[Privacy-pass] Re: Where we are with BBS and a true rate limiting alternative

Kosei Akama <akama@keio.jp> Mon, 01 July 2024 00:02 UTC

Return-Path: <akama@keio.jp>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FE9AC14F70B for <privacy-pass@ietfa.amsl.com>; Sun, 30 Jun 2024 17:02:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=keio.jp
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WNfXb826asVX for <privacy-pass@ietfa.amsl.com>; Sun, 30 Jun 2024 17:02:43 -0700 (PDT)
Received: from mailgate3-1.keio.jp (mailgate3-1.keio.jp [131.113.132.10]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C06FC14F703 for <privacy-pass@ietf.org>; Sun, 30 Jun 2024 17:02:42 -0700 (PDT)
Received: from mail-pg1-f199.google.com (mail-pg1-f199.google.com [209.85.215.199]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mailgate3-1.keio.jp (Postfix) with ESMTPS id 4WC5p55MQKzLp4T for <privacy-pass@ietf.org>; Mon, 1 Jul 2024 09:02:37 +0900 (JST) (envelope-from akama@keio.jp)
Authentication-Results: mailgate3-1.keio.jp; dkim=pass header.d=keio.jp header.s=google header.b=VfSyuBW9; spf=pass (mailgate3-1.keio.jp: domain of akama@keio.jp designates 209.85.215.199 as permitted sender) smtp.mailfrom=akama@keio.jp; dmarc=pass (policy=none) header.from=keio.jp
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailgate3-1.keio.jp; s=202310; t=1719792158; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=Vo7LzUFEXWNpOco7+wH0E0bKCrmhlW5LpBEDgtA5UzI=; b=MAX5QOQIejaWMEkex3KlepHszkzZY5vp2PE4mSpRY4Lwh9kbPJztJlAF3A+JNymn3hgzaj 0wz2gffg2HknRKAClyt59ZCggWRiy/6r/2CWQ96VoJtOwKgmUdR5uyot/tkhxvDu226cR2 m47A3XzZwlfY4/GzKDIUt2rjawxW7Ny/QsXg0lM1ztQNqp5evOHRpXZ+eJaRjC+HfIpqM1 c+nF+Ndz/Se0bbuXyIXZyfU6QG5kUNpUMeeHKOysNjKT9TqusrLJNiV+YjLyEWYp+sBkRx Fp78sCAe0+403sz71UQ85V4XVP/lznKAX//jvbZruZ8A7fauPMXsb6Yf4YiVnw==
ARC-Authentication-Results: i=1; mailgate3-1.keio.jp; dkim=pass header.d=keio.jp header.s=google header.b=VfSyuBW9; spf=pass (mailgate3-1.keio.jp: domain of akama@keio.jp designates 209.85.215.199 as permitted sender) smtp.mailfrom=akama@keio.jp; dmarc=pass (policy=none) header.from=keio.jp
ARC-Seal: i=1; s=202310; d=mailgate3-1.keio.jp; t=1719792158; a=rsa-sha256; cv=none; b=MEnDB9+51bRPc3S0vpurGvDzWCOJKHupjGf8kkwF1Bz3hEXPlDmYPBOFc2cAUXvV81XhoY zt+fjz6omb0wChxMz+Nb1lMuPcXXOn56Wk2GubTuK6OVZ1s5ECXG6/pldGPYiNKXqFaIKj HI9QdgZ/gPeRgwgdl2W8KPpba5AWYdgu6a1t3/0RUEGNmDuvBklcuwnBCFxVQhKIECCf5C cFSGdNNBO7QMWoPngHqVQPTjySaIbtaTz5aQoHZdXxCOl6YZc7j4Sfe1du6o63xcSi+r3G hSgbvQfNWLSu2XW7kN6/Ml6huq34Eq6XB7g/m7rc2idMxHbIpDtB/lsiSIxGsg==
