decentralized-identity / bbs-signature

The BBS Signature Scheme
https://identity.foundation/bbs-signature/draft-irtf-cfrg-bbs-signatures.html
Apache License 2.0

Adding U in the proof value. #233

Closed BasileiosKal closed 1 year ago

BasileiosKal commented 1 year ago

Opening to track a suggestion made by @andrewwhitehead in PR #230.

The idea IMU is to add U (total number of undisclosed messages) in the proof, i.e.,

proof = (A', Abar, D, c, e^, r2^, r3^, s^, *U*, (m^_1, ..., m^_U)).

This will add some redundancy in case the proof gets accidentally truncated (or malformed in general).

BasileiosKal commented 1 year ago

Personally not sure how useful this will be above the transport layer; however, this would potentially make the suggestion in #227 easier to apply.

tplooker commented 1 year ago

I'm a -1 to this proposal for the following reasons

This issue does raise a good point that we could omit L from proof verify and deduce it based on length(m^_1, ..., m^_U) when decoding the proof.

tmarkovski commented 1 year ago

This was suggested at the start of this work item as well, as the previous implementations of BBS+ used this approach. In my mind, U is part of the public proof parameters along with the presentation header ph, and does not need to be encoded in the proof itself.

BasileiosKal commented 1 year ago

Discussed on the WG call 9th of January. Consensus is that rn the added redundancy is useful in some rare cases. Will discuss closing this issue in the next WG call, with the potential of reopening after #227 is resolved.

BasileiosKal commented 1 year ago

Discussed in the WG call 23rd of January. Closing the issue with the potential of reopening after #227. Will also look into adding an implementation note describing this solution as a potential mitigation if one is needed.

Wind4Greg commented 1 year ago

Like this. I was doing something like this in my code but deriving U from the L value.
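
The trade-off discussed in this thread, as an added example that is not part of the issue, the draft, or any participant's code: a decoder that derives U from the proof length next to one that reads an explicit U, both fed a truncated proof. It assumes the BLS12-381 sizes (48-byte compressed points, 32-byte scalars) and, as a hypothetical choice, an 8-byte big-endian U; all function names are illustrative.

```python
import struct

# Assumed sizes for a BLS12-381 ciphersuite: compressed G1 point and scalar.
POINT_LEN, SCALAR_LEN = 48, 32
# Fixed part from the issue: A', Abar, D (points), then c, e^, r2^, r3^, s^ (scalars).
FIXED_LEN = 3 * POINT_LEN + 5 * SCALAR_LEN
U_LEN = 8  # assumption: U carried as an 8-byte big-endian integer


class MalformedProof(ValueError):
    pass


def split_scalars(blob):
    return [blob[i:i + SCALAR_LEN] for i in range(0, len(blob), SCALAR_LEN)]


def decode_implicit_u(proof):
    """Layout without U: derive U from the length of the trailing m^ list."""
    tail = len(proof) - FIXED_LEN
    if tail < 0 or tail % SCALAR_LEN:
        raise MalformedProof("length is not fixed part + whole scalars")
    return tail // SCALAR_LEN, split_scalars(proof[FIXED_LEN:])


def decode_explicit_u(proof):
    """Layout proposed in the issue: U sits between s^ and the m^ list."""
    if len(proof) < FIXED_LEN + U_LEN:
        raise MalformedProof("shorter than fixed part + U")
    (u,) = struct.unpack(">Q", proof[FIXED_LEN:FIXED_LEN + U_LEN])
    body = proof[FIXED_LEN + U_LEN:]
    if len(body) != u * SCALAR_LEN:
        raise MalformedProof(f"U={u} but {len(body)} bytes of m^ values")
    return u, split_scalars(body)


def sample_proofs(u):
    """Constructed filler bytes, not real group elements or scalars."""
    fixed = bytes(range(256)) + bytes(FIXED_LEN - 256)
    ms = b"".join(bytes([i + 1]) * SCALAR_LEN for i in range(u))
    return fixed + ms, fixed + struct.pack(">Q", u) + ms


if __name__ == "__main__":
    implicit, explicit = sample_proofs(3)
    # Cut exactly one scalar off the end of each encoding.
    print("implicit U:", decode_implicit_u(implicit[:-SCALAR_LEN])[0])
    try:
        decode_explicit_u(explicit[:-SCALAR_LEN])
    except MalformedProof as err:
        print("explicit layout rejected:", err)
```

A proof cut on a 32-byte boundary still decodes in the implicit layout with a smaller U, so the mismatch can only be caught by comparing against parameters the verifier already holds; the explicit layout rejects it at decode time.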