IETF Logo Mail Archive

Re: [CFRG] I-D Action: draft-irtf-cfrg-rsa-blind-signatures-06.txt

Christopher Wood <caw@heapingbits.net> Fri, 09 December 2022 01:57 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5E90C1516FB for <cfrg@ietfa.amsl.com>; Thu, 8 Dec 2022 17:57:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=3m8Y6v4W; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=n5w9TNG8
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VGCMmP8Q8Gvm for <cfrg@ietfa.amsl.com>; Thu, 8 Dec 2022 17:57:28 -0800 (PST)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91B4DC1516E3 for <cfrg@ietf.org>; Thu, 8 Dec 2022 17:57:28 -0800 (PST)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id A03FC5C0049; Thu, 8 Dec 2022 20:57:27 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162]) by compute5.internal (MEProxy); Thu, 08 Dec 2022 20:57:27 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=cc:cc:content-transfer-encoding:content-type:date:date:from :from:in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm2; t=1670551047; x= 1670637447; bh=swC2Vj6503ZnsOBpkxlbGB4OzkEW7fgSIzygyzMDqCQ=; b=3 m8Y6v4WJWpDs5ilj1VGY5C8WTNspNUz3nEr4VBuvrONY7c6lc4B24icOCwh1PnFC +0X75hRWQYB/wwl3JUfpVCiipQC0hGB8aK54ztMgvWEbtBlFxqOqzcfhtuaZqz0k t0nbMfTRLHn8Io5SfBJtMowbTVFVJvFuh+b8B/MORlqk26zsOp1JSNeQT1vbKSfs MqaAPzphAs7KAgY4fRVXho/+JXnw0RxHdwPDwqAZbetKYRHJs+J1g/RnfX9v5Fcl /SnmIHv3SQ5jpPYEc4QROTdvopwGJnnIk89F8HhceNd9ERTlB4XGY0QyCeqs1mAu X+8rg+ZBC1a9Qfe6EI+qw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1670551047; x= 1670637447; bh=swC2Vj6503ZnsOBpkxlbGB4OzkEW7fgSIzygyzMDqCQ=; b=n 5w9TNG8NncQspld/D/LNTgrDqZbj8feUuglN6QWCmXW6hmY0kIuTEBdaKPatTMmo 7Q1mIuxxPjtJFD+x9AnPDbF9xPdDNSINev08bMaoXDhpR+fUCkxkz/pMrmdlB8NF sZRd/6MFgKldjS/Hd5j+uycppwIEYtQyvANw4zhZ+MdRbPokFoREeN2BNMt/Yux6 oqm16BaGgZnznP9EX0bm67IAFYlg3sBGLex3mbjTq69VYxFScbWH4eJAlpzienzn xXFmwn/dXivRWciw9iGAlIibOL1foSZ6bYW/Rg4iFr2KyJgE65Vgfin9GzMLQzjj ZmZ2wIpvrR2WYV/gL2XoQ==
X-ME-Sender: <xms:B5aSY-symo-Vm8dlXfmn5--Rv0Or8G10V5KKn4dbQB18ADaHEtT6Ww> <xme:B5aSYzfsALGCN437-17Ko8jzmH1vA7kfW3AmcH55n-tUyb2ehKR-Jk2z8NAH1akTz Go5VzdmbDOHTvGKghw>
X-ME-Received: <xmr:B5aSY5xVsp0jDJzeDcLspUHnHIScAAJOxyOPiPXhqf6FHeKuWgerURkYfaUVjkUwiUV_Yh5upMJo3XTi6oZTPfTjVpT7yzW-bS0>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrvddugdegvdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpegtggfuhfgjffevgffkfhfvofesthhqmhdthhdtjeenucfhrhhomhepvehhrhhi shhtohhphhgvrhcuhghoohguuceotggrfieshhgvrghpihhnghgsihhtshdrnhgvtheqne cuggftrfgrthhtvghrnhepffduteelhfehtdelueetueeuheekfefftdegfedvteevheej gfehveefteegvddvnecuffhomhgrihhnpehivghtfhdrohhrghenucevlhhushhtvghruf hiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegtrgifsehhvggrphhinhhgsghi thhsrdhnvght
X-ME-Proxy: <xmx:B5aSY5MHjNaDTwVMnvbBs6f-5uZdbZDyzLYouXkwadqNG4RGKT8GOg> <xmx:B5aSY-8PNdpEoXhfaA3dlz0mrQ6hO9un-1zdruCVLlyllOOljRYuCg> <xmx:B5aSYxUfIwifBqVShcfEYWm4Zg_510u1RmKzRADCWh_XDo_LbSvm8g> <xmx:B5aSYzEKAoN66Gg_iMDoHJSAjVKtmn1dkHgjeTOJ3TqXV4vpm5darA>
Feedback-ID: i2f494406:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 8 Dec 2022 20:57:27 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Christopher Wood <caw@heapingbits.net>
In-Reply-To: <20221208182902.GB7583@yoink.cs.uwaterloo.ca>
Date: Thu, 08 Dec 2022 20:57:26 -0500
Cc: cfrg@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <3F70E0F6-9F5D-4A78-BB9B-8FC23F8F60D5@heapingbits.net>
References: <166906886082.62494.8820552099363522855@ietfa.amsl.com> <6A1E08FD-09CF-4929-94DD-8B7A8E6CACBA@heapingbits.net> <CAMmp5CAt-A+qJTDbhwj14b24DUGD+xzxrbBpPGM2hCYfNVA4-w@mail.gmail.com> <CAJowLmN8CZRS9V0N5tW=XohC9QNYRE-FpMe=errGSETAq7WT1w@mail.gmail.com> <20221129225921.GR7583@yoink.cs.uwaterloo.ca> <E6C680D7-9480-4E43-BFD9-5A38BB8B1CB3@heapingbits.net> <20221208182902.GB7583@yoink.cs.uwaterloo.ca>
To: Ian Goldberg <iang@uwaterloo.ca>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/AS0ySFZRByWGrUz6J2NNeT7odXY>
Subject: Re: [CFRG] I-D Action: draft-irtf-cfrg-rsa-blind-signatures-06.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Dec 2022 01:57:32 -0000


