[Privacy-pass] Extending Privacy Pass: Anonymous Tokens with Public Metadata
Tjerand Silde <tjerand.silde@ntnu.no> Mon, 01 March 2021 19:03 UTC
Return-Path: <tjerand.silde@ntnu.no>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 033FE3A2164 for <privacy-pass@ietfa.amsl.com>; Mon, 1 Mar 2021 11:03:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aWoxkYCL6SAH for <privacy-pass@ietfa.amsl.com>; Mon, 1 Mar 2021 11:03:29 -0800 (PST)
Received: from mailgw03.it.ntnu.no (mailgw03.it.ntnu.no [IPv6:2001:700:300:3::29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 427E93A2160 for <privacy-pass@ietf.org>; Mon, 1 Mar 2021 11:03:29 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mailgw03.it.ntnu.no (Postfix) with ESMTP id A57E71C1CEF; Mon, 1 Mar 2021 20:03:24 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mailgw03.it.ntnu.no
Received: from mailgw03.it.ntnu.no ([127.0.0.1]) by localhost (mailgw03.it.ntnu.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Av_4vMgm-rN; Mon, 1 Mar 2021 20:03:23 +0100 (CET)
Received: from it-ex17.win.ntnu.no (it-ex17.it.ntnu.no [IPv6:2001:700:300:3::11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailgw03.it.ntnu.no (Postfix) with ESMTPS id 678AF1C1C7D; Mon, 1 Mar 2021 20:03:23 +0100 (CET)
Received: from it-ex18.win.ntnu.no (2001:700:300:3::12) by it-ex17.win.ntnu.no (2001:700:300:3::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3; Mon, 1 Mar 2021 20:03:23 +0100
Received: from it-ex18.win.ntnu.no ([fe80::fd58:84f4:9f5c:97bb]) by it-ex18.win.ntnu.no ([fe80::fd58:84f4:9f5c:97bb%17]) with mapi id 15.02.0792.005; Mon, 1 Mar 2021 20:03:23 +0100
From: Tjerand Silde <tjerand.silde@ntnu.no>
To: "privacy-pass@ietf.org" <privacy-pass@ietf.org>
CC: "Martin.Strand@ffi.no" <Martin.Strand@ffi.no>
Thread-Topic: Extending Privacy Pass: Anonymous Tokens with Public Metadata
Thread-Index: AQHXDs2NV1fwVOf6n0u1iest34qbLw==
Date: Mon, 01 Mar 2021 19:03:23 +0000
Message-ID: <D899AD8B-A877-42E8-86E7-F6E2285CD3C3@ntnu.no>
Accept-Language: nb-NO, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3654.60.0.2.21)
X-Ntnu-xOriginatingIp: [129.241.34.190]
Content-Type: multipart/alternative; boundary="_000_D899AD8BA87742E886E7F6E2285CD3C3ntnuno_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/IfCi-hGbVdGNsiGfiaeXkcH5uSU>
Subject: [Privacy-pass] Extending Privacy Pass: Anonymous Tokens with Public Metadata
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2021 19:03:32 -0000
Dear all, We would like to share with you our new result regarding anonymous tokens with public metadata. The paper is available at: https://eprint.iacr.org/2021/203.pdf. To avoid the issues with key-rotation and key-transparency, one can use public metadata built into the token to determine which tokens are still valid and not, for example by using dates or time periods as metadata. We propose a direct extension of Privacy Pass with public metadata with identical communication complexity and essentially the same computation complexity. They key insight is that we can publicly update the key-material based on the metadata in a binding way. Let G be the generator of a group with prime order p, let K = [k] G be the public key with corresponding private key k, let d = H(md) be the hash of metadata md, and let e = inv(d+k) mod p. Then e is our new singing key. Verifiability follows from the Chaum-Pedersen proof of the relation log_G ([d] G + K) = d+k = log_W' (T’) for blinded token T’ and signature W’ = [e] T’. Our protocol basically fits into the framework that is described in the stadardization documents today, and should be straight forward to extend by just adding metadata to the message-flow and updating the key. Additionally: * We give updated definitions for tokens with and without public and/or private metadata, and tokens with public metadata and public verifiability. * We give instantiations of all types of protocols, where we use bilinear pairings for the protocols with public verifiability. * Note that the combination of private and public metadata adds some overhead. We would like to improve upon this in the future. * We give a comparison of Privacy Pass, Privacy Pass + Merkle-tree, PrivateStats and anonymous tokens with public metadata. * Contact Tracing is an application that benefits from anonymous tokens, and here, signer and verifier are not the same server. We explain how we implemented Privacy Pass into the Norwegian contact tracing app, and how this lead to the results above. We welcome all feedback and comments on our paper, either in this thread or by private communication. Best, Tjerand & Martin
- [Privacy-pass] Extending Privacy Pass: Anonymous … Tjerand Silde