[Privacy-pass] Re: Where we are with BBS and a true rate limiting alternative
Kosei Akama <akama@keio.jp> Mon, 01 July 2024 00:02 UTC
Return-Path: <akama@keio.jp>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FE9AC14F70B for <privacy-pass@ietfa.amsl.com>; Sun, 30 Jun 2024 17:02:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=keio.jp
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WNfXb826asVX for <privacy-pass@ietfa.amsl.com>; Sun, 30 Jun 2024 17:02:43 -0700 (PDT)
Received: from mailgate3-1.keio.jp (mailgate3-1.keio.jp [131.113.132.10]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C06FC14F703 for <privacy-pass@ietf.org>; Sun, 30 Jun 2024 17:02:42 -0700 (PDT)
Received: from mail-pg1-f199.google.com (mail-pg1-f199.google.com [209.85.215.199]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mailgate3-1.keio.jp (Postfix) with ESMTPS id 4WC5p55MQKzLp4T for <privacy-pass@ietf.org>; Mon, 1 Jul 2024 09:02:37 +0900 (JST) (envelope-from akama@keio.jp)
Authentication-Results: mailgate3-1.keio.jp; dkim=pass header.d=keio.jp header.s=google header.b=VfSyuBW9; spf=pass (mailgate3-1.keio.jp: domain of akama@keio.jp designates 209.85.215.199 as permitted sender) smtp.mailfrom=akama@keio.jp; dmarc=pass (policy=none) header.from=keio.jp
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailgate3-1.keio.jp; s=202310; t=1719792158; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=Vo7LzUFEXWNpOco7+wH0E0bKCrmhlW5LpBEDgtA5UzI=; b=MAX5QOQIejaWMEkex3KlepHszkzZY5vp2PE4mSpRY4Lwh9kbPJztJlAF3A+JNymn3hgzaj 0wz2gffg2HknRKAClyt59ZCggWRiy/6r/2CWQ96VoJtOwKgmUdR5uyot/tkhxvDu226cR2 m47A3XzZwlfY4/GzKDIUt2rjawxW7Ny/QsXg0lM1ztQNqp5evOHRpXZ+eJaRjC+HfIpqM1 c+nF+Ndz/Se0bbuXyIXZyfU6QG5kUNpUMeeHKOysNjKT9TqusrLJNiV+YjLyEWYp+sBkRx Fp78sCAe0+403sz71UQ85V4XVP/lznKAX//jvbZruZ8A7fauPMXsb6Yf4YiVnw==
ARC-Authentication-Results: i=1; mailgate3-1.keio.jp; dkim=pass header.d=keio.jp header.s=google header.b=VfSyuBW9; spf=pass (mailgate3-1.keio.jp: domain of akama@keio.jp designates 209.85.215.199 as permitted sender) smtp.mailfrom=akama@keio.jp; dmarc=pass (policy=none) header.from=keio.jp
ARC-Seal: i=1; s=202310; d=mailgate3-1.keio.jp; t=1719792158; a=rsa-sha256; cv=none; b=MEnDB9+51bRPc3S0vpurGvDzWCOJKHupjGf8kkwF1Bz3hEXPlDmYPBOFc2cAUXvV81XhoY zt+fjz6omb0wChxMz+Nb1lMuPcXXOn56Wk2GubTuK6OVZ1s5ECXG6/pldGPYiNKXqFaIKj HI9QdgZ/gPeRgwgdl2W8KPpba5AWYdgu6a1t3/0RUEGNmDuvBklcuwnBCFxVQhKIECCf5C cFSGdNNBO7QMWoPngHqVQPTjySaIbtaTz5aQoHZdXxCOl6YZc7j4Sfe1du6o63xcSi+r3G hSgbvQfNWLSu2XW7kN6/Ml6huq34Eq6XB7g/m7rc2idMxHbIpDtB/lsiSIxGsg==
Received: by mail-pg1-f199.google.com with SMTP id 41be03b00d2f7-71bce629b2fso2240300a12.1 for <privacy-pass@ietf.org>; Sun, 30 Jun 2024 17:02:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=keio.jp; s=google; t=1719792156; x=1720396956; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Vo7LzUFEXWNpOco7+wH0E0bKCrmhlW5LpBEDgtA5UzI=; b=VfSyuBW9kAaUdZ3aLO/2qSIffEHpPv90J4Aejzyt15OMUV/PaWQUows84Ejb0F/eo4 c3SuUx7uoTtokZOVmhdivThbW0mw/id4JEAYng0zDoRFAKTNE/19oJ5MX3MrZu+E53YX cFSKncex9cdBrqthb3NdqCXPstkV62SSeDH8cEDTuSwWi6lAY0Aq1OzBF3tPsB4WUFdZ BnHGo4JOBh+t4Wo+JcJPB756nqFJsMBuhP03v9noDCl3/ZSKou35ta5BQReLfzbweAz5 wOdYfKGIOQQPnaW7DdPmJUXBCwYoeJkBneiM6QiFJZ/DUpZt8xBkg0UmktOjbHOFnPdS lV3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719792156; x=1720396956; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Vo7LzUFEXWNpOco7+wH0E0bKCrmhlW5LpBEDgtA5UzI=; b=rVcizRXhEgVEKBN5TrQUOQMo1xgq0q/Hz8WbQIxC8qkpa5N6cp4K6EUU/5IWlu3sIk Ky6PjaaJPTPN3sfgmwhn2k8w97OxlPfo//mJqI5H4klawEP7FlvRPjST4fAnRbRDdWdk cOnGuRLnldeWr+1EbwKVU4Aj4HU2JBbTACDtB/hQ4U7nle1UDrzzSivH/nxzzLmTz82U zZalKgq1qkRwv5msGtNyYuDrbmVa9QxuS6UYAM6dztWUMCr6an6+tYLyADT5fYN1PGz8 zpE+JRIFSNeBjuhwnlc23FijDu+NbeAup8WQJ7MEaLcmxPr8ohypw4HAPX1emIrWr3pu 5m9g==
X-Gm-Message-State: AOJu0YxozFNfnGNkZb5GL5ffwlEksvwbkwjCCUs9aLNgCTakbfkcSJ5g TQtnvQIzvDpBemDpRirWcC39a18/j8xgU7sMFeGO87wM67j9FU1VTzhlJoJ0pd1iGwLl9UIa/A4 fgoUMjZ9BN+MO189twwm2sGx7BRZ5HUMUL2e0Yk/nJ3k1F/Q6SG2+MBwOsqXTRsMRWhL2VMw33f Z5rr7OoliDBbYMuJ8YP8hu0QkzhC7FFeucfMo=
