[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Taler] [CFRG] IACR ePrint "RSA Blind Signatures with Public Metadat
|
From: |
Jeff Burdges |
|
Subject: |
Re: [Taler] [CFRG] IACR ePrint "RSA Blind Signatures with Public Metadata" |
|
Date: |
Fri, 11 Aug 2023 10:42:59 +0200 |
There is an anonymity leakage when doing RSA blind signed payments with
different public keys for different denominations, what you call one key
for each public metadata. I think GNU Taler views this positively, in
that it prevents moving larger amounts non-anonymity, but many parties
view this negatively, like zcash, even if they cannot really move large
amounts anonymously either in practice.
Anyways, I'm dubious you've any anonymity left if your "universe of
public metadata is very large" (page 2), certainly if your VPN design
(GoogleOne?) requires spending multiple tokens in a linkable way.
It'd maybe be different for Tor where each new circuit should try being
really independent from the previous ones, and accesses only one site,
although even then traffic fingerprinting plus the a denomination or
metadata likely deanonymizes.
You pay a large CPU cost for doing metadata in the exponent like this,
vs say e=3, so you should closely evaluate using one key per metadata,
even if Google has no real interest in VPN users' anonymity.
In fact, you could enforce correct metadata using a cut & choose
protocol, vaguely like how GNU Taler enforces taxability, which then
permits using OPRFs like privacy pass. If your metadata is not too
sensitive, then this is going to be much less CPU and bandwidth than
anything else. This would not be strong enough if your metadata is
currency denominations in a payment scheme. Also OPRFs make key
management much worse.
Jeff
p.s. I'm afraid zero-knowledge proof people always pervert their
benchmarks with multi-threading (ugh!), so maybe I'm wrong about this
point, but..
Your verifier CPU time sounds only twice as fast as verifying similar
paring based schemes, but your signer CPU time sounds much higher.
There maybe a second verifier in a typical blind signed token scheme,
but not usually for a VPN one, and never more than two, ignoring
blockchains.
I'd therefore suspect pairing based schemes have less total CPU time,
although maybe your users pay this signer CPU time, maybe your verifiers
cannot have much CPU time available, etc. And maybe I'm just confused
by people doing multi-threaded benchmarks.
On Aug 11 2023, at 12:37 am, Ghous Amjad
<gamjad=40google.com@dmarc.ietf.org> wrote:
> Dear CFRG participants,
>
> Our paper titled "RSA Blind Signatures with Public Metadata" can now
> be found on ePrint (https://eprint.iacr.org/2023/1199)) which details
> our cryptographic assumptions and security proofs supporting
> the associated draft:
> https://datatracker.ietf.org/doc/draft-amjad-cfrg-partially-blind-rsa/01/.
>
> Please feel free to reach out to me or Kevin Yeo (CCed) if you have
> any questions or concerns regarding the paper.
>
> Best,
> Ghous Amjad
- Re: [Taler] [CFRG] IACR ePrint "RSA Blind Signatures with Public Metadata",
Jeff Burdges <=