Re: [CFRG] Partially blind issuance and proofs on revealed values (and a syntax change)

Watson Ladd <watsonbladd@gmail.com> Mon, 08 April 2024 18:44 UTC

From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 08 Apr 2024 11:44:33 -0700
Message-ID: <CACsn0ckys3vbnPRdP3FFoF-eh9pphReZGoWG5Cs4rg0z0qBxyg@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
Cc: CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/OAX_ZAoqmaHaHNckDBkcEzn2iX4>

On Mon, Apr 8, 2024 at 11:18 AM Orie Steele <orie@transmute.industries> wrote:
>
> Your second comment appears to be a follow-up to https://mailarchive.ietf.org/arch/msg/cfrg/QnAzetPq5KUzbl0QTUDMmJfVQpE/


I think that's the syntax change. Maybe I'm not clear on the current
properties: is it the case that if an issuer signs with attributes 1,
2 and a different one with attributes 1, 3, that when revealing just
attribute 1 there is no way for an attacker to tell which one was
signed? If so then this is probably worth keeping as is in the draft.
>
>
>
> Your first comment seems like possibly a significant change to:
>
> https://datatracker.ietf.org/doc/draft-irtf-cfrg-bbs-signatures/
>
> Or perhaps: https://datatracker.ietf.org/doc/draft-vasilis-bbs-per-verifier-linkability/ ?
>
>
> Is there a link to the privacy pass context / discussion?
>
> I see https://datatracker.ietf.org/doc/draft-ladd-privacypass-bbs/
>
> Is that the right document to review, in order to better understand your first comment?

Kind of. I had a telephone call today with researchers where we
determined this was the way to go for rate limiting.

Basically we would partially blind a credential where, of the messages,
say m1 is a random value x picked by the client (and blinded). On
redemption the client can send a value e=1/(x+k)H(site)+rG where k is
a counter value, and prove knowledge of a witness to the correctness
of the equation ve=zG+kH(site)+xH(site) and that k is small and x is
part of the message. To do this we need both partially blind issuance
and DL proofs over messages (which in extreme cases can link us to GS
if we want the big guns).

Sincerely,
Watson Ladd


-- 
Astra mortemque praestare gradatim