- From: <msporny@digitalbazaar.com>
- Date: Fri, 21 Mar 2025 12:26:26 -0400
- To: public-credentials@w3.org
- Message-ID: <CAMBN2CQba7g_4CQGTCzxmuT2TZ=3BWcXJYhsQdWFNkUXEcxDVg@mail.gmail.com>
W3C Data Integrity Meeting Summary - 2025/03/21

*Topics Covered:*

1. *IETF and BBS Presentations Update:* Greg Bernstein reported on successful presentations at the IETF, covering the core spec, blind BBS signatures and pseudonyms. No major objections were raised, though the issue of "everlasting privacy" for pseudonyms was identified as needing further discussion and potential solutions. Related discussions included ARC (anonymous rate-limited credentials) and generalizing sigma protocols. The timeline for crypto panel review was discussed: blind BBS is almost ready, pseudonyms require more explanatory text and security/privacy details.
2. *Privacy Pass Updates:* Sam Schlesinger provided updates on Privacy Pass, noting positive reception of ARC for potential adoption, but also expressing concerns about potential fragmentation with a new working group proposal from Martin Thomson. Discussions involved privately and publicly verifiable anonymous credentials and the potential standardization of a private BBS variant.
3. *Everlasting Unlinkability in Pseudonyms:* A significant portion of the meeting focused on the concept of everlasting unlinkability in the context of pseudonyms, particularly in relation to the advent of cryptographically relevant quantum computers. The discussion highlighted that current pseudonyms, while unlinkable today, would become linkable with future quantum computing power unless addressed. Various approaches and challenges were discussed, involving the use of post-quantum PRFs and the trade-off between performance and security.
4. *Andrea Vesco's Hybrid Post-Quantum Data Integrity Crypto Suite Proposal:* Andrea Vesco presented a proposal for a hybrid digital signature scheme combining post-quantum and traditional public keys for credentials. The goal is to maintain security even if post-quantum cryptography proves flawed.
The discussion centered on whether this approach adds value given the existing mechanisms in Data Integrity (proof sets and proof chains), with some questioning the necessity of tightly binding the two signature types.

*Key Points:*

- The IETF presentations were well-received, with the exception of concerns regarding everlasting privacy in pseudonyms.
- Achieving everlasting unlinkability in pseudonyms is crucial for maintaining user trust and is a high-priority issue requiring immediate attention.
- The Privacy Pass group is considering integrating various anonymous credential approaches but faces challenges with potential fragmentation.
- Andrea Vesco's proposed hybrid crypto suite was questioned regarding its value compared to existing Data Integrity mechanisms (proof sets and proof chains). The potential benefit of tighter binding of the quantum and post-quantum signatures is being debated.

Text: https://meet.w3c-ccg.org/archives/w3c-ccg-data-integrity-2025-03-21.md
Video: https://meet.w3c-ccg.org/archives/w3c-ccg-data-integrity-2025-03-21.mp4

*W3C Data Integrity Meeting - 2025/03/21 09:56 EDT - Transcript*

*Attendees*

Andrea Vesco, Andrea Vesco's Presentation, Dave Longley, David C, Eddie Dennis, Greg Bernstein, Hiroyuki Sano, Manu Sporny, Manu Sporny's Presentation, Nivas, Parth Bhatt, Patrick St-Louis, Phillip Long, Sam Schlesinger, Ted Thibodeau Jr, 김근형

*Transcript*

Manu Sporny: Hey, all. Morning. We'll get started in a couple more minutes.

Manu Sporny: Andrea, do you want to cover the proposal that you sent? I'm sorry I haven't been able to get back to you, but it would be good to cover it today if you're okay with that. Okay, great.

Andrea Vesco: Yeah, for sure.

Andrea Vesco: It's not complete in the sense that, as I told you, we started with the first sections. I followed the template that I see all the others have used.

Manu Sporny: Yep.
Yes,…

Andrea Vesco: So I didn't draft the algorithms, for the only reason that it would be great to have some feedback before, and then I can finish the first version of the spec, of course.

