Re: [Privacy-pass] External verifiability: a concrete proposal
Alex Davidson <adavidson@cloudflare.com> Tue, 14 July 2020 15:15 UTC
Return-Path: <adavidson@cloudflare.com>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2F123A086C for <privacy-pass@ietfa.amsl.com>; Tue, 14 Jul 2020 08:15:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.089
X-Spam-Level:
X-Spam-Status: No, score=-2.089 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E2Fnf8-_YKJv for <privacy-pass@ietfa.amsl.com>; Tue, 14 Jul 2020 08:15:49 -0700 (PDT)
Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1EA23A0865 for <privacy-pass@ietf.org>; Tue, 14 Jul 2020 08:15:48 -0700 (PDT)
Received: by mail-wr1-x431.google.com with SMTP id f2so22315206wrp.7 for <privacy-pass@ietf.org>; Tue, 14 Jul 2020 08:15:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=s0WhKez+JuAN/GvrWivh6lsv4A+iqIlygFAPVfkY+3c=; b=Pvy1GZFvec8aebtA9XgvjCjCbfMJDkgi1dJeTPtBtB7gGpo1b5HBcmZGb/OhsEta1O +cwWNeXH/LOZbCG8n4/15s1ADkmKLuPIvMRCzCfUGILbKt9uexPpdXivJPF3aYd/1zJ+ OSo0DBDIFnmXRowbEmL61jUKgkyo7QUBSGVKg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=s0WhKez+JuAN/GvrWivh6lsv4A+iqIlygFAPVfkY+3c=; b=kMLzr2GjSatlkUps2udp28WmWOFq7eHVnlneu8zfnR5pFboDOMcJPDc8/STZji78k1 oyvcModObcrBkYesIPk28N44q9XcjJ0R9AuCloHYftuokHYvhQMEShtuF3KyjCKiVIJH 6Q03BH46rLw/X1zE0gl00HQMREzPyKBBI8+VHlIqx9gawQ9SaWsd7BxqP1PqVrfSw7Yh AejRJo+nJ2rNrMtCrreBonA9ngQJKpjvaqXRKg56pWm0MQIZA+723wZnuZ1fng8w3Nxr gDYPKbwrLZCISTdkr/1YQatoTM7OXkL1dH7E+Kg3rkG2kK9Hek6dv8rq+p1IZpochVQm 6LHw==
X-Gm-Message-State: AOAM532YCHSau0MFzYi6dpBcCAxXxoIYW6W/6ZwxNoXISFV85FbEmJpY lKUrZHjZYvG6LCxsOxFlM/4pcuNrqACUxQ==
X-Google-Smtp-Source: ABdhPJwWkkhvn24wTV4IGMkEMPCiWQkkVKb069HcnRxRCSDT6WDLS4K+c03vs9061Pxo77mZB9JqNg==
X-Received: by 2002:adf:e948:: with SMTP id m8mr6485474wrn.398.1594739747126; Tue, 14 Jul 2020 08:15:47 -0700 (PDT)
Received: from ?IPv6:2001:8a0:7ac8:f600:28e5:4877:f966:c82? ([2001:8a0:7ac8:f600:28e5:4877:f966:c82]) by smtp.gmail.com with ESMTPSA id t4sm5077533wmf.4.2020.07.14.08.15.46 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 14 Jul 2020 08:15:46 -0700 (PDT)
From: Alex Davidson <adavidson@cloudflare.com>
Message-Id: <6476CDA9-688F-4970-9287-C35893CBFA90@cloudflare.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_98E6E393-4D50-486F-A8C0-8A42E0571440"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Tue, 14 Jul 2020 16:15:23 +0100
In-Reply-To: <CAOyO2_Jb8iEg=qY-mPCfyQ5Tyf2H-Qm46Avd=8t7ngi-1NcEzg@mail.gmail.com>
Cc: privacy-pass@ietf.org
To: Michele Orrù <lists@tumbolandia.net>
References: <CACsn0c=KCcq27wEiVnkRritmuxYyR_mewwe48FBx1YnxZTu_aA@mail.gmail.com> <CAHbrMsB_5Y58St3dKu2SeAuxPYEV6=VuDxC+DbpTzhwi8iJHKw@mail.gmail.com> <CACsn0c=u9ETDw-tvC26Yz8odPT4bO7CFFrnC8+AvEwgZ5Y8s8A@mail.gmail.com> <AE699CA2-3B60-44B2-823E-1AC620BBB2EC@cloudflare.com> <20200710134907.GW4003@yoink.cs.uwaterloo.ca> <CAOyO2_Jb8iEg=qY-mPCfyQ5Tyf2H-Qm46Avd=8t7ngi-1NcEzg@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/0jvMsmzUYNPaCBqu2CwlgIx0QX4>
