CCEF-4D55-9E62-CF70EEF65AC4@heapingbits.net> <20221209023411.GE7583@yoink.cs.uwaterloo.ca>
Date: Thu, 08 Dec 2022 21:37:28 -0500
From: Christopher Wood <caw@heapingbits.net>
To: Ian Goldberg <iang@uwaterloo.ca>
Cc: cfrg@ietf.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/40oaVkfrqQ4xXclUBxBKOy_D4ag>
Subject: Re: [CFRG] I-D Action: draft-irtf-cfrg-rsa-blind-signatures-06.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Dec 2022 02:37:54 -0000

Do you think there’s a more clear way to describe this property? If not, maybe we could give an example (maybe as described in this thread) to illustrate the idea.

On Thu, Dec 8, 2022, at 9:34 PM, Ian Goldberg wrote:
> On Thu, Dec 08, 2022 at 09:03:51PM -0500, Christopher Wood wrote:
>> 
>> 
>> > On Dec 8, 2022, at 8:57 PM, Christopher Wood <caw@heapingbits.net> wrote:
>> > 
>> > 
>> > 
>> >> On Dec 8, 2022, at 1:29 PM, Ian Goldberg <iang@uwaterloo.ca> wrote:
>> >> 
>> >> On Thu, Dec 08, 2022 at 12:37:55PM -0500, Christopher Wood wrote:
>> >>> Thanks, Ian! Please see inline below.
>> >>> 
>> >>>> On Nov 29, 2022, at 5:59 PM, Ian Goldberg <iang@uwaterloo.ca> wrote:
>> >>>> 
>> >>>> On Tue, Nov 29, 2022 at 01:47:40PM +0000, Franziskus Kiefer wrote:
>> >>>>> Chris asked me to review the draft.
>> >>>> 
>> >>>> Me as well.  My notes are below.
>> >>>> 
>> >>>> In Section 1, [I-D.irtf-cfrg-voprfs] is a broken reference.
>> >>>> Interestingly, Section 1 motivates this document with, "Specifically,
>> >>>> VOPRFs are not necessarily publicly verifiable", but
>> >>>> draft-irtf-cfrg-voprf-16 (which is presumably what the dangling link is
>> >>>> supposed to point to) _is_ publicly verifiable
>> >>>> (https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-16#section-2.2.2)
>> >>>> Is there another motivation for using RSA instead of
>> >>>> draft-irtf-cfrg-voprf-16?  Is it just the "in such a way that the
>> >>>> resulting (unblinded) signature can be verified with a standard RSA-PSS
>> >>>> library"?  As you point out here, VOPRFs are strongly related to
>> >>>> deterministic blind signatures.  Should VOPRFs be discussed in Section
>> >>>> 8.7?
>> >>> 
>> >>> We decided not to make a change here. The full text reads:
>> >>> 
>> >>>  Recently, interest in blind signatures has grown to address
>> >>>  operational shortcomings from applications that use Verifiable
>> >>>  Oblivious Pseudorandom Functions (VOPRFs) [VOPRF], such as Privacy
>> >>>  Pass [PRIVACY-PASS].  Specifically, VOPRFs are not necessarily
>> >>>  publicly verifiable, meaning that a verifier needs access to the
>> >>>  VOPRF private key to verify that the output of a VOPRF protocol is
>> >>>  valid for a given input.
>> >>> 
>> >>> 
>> >>> The important bit here is that the private key is needed to verify the VOPRF value, which is what publicly verifiable means in this context. We determined this was clear enough as-is, but if you have concrete suggestions for how to improve it further, please do share!
>> >> 
>> >> But that's exactly what I'm saying is _not_ true for
>> >> https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-16#section-2.2.2
>> >> since you only need the public key (A and B), not the private key (k) to
>> >> verify.
>> > 
>> > I’m still not sure I see the confusion, so please bear with me as we zero in on it. I wonder if it’s the non-interactive nature of this property that we’re missing? In an attempt to clarify, let me try to explain my thinking (and apologies in advance if this is all obvious).
>> > 
>> > In this draft, public verifiability means that anyone with the output of the protocol (the signature) can _non-interactively_ verify it using the input of the protocol (the message that was signed and the public key). For Blind RSA, this property trivially holds, since the output is a digital signature that anyone with the public key and message can verify. For the VOPRF case, the output (y) is the PRF result and the input (x) is the PRF input and public key (g^k). The only way to non-interactively verify this output, i.e., to check that y = H(x, H2C(x)^k)), is with access to the VOPRF private key.
>> 
>> Oh, I should that by “anyone with the output of the protocol” I mean, importantly, someone that did not run the protocol in the first place. You’re right in that the client which runs the protocol can verify the VOPRF output. But the important point here is that the client verifying the output is not the client that ran the protocol to produce the output, which is why we describe it as being “publicly verifiable."
>> 
>> By the way, please do let us know if there’s a better or more accurate term to describe this property.
>
> Ah, I see what you're getting at now. The VOPRF protocol in
> https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-16#section-3
> would prove to anyone that evaluatedElement is the correct answer for
> the input blindedElement, but not that the final output is the correct
> answer for the original input; only the client that ran the protocol
> knows that connection between input and blindedElement.
>
> Sounds good to me.

v2.46.0 | Report a Bug | By Email | System Status