Re: [Privacy-pass] External verifiability: a concrete proposal

Ian Goldberg <iang@uwaterloo.ca> Fri, 10 July 2020 13:49 UTC

Date: Fri, 10 Jul 2020 09:49:07 -0400
From: Ian Goldberg <iang@uwaterloo.ca>
To: privacy-pass@ietf.org
Message-ID: <20200710134907.GW4003@yoink.cs.uwaterloo.ca>
References: <CACsn0c=KCcq27wEiVnkRritmuxYyR_mewwe48FBx1YnxZTu_aA@mail.gmail.com> <CAHbrMsB_5Y58St3dKu2SeAuxPYEV6=VuDxC+DbpTzhwi8iJHKw@mail.gmail.com> <CACsn0c=u9ETDw-tvC26Yz8odPT4bO7CFFrnC8+AvEwgZ5Y8s8A@mail.gmail.com> <AE699CA2-3B60-44B2-823E-1AC620BBB2EC@cloudflare.com>
In-Reply-To: <AE699CA2-3B60-44B2-823E-1AC620BBB2EC@cloudflare.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/VugpEIvskVk0HcFv0mdQMAMx_lI>

On Fri, Jul 10, 2020 at 02:28:06PM +0100, Alex Davidson wrote:
> Hi Watson,
> 
> Thanks for bringing this up, I like this idea.
> I’m not familiar with the Boneh-Lynn-Shacham signature scheme, but it seems what you’re proposing is only a minor modification on the redemption procedure used in the core protocol design.
> 
> When it comes to alternative designs for public verifiability, the only things that come to my mind are to use a different blind signature scheme, or to try a more general anonymous credential scheme such as https://eprint.iacr.org/2001/019.pdf (or something more recent). However, I like the simplicity of what you’re proposing, and the similarity that it enjoys with the existing versions of the protocol.
> 
> I’d be interested in hearing more opinions on this topic.

In the original design, we wanted to avoid pairings because implementing
them in JavaScript promised to be annoying.  But nowadays with the
ability to compile different languages to WebAssembly?  Perhaps it's
more reasonable.  The protocol is probably considerably more
straightforward, actually: the ZKPs can go away entirely, and the client
can still batch-verify that a pile of tokens are generated with the same
public key.
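The redemption shape Ian describes (BLS-style tokens that verify against the published key alone, with the DLEQ proofs gone and the client batch-checking that all of its tokens were signed under that one key), as an added example that is not part of the thread or of the Privacy Pass project. The bilinear map below is a deliberately trivial one over integers, so it reproduces the verification algebra of a pairing but has no security at all (discrete logs are trivial); the group parameters, the scalar hash standing in for hash-to-curve, and all function names are this example's own assumptions.

```python
"""Toy model of publicly verifiable, BLS-style Privacy Pass tokens.

Added example, not code from the thread or the Privacy Pass project.  The
"pairing" is a trivial bilinear map over integers: it gives the right
verification EQUATIONS, but no security (discrete logs are trivial).  It
exists only to show why the DLEQ proofs can disappear and how a client
batch-checks that a pile of tokens share one public key.
"""
import hashlib
import secrets

# Toy bilinear group (constructed): G1 and G2 are both Z_Q under addition
# (generator 1); GT is the order-Q subgroup <G_T> of Z_P^*, with P = k*Q + 1.
# e(a, b) = G_T^(a*b) mod P, so e(a + a', b) == e(a, b) * e(a', b).
Q = 2**61 - 1  # Mersenne prime: scalar field and source-group order


def _is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin, valid for n < 3.3e24 (bases 2..37)."""
    if n < 2:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _toy_params():
    """Find prime P = k*Q + 1 and an element of exact order Q (deterministic)."""
    k = 2
    while not _is_prime(k * Q + 1):
        k += 2
    p, h = k * Q + 1, 2
    while pow(h, k, p) == 1:  # h^k has order 1 or Q; we want Q
        h += 1
    return p, pow(h, k, p)


P, G_T = _toy_params()
G2 = 1  # generator of the toy G2 (G1's generator is also 1)


def pairing(a: int, b: int) -> int:
    return pow(G_T, (a * b) % Q, P)


def hash_to_g1(token: bytes) -> int:
    """Stand-in for hash-to-curve: map a token to a nonzero toy G1 element."""
    return (int.from_bytes(hashlib.sha256(token).digest(), "big") % Q) or 1


def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, (sk * G2) % Q  # pk = sk*G2 (in this toy it leaks sk; a real G2 would not)


def issue(sk: int, token: bytes) -> int:
    """BLS-style issuance, sigma = sk*H(t).  No DLEQ proof is attached."""
    return (sk * hash_to_g1(token)) % Q


def verify(pk: int, token: bytes, sig: int) -> bool:
    """Public verifiability: anyone with pk checks e(sigma, G2) == e(H(t), pk)."""
    return pairing(sig, G2) == pairing(hash_to_g1(token), pk)


def batch_verify(pk: int, tokens, sigs) -> bool:
    """Client check that every token verifies under the ONE published pk.
    Random weights stop a bad token's error from cancelling against another's;
    one pairing per side replaces n of them."""
    rs = [secrets.randbelow(Q - 1) + 1 for _ in tokens]
    lhs = sum(r * s for r, s in zip(rs, sigs)) % Q
    rhs = sum(r * hash_to_g1(t) for r, t in zip(rs, tokens)) % Q
    return pairing(lhs, G2) == pairing(rhs, pk)


def demo():
    """Returns (honest batch passes, batch with one foreign-key token fails)."""
    sk, pk = keygen()
    tokens = [b"constructed-token-%d" % i for i in range(5)]
    sigs = [issue(sk, t) for t in tokens]
    # An issuer that quietly signs one token under a second key (to tag the
    # client) is caught: that token cannot verify against the published pk,
    # which is the job the DLEQ proof did in the VOPRF design.
    sk2, _ = keygen()
    tampered = sigs[:4] + [issue(sk2, tokens[4])]
    return batch_verify(pk, tokens, sigs), batch_verify(pk, tokens, tampered)
```

The `batch_verify` equation is the standard random-linear-combination check: a token signed under any key other than `pk` makes the two sides differ by `r_i * (sk' - sk) * H(t_i)`, which is nonzero with probability 1 - 1/Q, so the client needs no per-token proof from the issuer, only the issuer's published key.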