[curves] PrivacyPass

zaki at manian.org zaki at manian.org
Sat Nov 11 09:05:07 PST 2017

This design evolved out of a prior design based on RSA blind signatures.
The switch to curve-based cryptography significantly simplified
implementation from an engineering point of view. All of the cryptography
was pretty easy to implement using implementations of p256 in golang and

If anyone is inventing a protocol that calls for blinded RSA, I think they
would be far happier using a curve-based OPRF.

Signal/WhatsApp/Phone: +1650-862-5992

On Sat, Nov 11, 2017 at 11:52 AM, Trevor Perrin <trevp at trevp.net> wrote:

> Nice elliptic curve / zero-knowledge protocol:
>
> https://medium.com/@alxdavids/privacy-pass-6f0acf075288
> https://privacypass.github.io/
>
> The underlying crypto looks to me like a "blinded" VRF ("blinded" in
> the sense of "blind signatures", since VRFs can be viewed as a type of
> signature).  It's being called a "verifiable oblivious PRF", perhaps
> because it was arrived at by adding the "verifiable" property to an
> "oblivious PRF" rather than vice versa?
>
> For efficiency it's batched, so that a single "signature" is a proof
> for multiple VRF outputs.
>
> The VRF is used to blind-issue anonymous credentials (i.e. the server
> signs nonces, but is blind to the nonce or signature values, and the
> client checks that the signature is "verifiably unique" to prevent the
> server from tagging the signature in some way).
>
> These credentials are less sophisticated than most "anonymous
> credentials" schemes in the literature:  They don't prove anything
> beyond "the server gave me a credential", and are single-use because
> multiple presentations would be linkable.
>
> But that's sufficient for proving that a Tor user solved a captcha, so
> this seems like a great match of problem to a (relatively) simple and
> efficient solution.
>
> Trevor
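The blind issuance described in the quoted message (the server "signs" a nonce it never sees), as an added Go sketch on P-256 that is not code from this thread or from the Privacy Pass project. It covers only the oblivious part: the client blinds H(nonce), the server multiplies by its key k, and the client unblinds to k*H(nonce); the proof that makes the output verifiable is left out. All function names are hypothetical, and the try-and-increment hash-to-point is a simple, non-constant-time stand-in assumed for illustration.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

var curve = elliptic.P256()
type Point struct{ X, Y *big.Int }
// RandScalar returns a uniform scalar in [1, n-1], n being the group order.
func RandScalar() *big.Int {
	k, err := rand.Int(rand.Reader, new(big.Int).Sub(curve.Params().N, big.NewInt(1)))
	if err != nil {
		panic(err)
	}
	return k.Add(k, big.NewInt(1))
}
// HashToPoint (assumed construction): hash counter||nonce until it is a valid x-coordinate.
func HashToPoint(nonce []byte) Point {
	for ctr := byte(0); ; ctr++ {
		h := sha256.Sum256(append([]byte{ctr}, nonce...))
		if x, y := elliptic.UnmarshalCompressed(curve, append([]byte{2}, h[:]...)); x != nil {
			return Point{x, y}
		}
	}
}
// Evaluate is the server side: multiply the received point by the secret key k.
func Evaluate(k *big.Int, p Point) Point {
	x, y := curve.ScalarMult(p.X, p.Y, k.Bytes())
	return Point{x, y}
}
// Blind is the client side: T = H(nonce); send r*T so the server learns nothing about T.
func Blind(nonce []byte) (*big.Int, Point) {
	r := RandScalar()
	return r, Evaluate(r, HashToPoint(nonce))
}
// Unblind removes r from the server's reply: r^-1 * (k*r*T) = k*T.
func Unblind(r *big.Int, q Point) Point {
	return Evaluate(new(big.Int).ModInverse(r, curve.Params().N), q)
}

func main() {
	k, nonce := RandScalar(), []byte("constructed-nonce") // constructed sample values
	r, blinded := Blind(nonce)
	token, want := Unblind(r, Evaluate(k, blinded)), Evaluate(k, HashToPoint(nonce))
	fmt.Println("token == k*H(nonce):", token.X.Cmp(want.X) == 0 && token.Y.Cmp(want.Y) == 0)
}
```

At redemption the client reveals the nonce and the server recomputes k*H(nonce) itself, which is why it can check a token it never saw during issuance.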