Received: by mail-pg1-f199.google.com with SMTP id 41be03b00d2f7-71bce629b2fso2240300a12.1 for <privacy-pass@ietf.org>; Sun, 30 Jun 2024 17:02:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=keio.jp; s=google; t=1719792156; x=1720396956; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Vo7LzUFEXWNpOco7+wH0E0bKCrmhlW5LpBEDgtA5UzI=; b=VfSyuBW9kAaUdZ3aLO/2qSIffEHpPv90J4Aejzyt15OMUV/PaWQUows84Ejb0F/eo4 c3SuUx7uoTtokZOVmhdivThbW0mw/id4JEAYng0zDoRFAKTNE/19oJ5MX3MrZu+E53YX cFSKncex9cdBrqthb3NdqCXPstkV62SSeDH8cEDTuSwWi6lAY0Aq1OzBF3tPsB4WUFdZ BnHGo4JOBh+t4Wo+JcJPB756nqFJsMBuhP03v9noDCl3/ZSKou35ta5BQReLfzbweAz5 wOdYfKGIOQQPnaW7DdPmJUXBCwYoeJkBneiM6QiFJZ/DUpZt8xBkg0UmktOjbHOFnPdS lV3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719792156; x=1720396956; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Vo7LzUFEXWNpOco7+wH0E0bKCrmhlW5LpBEDgtA5UzI=; b=rVcizRXhEgVEKBN5TrQUOQMo1xgq0q/Hz8WbQIxC8qkpa5N6cp4K6EUU/5IWlu3sIk Ky6PjaaJPTPN3sfgmwhn2k8w97OxlPfo//mJqI5H4klawEP7FlvRPjST4fAnRbRDdWdk cOnGuRLnldeWr+1EbwKVU4Aj4HU2JBbTACDtB/hQ4U7nle1UDrzzSivH/nxzzLmTz82U zZalKgq1qkRwv5msGtNyYuDrbmVa9QxuS6UYAM6dztWUMCr6an6+tYLyADT5fYN1PGz8 zpE+JRIFSNeBjuhwnlc23FijDu+NbeAup8WQJ7MEaLcmxPr8ohypw4HAPX1emIrWr3pu 5m9g==
X-Gm-Message-State: AOJu0YxozFNfnGNkZb5GL5ffwlEksvwbkwjCCUs9aLNgCTakbfkcSJ5g TQtnvQIzvDpBemDpRirWcC39a18/j8xgU7sMFeGO87wM67j9FU1VTzhlJoJ0pd1iGwLl9UIa/A4 fgoUMjZ9BN+MO189twwm2sGx7BRZ5HUMUL2e0Yk/nJ3k1F/Q6SG2+MBwOsqXTRsMRWhL2VMw33f Z5rr7OoliDBbYMuJ8YP8hu0QkzhC7FFeucfMo=
X-Received: by 2002:a05:6a21:329f:b0:1be:fccc:a162 with SMTP id adf61e73a8af0-1befccca6eamr5470034637.61.1719792156273; Sun, 30 Jun 2024 17:02:36 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IGj8nBydBRxyaNK+MjwSwgxfZOCXwxzsgljPn2NI2EOF+drSiVHjpUse6WMllvtstTfe1ECcDt0rCsDteJlgAQ=
X-Received: by 2002:a05:6a21:329f:b0:1be:fccc:a162 with SMTP id adf61e73a8af0-1befccca6eamr5470000637.61.1719792155585; Sun, 30 Jun 2024 17:02:35 -0700 (PDT)
MIME-Version: 1.0
References: <CANqGDH56KgcU-vZ2thOJqy8AzG7bGGSCpPfFSeFMOg0cSU6K_g@mail.gmail.com>
In-Reply-To: <CANqGDH56KgcU-vZ2thOJqy8AzG7bGGSCpPfFSeFMOg0cSU6K_g@mail.gmail.com>
From: Kosei Akama <akama@keio.jp>
Date: Mon, 01 Jul 2024 09:02:24 +0900
Message-ID: <CANqGDH5qGZ+AmwWFFabS-u7ib7QH0qCh83=oC-pNR8Yrj50KKw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000008583ee061c245080"
Message-ID-Hash: 5V6PPWK33P75VNAIGY3OQ5ZC75Q3JWSE
X-Message-ID-Hash: 5V6PPWK33P75VNAIGY3OQ5ZC75Q3JWSE
X-MailFrom: akama@keio.jp
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: privacy-pass@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Privacy-pass] Re: Where we are with BBS and a true rate limiting alternative
List-Id: Privacy Pass Protocol <privacy-pass.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/gmFUyUmjSAuiDR810YHeDTAt2QQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Owner: <mailto:privacy-pass-owner@ietf.org>
List-Post: <mailto:privacy-pass@ietf.org>
List-Subscribe: <mailto:privacy-pass-join@ietf.org>
List-Unsubscribe: <mailto:privacy-pass-leave@ietf.org>

