IETF Logo Mail Archive

Re: [Privacy-pass] External verifiability: a concrete proposal

Michele Orrù <lists@tumbolandia.net> Sat, 11 July 2020 19:32 UTC

Return-Path: <michele@tumbolandia.net>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E94B83A1220 for <privacy-pass@ietfa.amsl.com>; Sat, 11 Jul 2020 12:32:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.075
X-Spam-Level:
X-Spam-Status: No, score=-1.075 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MISSING_HEADERS=1.021, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tumbolandia.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G3nmBQP0iy1T for <privacy-pass@ietfa.amsl.com>; Sat, 11 Jul 2020 12:32:24 -0700 (PDT)
Received: from mail-oi1-x231.google.com (mail-oi1-x231.google.com [IPv6:2607:f8b0:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8DBA3A121E for <privacy-pass@ietf.org>; Sat, 11 Jul 2020 12:32:24 -0700 (PDT)
Received: by mail-oi1-x231.google.com with SMTP id y22so7689841oie.8 for <privacy-pass@ietf.org>; Sat, 11 Jul 2020 12:32:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tumbolandia.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:cc; bh=hoLnLSTZyZRH4TvtN5+Eqxhw4IizU/4dRzgEyqjaNzE=; b=aUkFXu4WAZcXNSJ7d259dQ9UD8nNHGcvcaqQqpkXuB+EabM34nRBOLyxAZHE4RArAk wabwbG3hthQS/THkhBO5hMLajZe37EMhvaL3oqLg0BvDH4yoYahS4qLFi33WtoBUAebv KdNN8s7/IrWtbskwrRLkUQTKSnkzV4hj7YDwbG8AGMkmHnOm1Q9TsTlR6SgIt8zkurye bwcsCufMgu0lNj0+detop0yHUsnQ3oo/ycjc2k+OhGEGqoQvcPCtIeRlev0imDNLSIzN wzWDK3ki7yOleufY5SRQPiqVoeHBZgPJH0UfPX3WLZu6gGsLVvhLa5gV+yROGl6wnthO KxvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:cc; bh=hoLnLSTZyZRH4TvtN5+Eqxhw4IizU/4dRzgEyqjaNzE=; b=OgjSmCpCuf12M/IBhdlbjCOb5p0W6KsTg7A2GwrmbZK5/I97NP/VT6bgMFfjqe6Q6G 1H0ZD3Ts5T4EwNhMsgPDgXsPQ4bGjZlzBkuk+Qb+1RQjuhklt4fHmll4ikcxggK55gBJ SQqYDe+pNrSuRXyFjsubyJSWLofjomNu1b0b1bx73nUPfvkl9Jpn4RFp4fYXwQfRRsCM Op3MJscg65JkNoaEim2j+obIJeytIYY8kAC+hXeHv+z3rtBbhzHWxMk7iLB1AE+sne3K yCkbYoFGX1Qtap19simOn4D5BzU8BW7NVOKO7THO+UzCAwAQq/gtQ+BCVq74JXPv8Gms YVPg==
X-Gm-Message-State: AOAM531QRsquSyGBNi8NQKJq41x2GCCbr4QxvEq8HNtYwz6SEYhte5/C aLdRDpnV8nugzQJVHWSE4G0M2xjaUiiCYnRIZRmuUeuWB4Y=
X-Google-Smtp-Source: ABdhPJyuABx1hIu1nuydc1JQjvtGIAe332w7jISd1OX1lw8vJQYJpmpT1GADbbs+hZ2BnJOFUxgadFl/vUQhgYqZheo=
X-Received: by 2002:a05:6808:7d0:: with SMTP id f16mr9148879oij.20.1594495943524; Sat, 11 Jul 2020 12:32:23 -0700 (PDT)
MIME-Version: 1.0
References: <CACsn0c=KCcq27wEiVnkRritmuxYyR_mewwe48FBx1YnxZTu_aA@mail.gmail.com> <CAHbrMsB_5Y58St3dKu2SeAuxPYEV6=VuDxC+DbpTzhwi8iJHKw@mail.gmail.com> <CACsn0c=u9ETDw-tvC26Yz8odPT4bO7CFFrnC8+AvEwgZ5Y8s8A@mail.gmail.com> <AE699CA2-3B60-44B2-823E-1AC620BBB2EC@cloudflare.com> <20200710134907.GW4003@yoink.cs.uwaterloo.ca>
In-Reply-To: <20200710134907.GW4003@yoink.cs.uwaterloo.ca>
From: Michele Orrù <lists@tumbolandia.net>
Date: Sat, 11 Jul 2020 21:32:07 +0200
Message-ID: <CAOyO2_Jb8iEg=qY-mPCfyQ5Tyf2H-Qm46Avd=8t7ngi-1NcEzg@mail.gmail.com>
Cc: privacy-pass@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004f661205aa2f8449"
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/61SmZ5UZTLI_Lgnx_Ddx5Vosa5w>
Subject: Re: [Privacy-pass] External verifiability: a concrete proposal
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jul 2020 19:32:26 -0000

Hi,


To my understanding, Watson is proposing to use blind BLS signatures (BBLS)
as an option for public verifiability.

In section 5.1 of [Boldyreva
<https://www.cc.gatech.edu/~aboldyre/papers/bold.pdf>] they are described
with additive blinding; If you apply it multiplicatively you have Privacy
Pass (PP) with a DH oracle.


I think that's a great idea to add this as a possible publicly-verifiable
mechanism. The assumptions are more or less the same: PP is exposing a DH
oracle with the NIZK, BBLS will do so with the pairing; PP uses
chosen-target Diffie-Hellman and so will BBLS [JKK
<https://eprint.iacr.org/2014/650.pdf>]. However, I don't particularly see
the advantages w.r.t e.g. blind RSA signatures.


Ben: the double-spending protection can follow the same logic of privacy
pass.

As Ian says, the ZK proof can go away in BBLS, but the performances will
still be worse than vanilla PP.

I had run some numbers on my laptop a while back (please take them with a
pinch of salt):


blind RSA:

- signing server: 2.27ms

- signing client: <0.1ms

- verification: <1e-5 ms

This was done with RSA-2048 (sha256) and C's relic
<https://github.com/relic-toolkit/relic>.


blind BLS:

- signing server: 0.8ms

- signing client: 6ms

- verification: ~4.5 ms

This was done with BLS12-381 (sha256) and Rust's pairing.
<https://github.com/zkcrypto/bls12_381>


Clause Blind Schnorr signatures would be faster than BBLS just as well, for
instance. Just for comparison, on my implementation of PP I have:


PP:

- signing server: ~4ms

- signing client: 3ms

- verification: ~1 ms

This was done with curve25519 (sha512) and curve25519-dalek.



Hope this helps better framing the problem,

--

Michele.

v2.23.0 | Report a Bug | By Email