Security audit on this approach #27
Comments
|
@mikelodder7 are you able to respond to this query? |
|
Auditing in what way? |
|
The cryptography has been audited by the hyperledger maintainers which include cryptographers and crypto engineers. I don’t know who will audit the Json LD layer |
|
@jonnycrunch are you able to stipulate what additional layer you are referring to? If it is about the BLS to BBS+ public key conversion where we derive the generators for the signed messages from the BLS public key, then we have already had this approach reviewed by multiple cryptographers including the team responsible for the latest publications around BBS+ signatures |
|
BBS+ by itself seem perfectly fine to be audited under ursa, I'm concerned about the selecting points on the pair-friendly curve representing values derived from the JSON-LD layer. Are those truly random or can a pattern emerge such that I can infer the values based on distancing and patterns like in Ulam's spiral. So..... JSON-LD layer. |
|
@jonnycrunch thanks for clarifying, there is no point selection occurring at the JSON-LD layer, take for instance the |
|
Each message is then committed to its respective generator point when creating a BBS signature. |
|
@jonnycrunch this is the definition in our current draft of the scheme https://mattrglobal.github.io/bbs-signatures-spec/#name-dpktopk |
|
Hey, could be useful to reach some further clarification here.
|
|
@wyc good idea, by authors I mean those that are responsible for one of the most recent academic revisions of BBS+ signatures, see here https://www.researchgate.net/publication/306347781_Anonymous_Attestation_Using_the_Strong_Diffie_Hellman_Assumption_Revisited section 4.3. @mikelodder7 can provide more detail on this. |
|
The original authors of the BBS+ signature are Boneh, Boyen, and Shachum and has been improved many times but the cryptographers that @tplooker is referring are Jan Camenisch, Manu Drijvers, and Greg Niven, formerly at IBM Zurich, now at Dfinity. Manu Drijvers is one of the maintainers on the Ursa project. The BLS12-381 curve is quick becoming the pairing curve of choice. For example, it's going to be used for the Eth2.0 deployment. Its been endorsed by Dan Boneh and his group. Algorand is using it for their code. ZCash has deployed it on their main net. QED-IT is using on their blockchain. Dmitry Khovratovich has recommended it many times for use with Sovrin. Each of these groups or individuals are very well respected cryptographers. Thus I have no problem suggesting its use. Some rust implementations of the curve have been audited. As for our approach for deriving points, Hash to curve is being used with the public key and incremented counters as inputs. BLS12-381 operates in a prime field, and thus any generator in a prime is considered safe for use. By hashing to points in this way, we are effectively choosing values that are "nothing up our sleeve" and we couldn't possibly know the discrete log. Hope this helps. |
|
Seems like this is actually a request for an audit of
We might want to make this dependency a little clearer, but from a security perspective... it relies on sha256... https://json-ld.github.io/normalization/spec/#dfn-hash-algorithm and its defined, and implemented in a number of languages... Worth noting that if IPLD and JSON-LD both supported URDNA2015 they would both get the same level of "out of the box" support from this suite... |
|
@mikelodder7 @tplooker I'm not worried about the selection of the BLS12-381 nor the hash to curve, I'm wondering about the conversion of the JSON-LD into a block of messages and whether that leaks data. At first, I thought this was a numerical off-set from the incremented counters. But, looking at the spec this seems like a BBS+ signature over a group of Pedersen Commitments derived from the LD-signature which is the array statement from the n-quads and the counter is the position in the array. To be clear, I am NOT a cryptographer but I'm less worried about something up your sleeve as I am that we have a good understanding on the governance of adapting new approaches, or in this case combining them and not fully understanding them. I really, really like this approach. I just want a reason to like it even more. |
|
Right now, messages are Blake2b hashed which has stronger properties than sha256. In addition, a random nonce is added to signatures of high entropy. With that knowledge, I’m failing to see any leaks In Patterns or anywhere else |
|
@jonnycrunch are you volunteering to do an audit? I don't know how to make this issue actionable. |
|
This issue is stale, the base crypto is going through CFRG, and we will be documenting the relevant privacy and security issues associated with JSON-LD. |
Just curious who will be auditing this approach. Looking at the crate on BBS+ and Ursa, this appears to be an algorithmic association of the blinded attributes to the pair-wise curve, which seems like a layer on top of the BBS+ cryptography. If this becomes a work item, how will the approach be audited for vulnerabilities?
The text was updated successfully, but these errors were encountered: