Re: Longfellow ZK (google-zk)

On Thu, Jun 26, 2025 at 8:08 AM Jaromil <jaromil@dyne.org> wrote:
> here I'm sharing my analysis of the "Longfellow ZK",
>
> https://news.dyne.org/longfellow-zero-knowledge-google-zk/

Jaromil, this is an excellent analysis -- very well written and
approachable. You simplified a number of concepts that I was
struggling with wrt. the RFC and paper.

I continue to struggle with a few unanswered (in my mind) questions:

How is the counter-signature (in the mDL transcript) of the mobile
device verified? I presume this is happening as well (otherwise, you
could just clone an mdoc and perform ZKPs using it without being
detected -- a large-scale Sybil attack could be performed as a
result). I presume there are two ECDSA signature checks in the circuit
here? One by the issuer and one by the holder? Your diagram seems to
indicate one check, but I expect the holder ECDSA signature is hidden
in the circuit's logic?

As you know, for BBS, we can dynamically disclose messages without the
need for a cryptographic circuit. So, for BBS, if we had 30 properties
about a person, we could dynamically disclose any combination of those
w/o a cryptographic circuit. The cost for that is having to reveal
hashes for hidden messages in the derived proof. With Longfellow ZK,
do you just need one circuit for 30 properties (and if so, how big
would that be?)... or do you need one circuit for every combination of
messages you'd want to disclose? In other words, do you know what the
cost of dynamically disclosing a set of submessages is in Longfellow
ZK, or is that not supported?

Is it really post-quantum secure wrt. ECDSA? I get that the derived
proof is, but if a cryptographically relevant quantum computer appears
in the near future, all this "compatible with TEE/SE" stuff goes out
of the window, right? Sure, you could (theoretically) switch to a
post-quantum secure signature, but then there are no broadly available
HSMs that support that yet. I find the "post-quantum secure" argument
a bit weak at a "complete solution" level because if ECDSA is broken
by a cryptographically relevant quantum computer then ECDSA-based mDLs
as input become useless.

Why do you think "SD-JWT is a failing rule-by-standard operation"? I
have my own biased opinions, but would like to hear your reasoning.

Why do you think compression rates for the circuit are so high? Many
repetitions of the same bit sequences, yes, but why do you think that
is? It seems to indicate that we might be able to more efficiently
represent these circuits using a more efficient binary DSL.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/

Received on Thursday, 26 June 2025 18:59:28 UTC