Re: [Taler] [address@hidden: 'Oh, that's an idea...': U.S. parents respond to China screen time ban]

[Jeff Burdges]

Yes, blind signatures would work for this, as would privacy pass’ OPRFs, but 
imho blind signatures and OPRFs are kinda a blunt instrument here.


As Jacob says, attributes always create ethical problems in anonymous 
authentication.  The W3C’s DID and VC schemes expressly wants end users to 
prove things like education, employment status, residency, age, etc.  It’s 
immediately clear this’ll be abused, say by employers wanting job applicants 
only from currently employed people.  Also too many attributes deanonymize 
users.

We should always encourage websites to not require any authentication for this 
reason, but..  It’s less bad when attributes “cost” the site requesting 
authentication. In this case, you simply have tokens for usage outside 
children’s hour, but permit usage by anyone during children’s hour.  There is 
no special feature that tells you the user’s age, just a bit seen by whether 
authentication works.  The site pays the "cost” of requesting user information 
that anyone who does not fit their exact profile gets rejected outright.  


Anonymous authentication has a “context” like a DNS name if a website wants 
want a stable identity, or maybe a DNS name and a date if the website wants 
people to have a fresh start every day, or kinda the purchase in some Taler use 
cases.  In Taler, only the user controls the “context”, meaning say they could 
buy the same article twice and read in twice pretending to be two different 
people.  There are many cases where you want the service to enforce the 
“context”, so that they know each user is unique and can ban miss-behaving 
users.  

Anonymous authentications via ring VRFs permits the developer to specify exact 
control over this “context”, so like every users gets a different identity in 
each chat room and on each day or whatever.  Although a downside is its a bit 
easier to add attributes besides ring membership.

We’re working on a paper that does ring VRFs with almost arbitrary ring 
structure with a groth16 proof of amortized 760ish constraints, and closer to 
300-400 looks likely, and maybe faster via Bootle-style proofs, aka 
bulletproofs.  Ain't the most DDoS resistant protocol, given the three Miller 
loops and final exponentiation from the pairings, but acceptable risk if you’ve 
some resources, and fast enough even smartphone users should not notice the 
delay.

In fact, group VRFs would be even faster here, just like group signatures are 
always much faster than ring signatures, but I only know group VRFs that admit 
another deanonymization channel by the issuer.


Anyways, there is no returning to the exchange/mint for tokens in with a ring 
VRF, although maybe ring specifications like Merkle root change ocasionally, 
requiring a heavier groth16 snark.  Instead, the ring VRF simply churns out 
fresh identities in whatever context gets requested. 

There is however a problem of authenticating the context, but what I’d suggest 
there is that TLS certificates embed whatever attributes like age the site 
requests. In other words, if a site wants over 18 then they must say so in 
their TLS certificate and users not over 18 could not create anonymous identity 
on that site because their own browser would not do so.  

Best,
Jeff




> On 4 Sep 2021, at 05:36, Richard Stallman <rms@gnu.org> wrote:
> 
> China's new rules for game servers, which limit use by minors to a
> certain amount of time on certain days of te week, are based on
> identifying all users to find out which ones are minors.
> 
> If this could be done by a special adults-only Taler coin, it could be
> implemented without identifying users.