-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Availability of OPRF? #26
Comments
Hi,
No.
If this is the exact requirement, then You can combine (that was our intention) this construction with schemes like BBS+ to get anonymous credentials with attributes where the BBS+ credential has other user attributes and the issuer, in addition to BBS+ signature, gives a SyRA signature. You said threshold OPRF. Which part of would you want to thresholdize, |
Hi, thx for the reply, will definitely have a look at SyRA. Threshold OPRF because of the following. (Also wanted to ask whether this is a problem with respect to SyRA.) So in my setting, the user id Does that make sense? |
Had a look at SyRA. This looks very promising for my use case. One differentiation though, I think, is that in SyRA the issuer plays a central role. If I understand correctly, credentials issued by different issuers cannot be mixed. For example, I could not allow voters who received their credential from different issuers, to vote on the same poll. Is my understanding correct? |
This is achieved by SyRA.
I should have mentioned before but when using SyRA as (O)PRF,
You mean if a single voter got multiple credentials, one from each issuer, then correct. Their pseudonyms (or PRF output) on same |
Read further into the paper. Another noticeable difference: In SyRA, the user private key is chosen by the issuer. Hence, if the issuer is compromised, it could generate signatures on behalf of the user. In my imagined design, the user secret key is chosen by the user and not revealed to anyone. Generating a pseudonym is a separate step. Compromising the pseudonym issuer would only compromise anonymity, but not allow voting on behalf of the user. I'll write up a few more details below on what I have in mind. (Note that I have not been able to come up with a concrete and efficient realization of the protocol so far, but I think it's theoretically possible.) |
Target application: anonymous voting Step 1: U proves identity and obtains credential from CI Step 2: U obtains poll id from PO Step 3: U publishes vote on B
U publishes |
Correct, it hasn't been. But I discussed with one of the SyRA authors to add it but the implementation is going to be different than the one in the paper.
Do you assume CI can't be malicious, i.e. issue
Before PO generates
Finally, I need to look more into the OPRF with desired property. Will get back to you on this. |
I found an OPRF with committed inputs in this paper which allows oblivious evaluation of DY PRF on a committed input. Its described in steps 1 and 2 of the protocol in Fig 4 of the paper. Also in practice, PO might organize several polls, each with a new poll id and its permission to U to vote, which you call |
Nice to hear. Looking forward to that. Mind outlining what's the differences?
I now realize that there is a strong trust assumption on my CI as well. (I've created the design a while ago, so have to remind myself of the details...) My use case idea revolves around usage of the active authentication feature of digital passports. Basically, the goal is to turn a regular passport into a versatile digital credential. And the CI's job is to create that binding. Obviously, if the CI is not trustworthy, it could just issue credentials for any identity of its choice. Ideally, the CI is therefore also thresholdized or running in a TEE. Nevertheless, I wanted to ensure that the CI does not learn user secrets in any case. User secret keys of honest users should never leave the user device.
You are right. I missed that point. Otherwise, anyone could check whether
You are right. Technically |
Thanks for digging out that paper. It looks like an interesting approach.
The way I imagined it is that the PO uses a different OPRF key for each poll. This way, the pseudonyms are automatically scoped. The corresponding verification key can be considered as the unique global poll id. |
Overall, I need to reevaluate my design in comparison to SyRA, which I haven't been aware of. There seem to be the following core differences:
Because the |
It will be based on OT based multiplication, likely this one since we already do that for threshold BBS+ and SyRA signature has similar structure.
It doesn't matter that the CI learns the credential since the any usage of
This works in a very simple deployment where the verification key can just be published on bulletin board (BB).
By user secret, you mean
That would be true for SyRA as well if there are multiple CIs and they issue without checking if others issued as well. |
Perhaps I don't fully understand your proposed construction. What signature are you referring to here? I was assuming it is the signature created by the CI? For generating vote signatures, the user certainly needs to hold some secret. What is that secret comprised of in your proposal?
I agree the setup is a bit more complex because there is a corresponding secret PO key. For the public key, I think of it similar as a context string. I wouldn't think it needs to be particularly more costly to publish it in comparison to publishing a context string when using SyRA?
By user secret, i refer to usk in the paper. The user secret key.
No. The CI should not know how the user voted. In the OPRF approach this is ensured because the OPRF outputs look random to anybody not knowing the OPRF key. The main purpose of the CI is to certify the real user id and tie it to some secret so that later things can be signed / authenticated in relation to that id.
The poll organizer (PO) would be mandatory. It can be thought of as the party / committee hosting the poll.
I meant that the other way around. In SyRA, one cannot check whether two pseudonyms from different CIs belong to the same real world user. With the OPRF approach, the (with high probability) 1-to-1 mapping between real identity and pseudonym holds across CIs. |
I was referring to the SyRA signature (what SyRA calls user secret key) and optionally BBS signature (when you have other attributes besides
The above 2 signatures.
SyRA public keys are certainly bigger than a context string but depending on your exact workflow it might not matter.
Got it.
And its acceptable for CI to play that role as well (when using SyRA)?
I meant the same thing about SyRA. All CIs have to keep a shared state of user ids they have issued to.
Because there is only 1 PO? I think we CI was a threshold type role, above problems are solved as there is only a single secret key and no single CI learns which user-id requested? Does the user need to prove something to CI before getting a credential? |
I think it might work as well. The setup would change a bit. Like every application using the anonymous voting service would have to run their own CI (instead of their own PO). The downside is that real user identification is then at the application level, and users have to trust the application that they verify theirs users correctly.
Hm, why do CI's have to keep track of their users? I thought the SyRA CI is stateless? When I receive usk1 from CI1, and usk2, and generate sig1 and sig2, respectively, there is no way to check whether sig1 and sig2 belong to the same real user (i.e., are a duplicate vote)?
I meant per PO / poll. The point is that it doesn't matter if I use cred1 from CI1 or cred2 from CI2. The resulting pid (w.r.t. to a given poll) will be the same.
User should prove his real identity to the CI (e.g., using the passport's Active Authentication protocol), so that the CI can create a digital, verifiable credential for it. |
Not sure if I'm getting it. Are you suggesting to combine my approach with SyRA? In any case, thanks a lot for your plenty comments so far. Appreciate it a lot! |
Can the POs trust the CI to issue "valid" credentials?
Ok. That's what i was looking for.
Yes but only if needed. I explained above.
Thank you. Its been a very helpful discussion. Thanks for introducing me to OPRFs :)
Sure. |
Hi @matthiasgeihs . Sorry but I forgot to share that the threshold SyRA implementation has been added here. |
@lovesh Very cool, thx for letting me know. Had other priorities in the meantime, but this motivates me to pick this up again 👍 |
@matthiasgeihs Please check this. Here a share of the message ( |
OPRFs can be useful primitives in privacy-preserving protocols.
Does this library contain any OPRF implementations? If not, are there plans to include some in the future?
In particular, I'm looking for a verifiable threshold OPRF with committed inputs that can be composed with other primitives. For example, I'd like to be able to prove that for a given value
pid
, I posses a credential for a valueid
(i.e., a signaturesig = SIGN(id)
from a credential issuer) and thatOPRF(id) = pid
, without revealingid
.The text was updated successfully, but these errors were encountered: