- From: CCG Minutes Bot <minutes@w3c-ccg.org>
- Date: Tue, 08 Oct 2024 21:36:04 +0000
- To: public-credentials@w3.org
Thanks to Our Robot Overlords and Our Robot Overlords for scribing this week!

The transcript for the call is now available here:
https://w3c-ccg.github.io/meetings/2024-10-08/

Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:
https://w3c-ccg.github.io/meetings/2024-10-08/audio.ogg

A video recording is also available at:
https://meet.w3c-ccg.org/archives/w3c-ccg-weekly-2024-10-08.mp4

----------------------------------------------------------------
W3C CCG Weekly Teleconference Transcript for 2024-10-08

Agenda: https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Oct&period_year=2024&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date
Organizer: Harrison Tang, Kimberly Linson, Will Abramson
Scribe: Our Robot Overlords and Our Robot Overlords
Present: Harrison Tang, Andrea D'Intino | Forkbomb BV, Jaromil ☮️ Dyne.org, Hiroyuki Sano, Japan, TallTed // Ted Thibodeau (he/him) (OpenLinkSw.com), Manu Sporny, Sam Smith, Stephan Baur, Simone Ravaoli, Jeff O - HumanOS, Erica Connell, David Waite, Rashmi Siravara, Jaroterm 💻, Will Abramson, Vanessa, Benjamin Young, Kimberly Linson, David I. Lehn, Alex H, John Henderson, Kaliya Young, Lucy Yang, PL-ASU, PL, David E Waite, Joe Andrieu, jaromil, Geun-Hyung Kim, Susan Stroud

Our Robot Overlords are scribing.
Harrison_Tang: Welcome welcome everyone uh to this week's w3c ccg meeting uh today we're very excited to have a Jeremy and Andrea to uh come here and present uh on BBS plus signature schemes benchmarks.
Harrison_Tang: But before we uh go to the main agenda I just want to quickly remind everyone the code of ethics and professional conduct just want to make sure we have a constructive and helpful conversations here.
Harrison_Tang: A quick note about intellectual property anyone can participate in these calls however all substantive contributions to any ccg core items must be member of the ctg with a full IPR agreement signed so if you have any questions in regards to the IP notes intellectual property notes or the w3c account uh please feel free to just uh reach out to any of the cultures.
Harrison_Tang: Couple quick notes in regards to uh the calls uh these calls are automatically being recorded and transcribed and we will publish the meeting minutes the audio and video recording in the next 24 to 48 hours.
Harrison_Tang: We use TI chat if you the speaker so you can type in Q Plus to add yourself to the Q or Q minus to remove uh and you can uh.
Harrison_Tang: New question mark to see who is in the queue.
Harrison_Tang: Right so uh just want to take a quick moment for the introductions and reintroduction so if you're new to the community or you haven't been active and want to re-engage uh feel free to just unmute and uh introduce yourself.
<jaromil> ahoy!
Harrison_Tang: See mostly familiar faces so.
Harrison_Tang: Move on to the next topic.
Harrison_Tang: I think General can introduce himself once we get to the main presentations.
Harrison_Tang: All right uh announcements and reminders uh any new announcements or reminders.
Manu Sporny: Uh hi Harrison um yeah just a couple of um kind of notes uh on things that happened at the worldwide Web Consortium technical plenary that happened 2 weeks ago in the uh California DMV hackathon which included verifiable credentials uh and mdl uh last week um uh so the the high-level feedback from w3t pack is that uh the did working group work uh is going well that was a a good 2 days of full-day meetings um the work items are proceeding uh as plans you know real drama or anything you know we just kind of got down to to to making progress on did core and the did resolution specification so that went well um on the Wednesday there was a breakout session um multiple breakout sessions so like 40 breakout sessions um uh we did 1 on did method standardization um uh which got.
Manu Sporny: Decent bit of interest uh we suggested a web-based Ed method and ephemeral did method and a a truly decentralized uh did method um that uh proposal for working group Charter uh received no objections um we will of course know like the people in the room didn't object that doesn't mean there won't be people that object but largely it was uh positive feedback on having uh such a a working group uh as some of you know that did method standardization work is happening as a joint uh work item between ccg um uh trust over IP decentralized identity Foundation uh those meetings are happening regularly now.
Manu Sporny: The other thing that we put forward are a number of the specifications that are being incubated in the ccg uh things like render method uh confidence method um the uh uh hopefully in the future verifiable credentials over Wireless the verifiable credential barcode stuff um uh VC API uh those were all proposed as uh going standards track again um nobody in the room uh objected to uh that work proceeding that would probably be around next summer so still quite a ways from that for a recharter um uh and then finally the verifiable credential working group uh met um that went really well many of us got to meet uh Simone for the first time which was great um uh to meet him in in person as his role as the security uh lead at w3c um we uh have agreed to go into a second candidate recommendation with all the specifications we believe we're pretty much done.
Manu Sporny: Um with them at this point um and the only thing that we're really uh waiting on right now uh the only thing that we're really waiting on is uh Security review um uh on uh those specifications which we'll be working with uh the new uh newly chartered um security uh interest group uh saying on um we are hoping that uh by q1 of next year will be able to have uh standard uh standards w3c standards published for fiber credential data model uh the securing specifications uh status list um things like that um.
Manu Sporny: The other thing that happened was the uh California DMB hackathon.
Manu Sporny: They were 15 organizations that participated really great amazing use cases um uh the usage of verifiable credentials was around 10 out of the 15 organizations used the verifiable credential version of the driver's license uh the rest used the mdl there were in-person use cases uh many of them were online use cases um and so we got some really good feedback um from that uh Google was there Apple was there uh providing uh support uh along with uh us uh providing support for the verifiable credential stuff um and and and so and so forth so um good kind of momentum building uh confidence in the technology roll out to production uh that that sort of thing um I will also note that um uh Lucy uh Yang was there um.
Manu Sporny: As well as uh Clea and Gail Hodges from open ID Foundation um Sharon Lowe was there uh as as a judge um uh Lucy did an amazing job um you know keeping uh the whole event running on on the rails as did uh Gail so uh there's a another event the government hackathon in a in a month's time November 1st um but it was a really great turnout uh really good to see the community building things and uh rolling them into production uh that's it.
Harrison_Tang: Thank you man.
Harrison_Tang: Any other announcements or reminders.
Kaliya Young: Sure um just a reminder that internet identity Workshop is coming up at the end of the month.
Kaliya Young: Um October 29 to.
Kaliya Young: 31St bring your Halloween costumes it will be fun and um.
Kaliya Young: The other thing is on the day before you've got the community events there's like an interesting vrm event the shaping up um vendor relationship management Community has their Monday thing and I think the open ID Foundation has something too so um.
Kaliya Young: And just a reminder too we're committed to accessibility.
Kaliya Young: If you want to be there.
Kaliya Young: Um speak to us and we will help make that where are you.
Harrison_Tang: Thank you Clea.
Harrison_Tang: We will hold the ccg meeting uh that week so on on October 29th we will not have a ccg meeting because of the internet identity Workshop so I'll send out the calendar reminder.
Harrison_Tang: A weekend event.
Harrison_Tang: Okay any other announcements or reminders.
Harrison_Tang: All right so next week we'll have Carrie uh to talk about MIT digital credentials Consortium updates and then the week after we'll have Krista Allen uh come back and talk about uh his latest on Gordon envelope and Gordon's seal transport uh protocol.
Harrison_Tang: All right uh moving on um any updates uh in regards to the work items.
Harrison_Tang: So last calls for introductions announcements will work item related um topics.
Harrison_Tang: I think there's a working group around multi-format like multi key multi hash right like working group maybe we can collaborate with them.
Harrison_Tang: Oh cool great idea.
Harrison_Tang: Um any other topics people want bring up.
Harrison_Tang: All right let's get to the main agenda so today again very excited to have Jerry Mill and Andrea here to talk about the BBS plus signature scheme benchmarks uh I think they have shared with the ccg public list and then I also include a link to uh Jeremy blog post uh in the agenda uh that I sent out last week but uh without further Ado uh Jeremy please take it over.
Harrison_Tang: Yep we can see you and hear you.
Jaromil_☮️_Dyne.org: I guess you can see the screen and uh yeah I'll switch on the video but if there is any problem with the connection let me know that uh I'll save that but that bit of bandwidth.
Jaromil_☮️_Dyne.org: So uh I'm here with Andrea my colleague and um yeah we run we had fun running this Benchmark for the BBS briefly where we come from is a small Foundation based in Amsterdam.
Jaromil_☮️_Dyne.org: A lot from the w3c so we are very happy to be members now we grew enough through European projects our main um contractor is the European commission for which we have done several projects 1 Flagship success stories uh in ICT mostly.
Jaromil_☮️_Dyne.org: And we do this as you see with the interdisciplinary approach.
Jaromil_☮️_Dyne.org: Um everything we do is free and open source uh so everything you find in this presentation is running on code that you can download test.
Jaromil_☮️_Dyne.org: Well you are familiar with the licensing and the story of the group project 1 big more on top of this slide maybe is that most of the things you are going to see their implemented in C language.
Jaromil_☮️_Dyne.org: And this is the platform that we use to run the benchmarks that you are shown.
Jaromil_☮️_Dyne.org: It is grew GPL software that we are developing since 2018 most of it has been uh most of the research and development in it has been funded by European projects and today we are very happy to to to use it for for our work for our daily work it is relevant to say this because this is the main platform The Benchmark is running on it is a virtual machine is very portable so the computations are applicable.
Jaromil_☮️_Dyne.org: I mean we.
Jaromil_☮️_Dyne.org: Target also was so it runs on also in browser.
Jaromil_☮️_Dyne.org: Obviously these leads to different performances all performances that we we see today they are running on uh PC.
Jaromil_☮️_Dyne.org: I will give the specs later on.
Jaromil_☮️_Dyne.org: And last bit about us why uh we got here uh obviously I mean uh sheer passion for making things work well and making code uh transparent code run on most of our devices uh but also the fact that we are involved we are deeply involved in Europe and this initiative the European digital identity architecture reference framework eud are known as is running is shaking a little bit the the stages were um identity is um is discussed at least on this side of the pond and it is um yeah as you just I I put this slide you are all familiar with how and what an identity digital identity wallet should be doing this is the the framework in which it falls as a as a web mobile application slash web app that can be also implemented as.
Jaromil_☮️_Dyne.org: And um yeah these this initiative has had already.
Jaromil_☮️_Dyne.org: Some feedback uh also critical feedback which I think is the most valuable because that's the way to make it better and the most important feedback came from uh this bunch of people you can see among them some superheroes of cryptography so quite some authoritative names that made uh the commission notes that the algorithms used especially in a cryptographic level in the ldr are not really sound why I say this because that's really how I come to study BBS plus uh we are interested in these algorithm because it's mature.
Jaromil_☮️_Dyne.org: In my opinion could have been standardized a bit earlier but yeah here we are and um and it's a good substitute because it brings in the feature of unlabeled so this is the the real reason why we are here and and you know contributing and and sharing.
Jaromil_☮️_Dyne.org: This VBS uh plus Benchmark so the QR code is clickable I think um.
Jaromil_☮️_Dyne.org: There are slides um.
Jaromil_☮️_Dyne.org: I I'll share the slides at the end of this presentation and uh here you can find the article that uh uh that I wrote and circulated about this.
Jaromil_☮️_Dyne.org: Uh there is another relevant article that I will use as a reference uh in this Benchmark uh it's SD BLS we we made a new scheme uh which we are not proposing as a production ready for BBS plus but we had Farm demonstrating some other features that we believe should be in a uh digital identity credential uh selected disclosure credential scheme in particular threshold revocation while doing this we implemented a BLS signature with Selective disclosure uh protection from replay attacks uh several features you find into this article recently published the link is to the open publication by the way on axis.
Jaromil_☮️_Dyne.org: Here is because as a term of comparison in The Benchmark I also bring in this to show how faster is BBS plus that was anticipate the result so it makes sense actually to to look still look at BBS plus even if today BLS signatures can be done um in many other ways.
Jaromil_☮️_Dyne.org: So let's Dive In.
Jaromil_☮️_Dyne.org: Uh this is the fastest uh explained quickest explained part of the Benchmark uh this is what you see up is a bit of a.
Jaromil_☮️_Dyne.org: On where the benchmarks were running inside our VM um and yeah you have to consider that the VM uh has a direct syntax parser made in Lua which is um also a dialect of Lua in fact I overloaded a lot of operators so that it looks like Mathematica that's why we have students from mathematics working with us and and implementing algorithms like we as plus so we implemented it very similar to what um a proof in Sage or Mathematica would look like and um and it runs straight in production uh but you have still to consider that the benchmarks uh initialize from C alua VM so.
Jaromil_☮️_Dyne.org: Some things could be done faster.
Jaromil_☮️_Dyne.org: this is.
Jaromil_☮️_Dyne.org: Please keep our generation so uh just straight on hashing power um the generation takes uh almost 0.003 seconds.
Jaromil_☮️_Dyne.org: so you.
Jaromil_☮️_Dyne.org: See this the number of keys in 2 seconds a thousand keys were generated on in our tests.
Jaromil_☮️_Dyne.org: Issuance more interesting um first fact is that is definitely linear growth.
Jaromil_☮️_Dyne.org: Uh as you see in a thousand a thousand issued credentials uh will take also to verify uh pretty much the same time will take 1 second.
Jaromil_☮️_Dyne.org: For a thousand of them.
Jaromil_☮️_Dyne.org: So yeah the Layman um.
Jaromil_☮️_Dyne.org: That we will say here is really like 1 second to issue a thousand credentials.
Jaromil_☮️_Dyne.org: The presentation and verification are usually the trickiest as you know we are talking about zero knowledge proof um algorithm so um this is our results uh also published in the article uh you see that the growth of proving is steeper so verification will scale slightly better.
Jaromil_☮️_Dyne.org: I guess this difference is quite negligible but uh yeah we can say that uh verification takes uh less.
Jaromil_☮️_Dyne.org: And just to as I as I uh anticipated just to put it in perspective.
Jaromil_☮️_Dyne.org: Um sdbl is an implementation of bonelang sakam uh signatures so.
Jaromil_☮️_Dyne.org: Multiplications of our elliptic curves and in pairing uh which BBS plus Repro reproduces its own way uh but.
Jaromil_☮️_Dyne.org: This is like playing on playing on the same curve the BLS 3812 um this is the result of sdbs uh with issue proven verification uh we see clearly that BBS plus is 1 uh magnitude faster than a BLS signature implementation I think this is a relevant result it makes sense to use BBS plus not only because it's it's a a bit older and more tested uh well 1 could argue that BLS signatures are also quite tested on on top of a lot of Bank of a blockchain implementations but still um you know in the same conditions um with the default ROM uh settings so the the order of the curve and the generators that BBS plus is customizing with the default ones on the BBS 3812.
Jaromil_☮️_Dyne.org: Then um yeah we really have an improvement in performance.
Jaromil_☮️_Dyne.org: So again uh Layman result for this uh um Benchmark uh 1 second for 1,000 credential presentations almost a second and a half for a thousand credential verifications.
Jaromil_☮️_Dyne.org: Things can be optimized but this is what we got in our environment.
Jaromil_☮️_Dyne.org: Now to the Layman results very quick of the size sizes are quite good again I don't have here a comparison with sdbs but I can tell you as I brought the paper and and went through its implementation uh this is very very compact compared to what happens with uh BLS signatures uh so remarkably compact of course we are talking about the sort of compression of second order curve points using the zcash compression so taking only 1 coordinate it gets down to 96 bytes for public Keys 80 bytes for issued signatures and zero knowledge proofs down to 272 bytes.
Jaromil_☮️_Dyne.org: Which is very interesting if you consider that a mobile wallet holding 100s in 100 kilobyte in 10 kilobyte sorry and proof will will fit into QR code and even most NFC tags.
Jaromil_☮️_Dyne.org: Which is not the case for our comparison implementation in BBs.
<andrea_d'intino_|_forkbomb_bv> SD-BLS sizes:
Jaromil_☮️_Dyne.org: So yes please.
Jaromil_☮️_Dyne.org: It grows linearly yes.
Andrea_D'Intino_|_Forkbomb_BV: Uh Jeremy I will shoot at the grow.
Jaromil_☮️_Dyne.org: Wait a second.
Andrea_D'Intino_|_Forkbomb_BV: I'm not 100% sure.
Jaromil_☮️_Dyne.org: Wait a second um.
Andrea_D'Intino_|_Forkbomb_BV: I can make a quick test but uh.
Harrison_Tang: Hey man you have a similar question.
Manu Sporny: Yeah well no it uh uh just an answer uh they do grow so the way BBS um uh works is that um the more you hide the larger the signature the less you hide the smaller the signature uh and so the the bytes that are Mill showing are are accurate right um it it depends on the number of claims that you have in the credential and it depends on how many uh you're trying to hide uh but that is well within you know the the number that uh your emails uh showing on there um we also have um some this is fantastic work by the way our Mill Andre like this is this is this is great stuff it's really wonderful that you've done an independent uh you know review and demonstration of it the numbers that you're showing are very much in line with the numbers that that we found um but yeah we're happy to show some of the the um how how BBs um you know the signature sizes change based on what your uh.
Manu Sporny: The the amount of.
Manu Sporny: Um you know in.
Manu Sporny: That you're trying to uh disclosed but but they're they're the the the again going to this Layman's result like.
Manu Sporny: The lay.
Manu Sporny: Is like yeah they're really small signature sizes for what they're you know uh signing you you don't really get even close with many of the other you know approaches.
Jaromil_☮️_Dyne.org: Yes it's not super easy in my setup right now to open up the Benchmark terminal and show the Json uh it would be unwieldy now but uh well I can confirm from my understanding that selectively disclosures with multiple credentials will grow linearly uh yet there is not yet a SD BBS Plus.
Jaromil_☮️_Dyne.org: I know some people in Europe are paid to work on it um.
Jaromil_☮️_Dyne.org: And so when when there would be a format for SD uh we will see really like how how it fits into the protocol if they find any opportunity to to tame down the growth but my understanding is that it would grow linearly for each proof.
Andrea_D'Intino_|_Forkbomb_BV: Uh guys I am making test now it doesn't seem to me that they grow but uh maybe we can uh make some proper tests and share the results later.
Jaromil_☮️_Dyne.org: Yeah it depends what we are looking at but yeah I go on with the presentation then we look at um.
Jaromil_☮️_Dyne.org: Perhaps I can fire up here the The Benchmark terminal.
Jaromil_☮️_Dyne.org: Um okay are there any other questions about this part because I'm moving in the the last part of the presentation then.
Harrison_Tang: Oh wait I I have a question based on what you show so far BBS is better than BLS signature so my question is why would other applications like blockchains like use the BLS why don't they just move to the DBS.
Harrison_Tang: Or are there is like are there certain things that BLS do better than BBS or it's it's just a BBS is strictly better.
Jaromil_☮️_Dyne.org: I see a lot of people doing strange things so in in blockchain space.
Andrea_D'Intino_|_Forkbomb_BV: Uh do you want me to try to answer Jeremy.
Jaromil_☮️_Dyne.org: Yeah please Andrea.
Andrea_D'Intino_|_Forkbomb_BV: So uh uh Harrison we we wrote a paper the name of the paper is SD BLS standing for selected disclosure and they're basically we experimented through different phases we experimented different uh features.
Andrea_D'Intino_|_Forkbomb_BV: Uh and uh uh t tldr.
Andrea_D'Intino_|_Forkbomb_BV: Our uh our implementation as the as the BLS is slower is visibly slower than BBS plus but it offers features that BBS plus doesn't have for example revocation cryptographic revocation which is something we know that BBS team is working on.
Andrea_D'Intino_|_Forkbomb_BV: So it's it's uh if you compared speed only then BBS wins then if you look at a certain features there are other cryptographic schemes that offer features that aren't currently available in BBS Plus.
Jaromil_☮️_Dyne.org: Okay yes in the meantime.
Jaromil_☮️_Dyne.org: I I made.
Jaromil_☮️_Dyne.org: Some progress to fire up the terminal and we can look at the the Json row data later on if you want.
Jaromil_☮️_Dyne.org: And make some tests.
Jaromil_☮️_Dyne.org: Any other question until this part.
Jaromil_☮️_Dyne.org: So I have 1.
Jaromil_☮️_Dyne.org: I don't I'm not I'm not sure it's really irrelevant answer to your question but the only reason I would see in not using BBS plus is that because of its ROM setup and with that I mean because of the hardcoded generators.
Jaromil_☮️_Dyne.org: Mbps plus only BLS 381 uh 12 is implemented.
Jaromil_☮️_Dyne.org: And it is not transferable on bigger curves.
Jaromil_☮️_Dyne.org: So BLS as the advantage that I could go on on a bigger course achieving more bits and therefore more security.
Jaromil_☮️_Dyne.org: But still I will be in a framework that is not post-quantum secure.
Jaromil_☮️_Dyne.org: Um but yeah that that could be a reason that is more portable to use BLS.
Harrison_Tang: Got it thank you.
Jaromil_☮️_Dyne.org: Um the next um tests that I did uh is um attempt at privacy analysis I use 2 methods 1 I believe more interesting is measuring the Hamming distance between um BBS plus proofs.
Jaromil_☮️_Dyne.org: Generated on the same credential.
Jaromil_☮️_Dyne.org: And comparing them with the Hamming distance of random generators.
Jaromil_☮️_Dyne.org: Here that you.
Jaromil_☮️_Dyne.org: 3 random generators different in comparison 1 is the prng in the room another 1 is the prng in the room seeded with random from random.org.
Jaromil_☮️_Dyne.org: And the the third 1 is openssl.
Jaromil_☮️_Dyne.org: So I put these in um in a graph where you see the frequency of distance.
Jaromil_☮️_Dyne.org: Recording distances and the white you see on the left and right it means that nothing has occurred outside of that uh distance.
Jaromil_☮️_Dyne.org: See that the frequency zooming in on uh just 10 samples so here are like it's very few samples uh it is restricted between a 1030 a 1080 which is absolutely normal this is visible also um on 100 samples.
Jaromil_☮️_Dyne.org: Where we have um this is group plot so there is some transparency so the the darkest color it means that there is overlapping.
Jaromil_☮️_Dyne.org: And um yeah let's let's keep an eye on this guy here on the on the right side uh Manu you've wrote about it in a mail and I think you are right it's worth investigating uh when we get to um many more samples.
Jaromil_☮️_Dyne.org: Uh we see that there is uniform distribution.
Jaromil_☮️_Dyne.org: But there is still this guy here.
Jaromil_☮️_Dyne.org: It's a it's a sort of a spike.
Jaromil_☮️_Dyne.org: Around a thousand 140.
Jaromil_☮️_Dyne.org: Um I have no idea why that occurs.
Jaromil_☮️_Dyne.org: But it's consistent.
Jaromil_☮️_Dyne.org: Um Shannon averages yes please will.
Jaromil_☮️_Dyne.org: Hamming distance is when you take 2 octets so 2 arrays of bytes.
Jaromil_☮️_Dyne.org: Uh let's zoom in to arrays of bits.
Jaromil_☮️_Dyne.org: And you put them on top of each other and you see if the bits are the same or not.
Jaromil_☮️_Dyne.org: If the bits are the same there is no distance.
Jaromil_☮️_Dyne.org: And if the bits in the same position change there is a distance.
Jaromil_☮️_Dyne.org: And it's used the even like down in in the in the kernel to and in the compiler to um compute difference between data on a bit resolution.
Jaromil_☮️_Dyne.org: So bits on top and yeah you know like there is never complete on a bit level there is never complete distance so the distance will be always lower than the length of the data you're comparing.
Jaromil_☮️_Dyne.org: But there will be a a a consistent number of distance between a random data.
Jaromil_☮️_Dyne.org: And if data is Not So Random then you will start seeing less distance.
Jaromil_☮️_Dyne.org: So the number will go down.
Jaromil_☮️_Dyne.org: Um Shannon entropy is measured on the.
Jaromil_☮️_Dyne.org: Um on the signal basically uh on the on the the entropy of the signal so how unpredictable it is let's say um that is well documented also on Wikipedia how it works we have a simple implementation in the room.
Jaromil_☮️_Dyne.org: I can show you the code later on it's not that big.
Jaromil_☮️_Dyne.org: Wrote it myself in C with pass it some tests this is my measurement of it so um the values are the same for random generated things.
Jaromil_☮️_Dyne.org: I mean the the the difference is negligible also here.
Jaromil_☮️_Dyne.org: And very close to each other so this is also a visualization with gnu plot of the values.
Jaromil_☮️_Dyne.org: Uh of shamanthy and you see the narrow I mean although we have some wiggling but it's between 098 and 0965 so.
Jaromil_☮️_Dyne.org: It's it's constantly good uh Shannon entropy values.
Jaromil_☮️_Dyne.org: So my conclusion is that the encoding of a BBS plus proof appears as random data to the outside Observer uh with the reserve that yeah it's worth investigating that random Spike around a thousand 140 on Hamming distance measurements.
Jaromil_☮️_Dyne.org: A future directions if I would have more time.
Jaromil_☮️_Dyne.org: What I would do.
Jaromil_☮️_Dyne.org: Uh and I we try but honestly this was done in August and we were on the beach and and uh yeah it's uh it's becoming busy again at work um but yeah the future directions i c 1 is fat seeing stress testing uh because in Zen room we implemented uh some easy functions for attacking uh cryptographic algorithms so far there has been used for implementing a cryptographic algorithms but since we have some clients that ask us to develop new algorithms and since we do that quite fast we would like to have a good testing pipeline um and um yeah we build some fudging uh stress testing Primitives uh if you don't know the matasano challenges they are a great exercises free online and um it's fun for cryptographers.
Jaromil_☮️_Dyne.org: they are.
Jaromil_☮️_Dyne.org: Is like shaan and also RSA signatures things that were proven in the past to be broken so in the matasano challenges there are like these techniques explained and you have to reimplement them so uh because we we all took those challenges then we implemented them in the room and now we have easy functions it will be as easy as uh running Hamming distance measurements uh of what you have seen so maybe in the future we will try what they consist of Imagine um the algorithm you change at a certain point of all the flow you change only the first bit of a signature or only the last bit of a signature or a random bit or you shift it of 1 bit.
Jaromil_☮️_Dyne.org: so you change.
Jaromil_☮️_Dyne.org: Things in the in the material and the in the data and you see if the algorithm holds if if it doesn't crashes if it's if it's not producing uh false results because even if a bit changes in a signature it should not validate.
Jaromil_☮️_Dyne.org: Uh it should not you know until you try.
Jaromil_☮️_Dyne.org: Another uh feature direction that I see is um coding the fastest BBS plus implementation in the west it would be great fun to do that and I hope I find the time to do that um I think the best way is to use lib blst.
Jaromil_☮️_Dyne.org: And the Target also was I believe this would lead to some very fast implementation will be interesting to compare with my benchmarks here and see what goes obviously this is a step later after standardization and uh I don't know if you could could sell in the industry because this is like end to end cryptographic algorithm so.
Jaromil_☮️_Dyne.org: We must see if if there will be need for such a big optimization but yeah it will blsd is better than our primitive Milagro we use Milagro um in the room the 1 written by Mike Scott uh then donated to the Apache Foundation as incubator we still use the original from Mike Scott uh which is a very nice primitive because it doesn't have any memory allocation um but leave the BLS is very popular in the crypto scene especially for zero knowledge proofs and it has Us in the optimizations both for arm and x86 platforms so it won't make sense it would be fun we have um.
Jaromil_☮️_Dyne.org: Vectors to compare with so maybe we will do it um yeah everything you have seen is based on um.
Jaromil_☮️_Dyne.org: On I forgot to mention on the latest BBS specification which came up came out like a month ago and um we have matched all the vectors and we are following very closely all new versions.
Jaromil_☮️_Dyne.org: uh so.
Jaromil_☮️_Dyne.org: We will manage to update also this if there is any new version we hope there will be not new version uh um and.
Jaromil_☮️_Dyne.org: Yeah last future direction will be interesting perhaps also for Forks at w3c to Benchmark our implementation of BBS inside browsers uh so their room can already uh compiled to asthma we use it a lot into as as a payload to browsers is like 2 megabytes less than 2 megabytes payload you can npm install Zen room already and it runs in browser so we can already run BBS Plus in browser uh but I just didn't bother to make the Benchmark comparison uh I guess it will be 1 order of magnitude is lower um it will be interesting to do uh just here again lack of time but if you're interested we can team up and um yeah we take stage students also for this so we can we can always put some young people on this tooling because it's well documented and not so hard to run um and then run it into a JavaScript environment.
Jaromil_☮️_Dyne.org: so that's all.
Jaromil_☮️_Dyne.org: Uh a bit of advertisement for our group uh I'm co-chairing a group at w3c I'm very happy about this is the the threat modeling community group uh together with Simon and AI who is here and uh yeah if you want to join us for Less technical things you are very welcome there uh fun fun trivia the threat.
<simone_onofri> we're also starting with Greg the work on VCDM
Jaromil_☮️_Dyne.org: Was born because we noticed that in the ldr um specification in Europe there was no threat model so so it's very hard to discuss about um you know security without a threat model and uh yeah that that would be probably 1 of the first things we will start working on.
Harrison_Tang: Thank you thanks a lot any questions.
Manu Sporny: Yeah this is.
Manu Sporny: A wonderful work uh why this is uh great to see um you know all of this stuff recreated by independent uh organizations uh it's going to be a a huge help to the security review that's going on at ITF and uh the worldwide Web Consortium um uh the you had mentioned in the article that you're also looking into um doing the same kind of uh kind of analysis on the w3c uh BBS data Integrity specifications do you uh was that did I misread that or um is there plans to kind of look at um the the higher level uh cryptographic protocol um because I think the analysis you've done today is the lower level of BBS kind of core cryptographic Primitives um uh what has to be done now of course is um either whether it's uh SD BLS or S Ebbs or or jwp or the data Integrity BBS uh crypto.
Manu Sporny: It's a w3c.
Manu Sporny: Um are you.
Manu Sporny: Planning on uh taking a look at uh those higher level kind of uh cryptographic protocols as as well.
Jaromil_☮️_Dyne.org: I think my colleague Andrea is more busy on that you consider that I will stay more on the cryptographic lower level and less on the protocol level and also because of the tools we are developing and the way we are working but Andrea has just some good news that the EC is also sponsoring us for um.
Jaromil_☮️_Dyne.org: A new project I I don't spoil it Andrea if you want to tell about it.
Andrea_D'Intino_|_Forkbomb_BV: Yes Manu uh we are definitely looking at those very soon uh we got a small Grant to implement uh uh something that initially will be an aod ARF compliance tool.
Andrea_D'Intino_|_Forkbomb_BV: Is I hear a lot of noise.
Jaromil_☮️_Dyne.org: Go on we can hear you well.
Andrea_D'Intino_|_Forkbomb_BV: Okay um and actually in writing the application we got deeply inspired by uh the the VC playground as well as the can I can I vc.com.
Andrea_D'Intino_|_Forkbomb_BV: And uh we initially will focus only on audr but very very soon we going to move to uh different uh.
Andrea_D'Intino_|_Forkbomb_BV: Data formats and uh protocols so definitely yes and uh I will uh we will ping you regarding uh the VC API and we'll also ping you trying to get an interview from you on to give us feedback on what you like to see on this application.
<manu_sporny> That's great, wonderful!
Manu Sporny: No no problem happy to help.
Jaromil_☮️_Dyne.org: Yes some handholding in the in the quantity of literature uh is is always welcome and and yeah the project is an exciting project it was the brainchild also of purya and it's of course learning from the w3c attitude because I remember clearly uh one of the first things that came out with the worldwide web was a a validator of HTML Pages very useful hosted by so we want a validator for all this and uh we'll go through of course I mean this this will be very useful uh for BBS Plus for the Audi is the first thing.
Jaromil_☮️_Dyne.org: But um Andrea I don't know if I should say it but really I mean I I would never suggest um a client to use the odf for for credentials I I don't even go to test the sdj sdj implementation from a cryptographic.
Jaromil_☮️_Dyne.org: point of.
Jaromil_☮️_Dyne.org: Uh uh you know BBS plus should be definitely the the one considered.
Andrea_D'Intino_|_Forkbomb_BV: We all agreed SMS.
Andrea_D'Intino_|_Forkbomb_BV: It would be ARF SMS.
Harrison_Tang: Simone I think you're on the queue.
Jaromil_☮️_Dyne.org: If anyone wants to dig deeper into the.
Jaromil_☮️_Dyne.org: the point.
Jaromil_☮️_Dyne.org: Questions were posed about the scalability we can on a on a terminal.
Manu Sporny: Yeah on on the scalability I have um one one addition but before before I do that going back to kind of Wes's um sorry um Will Abramson's uh question around the Hamming distance it's a really interesting for those of you that you know don't don't uh aren't steeped in in cryptography it's a really interesting measure on whether or not the cryptography is actually working uh let me see if I can hopefully I can screen share um here um so like this is a picture of a penguin right this is Tux Linux Linux penguin um and if we're going to encrypt it what we would expect to see once we encrypted it is something that looks like this it's just like noise like you can't tell that there that's the penguin that was like encrypted um and this is an example of like you know having good Hamming distance uh when you do that kind of check um but there was a uh there was a security failure many years ago where when you encrypted that image.
Manu Sporny: Would get something like this.
Manu Sporny: This is an example of like really poor Hamming distance like you know exactly what has been encrypted even though it's gone through a quote unquote you know block Cipher encrypted encryption algorithm so when um when Jaromil was talking about Hamming distance this is the type of thing that he was measuring he wanted to make sure we were in this in this case which is what he showed with that nice uh curve um instead of this case where you would not have seen that nice curve you would have seen something uh else um when it came to kind of Hamming distance so it's one of those really neat things that you can kind of check uh to see if your uh encryption and cryptography is working the way you think it's it's working um as for the um the uh the proof size chain changing um I think Andrea was correct the signature size the initial signature size on BBS doesn't change so the when the initial signature doesn't change but I believe the.
<andrea_d'intino_|_forkbomb_bv> let me check
Manu Sporny: Change as you reveal or or hide more information because you have to uh include um the um uh the the hidden kind of values in a in a way and that adds to the the the derived signature um the the the zero knowledge proof um that's it.
Our Robot Overlords are scribing.
Jaromil_☮️_Dyne.org: Um I shared other computer but I yeah I'm back no can you hear me.
Manu Sporny: Yep yeah we can hear you.
Harrison_Tang: Yeah you're back yeah I think uh.
Jaromil_☮️_Dyne.org: So I was showing I just run again the.
Jaromil_☮️_Dyne.org: Benchmark so this is the terminal of the benchmark.
Jaromil_☮️_Dyne.org: And I want to proceed all around.
Jaromil_☮️_Dyne.org: Yeah this is the how The Benchmark is done it's a simple script you find in.
Jaromil_☮️_Dyne.org: I I.
Jaromil_☮️_Dyne.org: Committed to the to the source code so you will find it in the test Benchmark BBS.
Jaromil_☮️_Dyne.org: Maybe some feeding with the bill.
Jaromil_☮️_Dyne.org: You'll get this eventually I forgot to mention that shake 256 or sha 256 um are pretty much the same.
Jaromil_☮️_Dyne.org: so I just.
Jaromil_☮️_Dyne.org: Take which is also known as shortly.
Jaromil_☮️_Dyne.org: As hashing for BBS.
Jaromil_☮️_Dyne.org: yeah this.
Jaromil_☮️_Dyne.org: Were the timings.
Jaromil_☮️_Dyne.org: And and the sizes I get here.
Jaromil_☮️_Dyne.org: The size benchmarks.
Jaromil_☮️_Dyne.org: Here the proofs each proof is is it takes.
Jaromil_☮️_Dyne.org: Let's say this is the context and then the public key the the signature.
Jaromil_☮️_Dyne.org: From the issuer the message.
Jaromil_☮️_Dyne.org: And uh uh ivy.
Jaromil_☮️_Dyne.org: And um so the norms.
Jaromil_☮️_Dyne.org: And yeah this is for each message.
Jaromil_☮️_Dyne.org: So proof will be produced.
Jaromil_☮️_Dyne.org: For each new message and signature it is not aggregated at least from what I can see.
Jaromil_☮️_Dyne.org: There is a possibility to aggregate um signatures in in um in BLS space.
Jaromil_☮️_Dyne.org: But the proofs I don't think so.
<andrea_d'intino_|_forkbomb_bv> @manu I found something funky: it appears that the proof size decreases proportionally to the amount of elements disclosed :-|
Jaromil_☮️_Dyne.org: I was obviously not ready to answer these questions so.
<manu_sporny> Yes, that's correct Andrea :)
Jaromil_☮️_Dyne.org: Sometimes with cryptography you get so deep into one direction that you crawl back into the other is like sort of difficult but yeah uh feel free for anyone that remembers Lua feel free to play around with the benchmark.
Jaromil_☮️_Dyne.org: Uh this is literally all the Benchmark Zenroom is like an interactive shell so you know it works like this octet random and uh um oops uh I should have said octet.
<manu_sporny> The more you hide, the larger the proof. The less you hide, the smaller the proof (at least, with BBS+)
Jaromil_☮️_Dyne.org: Uh whatever and then print em you show.
<andrea_d'intino_|_forkbomb_bv> no, I take back what I said
Jaromil_☮️_Dyne.org: So it it is Lua.
Jaromil_☮️_Dyne.org: You see this was the random in HEX.
Jaromil_☮️_Dyne.org: And this is the random in binary and this is literally the language that we use in.
Jaromil_☮️_Dyne.org: Zenroom so if you go and read the Keygen.
<andrea_d'intino_|_forkbomb_bv> no I take back again.. I was right the first time!
Jaromil_☮️_Dyne.org: Implementation of our benchmark.
Jaromil_☮️_Dyne.org: you'll see.
Jaromil_☮️_Dyne.org: There is a bit of a boilerplate this is clock for measuring the speed.
Jaromil_☮️_Dyne.org: But really the common is keygen here and then this is all down here is um.
Jaromil_☮️_Dyne.org: Um all you know putting it into a a format like gnuplot will take it.
<andrea_d'intino_|_forkbomb_bv> if you disclose 1 element from the array, the length is 10, if you disclose 3 elements, the length is 7
Jaromil_☮️_Dyne.org: So it is fairly easy and sizes is really the simplest.
Jaromil_☮️_Dyne.org: so you can.
Jaromil_☮️_Dyne.org: Hope through this create more proofs and see it really grows linearly we don't have um functions for other functions for the BBS.
<andrea_d'intino_|_forkbomb_bv> (10 and 7 are for representation purposes)
Jaromil_☮️_Dyne.org: And by the way if you're interested we have.
Jaromil_☮️_Dyne.org: BBS implementation in Zencode.
Jaromil_☮️_Dyne.org: Which is this.
Jaromil_☮️_Dyne.org: So that's how we use BBS this is the implementation inside Zenroom is create BBS Keys these are code commands.
<harrison_tang> so manu is correct in that the more you hide, the larger the size?
Jaromil_☮️_Dyne.org: And uh they can take arguments.
Jaromil_☮️_Dyne.org: So that's how we make it used by International Engineers so you can play with Zencode and create multiple.
Jaromil_☮️_Dyne.org: Anyway yeah this for the Curious ones to fiddle with.
<andrea_d'intino_|_forkbomb_bv> @manu "the more you hide" - probably correct
Jaromil_☮️_Dyne.org: This is the.
Jaromil_☮️_Dyne.org: I'll paste it.
Harrison_Tang: Cool thank you you're welcome.
Harrison_Tang: Any other questions.
Harrison_Tang: So it's also uh clarify the chat so in BBS is it true that the more you hide the larger the proof size is that true like just because I think there's multiple chats like happening.
Andrea_D'Intino_|_Forkbomb_BV: I did some tests.
Andrea_D'Intino_|_Forkbomb_BV: I can uh if you like I can share my screen and show you what we're looking at.
Andrea_D'Intino_|_Forkbomb_BV: That we generated a signatures with an array of 3 elements.
Andrea_D'Intino_|_Forkbomb_BV: Uh in this case the elements are above 18 Italian and Professor 3 strings.
https://github.com/dyne/zenroom inside test/benchmarks/bbs
Andrea_D'Intino_|_Forkbomb_BV: And if you want to create a proof where you only disclose 1 element.
Andrea_D'Intino_|_Forkbomb_BV: Uh the proof is going to be bigger.
Andrea_D'Intino_|_Forkbomb_BV: By disclosing 3 Elements which is counterintuitive but I believe it matches what Manu said The more you hide.
Andrea_D'Intino_|_Forkbomb_BV: The more uh you the longer the longer it is.
Harrison_Tang: Got it thank you.
Andrea_D'Intino_|_Forkbomb_BV: It's not it's not the amount of elements you want to disclose that makes it uh makes the proof bigger it's the amount of elements you want to hide so you want not to disclose.
Harrison_Tang: Got it thank you thanks a lot for clarification.
Harrison_Tang: All right any last uh comment or question.
Harrison_Tang: I think we're at a time.
<econnell> Thank you!
Harrison_Tang: Well thank you thank you uh Jaromil thank you Andrea uh for jumping on here this is a great discussion so thanks a lot.
Harrison_Tang: All right this concludes this week's ccg meeting thanks.
Andrea_D'Intino_|_Forkbomb_BV: Thanks for having us.
Received on Tuesday, 8 October 2024 21:36:12 UTC