Manu Sporny: That sounds good. Of course. Yeah. And today we can maybe provide some of that feedback.

Manu Sporny: I think the other thing that we have on the agenda today is Greg is going to give us kind of an update on how IETF and the BBS presentations went there, and some next steps. Are there any other items that people would like to cover during the call today? If not, then we'll go ahead and get started. We'll have Greg do the readout from IETF first and…

Manu Sporny: then Andrea will cover your hybrid post-quantum Data Integrity crypto suite. After that, Greg, over to you. How'd IETF go?

Greg Bernstein: IETF is very interesting…

Greg Bernstein: because sometimes a quiet room is a good thing. There were three presentations all in a row. We got put before most of the controversial stuff, so we were not at risk of getting pushed off the agenda. So, we gave a briefing, which I went over last week, on the core spec, blind BBS signatures and pseudonyms, and we're pretty well organized compared to some of the efforts.

Greg Bernstein: The one interesting thing at the beginning of the session, because there's been some controversy about some of the combiners combining post-quantum and traditional, the chairs were getting a little upset with people. They were reminding people it's a research group, and this is an odd thing about the CFRG. What they produce has the weight of standards, but they claim they're not standards, but that's silly since people look to them as if they are standards. But we managed to steer away from any of those controversies. We have very good cryptographer support and such like that.

Greg Bernstein: So the three presentations went… The issue on everlasting privacy for pseudonyms did not come up besides us mentioning it.
And that's mostly what I'm kind of interested in talking about, because we started talking about some solutions. Sam introduced us to Jonathan Katz. And I know Dave had some comments, like, "Why didn't they think about this issue before with cryptography?" And we're kind of, not pushing the limits of cryptography.

Greg Bernstein: We have a very good, specific application. And so the idea: previous pseudonym systems didn't think about everlasting unlinkability, as we'd call it. This only is an issue when a cryptographically relevant quantum computer comes up. So we can circle around back to that. But the gist of our work was looked on fine. People think it needs to happen.

00:05:00

Greg Bernstein: After us, the folks presented ARC, anonymous rate-limited credentials. This is a three-party model. It's to support Privacy Pass, but it uses similar technology and proof protocols. A one-party model, really. It at least does involve people. It's got an issuer and a verifier. So,…

Greg Bernstein: so it's privately…

Sam Schlesinger: That's not my impression.

Sam Schlesinger: My impression is that it uses a MAC and it's privately verifiable.

Greg Bernstein: Yeah, there's a whole class of things that are related to BBS that come under the notion of key verification…

Sam Schlesinger: I think they just distribute the key to two parties in this.

Greg Bernstein: which means that the issuer is sharing the private key, or has to share the private key, or be the same as the verifier. And so these are much different than the verifiable credential situation. Because of that, the overlap in using sigma protocols and…

Andrea Vesco: That's it.

Greg Bernstein: even variants of BBS, folks kind of are interested in these and look at… The good thing about the ARC proposal is they pointed out keeping things separate and not necessarily slowing down BBS.
And that was reiterated by some of the comments from the room. Particularly Deirdre Connolly was saying, "Okay, we see that this uses some of the same stuff, but let's not slow down BBS," and things like that.

Greg Bernstein: So that was because we had talked before with those folks. Once again, no controversies were raised much, except for impact on BBS progress. The third related talk was about generalizing sigma protocols, or implementing, within even Signal's usernames, which is a form of pseudonym. There is an underlying zero-knowledge proof technique known as sigma protocols. They're the most efficient.

Greg Bernstein: They require discrete logs, so they're not post-quantum secure, but they're very efficient, and they're used in multiple places, and they have not been standardized on their own. And so a paper about that came up, or a proposal for that, and we've been working with that author, that's Michele Orrù, and so that was the third kind of related thing, and pseudonyms or blind signatures may contain hooks to allow for that.

Greg Bernstein: Once again, we are making sure, though, that we don't get slowed down, but we can architect our internal breakdown of function calls within blind BBS and pseudonyms so that we can call to a more general proof mechanism like that. And that could be helpful if we're trying to get either more everlasting privacy out of pseudonyms, because there's some potential solutions for that, none are quite optimal yet, or if we're trying to do something that has at least post-quantum type security that we attach to the unlinkability aspects. Any questions?

Greg Bernstein: Manu.

Manu Sporny: Yeah. Yeah. I mean, a statement and then some questions. So, we'll come back around to the everlasting privacy thing. I think it's important for us to just kind of bring that up in this meeting.
But going back to the presentation specifically around BBS and pseudonyms and those specs, I'm hearing that you're saying there didn't seem to be any pushback on the direction of the specifications right now.

00:10:00

Manu Sporny: No objections that people are raising that are like, "You're doing it wrong, do it this other way." Anything like that come up during the meeting that we should talk about?

Greg Bernstein: No, no,…

Greg Bernstein: no. We have been pretty darn safe as far as the cryptography, and to get the working group adoption, that's where we had a lot of external cryptographers who chimed in. They did take a look. And so our goal is to try and…

Greg Bernstein: get these things into crypto panel review quickly, because that can take a while and…

Manu Sporny: Yeah. Was there a timeline that they mentioned for that, Greg?

Manu Sporny: The crypto panel will be…

Greg Bernstein: That's to push. For pseudonyms we're missing explanatory text, and we need security and privacy. Blind is almost ready to go because it's got all those sections, and we just added the test vectors.

Manu Sporny: Mhm. Yep.

Greg Bernstein: So I want to try and get it in sooner, because we know crypto panel review takes a while.

Manu Sporny: And then I think with the pseudonym stuff, we've got to address the everlasting privacy bit before I think we're ready to push that to crypto panel review. Sam, you're on the queue. Go ahead, please. …

Sam Schlesinger: I thought Patrick was before me.

Manu Sporny: I'm sorry. Go ahead, Patrick. I was not looking at the raised hands.

Patrick St-Louis: I think you mentioned… I was just going to ask a question about everlasting tsunami synonyms.

Manu Sporny: Pseudonyms. We'll get to that in a bit,…

Patrick St-Louis: So you mentioned we'll get to it.

Manu Sporny: Patrick. Yeah.

Patrick St-Louis: So that's why I lowered my hand.

Manu Sporny: Okay, got it. Go ahead, Sam.
Sam Schlesinger: Yeah, I just wanted to update on things in Privacy Pass, because there was some related discussion that I don't think that Greg was maybe there for. So basically Apple brought ARC to Privacy Pass, thinking about adoption.

Greg Bernstein: No, I was not at Privacy Pass.

Greg Bernstein: Too fast.

Sam Schlesinger: There was pretty positive reception about the general idea. McKel and my colleague Stephen presented a presentation on sigma protocols and sort of the class of anonymous credentials, privately verifiable and publicly verifiable, that you can implement with them. The intent with that presentation was really to give the group an idea of the type of things that are possible and the types of things that they could potentially design and…

Greg Bernstein: Yeah. Okay.

Sam Schlesinger: implement in Privacy Pass.

Sam Schlesinger: However, Martin heard it and was like, "We should have a BoF about this and make a whole new working group." And I was like, "Whoa, whoa, we have Privacy Pass. Let's take a step back." And I don't know what'll come of that. Someone in that room could get really excited and want that new working group, but I really think that SPICE and Privacy Pass are sufficient. To that end,…

Manu Sporny: This is Martin Thomson.

Manu Sporny: Okay.

Sam Schlesinger: Yeah. Yeah. Yeah. The area chair. And…

Manu Sporny: Yep. Mhm.

Sam Schlesinger: and so, okay, yeah, there's maybe some weirdness there,…

Greg Bernstein: Okay.

Sam Schlesinger: but I really don't think we'll end up with another working group, given the very strong overlap between what that would be and SPICE and Privacy Pass. But I replied on the mailing list to ARC. I think there are some serious privacy concerns with ARC.

Sam Schlesinger: We have an alternative proposal that we haven't standardized yet, but we have an implementation and a design online that uses sort of what Greg was alluding to, sort of the private variations of BBS.
Hopefully we're going to standardize that for the next IETF. Yeah. And then we talked a bit about sort of the publicly verifiable stuff inside of Privacy Pass. I think Watson Ladd might have a standard that he wants to push in that vein, and we might get a publicly verifiable standard inside of Privacy Pass. However, I think given all the overlap with SPICE and everything, it's not clear that that's the best place to do things.

Sam Schlesinger: I don't know. Curious about people's thoughts.

Manu Sporny: Interesting. …

Manu Sporny: I've got thoughts, but I don't know if they would be very helpful at this point. Where are you thinking of landing the document you were talking about, the…

Sam Schlesinger: that draft. Yeah. So, the private BBS draft would be sort of an alternative to the ARC draft.

Sam Schlesinger: So, we'd hopefully have that as a joint standard, ideally between us and Apple, and in private. Yeah. We would have to go through the CFRG.

Manu Sporny: And you… CFRG, I mean, that feels like it would… Yeah.

Manu Sporny: Okay. What were you thinking for SPICE?

00:15:00

Sam Schlesinger: I think in the SPICE world, you guys… my understanding is that that's where a lot of the BBS work is targeting, right? No.

Manu Sporny: No. I mean, it depends on…

Sam Schlesinger: Okay. I totally missed, my gosh.

Manu Sporny: who you ask, but I don't think many of us are participating in the SPICE group. There are issues there that I think we can go into later.

Sam Schlesinger: Yeah, there's so much fragmentation in the anonymous credentials community. It's very sad, but I wanted to understand.

Manu Sporny: Okay. All right. That sounds good. I mean, not to say that some variation of it might pop up in SPICE…

Greg Bernstein: Relax. Get up there.

Manu Sporny: but that's yet more fragmentation.
Manu Sporny: Possibly, yeah, yeah, possibly. I mean, I don't think, and…

Sam Schlesinger: So in other words,…

Sam Schlesinger: another working group for these technologies actually might be appropriate in that case. Okay.

Manu Sporny: that's a failure mode too, right, because it's yet more fragmentation.

Sam Schlesinger: Yeah. I mean, I certainly don't have the bandwidth to chair it. I hope that other people have bandwidth, cuz I'm running…

Manu Sporny: Mm. All good to know. I mean, I think the most important thing is that the cryptographic primitives get standardized at CFRG, and then if it fragments… but the important thing is at least the core cryptography that's being used in all the fragments, the base stuff, is the same. Right? That's the one saving grace of all of this work, is that hopefully we can just agree to the baseline crypto in CFRG, and then whichever communities want to use that baseline crypto can do so.

Manu Sporny: Okay.

Sam Schlesinger: Yeah, I should clarify, this is not using the publicly verifiable BBS work.

Sam Schlesinger: The stuff that I'm… is sort of more in the line of the ARC privately verifiable…

Manu Sporny: Yeah. Yeah.

Greg Bernstein: The one…

Manu Sporny: But I mean, it's like, I don't know enough about it to have a good opinion, but it feels like that stuff, the low-level crypto bits of it, should probably be CFRG, and then who knows where ARC lands.

Sam Schlesinger: Yeah, that's…

Manu Sporny: Anything else before we go into the everlasting unlinkability discussion?

Greg Bernstein: The thing that I think, why it should be at the CFRG, the privately verifiable or the key verification, is it does have the serious cryptographic analysis part. And one reason, way back, I don't know, a year ago or more, particularly when this thing called BBS# was… even before BBS#, which is a non-pairing kind of two-party model. Thank you, Sam. Is that you have to really do another security analysis. I mean, because you've taken out the pairings and such like that.
Greg Bernstein: And so there was a whole separate BBS draft on that, I wasn't involved with, but that's why, if you talk to BBS authors,…

Greg Bernstein: they don't want to pull that back into the BBS core, because it would require another security analysis and things like that. So, good stuff, but it's kind of separate.

Manu Sporny: But they do claim everlasting unlinkability.

Manu Sporny: Is that right? I'm forgetting the details. I thought that was one of the things that they were… or maybe they were just claiming everlasting privacy and not the unlinkability.

Greg Bernstein: Unlink… …

Greg Bernstein: they're limited use. And so, I mean, when I floated the idea, when we're going to get together with Sam and potentially Jonathan Katz, and when I floated the issue, that's where Jonathan had some ideas, but… go ahead, Sam.

Sam Schlesinger: I can give a rough summary. So you end up having sort of everlasting unlinkability for a subset of the use cases. For pseudonyms specifically, you do not get everlasting anonymity. So in particular, for some protocols where we're just sort… that's quite… Because the rate-limiting tokens… no. So I think you get no everlasting unlinkability from private BBS. It sort of has the same problems as… Yes.

Manu Sporny: And this is the same Orange BBS# work, right? When you say private BBS, or are you talking about something else?

Sam Schlesinger: I'm not familiar with that. We have our own sort of variant.

00:20:00

Manu Sporny: Okay. All right. Yeah, the BBS# stuff is from Orange in the EU.

Manu Sporny: The telecom provider, R&D done there. Okay,…

Sam Schlesinger: Yeah. What's the issue with the script analysis?

Manu Sporny: But good to know for the private BBS.

Sam Schlesinger: And we've published a security proof, looking for feedback. No one's given us feedback on it.

Greg Bernstein: Okay. Yes.

Manu Sporny: All right. Let me time-box the everlasting unlinkability stuff.
Greg, you were providing an update, like a last-words thing before we moved on? Were you able to cover everything you needed to before we move on? I'm going to time-box this for about maybe 10 or 15 minutes, because we need to get to Andrea's Data Integrity post-quantum hybrid proposal as well. So, just to get everyone on the same page, we've mentioned this phrase everlasting unlinkability a number of times. So, just to make sure everyone understands what that means.

Manu Sporny: And this has to do with when there is a cryptographically relevant quantum computer. So that basically means there exists a quantum computer that is powerful enough that it can undo some of the crypto that we use today. So for example, ECDSA would be broken when a cryptographically relevant quantum computer comes along, meaning that everything blows up, like it's totally insecure right now. That is why NIST had these post-quantum competitions, to come up with a new type of cryptography that a quantum computer can't break.

Manu Sporny: There are new standards that have been released, ML-DSA, the stateless hash-based stuff. New types of cryptography have been released that, even if a cryptographically relevant quantum computer comes along, can't be broken now. And so now all of us are rushing to try and create these hybrid schemes and trying to move over our digital signature schemes and everything, so that when that day comes… Some people think it'll never be here. Other people, it's going to happen in six months. Who knows. When that day comes, our entire cryptography protection mechanism we use on the internet doesn't fall apart. So, with BBS, it is not post-quantum secure.

Manu Sporny: And help me out here, Greg and Dave and Sam. It does have everlasting privacy, but after the fact you can't discover who generated the signatures, but you can generate a bunch of them with a cryptographically relevant quantum computer. With these pseudonyms we have,
one of the mechanisms that we're using, if there were a cryptographically relevant quantum computer, the pseudonyms are unlinkable today.

Manu Sporny: But if someone were to store those presentations for the pseudonyms, and a cryptographically relevant quantum computer came along, that quantum computer would be able to unmask the pseudonym. So basically it would be able to link people in the future. So currently, using our current technology, no quantum computers, you can't link pseudonyms. If a quantum computer were to come along, and that quantum computer were to take multiple different presentations that someone were to have made with a pseudonym, then those presentations could be correlated and linked together. And so that's the thing that we're looking at right now.

Manu Sporny: And to be very clear, and again I think this is right, Signal, people use Signal and people trust Signal to be unlinkable and have all these qualities. Signal doesn't even protect against this. So the pseudonyms that are used in Signal, if someone were to capture your messages and the pseudonyms, when a cryptographically relevant quantum computer comes along, you can be correlated, is my current understanding there. Okay, so coming back to the pseudonym thing, I'm just going to speak for myself. I think it's vital that we address

00:25:00

Manu Sporny: this issue, because what people are expecting with pseudonyms is to be unlinkable. They are unlinkable today, but if a cryptographically relevant quantum computer came around, then you wouldn't be unlinkable anymore. And the worst thing is that you could go back, you could capture stuff today and then correlate people in the future. So we need to get to, hopefully, something that provides this thing called everlasting unlinkability, so that even if someone were to capture these presentations, people wouldn't be able to link them in the future with a quantum computer. Multiple hands up. Go ahead, Patrick.
Patrick St-Louis: I'm, based on what you just said, I'm just trying to understand from the basic level…

Patrick St-Louis: what does it mean, and it sounds to me like it just means an unlinkable identifier with a quantum-ready crypto suite underneath.

Manu Sporny: No, I'm going to… Yeah,…

Manu Sporny: not specific enough. Patrick, we can go into why that's not necessarily what's going on. Go ahead, Dave.

Dave Longley: Yeah, I just wanted to make a comment that the attack here requires cross-verifier collusion. So what we're talking about is a number of these presentations would have been made to different verifiers, different contexts. Each one of those contexts or verifiers would have received a different presentation, and today those are computationally unlinkable. But when you have a crypto-relevant quantum computer in the future, it would have the computing power to undo that and unmask that. So I think it's important for people to understand that that's how it would work. And I think the other key piece that's important to understand is, if you weren't using any pseudonyms, your presentations would all be unlinkable.

Dave Longley: But that leads to a separate problem, which is then verifiers don't have any way to rate limit or put the stops on a dishonest holder that's able to come up with a system to effectively, say, share or sell their credentials, which a number of other solutions today have. So it's important to have in BBS both unlinkable proofs and unlinkable pseudonyms to have a complete solution.

Manu Sporny: Plus one to that. Go ahead, Greg. …

Greg Bernstein: Was Sam ahead of me?

Manu Sporny: The Google says no, or the Google Meet says no.

Greg Bernstein: So one of the reasons why we wanted this is because BBS, and the portion of what we call BBS proofs that go from holder to verifier, they are zero-knowledge proofs of knowledge. Each new one you generate, they have the weight of a signature.
You verify them against the original issuer's public key. Each one that you generate uses new randomness, like true random numbers, and hence even if people break BBS with a quantum-relevant computer, all that means is they can forge a signature.

Greg Bernstein: They can't go back and look at your presentation of… at least the cryptographic part. Whatever you reveal is revealed. So, we've got to keep telling people that, because it's like, if you give somebody your driver's license ID, game's over. If you're just telling them you're over 18, different story. So what that means is we have this very, very nice property. The cryptographic artifact that we present to verifiers is truly unlinkable. And I don't say everlasting private, because they're not breaking cryptography in the sense of reading secret messages.

Greg Bernstein: That's why before we were using everlasting privacy, and people say, "You don't have everlasting privacy? That's terrible." It's like, what do you mean? Even so, that's one point. The other point is the quantum-relevant computers are breaking public key, would break our current notions of public key cryptography, not AES and not hash functions. So that means we still have other ways to strengthen things, maybe not as efficient. Third thing is, right now in pseudonyms we use one piece of randomness in our… what we call… A possible solution is to add more pieces of randomness.

