Re: [Secdispatch] The BBS Signature Scheme

Eric Rescorla <ekr@rtfm.com> Sat, 21 May 2022 02:06 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 20 May 2022 19:06:12 -0700
Message-ID: <CABcZeBN2Js_JG2XMYxQq-fPfiUZH90C+WSmy=5Ngita9xwvugw@mail.gmail.com>
To: Tobias Looker <tobias.looker=40mattr.global@dmarc.ietf.org>
Cc: "secdispatch@ietf.org" <secdispatch@ietf.org>, Vasileios Kalos <vasilis.kalos@mattr.global>, Mike Jones <Michael.Jones@microsoft.com>, Mike Lodder <redmike7@gmail.com>, Paul Wouters <paul.wouters@aiven.io>, "rdd@cert.org" <rdd@cert.org>, "cywolf@gmail.com" <cywolf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/avOD2JbkD45tXIid4Jfk56hA030>

This should definitely go to CFRG.

I think it might be useful to present in SAAG (not SECDISPATCH) so people
are aware that a primitive like this exists and could use it in their
protocols. I would focus on those functions not the math, which, as before,
belongs in CFRG.

-Ekr



On Fri, May 20, 2022 at 5:13 PM Tobias Looker <tobias.looker=40mattr.global@dmarc.ietf.org> wrote:

> Hi All,
>
> The editors, WG members of the Applied Cryptography WG
> <https://identity.foundation/working-groups/crypto.html> at the
> Decentralized Identity Foundation (DIF) and I would like to discuss the
> following draft during the SecDispatch session at IETF 114. One possibility
> is for this to be considered as a work item for the CFRG, since it pertains
> to cryptography and there are already multiple drafts related to it located
> here, including Pairing Friendly Curves
> <https://www.ietf.org/archive/id/draft-irtf-cfrg-pairing-friendly-curves-10.html>
>  and BLS Signatures
> <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-04>.
> Security AD Roman Danyliw had suggested that we present this work to
> SecDispatch.
>
> Draft: https://identity.foundation/bbs-signature/draft-bbs-signatures.html
>
> Repository: https://github.com/decentralized-identity/bbs-signature
>
> Below is a brief blurb extracted from the introduction of the draft that
> introduces the work's purpose.
>
> ---
>
> A digital signature scheme is a fundamental cryptographic primitive that
> is used to provide data integrity and verifiable authenticity in various
> protocols. The core premise of digital signature technology is built upon
> asymmetric cryptography whereby the possessor of a private key is able to
> sign a message, and where anyone in possession of the public key
> corresponding to the private key is able to verify the signature.
>
> The BBS signature scheme, deriving its name from the original authors of
> the underlying academic works, Dan Boneh, Xavier Boyen and Hovav Shacham,
> provides multiple additional unique properties; three key ones are:
>
> **Selective Disclosure** - The scheme allows a signer (issuer) to sign
> multiple messages and produce a single -constant size- output signature. An
> intermediary (prover) then possessing the messages and the signature can
> generate a proof whereby they can choose which messages to disclose, while
> leaking no information about the undisclosed messages. The proof itself
> guarantees the integrity and authenticity of the disclosed messages (e.g.
> that they were originally signed by the issuer).
>
> **Unlinkable Proof Presentations** - The proofs generated by the scheme
> are known as zero-knowledge, proofs-of-knowledge of the signature, meaning
> a verifying party in receipt of a proof is unable to determine which
> signature was used to generate the proof, removing a common source of
> correlation. In general each proof generated is indistinguishable from
> random even for two proofs generated from the same signature.
>
> **Proof of Possession** - The proofs generated by the scheme prove to a
> verifier that the party who generated the proof (prover) was in possession
> of a signature without revealing it. The scheme also supports binding a
> presentation header to the generated proof. The presentation header can
> include arbitrary information such as a cryptographic nonce, an
> audience/domain identifier to ensure the generated proof can only be used
> appropriately, including providing a way for a verifier to detect a replay
> attack.
>
> ---
>
> There are numerous applications for BBS signatures due to these unique
> properties, some of which are starting to be elaborated on here
> <https://identity.foundation/bbs-signature/draft-bbs-signatures.html#name-usecases>.
>
> This work is also related to the JWP BoF session requested for IETF 114
> <https://datatracker.ietf.org/doc/bofreq-miller-json-web-proofs/>, which
> is a JSON-based cryptographic representation format extending the JOSE
> family of standards designed to support schemes like BBS signatures.
>
> Thanks,
>
> *Tobias Looker*
>
> MATTR
> CTO
>
> +64 (0) 27 378 0461
> tobias.looker@mattr.global