-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Named message generators #68
Comments
In particular - this could be made into an issuer-specific (public key-specific) generator, potentially alleviating security concerns with the other generators being universal. |
@andrewwhitehead I really like the thinking here I agree there are many applications of generators within BBS signatures for special purposes. IMO in order to keep the core draft simple I think we leave operations that involve using generators with a contract like proposed in #64, put simply the core draft should not be aware of any specific application of a particular generator. Instead we can profile on top of the core draft a "bound" variant of the BBS signature scheme that defines the generator used for cryptographic holder binding and the likes |
+1. This is definitely very usefully. An issue IMO is how we define those special purpose generators. Would the generators used for blind signatures be considered "special purpose" in that case?? If yes this would be more complicated than just defining specific use and identifiers for 5-10 generators. Finally, shouldn't we also try to define the "special" messages corresponding to those "special" generators?? One way could be:
The generators used for blinding will not be considered "special", which avoids many complexities. @andrewwhitehead is this what you had in mind?? |
The difficult complexity arises when we want to start tracking the allocation of ordinary message generators in certain contexts for special purposes, my inclination is to instead keep these seperate. For instance we dont want a situation to arise where a prover tries to fool a verifier into saying here is a proof from a "bound" BBS signature where the first message is un-revealed but because that generator is used in the same way as "non bound" BBS signatures some other mechanism would have to be used by the verifier to disambiguate that they are truely looking at a proof generated from a "bound" BBS signature. |
The counter problem this creates is because the number of message generators is effectively un-bounded how do we ensure when we select "special generators" that they do not collide with message generators? |
This complexity gets even hard to solve for if we want to support arbitrary blind message signing but also maintain conceptually different generators (e.g a set of message generators and a set of blind message generators) |
I probably shouldn't include the
I think I agree with this.
Also makes sense.
At the moment I think it would be best to define the general concept of 'extension generators' and how to create them independent of the curve being used (ie. hash a URI to a group element, perhaps), in the core draft. Then extensions to the BBS draft can simply say something like "define the credential index generator as an extension generator with URI http://...". Depending on uptake the implementations might cache certain generators that are frequently used. I don't think we need to add any specific instances of these generators to the core draft currently. Naming-wise we could also distinguish between 'ordered' and 'unordered' generators. |
We just need to select them randomly or based on a hash. The chance of collision is on the same order as with selecting a secret key, I believe.
I'm not really sure what you're getting at here, the generators are the same in any case. It seems reasonable that the issuer will only accept commitments for certain known message generators depending on the protocol being executed. Incidentally parties should never be sending message generators themselves, they should only be referred to or known implicitly. |
Ah ok, I think I understand better now. Thanks you! So the concept is to define an alternative way of creating generators, something like Two things worry me though.
IMO if the definition of special generators does not raise complexity too much, it can be useful including it to the spec but only as a point that other profiles and specs can expand upon and we should make it clear that this is the case, i.e., that applications must not define their own special generators. |
For blind signatures, I think there is benefit in allowing the use of any arbitrary generator, to support use cases like in issue #29 (and more specifically here) where a “message” generator for one signature could become a “commitment” generator for another.
Definitely. We must document that in the spec. |
Technically any message generator can be used in a commitment. I'm just saying that from a business logic and security perspective the issuer should only be issuing blinded signatures in specific use cases, and the holder will basically be told what form the commitment should take. In fact all the cases I can think of work better with named generators than with positional ones, because they can better restrict the interpretation of the message – for example, as a linked secret, instead of just 'message 1'. |
Right. So i guess the question i have (although this may be better discussed separately) is will the blind signatures extension define specific generator URIs to be used, i.e., only named generators, which may not allow the above use case but increase simplicity and security or will blind signatures be able to use any generator increasing flexibility, and leave the exact definition of the named generator URIs to another spec (like a profile or a registry)?? Regardless I think the concept of the "special" named generators is worth documenting in the spec. I do agree that many use cases will benefit from it. As i said applications should not define their own named generators but technically an Issuer could, as long as the verifier can validate that those named generators are as defined from the issuer. I would prefer to just say that only other specs can define URIs for named generators though (maybe even an IANA registry??). This also has the advantage that those specs can define the necessary DSTs. |
I don't think the blind signatures extension needs to refer to any specific generators except Agree that applications should not be defining their own named generators (or whatever we call them), I think it's more of an ecosystem-level concept, and it makes sense to me to have a registry for them. I'm not sure what kind of DST is required, maybe it should just be the BBS signature scheme identifier as with the current generators? |
Currently, I don't think any special mechanism for 'named' generator creation needs to be defined, as we can define everything in terms of
|
As a further update following #70, it looks like there is no avoiding If we do decide to replace |
Even if we decide to change |
Closing as I believe this is allowed by the current spec, and the implementation becomes an application concern. |
I'm finding that it would be beneficial to define generators more generally, instead of just having
H_0
for blind signatures andH_1 ... H_n
for indexed messages. Extensions to the BBS signature scheme may want to reserve one or more message indexes for particular purposes (wallet binding, revocation, etc), but this leads to conflict when multiple extensions are used at once. You would likely need to define a new signature scheme for every supported combination in order to specify what message indexes are used for what purpose.Instead, I believe we can define special-purpose message generators which have unique identifiers rather than indexes. You can also think of these as 'unordered' generators, with standard usage that is consistently defined across various credential schemas. A few potential uses that I've identified:
We could also reformulate a couple things in these terms:
H_0
becomes the 'blinded signature' or 'commitment' generatorP1
could be replaced by a 'base point' generator - freeing it up to be used as a holder binding generator as in Holder Binding #37 (NB. in this case the associated message would always be1
)These generators might be defined either specific to an issuer key or globally by adding a unique identifier to the hash-to-curve input. Some thought would be needed here to define the process exactly. For debugging purposes, messages tied to these generators might also be represented as a dictionary while numbered messages are represented as a list, for example:
The text was updated successfully, but these errors were encountered: