IETF Logo Mail Archive

Re: [Privacy-pass] External verifiability: a concrete proposal

Alex Davidson <adavidson@cloudflare.com> Tue, 14 July 2020 15:15 UTC

Return-Path: <adavidson@cloudflare.com>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2F123A086C for <privacy-pass@ietfa.amsl.com>; Tue, 14 Jul 2020 08:15:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.089
X-Spam-Level:
X-Spam-Status: No, score=-2.089 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E2Fnf8-_YKJv for <privacy-pass@ietfa.amsl.com>; Tue, 14 Jul 2020 08:15:49 -0700 (PDT)
Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1EA23A0865 for <privacy-pass@ietf.org>; Tue, 14 Jul 2020 08:15:48 -0700 (PDT)
Received: by mail-wr1-x431.google.com with SMTP id f2so22315206wrp.7 for <privacy-pass@ietf.org>; Tue, 14 Jul 2020 08:15:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=s0WhKez+JuAN/GvrWivh6lsv4A+iqIlygFAPVfkY+3c=; b=Pvy1GZFvec8aebtA9XgvjCjCbfMJDkgi1dJeTPtBtB7gGpo1b5HBcmZGb/OhsEta1O +cwWNeXH/LOZbCG8n4/15s1ADkmKLuPIvMRCzCfUGILbKt9uexPpdXivJPF3aYd/1zJ+ OSo0DBDIFnmXRowbEmL61jUKgkyo7QUBSGVKg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=s0WhKez+JuAN/GvrWivh6lsv4A+iqIlygFAPVfkY+3c=; b=kMLzr2GjSatlkUps2udp28WmWOFq7eHVnlneu8zfnR5pFboDOMcJPDc8/STZji78k1 oyvcModObcrBkYesIPk28N44q9XcjJ0R9AuCloHYftuokHYvhQMEShtuF3KyjCKiVIJH 6Q03BH46rLw/X1zE0gl00HQMREzPyKBBI8+VHlIqx9gawQ9SaWsd7BxqP1PqVrfSw7Yh AejRJo+nJ2rNrMtCrreBonA9ngQJKpjvaqXRKg56pWm0MQIZA+723wZnuZ1fng8w3Nxr gDYPKbwrLZCISTdkr/1YQatoTM7OXkL1dH7E+Kg3rkG2kK9Hek6dv8rq+p1IZpochVQm 6LHw==
X-Gm-Message-State: AOAM532YCHSau0MFzYi6dpBcCAxXxoIYW6W/6ZwxNoXISFV85FbEmJpY lKUrZHjZYvG6LCxsOxFlM/4pcuNrqACUxQ==
X-Google-Smtp-Source: ABdhPJwWkkhvn24wTV4IGMkEMPCiWQkkVKb069HcnRxRCSDT6WDLS4K+c03vs9061Pxo77mZB9JqNg==
X-Received: by 2002:adf:e948:: with SMTP id m8mr6485474wrn.398.1594739747126; Tue, 14 Jul 2020 08:15:47 -0700 (PDT)
Received: from ?IPv6:2001:8a0:7ac8:f600:28e5:4877:f966:c82? ([2001:8a0:7ac8:f600:28e5:4877:f966:c82]) by smtp.gmail.com with ESMTPSA id t4sm5077533wmf.4.2020.07.14.08.15.46 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 14 Jul 2020 08:15:46 -0700 (PDT)
From: Alex Davidson <adavidson@cloudflare.com>
Message-Id: <6476CDA9-688F-4970-9287-C35893CBFA90@cloudflare.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_98E6E393-4D50-486F-A8C0-8A42E0571440"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Tue, 14 Jul 2020 16:15:23 +0100
In-Reply-To: <CAOyO2_Jb8iEg=qY-mPCfyQ5Tyf2H-Qm46Avd=8t7ngi-1NcEzg@mail.gmail.com>
Cc: privacy-pass@ietf.org
To: Michele Orrù <lists@tumbolandia.net>
References: <CACsn0c=KCcq27wEiVnkRritmuxYyR_mewwe48FBx1YnxZTu_aA@mail.gmail.com> <CAHbrMsB_5Y58St3dKu2SeAuxPYEV6=VuDxC+DbpTzhwi8iJHKw@mail.gmail.com> <CACsn0c=u9ETDw-tvC26Yz8odPT4bO7CFFrnC8+AvEwgZ5Y8s8A@mail.gmail.com> <AE699CA2-3B60-44B2-823E-1AC620BBB2EC@cloudflare.com> <20200710134907.GW4003@yoink.cs.uwaterloo.ca> <CAOyO2_Jb8iEg=qY-mPCfyQ5Tyf2H-Qm46Avd=8t7ngi-1NcEzg@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/0jvMsmzUYNPaCBqu2CwlgIx0QX4>
Subject: Re: [Privacy-pass] External verifiability: a concrete proposal
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2020 15:15:51 -0000

Hi Michele,

Thanks, this is really informative. Is the verification time for the blind BLS construction for only a single token? Or is it batched for multiple tokens?
Do you have a link for the Clause Blind Schnorr signature scheme? Is there a reason why we would not consider this scheme instead, if it is more efficient?

Best,
Alex

> On 11 Jul 2020, at 20:32, Michele Orrù <lists@tumbolandia.net> wrote:
> 
> Hi, 
> 
> To my understanding, Watson is proposing to use blind BLS signatures (BBLS) as an option for public verifiability. 
> In section 5.1 of [Boldyreva <https://www.cc.gatech.edu/~aboldyre/papers/bold.pdf>] they are described with additive blinding; If you apply it multiplicatively you have Privacy Pass (PP) with a DH oracle. 
> 
> I think that's a great idea to add this as a possible publicly-verifiable mechanism. The assumptions are more or less the same: PP is exposing a DH oracle with the NIZK, BBLS will do so with the pairing; PP uses chosen-target Diffie-Hellman and so will BBLS [JKK <https://eprint.iacr.org/2014/650.pdf>]. However, I don't particularly see the advantages w.r.t e.g. blind RSA signatures.
> 
> Ben: the double-spending protection can follow the same logic of privacy pass.
> As Ian says, the ZK proof can go away in BBLS, but the performances will still be worse than vanilla PP.
> I had run some numbers on my laptop a while back (please take them with a pinch of salt): 
> 
> blind RSA: 
> - signing server: 2.27ms
> - signing client: <0.1ms
> - verification: <1e-5 ms
> This was done with RSA-2048 (sha256) and C's relic <https://github.com/relic-toolkit/relic>.
> 
> blind BLS:
> - signing server: 0.8ms
> - signing client: 6ms
> - verification: ~4.5 ms
> This was done with BLS12-381 (sha256) and Rust's pairing. <https://github.com/zkcrypto/bls12_381>
> 
> Clause Blind Schnorr signatures would be faster than BBLS just as well, for instance. Just for comparison, on my implementation of PP I have:
> 
> PP:
> - signing server: ~4ms
> - signing client: 3ms
> - verification: ~1 ms
> This was done with curve25519 (sha512) and curve25519-dalek. <http://curve25519-dalek./>
> 
> 
> Hope this helps better framing the problem, 
> --
> Michele.
> 
> -- 
> Privacy-pass mailing list
> Privacy-pass@ietf.org
> https://www.ietf.org/mailman/listinfo/privacy-pass

v2.23.0 | Report a Bug | By Email