Re: [Privacy-pass] External verifiability: a concrete proposal

Alex Davidson <adavidson@cloudflare.com> Fri, 10 July 2020 13:28 UTC

Cc: Ben Schwartz <bemasc@google.com>, privacy-pass@ietf.org
To: Watson Ladd <watsonbladd@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/upLDSvc823-rATM0oOA8xJg9Fz8>

Hi Watson,

Thanks for bringing this up, I like this idea.
I’m not familiar with the Boneh-Lynn-Shacham signature scheme, but it seems what you’re proposing is only a minor modification on the redemption procedure used in the core protocol design.

When it comes to alternative designs for public verifiability, the only things that come to my mind are to use a different blind signature scheme, or to try a more general anonymous credential scheme such as https://eprint.iacr.org/2001/019.pdf (or something more recent). However, I like the simplicity of what you’re proposing, and the similarity that it enjoys with the existing versions of the protocol.

I’d be interested in hearing more opinions on this topic.

Cheers,
Alex

> On 10 Jul 2020, at 00:17, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
> On Thu, Jul 9, 2020 at 6:36 PM Ben Schwartz <bemasc@google.com> wrote:
>> 
>> How would you verify double-spend protection?
> 
> In the applications I've heard of double spending at different places
> is fine, double spending at the same place is not.
> 
>> 
>> On Thu, Jul 9, 2020 at 5:46 PM Watson Ladd <watsonbladd@gmail.com> wrote:
>>> 
>>> Dear WG members,
>>> 
>>> Recently I heard of some interesting applications of privacy pass
>>> where external verifiability would be essential. These applications
>>> were ones where a central server was issuing tokens that various
>>> others could use.
>>> 
>>> My concrete proposal is blind Boneh-Lynn-Shacham signatures.
>>> Concretely we use G1, G2, GT a type III pairing, and have the key of
>>> the issuer be kg_2. As in vanilla privacy pass the tokens are kH(x)
>>> where x is a string and H is a hash function into G_1. However to
>>> verify a token (y, x) one verifies the pairing equations e(y,
>>> g_2)=e(H(x), kg_2). One could use the BLS12-381 parameter set for
>>> this.
>>> 
>>> Sincerely,
>>> Watson Ladd
>>> 
>>> --
>>> Privacy-pass mailing list
>>> Privacy-pass@ietf.org
>>> https://www.ietf.org/mailman/listinfo/privacy-pass
> 
> 
> 
> --
> "Man is born free, but everywhere he is in chains".
> --Rousseau.
> 
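The token flow proposed in this thread, as an added example that is not part of the original messages or of any Privacy Pass implementation. It assumes multiplicative blinding as in the existing protocol and replaces BLS12-381 with a toy bilinear map (elements stored as scalars, so discrete logs are trivial and nothing here is secure); Q, hash_to_g1, Issuer, Verifier and client_obtain_token are names made up for the illustration.

```python
import hashlib
import secrets

# Toy bilinear group (assumption for illustration): the element a*g is stored
# as the scalar a mod Q, and e(a*g1, b*g2) = a*b mod Q. The map is bilinear,
# but discrete logs are trivial, so this shows the algebra only.
Q = 2**255 - 19   # a prime standing in for the group order (constructed choice)
G2 = 1            # generator g_2 in the toy encoding

def pairing(p1: int, p2: int) -> int:
    return (p1 * p2) % Q

def hash_to_g1(x: bytes) -> int:
    # Stand-in for H: strings -> G_1; never returns the identity (0).
    return int.from_bytes(hashlib.sha512(x).digest(), "big") % (Q - 1) + 1

class Issuer:
    def __init__(self):
        self._k = secrets.randbelow(Q - 1) + 1    # secret key k
        self.public_key = (self._k * G2) % Q      # k*g_2, given to verifiers

    def sign_blinded(self, blinded: int) -> int:
        return (self._k * blinded) % Q            # k*(r*H(x)); x stays hidden

def client_obtain_token(issuer: Issuer, x: bytes):
    r = secrets.randbelow(Q - 1) + 1              # blinding factor
    blinded = (r * hash_to_g1(x)) % Q             # issuer sees only r*H(x)
    y = (pow(r, -1, Q) * issuer.sign_blinded(blinded)) % Q  # unblind to k*H(x)
    return (y, x)

class Verifier:
    """Holds only the issuer's public key and its own record of spent tokens."""
    def __init__(self, issuer_public_key: int):
        self.pk = issuer_public_key
        self.seen = set()

    def redeem(self, token) -> bool:
        y, x = token
        # The pairing equation from the proposal: e(y, g_2) == e(H(x), k*g_2)
        if pairing(y, G2) != pairing(hash_to_g1(x), self.pk):
            return False
        if x in self.seen:                        # double spend at this verifier
            return False
        self.seen.add(x)
        return True
```

Because each Verifier keeps its own seen set, the same token is accepted once at every verifier, which is the double-spend behaviour described in the reply to Ben Schwartz.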