-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: pseudonyms supports in presentation #19
feat: pseudonyms supports in presentation #19
Conversation
Hi. Thanks for the PR.
Yes. But generally, the proofSpec (object of class
The Pedersen commitment is the
Can you tell me specifically where you need a pseudonym in the above diagram and why do you need them to be private?
The proof itself is proving that you know the secret key of the pseudonym. And pseudonyms are not yet integrated in the presentation spec but otherwise you can see this test.
Pseudonyms not bound to any attribute should definitely be outside of any credentials and be a top-level key like
The crypto logic needs bytearrays but while sending them in presentation, you should encode it to base64. Similarly for scope, it needs to be bytearray for crypto logic but in a presentation in can be kept as a string.
Have you seen this note? |
Thanks for the quick response 🙏
Ok, so that mean the pseudonym cannot be kept private... Is it hard to change that?
At the first step, registration, users send a hash of their university ID ( Then Privency sends users a VC containing the Whenever users want to vote they need to provide :
So, two options :
What do you think make the most sense between the two options, what's the easiest? If I need to go for option 2/, could you give me some clue as to which primitive in dock I can use for blind-signing? (I see there is a PR about coconut that you're working on which I may need...)
Yes, I noticed, and it's exactly the purpose of this PR: integrate pseudonyms in the presentation spec. How do I prove the order of presentation? Imagine the verifier requests many pseudonyms, how do the prover prove which corresponds to what in the presentation?
Good, that's what I did!
Ok good, that's what I did!
Hmm yes but I think there are tests in |
Yes, support needs to be built in the Rust library for this, and since the pseudonym itself is a commitment, proving its knowledge will likely require pairings which are expensive so lets try to avoid them.
Yes, let use bling signing. While requesting
This can be simply achieved by revoking
Have 2 keys
What do you think?
Some of them do but in your case its not needed. |
👍
👍 How to prove that the secretKey that is blind-signed is the same that was used to create the hash?
Hmm, I don't think so. Allow me to explain my reasoning. There are two VC:
In the university VC, there is a unique university ID per university member. Between Privency registration and voting, the university VC could be revoked, but Privency wouldn't know and wouldn't know what registration VC to revoke anyway, because the university ID is a private information between the Holder and the University, and Privency only knows a hash of the ID, and this is by design because we want to give as few information to Privency as possible. Privency should not alone be able to know who registered. If the university ID is long enough and truly cryptographically random, the only attack vector for Privency to know who registered would be for Privency to collude with the University and try all the hash of university ID to match them with Privency database. It's unfortunately impossible to make it more private, but we think this situation is acceptable. The most important is that no matter what, it is cryptographically impossible to know who voted what so long as the secretKey is strong enough and kept secret by the Holder. Now, when voting, Privency needs to verify that:
I need an equality check for my use-case, and blind-sign the university ID, not just the secret.
It looks good. For the attributes field, I'd go for the following:
But I'll do whatever you prefer! There is still something that I don't understand though. How does the verifier verifies that the pseudonym he extracts from the spec above corresponds to the
Thank you again for your help 🙏 |
The "hash" should serve as a pseudonym, right? The don't hash but commit to the attribute (which the psedonym is). Adding witness equality like this https://github.com/docknetwork/crypto-wasm-ts/blob/master/tests/composite-proofs/pseudonyms.spec.ts#L313 will ensure that above condition is met. It will generate an equality proof between the attribute the secret of the psedonym. From now on, i will assume whenever you say hash of attribute, you mean a an attribute bound pseudonym so please correct me when you really need a hash.
Yes, no need of this.
👍
Whats the revocation mechanism of the university VC? Accumulators? If yes then during voting, the user could prove that his university VC isn't revoked without revealing his university id. If the revocation mechanism is through an expiry date, then the user could do a range proof on the expiry date.
This is doable easily, right?
Thats better. Lets use this.
Correct.
The provided proof proves that user knows secret/attribute (and the attribute is same in case of bound) behind psedonym. So in |
604890f
to
7d03de4
Compare
Yes, sorry for some reasons I keep associating the pseudonym with a hash, but it's a pedersen commitment, not a hash. The thing I am wondering is how to send the blinded secretKey together with the proof that the secretKey is the same that was used to present the pseudonym? At this point, the secretKet is not yet part of a credential, but the witness equality you pointed seems to only work with attributes included in existing credentials. Am I mistaken?
👍
Technically the university VC must be a BBS+ VC for the proofs to work.
Yes!
For the
I'd do something similar with the
Good.
Makes sense. I implemented what you suggested, but I still get an error in the unit test that check whether the verification goes well:
I don't understand what's wrong... I have put some comments in the code. I almost finished the PR for the boundedPseudonyms, then I'll do unboundedPseudonyms and add some more tests and it will be ready for full review. |
This is regarding the request for
The revocation mechanism used is orthogonal to the DID method.