Dear Mr. Watson,

Hello, I am sending this email to follow up.

Do you have any plans to discuss this?
It might be a better alternative to BBS proof for rate-limiting.

If it is not sufficient, could you tell me your concern?

Best regards,


/**
  * Kosei Akama
  * @email akama@keio.jp
  * @tel 070-4465-3525
  * @twitter _akakou
  **/

On Thu, Jun 27, 2024, 10:55 AM Kosei Akama <akama@keio.jp> wrote:

> Dear Watson,
>
>
> Hello! I am Kosei Akama,
>
> a master course student at Keio University.
>
>
> This discussion is very interesting and important,
>
> and I would like to share an idea that may help.
>
>
> The following proof might be sufficient for rate-limiting:
>
> SPK{(x): K = H(origin || t)^x}
>
> where:
>
> - x is the prover's secret key,
>
> - origin is the verifier's identifier,
>
> - t is the time window,
>
> - H is the hash function.
>
> - || is concatenation
>
>
> In this scheme, the verifier can check if the prover has not sent proof in
> the same time window. Specifically, if the prover generates K in the same
> window t again, the K will be the same as the previous one; thus, the
> verifier can recognize them. This is because K is computed
> deterministically from t (and x).
>
>
> This proof is simple and efficient because it is constructed from one
> Schnorr proof.
>
>
>
> References:
>
>    -
>    https://www.ndss-symposium.org/ndss-paper/scrappy-secure-rate-assuring-protocol-with-privacy/
>    (base paper)
>    -
>    https://speakerdeck.com/akakou/scrappy-secure-rate-assuring-protocol-with-privacy
>    (slide)
>
>
> Thank you so much for reading this email.
>
> Please do not hesitate to ask me if you have any questions.
>
>
> Best regard.
>
>
>
> /**
>   * Kosei Akama
>   * @email akama@keio.jp
>   * @twitter _akakou
>   **/
>
>
> 2024年6月27日(木) 8:30 <privacy-pass-request@ietf.org>:
>
>> Send Privacy-pass mailing list submissions to
>>         privacy-pass@ietf.org
>>
>> To subscribe or unsubscribe via email, send a message with subject or
>> body 'help' to
>>         privacy-pass-request@ietf.org
>>
>> You can reach the person managing the list at
>>         privacy-pass-owner@ietf.org
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of Privacy-pass digest..."Today's Topics:
>>
>>    1. Re: Where we are with BBS and a true rate limiting alternative
>>       (Watson Ladd)
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Watson Ladd <watsonbladd@gmail.com>
>> To: Christopher Wood <caw@heapingbits.net>
>> Cc: privacy-pass@ietf.org
>> Bcc:
>> Date: Wed, 26 Jun 2024 16:29:30 -0700
>> Subject: [Privacy-pass] Re: Where we are with BBS and a true rate
>> limiting alternative
>>
>>
>>
>> On Wed, Jun 26, 2024 at 3:40 PM Christopher Wood <caw@heapingbits.net>
>> wrote:
>>
>>>
>>> On Jun 26, 2024, at 5:11 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
>>>
>>> On Wed, Jun 26, 2024 at 12:27 PM Christopher Wood <caw@heapingbits.net>
>>> wrote:
>>>
>>>
>>> Hi Watson,
>>>
>>> Thanks for writing this up! Please see inline below.
>>>
>>> On Jun 25, 2024, at 6:48 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
>>>
>>> Dear privacy pass,
>>>
>>> Over the past few months a group of us have been discussing some of
>>> the desiderata for privacy pass, and trying to ensure we have a
>>> flexible, well-considered cryptographic foundation for deployments.
>>>
>>> Currently what we have is a number of extensions, but each extension
>>> has to be examined anew and they don't compose: if you want both
>>> public metadata and rate limiting, it takes a new document to make
>>> them work. Instead we can make sure that the single token format
>>> supports a bunch of features.
>>>
>>> Foundationally we use a blind issuing variant of BBS, where the user
>>> proves that they have asked for the right fields. Some can be hidden,
>>> and others revealed to the issuer, and then a different set shown to
>>> origins. In addition it's possible to do zero-knowledge proofs
>>> efficiently over equations for the secret values.
>>>
>>> For rate limiting one of the fields is a secret key x. On showing the
>>> user computes Y=(x+k)^{-1}H(origin), and proves with a range proof
>>> that k is small and transmits Y to the origin. There are some very
>>> short range proofs available. The origin blocks repeated use of Y.
>>> This has some big benefits: origins can set the rate limit without
>>> cooperation from the issuer. The issuer no longer needs to be split.
>>>
>>>
>>> Can you clarify what the origin requirements are for this to work? It
>>> seems like the origin would have to (1) verify the showing via a pairing
>>> computation, (2) verify the rate limit proof, (3) and then check for double
>>> spend of the Y value. Did I get that right? If so, what are you envisioning
>>> for range proofs? Bulletproof or something?
>>>
>>>
>>> That's morally correct, assuming the showing reveals a commitment to
>>> k. Bulletproofs would work as is for the range proof.
>>>
>>> To expand a little: a BBS showing is the demonstration of a
>>> rerandomized signed commitment, and then demonstrating the commitment
>>> opens in certain ways via a statement that's of the kind
>>> Camenish-Stadler discuss. Discussions of BBS often don't note this
>>> explicitly. This can be extended to show the equation between Y, k, x
>>> and H(g) holds as well, as it's another equation of the same type.
>>> Separately a Bulletproof can show the commitment to k is well formed
>>> and has the right range, but there's some subtlety about properly
>>> composing sigma protocols here.
>>>
>>> There's a slight complication in that currently the proofs of the
>>> properties we want out of tokens rely on straightline extractability
>>> for composition. For Bulletproofs this is not a problem, but it does
>>> increase cost of the BBS showing as I think Fischlin's transform is
>>> needed rather than Fiat-Shamir. Work in progress but I should get a
>>> prototype hopefully soon so we can all see it work.
>>>
>>>
>>> OK, thanks. How would you compare this work to what’s required for
>>> origins in Privacy Pass today? Do you see this as being easy to deploy?
>>>
>>
>> Properly bottled up it is: it would be similar (but more expensive:
>> somewhere between 0.5-2 milliseconds per request, although I haven't
>> implemented to get a solid number) to what origins need to do for privacy
>> pass today. Namely verify an opaque token and store an identifier they
>> throw out when seen again. One fact worth mentioning is that the origin has
>> an easier time enforcing and changing rate limits as its now a local
>> operation. The duration of the token issuance keys has to be longer, but
>> that was I think always the case.
>>
>>
>>>
>>> The origin could also use a nym by having k=0 and using Y as a user
>>> identifier.
>>>
>>> We also have a way to do issuer blindness where the origin learns only
>>> that an issuer they trust issued the credential. This resolves a
>>> number of the challenges for the web environment of existing
>>> solutions.
>>>
>>>
>>> This feels incompatible with the current HTTP authentication scheme,
>>> where the origin explicitly asks for a token (or showing) from a specific
>>> issuer. Are you envisioning a separate HTTP authentication scheme for this
>>> to work?
>>>
>>>
>>> This is geared more towards the Web platform enabled parts like
>>> Google's private state tokens.
>>>
>>>
>>> This is definitely a limitation of the other rate limiting proposal, so
>>> I’m glad to see this work being done.
>>>
>>> There the limitation is imposed that
>>> sites can only ask for two issuers. Unfortunately this creates an
>>> artificial winner take all dynamic. If we want an RFC 9577 compatible
>>> system, I think it's an entry creating a new token challenge
>>> structure. This part is very tentative for now.
>>>
>>>
>>> Thanks for clarifying. Out of curiosity, where does this two issuer
>>> limitation come into play?
>>>
>>
>> It's part of the Privacy Sandbox documentation. As I understand it the
>> two issuer limitation comes into play because if a site could probe for
>> every potential issuer it would learn a lot of information about a client.
>> To reduce this it learns just two bits by querying for two issuers.
>>
>>>
>>>
>>> We do need to write this all up, and there's significant modifications
>>> to CFRG drafts (or new ones) needed to make it all work, and there are
>>> some subtleties that lead to needing particular kinds of ZKP that
>>> complicate the efficency story somewhat. However, we're extremely
>>> optimistic that these are not showstopers and the time and space
>>> consumption is moderate enough to make it practical.
>>>
>>>
>>> Can you elaborate on what new cryptographic dependencies would be needed
>>> over type 2 or 3 tokens today, from the client and origin perspective?
>>> Moreover, are those dependencies standardized yet, or is that new work the
>>> CFRG would need to do?
>>>
>>>
>>> What is token type 3? I only see 1 and 2 in the registry. CFRG would
>>> need to do some new work, or modify the already existing BBS draft to
>>> fit.
>>>
>>>
>>> Type 3 is the rate limited version. I’m asking to quantify the work
>>> required because it seems like this is quite far from being ready. This is
>>> fine, but I wanted to get a sense for the amount of work required to make
>>> this alternative work.
>>>
>>
>> The new work is more flexible BBS+Bulletproofs. There is ongoing work in
>> zkproofs.org to do some of the flexibile proofs stuff, but who knows
>> when it will be ready. So a bunch of work needed to standardize, but the
>> difference from the existing BBS draft for Issuance is not much, the
>> difference is really a "toss in a statement here" for proving and that's
>> well understood just not standardized AFAIK. Then Bulletproofs I think a
>> lot of work has happened in the blockchain world to write text that
>> describes it enough for interop. But obviously still a big chunk of work to
>> get through the IETF.
>>
>> It is definitely far from ready, but it's definitely in the realm of
>> doable in a reasonable amount of time and effort.
>>
>>
>>> Best,
>>> Chris
>>>
>>
>> Sincerely,
>> Watson
>>
> /**
>   * 赤間 滉星
>   * @email akama@keio.jp
>   * @tel 070-4465-3525
>   * @twitter _akakou
>   **/
>