[Privacy-pass] Re: Where we are with BBS and a true rate limiting alternative

Christopher Patton <cpatton@cloudflare.com> Wed, 26 June 2024 00:19 UTC

Return-Path: <cpatton@cloudflare.com>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34CF7C19ECBA for <privacy-pass@ietfa.amsl.com>; Tue, 25 Jun 2024 17:19:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sLdEW5DOuSug for <privacy-pass@ietfa.amsl.com>; Tue, 25 Jun 2024 17:19:27 -0700 (PDT)
Received: from mail-yb1-xb29.google.com (mail-yb1-xb29.google.com [IPv6:2607:f8b0:4864:20::b29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7657AC18DB91 for <privacy-pass@ietf.org>; Tue, 25 Jun 2024 17:19:27 -0700 (PDT)
Received: by mail-yb1-xb29.google.com with SMTP id 3f1490d57ef6-e02e4eb5c3dso5249547276.3 for <privacy-pass@ietf.org>; Tue, 25 Jun 2024 17:19:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1719361166; x=1719965966; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=BkXj1ZhtZA2zI9jeRxDTeI85Z+Wegq+DHoGee05Yzb0=; b=Yw8SuvXbeaZJuA6nt8Mp3Kd/Ba24/5hBoAEYIdrMjgObQi5PqxdhVgEtRvMCan/vtk HGfyOfhF1iQZ9ptiYlRQO7uc4TC16oheF1zaleegBDPQsN0//757G2U6KOPygj3Pa6vy I0aQuhAn+xf43c/XdZ+gbk/8KIi/Kz01hCjtzWgfd5Em9o0QQsZzbtF2z5epfigIkhqA nLyM6otjCH1Qke8pustRS+P3MYs2Sc2vi5qnD9Pf4i9AY0TAnE5jFL2kqdPtjOMmcwF5 bS7LsTPYMA6afit2Qu/fsG/lsR6WVPDPvmlZ0PvGjglZA8CUsojZPgL8ipGVbIs+xvFB temA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719361166; x=1719965966; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=BkXj1ZhtZA2zI9jeRxDTeI85Z+Wegq+DHoGee05Yzb0=; b=g7UikzBc68fYzd1NC9FwpNpNqZTtwbl7KiVJyijf7PIKvG4MgHoM5YbLXid2nynUKc YF71jCXibk03BaveG6d1Z7TjdARbhAnrvZzA501uIDS6/Q7fShU2QML32FDk+YJ/9OTt WOFiREQQg4B5VxLLK6iGhAs0ef5TS7Odd9GsAVXmKpXWFyqpEpOR2Qkn0S+NR/MWftPZ edQLwjtexjrPnJIMWwb7FMmLvJgHEnckQiVMy2Zg9oFaNUGsp70jN3zT9r72MUUUU0s1 uFPibW3li7C7XJNNw/KAsibBztTspB6TFJF2gb33ukfWkTTEEFtan3fcSVTBMQ0gkG95 JZQQ==
X-Gm-Message-State: AOJu0YzPYGSjAnMzYrVaJ8ZwbodDQTOucVOgn0TW0kNMA3Ap9F742Jd3 08117zEtICX+W1KfoCKWZL2FwB7NcVR8B/4JlyWPDmbQrkEtR1gz/UjLUyQLe28g5GDs+Jc5PIy LbyRjcHH4CEZ3vVnzFa0YIB7be1OYp1oU9J71uaCIqqr167T+
X-Google-Smtp-Source: AGHT+IGXhvxSoUaXfjylOoDpbfKi9UXtomR4duclvqNk5dD3/2lam145jY41MRG+35GRh26OSRkkC2d9UJCoo5Hx/UI=
X-Received: by 2002:a25:c83:0:b0:e02:c53a:a531 with SMTP id 3f1490d57ef6-e02fc264aeemr9437038276.5.1719361166140; Tue, 25 Jun 2024 17:19:26 -0700 (PDT)
MIME-Version: 1.0
References: <CACsn0c=odKu40eoZ8rjTOZVP4kveMKYDm1Qgs5OiccFNbm1DxA@mail.gmail.com>
In-Reply-To: <CACsn0c=odKu40eoZ8rjTOZVP4kveMKYDm1Qgs5OiccFNbm1DxA@mail.gmail.com>
From: Christopher Patton <cpatton@cloudflare.com>
Date: Tue, 25 Jun 2024 17:19:15 -0700
Message-ID: <CAG2Zi23x==CVZtoiOCp00hH3DHJJoSbVmjOd6itB=moeZ68iBA@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000008cc67a061bbff758"
Message-ID-Hash: 334I6P6MN2SC2KDXHNFU7MZYU5AUAOMJ
X-Message-ID-Hash: 334I6P6MN2SC2KDXHNFU7MZYU5AUAOMJ
X-MailFrom: cpatton@cloudflare.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: privacy-pass@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Privacy-pass] Re: Where we are with BBS and a true rate limiting alternative
List-Id: Privacy Pass Protocol <privacy-pass.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/DH8yJlcTw2LG0NxRXK_d4IT-fbI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Owner: <mailto:privacy-pass-owner@ietf.org>
List-Post: <mailto:privacy-pass@ietf.org>
List-Subscribe: <mailto:privacy-pass-join@ietf.org>
List-Unsubscribe: <mailto:privacy-pass-leave@ietf.org>

Watson,

It would be great to see a presentation on this at 120. In lieu of a
draft(s), could you slap together a proof-of-concept? No need to plug it
into Privacy Pass, but it would at least be useful to see what each party
does and how the proof system works.

Chris P.

On Tue, Jun 25, 2024 at 3:48 PM Watson Ladd <watsonbladd@gmail.com> wrote:

> Dear privacy pass,
>
> Over the past few months a group of us have been discussing some of
> the desiderata for privacy pass, and trying to ensure we have a
> flexible, well-considered cryptographic foundation for deployments.
>
> Currently what we have is a number of extensions, but each extension
> has to be examined anew and they don't compose: if you want both
> public metadata and rate limiting, it takes a new document to make
> them work. Instead we can make sure that the single token format
> supports a bunch of features.
>
> Foundationally we use a blind issuing variant of BBS, where the user
> proves that they have asked for the right fields. Some can be hidden,
> and others revealed to the issuer, and then a different set shown to
> origins. In addition it's possible to do zero-knowledge proofs
> efficiently over equations for the secret values.
>
> For rate limiting one of the fields is a secret key x. On showing the
> user computes Y=(x+k)^{-1}H(origin), and proves with a range proof
> that k is small and transmits Y to the origin. There are some very
> short range proofs available. The origin blocks repeated use of Y.
> This has some big benefits: origins can set the rate limit without
> cooperation from the issuer. The issuer no longer needs to be split.
>
> The origin could also use a nym by having k=0 and using Y as a user
> identifier.
>
> We also have a way to do issuer blindness where the origin learns only
> that an issuer they trust issued the credential. This resolves a
> number of the challenges for the web environment of existing
> solutions.
>
> We do need to write this all up, and there's significant modifications
> to CFRG drafts (or new ones) needed to make it all work, and there are
> some subtleties that lead to needing particular kinds of ZKP that
> complicate the efficency story somewhat. However, we're extremely
> optimistic that these are not showstopers and the time and space
> consumption is moderate enough to make it practical.
>
> Sincerely,
> Watson
>
> --
> Astra mortemque praestare gradatim
>
> --
> Privacy-pass mailing list -- privacy-pass@ietf.org
> To unsubscribe send an email to privacy-pass-leave@ietf.org
>