X-Received: by 2002:a05:6a21:329f:b0:1be:fccc:a162 with SMTP id adf61e73a8af0-1befccca6eamr5470034637.61.1719792156273; Sun, 30 Jun 2024 17:02:36 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IGj8nBydBRxyaNK+MjwSwgxfZOCXwxzsgljPn2NI2EOF+drSiVHjpUse6WMllvtstTfe1ECcDt0rCsDteJlgAQ=
X-Received: by 2002:a05:6a21:329f:b0:1be:fccc:a162 with SMTP id adf61e73a8af0-1befccca6eamr5470000637.61.1719792155585; Sun, 30 Jun 2024 17:02:35 -0700 (PDT)
MIME-Version: 1.0
References: <CANqGDH56KgcU-vZ2thOJqy8AzG7bGGSCpPfFSeFMOg0cSU6K_g@mail.gmail.com>
In-Reply-To: <CANqGDH56KgcU-vZ2thOJqy8AzG7bGGSCpPfFSeFMOg0cSU6K_g@mail.gmail.com>
From: Kosei Akama <akama@keio.jp>
Date: Mon, 01 Jul 2024 09:02:24 +0900
Message-ID: <CANqGDH5qGZ+AmwWFFabS-u7ib7QH0qCh83=oC-pNR8Yrj50KKw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000008583ee061c245080"
Message-ID-Hash: 5V6PPWK33P75VNAIGY3OQ5ZC75Q3JWSE
X-Message-ID-Hash: 5V6PPWK33P75VNAIGY3OQ5ZC75Q3JWSE
X-MailFrom: akama@keio.jp
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: privacy-pass@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Privacy-pass] Re: Where we are with BBS and a true rate limiting alternative
List-Id: Privacy Pass Protocol <privacy-pass.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/gmFUyUmjSAuiDR810YHeDTAt2QQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Owner: <mailto:privacy-pass-owner@ietf.org>
List-Post: <mailto:privacy-pass@ietf.org>
List-Subscribe: <mailto:privacy-pass-join@ietf.org>
List-Unsubscribe: <mailto:privacy-pass-leave@ietf.org>
Dear Mr. Watson, Hello, I am sending this email to follow up. Do you have any plans to discuss this? It might be a better alternative to BBS proof for rate-limiting. If it is not sufficient, could you tell me your concern? Best regards, /** * Kosei Akama * @email akama@keio.jp * @tel 070-4465-3525 * @twitter _akakou **/ On Thu, Jun 27, 2024, 10:55 AM Kosei Akama <akama@keio.jp> wrote: > Dear Watson, > > > Hello! I am Kosei Akama, > > a master course student at Keio University. > > > This discussion is very interesting and important, > > and I would like to share an idea that may help. > > > The following proof might be sufficient for rate-limiting: > > SPK{(x): K = H(origin || t)^x} > > where: > > - x is the prover's secret key, > > - origin is the verifier's identifier, > > - t is the time window, > > - H is the hash function. > > - || is concatenation > > > In this scheme, the verifier can check if the prover has not sent proof in > the same time window. Specifically, if the prover generates K in the same > window t again, the K will be the same as the previous one; thus, the > verifier can recognize them. This is because K is computed > deterministically from t (and x). > > > This proof is simple and efficient because it is constructed from one > Schnorr proof. > > > > References: > > - > https://www.ndss-symposium.org/ndss-paper/scrappy-secure-rate-assuring-protocol-with-privacy/ > (base paper) > - > https://speakerdeck.com/akakou/scrappy-secure-rate-assuring-protocol-with-privacy > (slide) > > > Thank you so much for reading this email. > > Please do not hesitate to ask me if you have any questions. > > > Best regard. > > > > /** > * Kosei Akama > * @email akama@keio.jp > * @twitter _akakou > **/ > > > 2024年6月27日(木) 8:30 <privacy-pass-request@ietf.org>: > >> Send Privacy-pass mailing list submissions to >> privacy-pass@ietf.org >> >> To subscribe or unsubscribe via email, send a message with subject or >> body 'help' to >> privacy-pass-request@ietf.org >> >> You can reach the person managing the list at >> privacy-pass-owner@ietf.org >> >> When replying, please edit your Subject line so it is more specific >> than "Re: Contents of Privacy-pass digest..."Today's Topics: >> >> 1. Re: Where we are with BBS and a true rate limiting alternative >> (Watson Ladd) >> >> >> >> ---------- Forwarded message ---------- >> From: Watson Ladd <watsonbladd@gmail.com> >> To: Christopher Wood <caw@heapingbits.net> >> Cc: privacy-pass@ietf.org >> Bcc: >> Date: Wed, 26 Jun 2024 16:29:30 -0700 >> Subject: [Privacy-pass] Re: Where we are with BBS and a true rate >> limiting alternative >> >> >> >> On Wed, Jun 26, 2024 at 3:40 PM Christopher Wood <caw@heapingbits.net> >> wrote: >> >>> >>> On Jun 26, 2024, at 5:11 PM, Watson Ladd <watsonbladd@gmail.com> wrote: >>> >>> On Wed, Jun 26, 2024 at 12:27 PM Christopher Wood <caw@heapingbits.net> >>> wrote: >>> >>> >>> Hi Watson, >>> >>> Thanks for writing this up! Please see inline below. >>> >>> On Jun 25, 2024, at 6:48 PM, Watson Ladd <watsonbladd@gmail.com> wrote: >>> >>> Dear privacy pass, >>> >>> Over the past few months a group of us have been discussing some of >>> the desiderata for privacy pass, and trying to ensure we have a >>> flexible, well-considered cryptographic foundation for deployments. >>> >>> Currently what we have is a number of extensions, but each extension >>> has to be examined anew and they don't compose: if you want both >>> public metadata and rate limiting, it takes a new document to make >>> them work. Instead we can make sure that the single token format >>> supports a bunch of features. >>> >>> Foundationally we use a blind issuing variant of BBS, where the user >>> proves that they have asked for the right fields. Some can be hidden, >>> and others revealed to the issuer, and then a different set shown to >>> origins. In addition it's possible to do zero-knowledge proofs >>> efficiently over equations for the secret values. >>> >>> For rate limiting one of the fields is a secret key x. On showing the >>> user computes Y=(x+k)^{-1}H(origin), and proves with a range proof >>> that k is small and transmits Y to the origin. There are some very >>> short range proofs available. The origin blocks repeated use of Y. >>> This has some big benefits: origins can set the rate limit without >>> cooperation from the issuer. The issuer no longer needs to be split. >>> >>> >>> Can you clarify what the origin requirements are for this to work? It >>> seems like the origin would have to (1) verify the showing via a pairing >>> computation, (2) verify the rate limit proof, (3) and then check for double >>> spend of the Y value. Did I get that right? If so, what are you envisioning >>> for range proofs? Bulletproof or something? >>> >>> >>> That's morally correct, assuming the showing reveals a commitment to >>> k. Bulletproofs would work as is for the range proof. >>> >>> To expand a little: a BBS showing is the demonstration of a >>> rerandomized signed commitment, and then demonstrating the commitment >>> opens in certain ways via a statement that's of the kind >>> Camenish-Stadler discuss. Discussions of BBS often don't note this >>> explicitly. This can be extended to show the equation between Y, k, x >>> and H(g) holds as well, as it's another equation of the same type. >>> Separately a Bulletproof can show the commitment to k is well formed >>> and has the right range, but there's some subtlety about properly >>> composing sigma protocols here. >>> >>> There's a slight complication in that currently the proofs of the >>> properties we want out of tokens rely on straightline extractability >>> for composition. For Bulletproofs this is not a problem, but it does >>> increase cost of the BBS showing as I think Fischlin's transform is >>> needed rather than Fiat-Shamir. Work in progress but I should get a >>> prototype hopefully soon so we can all see it work. >>> >>> >>> OK, thanks. How would you compare this work to what’s required for >>> origins in Privacy Pass today? Do you see this as being easy to deploy? >>> >> >> Properly bottled up it is: it would be similar (but more expensive: >> somewhere between 0.5-2 milliseconds per request, although I haven't >> implemented to get a solid number) to what origins need to do for privacy >> pass today. Namely verify an opaque token and store an identifier they >> throw out when seen again. One fact worth mentioning is that the origin has >> an easier time enforcing and changing rate limits as its now a local >> operation. The duration of the token issuance keys has to be longer, but >> that was I think always the case. >> >> >>> >>> The origin could also use a nym by having k=0 and using Y as a user >>> identifier. >>> >>> We also have a way to do issuer blindness where the origin learns only >>> that an issuer they trust issued the credential. This resolves a >>> number of the challenges for the web environment of existing >>> solutions. >>> >>> >>> This feels incompatible with the current HTTP authentication scheme, >>> where the origin explicitly asks for a token (or showing) from a specific >>> issuer. Are you envisioning a separate HTTP authentication scheme for this >>> to work? >>> >>> >>> This is geared more towards the Web platform enabled parts like >>> Google's private state tokens. >>> >>> >>> This is definitely a limitation of the other rate limiting proposal, so >>> I’m glad to see this work being done. >>> >>> There the limitation is imposed that >>> sites can only ask for two issuers. Unfortunately this creates an >>> artificial winner take all dynamic. If we want an RFC 9577 compatible >>> system, I think it's an entry creating a new token challenge >>> structure. This part is very tentative for now. >>> >>> >>> Thanks for clarifying. Out of curiosity, where does this two issuer >>> limitation come into play? >>> >> >> It's part of the Privacy Sandbox documentation. As I understand it the >> two issuer limitation comes into play because if a site could probe for >> every potential issuer it would learn a lot of information about a client. >> To reduce this it learns just two bits by querying for two issuers. >> >>> >>> >>> We do need to write this all up, and there's significant modifications >>> to CFRG drafts (or new ones) needed to make it all work, and there are >>> some subtleties that lead to needing particular kinds of ZKP that >>> complicate the efficency story somewhat. However, we're extremely >>> optimistic that these are not showstopers and the time and space >>> consumption is moderate enough to make it practical. >>> >>> >>> Can you elaborate on what new cryptographic dependencies would be needed >>> over type 2 or 3 tokens today, from the client and origin perspective? >>> Moreover, are those dependencies standardized yet, or is that new work the >>> CFRG would need to do? >>> >>> >>> What is token type 3? I only see 1 and 2 in the registry. CFRG would >>> need to do some new work, or modify the already existing BBS draft to >>> fit. >>> >>> >>> Type 3 is the rate limited version. I’m asking to quantify the work >>> required because it seems like this is quite far from being ready. This is >>> fine, but I wanted to get a sense for the amount of work required to make >>> this alternative work. >>> >> >> The new work is more flexible BBS+Bulletproofs. There is ongoing work in >> zkproofs.org to do some of the flexibile proofs stuff, but who knows >> when it will be ready. So a bunch of work needed to standardize, but the >> difference from the existing BBS draft for Issuance is not much, the >> difference is really a "toss in a statement here" for proving and that's >> well understood just not standardized AFAIK. Then Bulletproofs I think a >> lot of work has happened in the blockchain world to write text that >> describes it enough for interop. But obviously still a big chunk of work to >> get through the IETF. >> >> It is definitely far from ready, but it's definitely in the realm of >> doable in a reasonable amount of time and effort. >> >> >>> Best, >>> Chris >>> >> >> Sincerely, >> Watson >> > /** > * 赤間 滉星 > * @email akama@keio.jp > * @tel 070-4465-3525 > * @twitter _akakou > **/ >
- [Privacy-pass] Where we are with BBS and a true r… Watson Ladd
- [Privacy-pass] Re: Where we are with BBS and a tr… Christopher Patton
- [Privacy-pass] Re: Where we are with BBS and a tr… Christopher Wood
- [Privacy-pass] Re: Where we are with BBS and a tr… Watson Ladd
- [Privacy-pass] Re: Where we are with BBS and a tr… Christopher Wood
- [Privacy-pass] Re: Where we are with BBS and a tr… Kosei Akama
- [Privacy-pass] Re: Where we are with BBS and a tr… Watson Ladd
- [Privacy-pass] Re: Where we are with BBS and a tr… Christopher Wood
- [Privacy-pass] Re: Where we are with BBS and a tr… Kosei Akama