The CL sigs I have seen use RSA and with different group size than the one we use with elliptic curves so proving attribute equality would be difficult and we don't support that even in the Rust library.
This can have collisions for the key when the same bases are used to create many pseudonyms from different credentials. The pseudonym itself being the key is better as they are required to be unique (in a scope) and have a negligible chance of collision.
Will check. Can you please merge the latest master branch in your PR? Most of the new changes were part of this PR. These bring in support for additional schemes but should not impact your logic much. |
7d03de4
to
705d57a
Compare
It cannot work for two reasons:
There are two use-cases for our product:
At the beginning we will ship case 1/ - but the goal of the project is really 2/: we want to support any existing VCs - with as little limitations as possible. My idea would be the following:
That seems to work fine to me, so long as the university VC type is BBS+. Not so sure otherwise...
As of the As of the university VC, I am not sure which method is best yet. I want to support all the methods anyway.
Hmm... So, regarding my suggestion above, that means:
Which would mean we cannot support non-BBS+ university VC - am I correct?
Oh right, I didn't realize that! Changing this now.
I just rebased my branch, it is up to date! Thanks for checking. |
Sorry, i forgot about these details. So the flow should be this
Does the above work?
If the university VC is not of a supported scheme like BBS+, PS, BBS, above won't be possible at the moment and would be a significant effort even if we restrict the signature scheme of university VC to EdDSA, ECDSA. We will need to use a zk-SNARK to prove that you know a EdDSA signature and the attributes and that blinding has been done correctly and all this will be proved inside the snark circuit making it quite expensive.
Yes, you don't need it.
The problem with the status list isn't performance but the lack of privacy because the verifier will learn
Better in terms of?
I can't answer the question without knowing which sig scheme is being used in university VC but it's quite expensive and not supported atm for EdDSA, ECDSA.
Thanks |
That's right but before the registration VC is sent, we need to record certain information. Our product needs to keep track of an anonymized version of My original idea for that was for our product to request two pseudonyms before sending the
Nonce is useful to add randomness, especially for
I need to add a third attribute to this bounded pseudonym: yet another poll-specific nonce.
Alright, I can live with that restriction. BBS+ is where the community is heading anyway.
Even with these nonces and
The "registered user" could be yet another ID that is unique to each This value would never be used for voting or anything else and should be kept private by the holder. Yes the status list made of The most important for the product is that it should be cryptographically infeasible to know who voted what - so long as the secretKey is kept private by the voter, even if Privency and the University collude or if there is a data leak.
My requirements for the revocation mechanism of
The non-requirements for the revocation mechanism:
I am wondering if there is another revocation mechanism I simply missed that's already widely adopted?
I thank you! Love all the support you're providing! |
864f2ee
to
cf8d217
Compare
I just rebased and changed the "key" in the boundedPseudonyms presented Map to the decoded pseudonym instead of (basesForAttributes+basesForSecretKey). |
There is one additional thing that you need when using the nonce. The same user can register multiple times by using different nonces so it needs to be proven that the
This will cause the same problem as above. I think its reasonable to expect users to generate a different
Privency will know which "registered user" corresponds to which
The 2 already mentioned seem the most appropriate. There is a transparent construction of accumulators but I haven't looked at it much yet. |
Hmm true. Interesting approach. I'd want to look into that after the first product is out. Three nonces:
Advantages of doing so:
Though I admit, using these nonces is not critical for the first version of the product, especially if it is assumed that users use a different
Can I use accumulators without a ledger? I am not very familiar how it works. I just added support for unboundedPseudonyms. I am still not sure why the test does not pass (the "verify" function on the verifier side). I get |
1934a80
to
5dcb622
Compare
With this pre-registration VC, Privency would which student is willing to participate in the poll.
Like i mentioned before, if you are using the inequality proof, you can have just one poll specific pseudonym and thus only 1 nonce.
I have been meaning that Privency does not know the nonce. Because knowing the nonce makes brute forcing possible, eg
So for the first version, having the pseudonym
Yes. Infact this library does not assume a ledger. You can read more about accumulators here and here.
Added comments. Please don't force push for now. We can squash the commits later. |
Yes, Privency will know which
If the inequality proof solution can achieve good performance, it is a superior solution to the one I proposed. But I can't afford diving into Circom right now. (I am very fortunate you guys implemented the Pseudonym functionality already 👍 .) That's a great candidate for v2.
Yes, you're right, let's forget about the nonce for generating
Definitely yes. In the first version of the product, I will have a personal relationship with "the University" and I may be able to convince them to issue a cryptographically secure Also, there is another functionality where we handle the issuing of credentials for the University (or any group). In that case, I will have total freedom to issue a cryptographically secure
Nice! I will look into that. Thanks for the links.
