<div dir="ltr">This design evolved out of a prior design based on RSA blind signatures. The switch to curve-based cryptography significantly simplified implementation from an engineering point of view. All of the cryptography was pretty easy to implement using implementations of p256 in golang and javascript.<br><br>If anyone is inventing a protocol that calls for blinded RSA, I think they would be far happier using a curve-based OPRF.</div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div>Signal/WhatsApp/Phone: +1650-862-5992</div><div><br></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Sat, Nov 11, 2017 at 11:52 AM, Trevor Perrin <span dir="ltr"><<a href="mailto:trevp@trevp.net" target="_blank">trevp@trevp.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Nice elliptic curve / zero-knowledge protocol:<br>
<br>
<a href="https://medium.com/@alxdavids/privacy-pass-6f0acf075288" rel="noreferrer" target="_blank">https://medium.com/@alxdavids/privacy-pass-6f0acf075288</a><br>
<a href="https://privacypass.github.io/" rel="noreferrer" target="_blank">https://privacypass.github.io/</a><br>
<br>
The underlying crypto looks to me like a "blinded" VRF ("blinded" in<br>
the sense of "blind signatures", since VRFs can be viewed as a type of<br>
signature). It's being called a "verifiable oblivious PRF", perhaps<br>
because it was arrived at by adding the "verifiable" property to an<br>
"oblivious PRF" rather than vice versa?<br>
<br>
For efficiency it's batched, so that a single "signature" is a proof<br>
for multiple VRF outputs.<br>
<br>
The VRF is used to blind-issue anonymous credentials (i.e. the server<br>
signs nonces, but is blind to the nonce or signature values, and the<br>
client checks that the signature is "verifiably unique" to prevent the<br>
server from tagging the signature in some way).<br>
<br>
These credentials are less sophisticated than most "anonymous<br>
credentials" schemes in the literature: They don't prove anything<br>
beyond "the server gave me a credential", and are single-use because<br>
multiple presentations would be linkable.<br>
<br>
But that's sufficient for proving that a Tor user solved a captcha, so<br>
this seems like a great match of problem to a (relatively) simple and<br>
efficient solution.<br>
<br>
<br>
Trevor<br>
_______________________________________________<br>
Curves mailing list<br>
<a href="mailto:Curves@moderncrypto.org">Curves@moderncrypto.org</a><br>
<a href="https://moderncrypto.org/mailman/listinfo/curves" rel="noreferrer" target="_blank">https://moderncrypto.org/mailman/listinfo/curves</a><br>
</blockquote></div><br></div>
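<div dir="ltr">The blinded-VRF issuance Trevor describes (server multiplies a blinded point by its key, client checks a "verifiably unique" proof, then unblinds) and the P-256-in-Go implementation the reply mentions, as an added worked example. This is not Privacy Pass's own code and not code from either correspondent; it uses only Go's standard library (crypto/elliptic, which current Go deprecates for direct use but still ships), and the names Server, Issue, Redeem, ObtainToken, DLEQ and hashToCurve are constructed for the example. Three simplifications are assumptions of this example, not the protocol: hash-to-curve is try-and-increment rather than the scheme's own map, redemption sends the unblinded point rather than a MAC keyed by it, and the batched proof over many points is left out (a single DLEQ per evaluation is shown).</div>

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/big"
)

var curve = elliptic.P256()
var n = curve.Params().N
var G = Point{curve.Params().Gx, curve.Params().Gy}

type Point struct{ X, Y *big.Int } // affine P-256 point; crypto/elliptic uses (0, 0) for infinity
func mul(p Point, k *big.Int) Point {
	x, y := curve.ScalarMult(p.X, p.Y, k.FillBytes(make([]byte, 32)))
	return Point{x, y}
}
func add(p, q Point) Point { x, y := curve.Add(p.X, p.Y, q.X, q.Y); return Point{x, y} }

func randomScalar() *big.Int { // uniform in [1, n)
	k, err := rand.Int(rand.Reader, new(big.Int).Sub(n, big.NewInt(1)))
	if err != nil {
		panic(err)
	}
	return k.Add(k, big.NewInt(1))
}

// hashToCurve maps a token to a point by try-and-increment (a simplification for this example;
// Privacy Pass uses a different hash-to-curve): sha256(msg || ctr) is read as x and the first x
// with y^2 = x^3 - 3x + b a square is taken; p = 3 mod 4, so the root candidate is (y^2)^((p+1)/4).
func hashToCurve(msg []byte) Point {
	p, b := curve.Params().P, curve.Params().B
	exp := new(big.Int).Rsh(new(big.Int).Add(p, big.NewInt(1)), 2)
	for ctr := byte(0); ; ctr++ {
		h := sha256.Sum256(append(append([]byte{}, msg...), ctr))
		x := new(big.Int).SetBytes(h[:])
		y2 := new(big.Int).Exp(x, big.NewInt(3), p)
		y2.Sub(y2, new(big.Int).Mul(x, big.NewInt(3))).Add(y2, b).Mod(y2, p)
		y := new(big.Int).Exp(y2, exp, p)
		if x.Cmp(p) < 0 && curve.IsOnCurve(x, y) { // rejects candidates where y^2 was a non-residue
			return Point{x, y}
		}
	}
}

// DLEQ is a Chaum-Pedersen proof (Fiat-Shamir over SHA-256) that log_G(Y) = log_M(Z): the key k
// behind the public commitment Y = kG is the one that produced the evaluation Z = kM.
type DLEQ struct{ C, V *big.Int }
func challenge(pts ...Point) *big.Int {
	h := sha256.New()
	for _, p := range pts {
		h.Write(elliptic.Marshal(curve, p.X, p.Y))
	}
	return new(big.Int).Mod(new(big.Int).SetBytes(h.Sum(nil)), n)
}
func prove(k *big.Int, Y, M, Z Point) DLEQ {
	s := randomScalar() // fresh nonce; reusing it across proofs would leak k
	c := challenge(G, Y, M, Z, mul(G, s), mul(M, s))
	v := new(big.Int).Sub(s, new(big.Int).Mul(c, k))
	return DLEQ{c, v.Mod(v, n)}
}
func verify(Y, M, Z Point, pr DLEQ) bool {
	A := add(mul(G, pr.V), mul(Y, pr.C)) // equals sG only if v = s - c*k for the k behind Y
	B := add(mul(M, pr.V), mul(Z, pr.C)) // equals sM only if Z = kM under that same k
	return challenge(G, Y, M, Z, A, B).Cmp(pr.C) == 0
}

// Server holds the issuing key K and the commitment Y = KG that clients pin.
type Server struct{ K *big.Int; Y Point }
func NewServer() *Server { k := randomScalar(); return &Server{K: k, Y: mul(G, k)} }

// Issue evaluates the OPRF on a blinded point and proves the committed key was used.
func (s *Server) Issue(M Point) (Point, DLEQ) { Z := mul(M, s.K); return Z, prove(s.K, s.Y, M, Z) }

// Redeem recomputes K*H(t) from the revealed nonce and compares it with the client's value
// (Privacy Pass sends a MAC keyed by N rather than N itself; sending N is a simplification).
func (s *Server) Redeem(t []byte, N Point) bool {
	want := mul(hashToCurve(t), s.K)
	return want.X.Cmp(N.X) == 0 && want.Y.Cmp(N.Y) == 0
}

// Token is what the client keeps: the nonce t and the unblinded evaluation N = K*H(t).
type Token struct{ T []byte; N Point }

// ObtainToken is the client side of issuance: blind, have the server evaluate, check the DLEQ
// proof, unblind. The server never sees t or N, so a later redemption is unlinkable to issuance.
func ObtainToken(srv *Server) (Token, error) {
	t := make([]byte, 32)
	if _, err := rand.Read(t); err != nil {
		return Token{}, err
	}
	r := randomScalar()
	M := mul(hashToCurve(t), r) // blinded: the server learns nothing about t
	Z, proof := srv.Issue(M)
	if !verify(srv.Y, M, Z, proof) {
		return Token{}, errors.New("DLEQ proof failed: evaluation not under the committed key")
	}
	rInv := new(big.Int).ModInverse(r, n)
	return Token{T: t, N: mul(Z, rInv)}, nil // r^-1 * K * (r * H(t)) = K * H(t)
}
```

<div dir="ltr">Usage is <code>srv := NewServer()</code>, <code>tok, err := ObtainToken(srv)</code>, then later <code>srv.Redeem(tok.T, tok.N)</code>. The DLEQ check is what stops the tagging Trevor mentions: a server that evaluates under a key other than the one behind its published commitment Y (for instance a per-client key) produces a Z for which the recomputed challenge does not match, so ObtainToken returns an error and the client discards the token. Because the server only ever sees the blinded point M = rH(t), it cannot connect a later redemption of t to the issuance, which is the single-use unlinkable credential the quoted message describes.</div>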