TIL there's a draft RFC for an oblivious-PRF-based blind signing scheme (so distinct from both the old RSA type, and also the Chaumian or Brands type using Schnorr).


Some background on what this is and why it's interesting; first, see: "privacypass":


... an extension you can use to bypass captchas by using blinded tokens. I'm not sure of the current real-world status, especially w.r.t. using Tor browser, which is where it'd be *really* useful!



Now, this scheme ("OPRF") is really nice from my angle, because the protocol is really surprisingly simple (it's similar to say Schnorr blind sigs, but if anything, more intuitive). They summarize it very nicely here:


I was reminded of it today because I was thinking about use of the "DLEQ" primitive - discrete log equivalence proof - which is used in Joinmarket for "one time tokens" but is currently under discussion on the LN dev mailing list:



(click 'thread' to see whole discussion)

The difference between the Joinmarket and Lightning use cases (which are both about arranging to create transactions cooperatively, 'coinjoin' in some sense or other, but between untrusted entities), and the privacypass use case, is that the latter is client-server, which is the classic scenario for blind signing.

That second scenario applies both for Wasabi and Tumblebit.



@waxwing Interesting indeed. One thing I proposed a long time ago is that Lightning watchtowers need to operate as a Chaumian bank, issuing many redeemable tokens in exchange for a single Lightning payment. Redeeming a token in this case means handing the watchtower a revoked state; to watch for. It looks to me this same token system can be used (rather than bearer RSA blind sigs or Schnorr blind sigs).

@ZmnSCPxj let's try, zero triple seven two, ping block 7?

@ZmnSCPxj Right. At some point soon I'll try to dig into the academic papers behind this OPRF stuff, at least somewhat; I'd like to get a stronger sense of where the theory currently is on the security of those constructions (there are existing rather nasty attacks on the Schnorr blind signing stuff, including Wagner, as you probably remember).
It feels like an elegant way to do it, and I'm with you that we should slowly see this paradigm seep into second layer stuff; it makes sense.

@waxwing Yes, the typical proposed protection against the Wagnerian attack on blind Schnorr signing is to do mass amounts of blind signing sessions in parallel and the signer randomly failing almost all of them. This new construction also allows issuing multiple tokens at the same time, which is definitely something that a Lightning watchtower would want. So if this new construction manages to sidestep Wagner, then it is almost definitely a shoo-in for this application.

@waxwing Naively, it looks to me that Wagner does not quite apply to this token-issuance construction.

What looks to me to be attackable is the T = H(t); if you can find a set of t[0]...t[n] such that sum of H(t[i]) is equal to some H(t[target]), you get that t[target] "for free" by having the server sign t[0]..t[n].

But Wagner gets its speedup by taking only the lower bits at a time, reducing the need to birthday those, and the resulting H() is not a scalar whose bits you can hack that way.
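The protocol shape the thread summarises (client blinds T = H(t), server evaluates with its key k and attaches a DLEQ proof, client unblinds, and multiple tokens can be issued in one session under a single proof) is easier to see in code. The following is an added example written for this page; it is not code from the draft RFC, Privacy Pass, Joinmarket or any of the posters. It stands in a prime-order subgroup of Z_p^* with a toy 64-bit safe prime for the elliptic-curve group the draft uses, and uses a squared SHA-256 output as a stand-in for hash-to-curve; the group parameters, the `Issuer` class and the batching weights are all constructed here for illustration and are not suitable for real use.

```python
import hashlib
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic Miller-Rabin below 2^64

def is_prime(n):
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_from(start):
    # Smallest q >= start with q and p = 2q+1 both prime (toy group, constructed here)
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime_from(1 << 62)   # squares mod P form a subgroup of prime order Q
G = 4                             # a square, hence a generator of that subgroup

def hash_to_int(*parts):
    h = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else x.to_bytes((x.bit_length() + 7) // 8, "big")
        h.update(len(b).to_bytes(2, "big") + b)   # length-prefixed to avoid ambiguity
    return int.from_bytes(h.digest(), "big")

def hash_to_group(t):
    # T = H(t): squaring the hash lands it in the order-Q subgroup (toy hash-to-group)
    return pow(hash_to_int(b"H2G", t) % P, 2, P)

def blind(t):
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(hash_to_group(t), r, P)          # client sends M = T^r

def unblind(r, z):
    return pow(z, pow(r, -1, Q), P)                # N = Z^(1/r) = T^k

def _batch(pub, ms, zs):
    # Fold all (M_i, Z_i) into one pair so a single DLEQ proof covers every token
    m_star = z_star = 1
    for i, (m, z) in enumerate(zip(ms, zs)):
        d = hash_to_int(b"batch", pub, *ms, *zs, i) % Q
        m_star = m_star * pow(m, d, P) % P
        z_star = z_star * pow(z, d, P) % P
    return m_star, z_star

class Issuer:
    def __init__(self):
        self.k = secrets.randbelow(Q - 1) + 1
        self.pub = pow(G, self.k, P)               # Y = G^k, published commitment to k
        self.spent = set()

    def evaluate(self, blinded):
        zs = [pow(m, self.k, P) for m in blinded]  # Z_i = M_i^k
        m_star, z_star = _batch(self.pub, blinded, zs)
        w = secrets.randbelow(Q - 1) + 1           # Chaum-Pedersen DLEQ proof
        c = hash_to_int(b"DLEQ", G, self.pub, m_star, z_star,
                        pow(G, w, P), pow(m_star, w, P)) % Q
        return zs, (c, (w - c * self.k) % Q)

    def redeem(self, t, n):
        # Server recomputes H(t)^k; no record of who was issued this token is needed
        if t in self.spent or pow(hash_to_group(t), self.k, P) != n:
            return False
        self.spent.add(t)
        return True

def verify_dleq(pub, ms, zs, proof):
    # Accept only if log_G(Y) == log_{M*}(Z*): the same k was used for every token
    c, s = proof
    m_star, z_star = _batch(pub, ms, zs)
    a = pow(G, s, P) * pow(pub, c, P) % P
    b = pow(m_star, s, P) * pow(z_star, c, P) % P
    return c == hash_to_int(b"DLEQ", G, pub, m_star, z_star, a, b) % Q

def issue_tokens(issuer, count):
    # Full client round trip: blind, have the issuer evaluate, check proof, unblind
    ts = [secrets.token_bytes(32) for _ in range(count)]
    rs, ms = zip(*(blind(t) for t in ts))
    zs, proof = issuer.evaluate(list(ms))
    if not verify_dleq(issuer.pub, list(ms), zs, proof):
        raise ValueError("issuer used an inconsistent key")
    return [(t, unblind(r, z)) for t, r, z in zip(ts, rs, zs)]

if __name__ == "__main__":
    issuer = Issuer()
    tokens = issue_tokens(issuer, 3)
    print(issuer.redeem(*tokens[0]), issuer.redeem(*tokens[0]))  # first True, replay False
```

The DLEQ check is what makes this a *verifiable* OPRF: without it, an issuer could evaluate different clients under different keys and later recognise them at redemption time. The batched proof is the reason several tokens can be issued per session at the cost of one proof, which is the property the watchtower discussion above cares about.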
