{"type":"rich","version":"1.0","title":"Joe Miyamoto Philips [ARCHIVE] wrote","author_name":"Joe Miyamoto Philips [ARCHIVE] (npub1rx…rdmna)","author_url":"https://yabu.me/npub1rxe6xx0tvp69u4ah8q7rl2v8yryawr9wv4zc2z2p59jupsdnnffslrdmna","provider_name":"njump","provider_url":"https://yabu.me","html":"📅 Original date posted:2021-02-03\n📝 Original message:\nHi all.\n\nI want to point out another application of Discrete-Log selling on PTLC lightning, since I could not find anyone else mentioning it (in particular, I could not find it in Nadav Kohen's list here [1]).\n\nThe protocol may be obvious to most of the members here, but I believe its application has some impact on the way people make anonymity-focused applications with LN, so I want to have some feedback.\n\nIn short, by using ElGamal encryption, we can sell not only a discrete log but also an elliptic curve point which satisfies some requirements. This includes KVAC [2], which is used for WabiSabi [3] and the Signal app [4].\n\n\u003e disclaimer: I'm not a cryptography or math major; the following reasoning might be wrong at the fundamental level. Please correct me if I'm wrong.\n\n## Notations\n\n* G ... Elliptic curve base point.\n* H ... some additional NUMS point.\n* x, X = x * G ... secret and public key.\n\nFor ZKPoK, I will use Camenisch-Stadler-like notation:\n\nPK{ (secret values) : statements about secret values to prove. }\n\ne.g. for a DLEQ proof, assume the verifier already has some points P_1, P_2:\n\nPK{ (x, y) : P_1 = x * G and P_2 = y * H and x = y }\n\n# Protocols\n\n## Pay for ElGamal decryption key\n\nQuick recap: ElGamal encryption for message M (= m * G) is\n\n(r * G, M + r * P)\n\nwhere r is some blinding factor and P is a shared secret (P = p * G).\n\nImagine the Buyer knows some point (X_h = x * H), and he wants another point (X_g = x * G).\nThe Seller knows x and he wants to sell the point X_g, but he does NOT want to reveal its discrete log x to the Buyer.\n(There is not much of a situation like this, but I will explain it later.)\n\nIn this case, the Seller can send its ElGamal encryption and sell its decryption key.\n\nSeller:\n\n* Generate ephemeral encryption key S = s * G\n* Encrypt X_g with random blinding r ... (c1, c2) := (r * G, X_g + r * S)\n* Send (c1, c2) and S to the Buyer.\n* Also, send PK{ (x, r, s) : c1 = r * G and c2 = x * G + r * S and X_h = x * H }\n\nBuyer:\n\n* Verifies the ZKPoK, so he can be sure that the plaintext will be the X_g that he wants.\n* Makes a payment offer to the Seller with S.\n\nSeller:\n\n* Receives the payment by revealing s\n\nBuyer:\n\n* Decrypts the ciphertext with s to get X_g ... (X_g := c2 - c1 * s)\n\n## Pay for Keyed Verification Anonymous Credential (KVAC)\n\nWe assume the MAC_{GGM} scheme for the KVAC. [2]\n\n* attributes encoded in the credential are m_1, ..., m_n\n* secret keys for the issuer=verifier are r, x_0, x_1, ..., x_n\n* Public params for the issuer are (C_x0 = x_0 * G + r * H), (X_1 = x_1 * G, ..., X_n = x_n * G)\n\nThe credential is of the form (U, U') where U' = U * (x_0 + x_1 * m_1 + ... + x_n * m_n)\n\nIssuer:\n\n* get random point `U`\n* compute U' = U * (x_0 + x_1 * m_1 + ... + x_n * m_n)\n* sends U and ElGamal encryption of U' to the Buyer with blinding factor k and ephemeral encryption key S.\n  * (c1, c2) = (k * G, U' + k * S)\n* Also sends a ZKPoK to show that the ciphertext is for the correct U'\n  * PK{ (x_0, ..., x_n, r, k, s, U') : U' = U * (x_0 + x_1 * m_1 + ... + x_n * m_n) and C_x0 = G * x_0 + H * r and X_1 = x_1 * G and ... and X_n = x_n * G and c1 = k * G and c2 = U' + k * S }\n\nThen the Buyer can buy s in the same way as above.\n\n# Why this matters\n\nI believe that KVAC has great potential as a building block of anonymous web apps.\nIts MAC-based construction is more performant and easier to prove secure compared to similar systems for PKI-based anonymous credentials (e.g. U-Prove [5] and ACL [6]).\nAnd it's a great fit for commercial-purpose applications which do not have to cooperate with other entities when defining the protocol. (Which is not the case for an attribute-based credential system in general.)\n\nThe reason it has not been used widely so far is, IMHO, that there is no way to charge its users anonymously. [7]\nAnother problem is the Sybil attack. In general, DoS protection is a great concern for anonymous applications.\nSo we need users to commit something \"scarce\" to prevent it.\nIt is why Signal requires its users to register their telephone number (Maybe I'm wrong about this, not sure).\n(WabiSabi cleverly uses the user's UTXO as the scarce resource to mitigate this problem.)\n\nAnd of course, these problems get fixed by LN: if users have to pay to get their service, the service does not have to ban the users by DoS-ing anymore. So I think LN-based payment and KVAC-based apps fit very well together.\n\nThus, if the service wants to grant users some right to do something with its server resources in an unlinkable fashion, then I believe exchanging the credential in this way has a benefit.\n\nRegards,\n\nMiyamoto.\n\nP.S. I may have sent the same mail with a different address. Please ignore it.\n\n[1]: https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-April/002647.html\n[2]: https://eprint.iacr.org/2013/516.pdf\n[3]: https://github.com/zkSNACKs/WabiSabi\n[4]: https://signal.org/blog/pdfs/signal_private_group_system.pdf\n[5]: https://www.microsoft.com/en-us/research/project/u-prove/\n[6]: https://core.ac.uk/download/pdf/193377167.pdf\n[7]: DuckDuckGo has an interesting solution for this. But it is not a general solution for all kinds of apps and I doubt how well it works compared to charging a fee via LN.\nhttps://spreadprivacy.com/duckduckgo-revenue-model/"}
