Re: [Secdispatch] The BBS Signature Scheme

Yoav Nir <ynir.ietf@gmail.com> Sat, 21 May 2022 20:17 UTC


If they had a draft with the title “Using BBS Signatures in TLS” then SecDispatch would be the place to ask which WG is the right one for that.

As it is, it’s just an algorithm, so it should go to CFRG with maybe a talk at SAAG.  I don’t see what SecDispatch has to dispatch.

And I thought the tictoc WG was supposed to produce the time machine.

> On 21 May 2022, at 18:54, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
> 
> SECDISPATCH is what I meant to write.
> 
> When is Elon getting us that edit button for email?
> 
> On Sat, May 21, 2022 at 9:58 AM Yoav Nir <ynir.ietf@gmail.com> wrote:
> SECDIR is just the people doing SECDIR reviews. If you want to ask of a certain primitive whether it would be useful for PKIX, TLS, IPsec, SSH or whatever other protocol IETF people are working on, the place where all these people meet is SAAG.
> 
> And also CFRG.
> 
> 
>> On 21 May 2022, at 5:54, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
>> 
>> I had the same thought except that CFRG is IRTF and so the question they are going to ask is whether anyone is interested in using the primitives. And that seems more SECDIR than SAAG.
>> 
>> They do have an application motivating some of this.
>> 
>> 
>> 
>> On Fri, May 20, 2022 at 10:07 PM Eric Rescorla <ekr@rtfm.com> wrote:
>> This should definitely go to CFRG.
>> 
>> I think it might be useful to present in SAAG (not SECDISPATCH) so people are aware that a primitive like this exists and could use it in their protocols. I would focus on those functions not the math, which, as before, belongs in CFRG.
>> 
>> -Ekr
>> 
>> 
>> 
>> On Fri, May 20, 2022 at 5:13 PM Tobias Looker <tobias.looker=40mattr.global@dmarc.ietf.org> wrote:
>> Hi All,
>> 
>> The editors, WG members of the Applied Cryptography WG <https://identity.foundation/working-groups/crypto.html> at the Decentralized Identity Foundation (DIF) and I would like to discuss the following draft during the SecDispatch session at IETF 114. One possibility is for this to be considered as a work item for the CFRG, since it pertains to cryptography and there are already multiple drafts related to it located here, including Pairing Friendly Curves <https://www.ietf.org/archive/id/draft-irtf-cfrg-pairing-friendly-curves-10.html> and BLS Signatures <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-04>. Security AD Roman Danyliw had suggested that we present this work to SecDispatch.
>> 
>> Draft: https://identity.foundation/bbs-signature/draft-bbs-signatures.html
>> Repository: https://github.com/decentralized-identity/bbs-signature
>> 
>> Below is a brief blurb extracted from the introduction of the draft that introduces the work's purpose.
>> 
>> ---
>> 
>> A digital signature scheme is a fundamental cryptographic primitive that is used to provide data integrity and verifiable authenticity in various protocols. The core premise of digital signature technology is built upon asymmetric cryptography whereby the possessor of a private key is able to sign a message, and where anyone in possession of the public key corresponding to the private key is able to verify the signature.
>> 
>> The BBS signature scheme, deriving its name from the original authors of the underlying academic works, Dan Boneh, Xavier Boyen and Hovav Shacham, provides multiple additional unique properties; three key ones are:
>> 
>> **Selective Disclosure** - The scheme allows a signer (issuer) to sign multiple messages and produce a single -constant size- output signature. An intermediary (prover) then possessing the messages and the signature can generate a proof whereby they can choose which messages to disclose, while leaking no-information about the un-disclosed messages. The proof itself guarantees the integrity and authenticity of the disclosed messages (e.g. that they were originally signed by the issuer).
>> 
>> **Unlinkable Proof Presentations** - The proofs generated by the scheme are known as zero-knowledge, proofs-of-knowledge of the signature, meaning a verifying party in receipt of a proof is unable to determine which signature was used to generate the proof, removing a common source of correlation. In general each proof generated is indistinguishable from random even for two proofs generated from the same signature.
>> 
>> **Proof of Possession** - The proofs generated by the scheme prove to a verifier that the party who generated the proof (prover) was in possession of a signature without revealing it. The scheme also supports binding a presentation header to the generated proof. The presentation header can include arbitrary information such as a cryptographic nonce, an audience/domain identifier to ensure the generated proof can only be used appropriately, including providing a way for a verifier to detect a replay attack.
>> 
>> ---
>> 
>> There are numerous applications for BBS signatures due to these unique properties, some of which are starting to be elaborated on here <https://identity.foundation/bbs-signature/draft-bbs-signatures.html#name-usecases>.
>> 
>> This work is also related to the JWP BoF session requested for IETF 114 <https://datatracker.ietf.org/doc/bofreq-miller-json-web-proofs/>, which is a JSON-based cryptographic representation format extending the JOSE family of standards designed to support schemes like BBS signatures.
>> 
>> Thanks,
>> Tobias Looker
>> MATTR
>> CTO
>> +64 (0) 27 378 0461
>> tobias.looker@mattr.global
>> 
>> _______________________________________________
>> Secdispatch mailing list
>> Secdispatch@ietf.org
>> https://www.ietf.org/mailman/listinfo/secdispatch
>