Thank you! Looking at it now! OK, I won't force push. |
Here is the summary of how I would do the flow after our discussions. Registration to a specific poll:
User is voting:
Note:
|
Signed-off-by: lovesh <[email protected]>
If the
Does this step happen during the request of
This isn't needed because a pseudonym will be submitted later during voting anyway.
Privency can avoid sending these bases and thus the check as well.
Why would it be issued the second time for the same poll? Have added a test here for this use-case. There are comments in the test to explain my thinking. |
I just pushed the changes you requested, except for the reference to the bases (responded to your comments).
The need is to make sure the
During the same request flow. This step happens before
I don't know how to do that without the
The pseudonym submitted during voting is not the same as the one that is recorded. The Pseudonym that is used for voting should be unlinkable with the Pseudonym that was recorded during registration:
Good point. Having different bases is key to ensure privacy though. Somehow the frontend should verify that at all times.
Yea, I see.
Two different devices. (Though VC could be sync between them. I know Findy Agency does that in the Hyperledger realm. Does that exist for Dock wallet?). Or the user lost the
Thank you for doing the unit test for my use-case! |
In your test, I don't understand this part. Not understanding these witness equalities is why I was suggesting using |
The test i shared does that. Its the equality enforced here.
See this equality. I am creating the pseudonym from both
To get a registration VC, user has to submit a pseudonym to its
They are unlinkable (in the test).
This shouldn't be needed.
Yes. |
I assume you've read this so I won't describe the terminology. Witness equality (currently) is for proving the equality of messages in a Pedersen commitment without revealing them and uses a sigma protocol (Schnoor proof of knowledge). Eg. for 2 commitments
Its the index of the attribute in the above form.
BBS does not have a random value, BBS+ does, and thus the offset. The abstraction I will have here will hide these details.
Yes. |
👍
👍
" Say they later revoke the That is why, in my view Privency must re-issue the same secret in the
👍
👍 Thanks for the explanation on witness equality, it helps. For your comment on the bases in the spec, how do you want to proceed? Apart from that, I think the PR is ready on my side. I am trying to see how to interact with Dock Wallet as a verifier or an issuer, and I am not sure how to proceed. Which protocol is the wallet using? DIDcomm? What should I do to use the new Pseudonym functionality in Dock Wallet (request a Pseudonym)? |
Privency (issuer) will know if the same user is requesting a
Sorry about that, missed 2 comments. Replied now. Dock wallet does not support pseudonyms or most predicates in this repo yet. |
Not really, because this behavior would mean that once revoked, the user can never request a new But I think with your tremendous help and the unit test you wrote, I can implement this functionality now!
Looking at it now.
I am choosing between:
|
I switched my PR from "DRAFT" to "READY". |
Just changed from Btw I noticed some linting issue on files unrelated to my changes when running
Should I push it here? |
const unboundedPseudonym = this.unboundedPseudonyms[i]; | ||
const pseudonym = Pseudonym.new(unboundedPseudonym.baseForSecretKey, unboundedPseudonym.secretKey); | ||
const decodedBaseForSecretKey = PseudonymBases.decodeBaseForSecretKey(unboundedPseudonym.baseForSecretKey); | ||
const decodedPseudonym = PseudonymBases.decode(pseudonym.value); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is slightly misleading as pseudonym
is not a base. Better to define encode
, decode
on Pseudonym
. Use them above as well instead of pseudonym.base64
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I find it weird to have Pseudonym.encode(value)
and the decode
equivalent when both AttributeBoundPseudonym
and Pseudonym
derive from BytearrayWrapper
. The encode
and decode
static functions I use for AttributeBoundPseudonym are taken from Pseudonym in a very arbitrary way.
I'd find it more appropriate to use (static OR not) functions from BytearrayWrapper
.
Though I think it is just a question of style, I'll do whatever you prefer.
I just implemented it in Pseudonym
like you mentioned.
I will submit support for blind issuance in the anoncreds abstraction soon so you won't have to rely on lower level objects.
The wallet is closed source but I have asked if they can grant you access.
Sure. Please merge the latest master as well. |
70674e0
to
a4a8178
Compare
0032477
to
63aeffa
Compare
👍
Would be cool!
I just pushed the changes you requested, including the linting. |
Signed-off-by: lovesh <[email protected]>
Closes #18
Things I am not sure about and would particularly love your help with:
Statement.attributeBoundPseudonym
and sent in the proofSpec with the presentation already contain the pseudonym? If I understand well, it creates a Pedersen commitment but does not reveal the pseudonym? It is critical to me because in Privency protocol, it is sometimes necessary to keep pseudonyms private (full protocol description is here: https://github.com/privency/poc/tree/main/vc-flow#poc-to-prove-how-to-use-anoncred-for-counting-votes )attributeEqualities
(option I chose for now)?Known lacking elements (should be implemented before PR is ready)