Subject: Re: [Privacy-pass] External verifiability: a concrete proposal
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2020 15:15:51 -0000
Hi Michele, Thanks, this is really informative. Is the verification time for the blind BLS construction for only a single token? Or is it batched for multiple tokens? Do you have a link for the Clause Blind Schnorr signature scheme? Is there a reason why we would not consider this scheme instead, if it is more efficient? Best, Alex > On 11 Jul 2020, at 20:32, Michele Orrù <lists@tumbolandia.net> wrote: > > Hi, > > To my understanding, Watson is proposing to use blind BLS signatures (BBLS) as an option for public verifiability. > In section 5.1 of [Boldyreva <https://www.cc.gatech.edu/~aboldyre/papers/bold.pdf>] they are described with additive blinding; If you apply it multiplicatively you have Privacy Pass (PP) with a DH oracle. > > I think that's a great idea to add this as a possible publicly-verifiable mechanism. The assumptions are more or less the same: PP is exposing a DH oracle with the NIZK, BBLS will do so with the pairing; PP uses chosen-target Diffie-Hellman and so will BBLS [JKK <https://eprint.iacr.org/2014/650.pdf>]. However, I don't particularly see the advantages w.r.t e.g. blind RSA signatures. > > Ben: the double-spending protection can follow the same logic of privacy pass. > As Ian says, the ZK proof can go away in BBLS, but the performances will still be worse than vanilla PP. > I had run some numbers on my laptop a while back (please take them with a pinch of salt): > > blind RSA: > - signing server: 2.27ms > - signing client: <0.1ms > - verification: <1e-5 ms > This was done with RSA-2048 (sha256) and C's relic <https://github.com/relic-toolkit/relic>. > > blind BLS: > - signing server: 0.8ms > - signing client: 6ms > - verification: ~4.5 ms > This was done with BLS12-381 (sha256) and Rust's pairing. <https://github.com/zkcrypto/bls12_381> > > Clause Blind Schnorr signatures would be faster than BBLS just as well, for instance. Just for comparison, on my implementation of PP I have: > > PP: > - signing server: ~4ms > - signing client: 3ms > - verification: ~1 ms > This was done with curve25519 (sha512) and curve25519-dalek. <http://curve25519-dalek./> > > > Hope this helps better framing the problem, > -- > Michele. > > -- > Privacy-pass mailing list > Privacy-pass@ietf.org > https://www.ietf.org/mailman/listinfo/privacy-pass
- [Privacy-pass] External verifiability: a concrete… Watson Ladd
- Re: [Privacy-pass] External verifiability: a conc… Ben Schwartz
- Re: [Privacy-pass] External verifiability: a conc… Watson Ladd
- Re: [Privacy-pass] External verifiability: a conc… Alex Davidson
- Re: [Privacy-pass] External verifiability: a conc… Ian Goldberg
- Re: [Privacy-pass] External verifiability: a conc… Michele Orrù
- Re: [Privacy-pass] External verifiability: a conc… Alex Davidson
- Re: [Privacy-pass] External verifiability: a conc… Michele Orrù