> On Dec 8, 2022, at 1:29 PM, Ian Goldberg <iang@uwaterloo.ca> wrote:
> 
> On Thu, Dec 08, 2022 at 12:37:55PM -0500, Christopher Wood wrote:
>> Thanks, Ian! Please see inline below.
>> 
>>> On Nov 29, 2022, at 5:59 PM, Ian Goldberg <iang@uwaterloo.ca> wrote:
>>> 
>>> On Tue, Nov 29, 2022 at 01:47:40PM +0000, Franziskus Kiefer wrote:
>>>> Chris asked me to review the draft.
>>> 
>>> Me as well.  My notes are below.
>>> 
>>> In Section 1, [I-D.irtf-cfrg-voprfs] is a broken reference.
>>> Interestingly, Section 1 motivates this document with, "Specifically,
>>> VOPRFs are not necessarily publicly verifiable", but
>>> draft-irtf-cfrg-voprf-16 (which is presumably what the dangling link is
>>> supposed to point to) _is_ publicly verifiable
>>> (https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-16#section-2.2.2)
>>> Is there another motivation for using RSA instead of
>>> draft-irtf-cfrg-voprf-16?  Is it just the "in such a way that the
>>> resulting (unblinded) signature can be verified with a standard RSA-PSS
>>> library"?  As you point out here, VOPRFs are strongly related to
>>> deterministic blind signatures.  Should VOPRFs be discussed in Section
>>> 8.7?
>> 
>> We decided not to make a change here. The full text reads:
>> 
>>   Recently, interest in blind signatures has grown to address
>>   operational shortcomings from applications that use Verifiable
>>   Oblivious Pseudorandom Functions (VOPRFs) [VOPRF], such as Privacy
>>   Pass [PRIVACY-PASS].  Specifically, VOPRFs are not necessarily
>>   publicly verifiable, meaning that a verifier needs access to the
>>   VOPRF private key to verify that the output of a VOPRF protocol is
>>   valid for a given input.
>> 
>> 
>> The important bit here is that the private key is needed to verify the VOPRF value, which is what publicly verifiable means in this context. We determined this was clear enough as-is, but if you have concrete suggestions for how to improve it further, please do share!
> 
> But that's exactly what I'm saying is _not_ true for
> https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-16#section-2.2.2
> since you only need the public key (A and B), not the private key (k) to
> verify.

I’m still not sure I see the confusion, so please bear with me as we zero in on it. I wonder if it’s the non-interactive nature of this property that we’re missing? In an attempt to clarify, let me try to explain my thinking (and apologies in advance if this is all obvious).

In this draft, public verifiability means that anyone with the output of the protocol (the signature) can _non-interactively_ verify it using the input of the protocol (the message that was signed and the public key). For Blind RSA, this property trivially holds, since the output is a digital signature that anyone with the public key and message can verify. For the VOPRF case, the output (y) is the PRF result and the input (x) is the PRF input and public key (g^k). The only way to non-interactively verify this output, i.e., to check that y = H(x, H2C(x)^k)), is with access to the VOPRF private key.

If it’s not the interactive nature of verifiability, can you clarify the problem here?

Thanks again,
Chris

> 
>> Can you please let us know if the latest version addresses your comments?
> 
> I'll add it to my queue.  :-)
> -- 
> Ian Goldberg
> Canada Research Chair in Privacy Enhancing Technologies
> Professor, Cheriton School of Computer Science
> University of Waterloo

v2.46.0 | Report a Bug | By Email | System Status