00:30:00

Greg Bernstein: Then into this issue of, you added 10 pieces of randomness, that means you can only use the thing 10 times, and such like that. And we hate the idea of having to reissue. So there's limited-use unlinkability, everlasting privacy, that this is what I was talking about with Jonathan Katz and Basillus, but we don't like that in the credential community. We want to just issue the credential and not have to reissue credentials, right? The batch issuing we don't like. Okay.
Manu Sporny: All right, thanks for that. Hopefully, Patrick, that explained a bit more on why it's not as straightforward as a post-quantum crypto suite. It's different than that. It's the fundamental… we have to fundamentally change the way that we generate the signature, and it is still not post-quantum secure, but it is post-quantum everlasting unlinkable. Go ahead, Sam.

Sam Schlesinger: I guess there's sort of a way to slice that in the middle, where if you were to have a post-quantum PRF for the pseudonym generation, then it would still not be crackable, and you don't necessarily need information-theoretic hiding, which, by some argument, you actually might be able to argue that you require n random values and thus you need an infinite-size credential. So I think if there were a way to integrate a post-quantum PRF for this pseudonym generation, which maybe is just implausible, thinking about it right now, it seems quite hard, but it would be a way to get around the larger slash reissuing problem.

Manu Sporny: Plus one to that.

Andrea Vesco: Yeah, thanks. Just to understand, what is the reason behind your idea to work on, let's say, changing how BBS is working today to reach a quantum-secure state, in the sense that there are also some very new literature results that propose options for having credentials,

Andrea Vesco: anonymous credentials with full capability of selective disclosure and also blind signature for the issuer. Just for example, I will put some links in the chat for you to check, and these are based on lattices. Why I am mentioning this is only because in the European project we are working on, and I'm personally coordinating, we reached the first open-source implementation of this scheme based on lattices that provides you full capability of selective disclosure.

Andrea Vesco: Let me also link this for you, if you want to check. Of course, the implementation needs to be hard optimized.
But from the functional point of view it is quite similar. Just to understand why you are thinking about changing BBS and not looking at other options.

Greg Bernstein: Oops.

Manu Sporny: Go ahead, Greg. You can…

Greg Bernstein: We are looking to enhance the pseudonym feature to give it more everlasting privacy, at the same time, or to give it stronger unlinkability than it might have otherwise, without making the scheme too much heavier. I'm not sure if this is a similar piece of work, but I've been following the work that Olivier Sanders' team has been doing, and they have a lattice-based technique that does blind selective disclosure, blind… and such like that, and they claim that it can do a form of pseudonyms.

00:35:00

Greg Bernstein: Those are a little bit more future, and all those techniques are bigger than BBS. So we're kind of at this point where we're trying to stay… BBS is so darn efficient and useful. This is an important feature to go with. Once you have unlinkable proofs, as Dave said, you need something like a pseudonym.

Greg Bernstein: In many cases, we'd like that pseudonym to be stronger in its unlinkable properties without going to either adding in a full ZKP or something huge, having to go to future cryptography yet.

Manu Sporny: Yeah, and I was going to answer kind of the process side of that. Andrea, it's because all these new preprints and mechanisms would take 5 to 7 years to standardize. They need to have CFRG review. You need to have quite a bit of years of literature on the approach before they can even be considered to be standardized at IETF. So we're talking about a small change to a sub-feature of a BBS specification that is already almost through the standardization process.

Manu Sporny: So maybe another year to get it through the standardization process, versus switching to a lattice-based anonymous credential approach, which would take 5 to 7 years to get through the standardization process. So it's kind of a timing thing.
We will need to do a post-quantum, full, from-the-ground-up post-quantum secure mechanism.

Greg Bernstein: Yep.

Manu Sporny: We have to do that work, but we have other work that we need to finish off so that we have pseudonyms at all, so we have unlinkable signatures at all, in the five to seven years leading up to the post-quantum standard. Go ahead, Sam, and…

Manu Sporny: and last word, Sam, because we've got to switch to Andrea's work as well.

Sam Schlesinger: Yeah, I'll be short.

Sam Schlesinger: On my end, I do not have the requirement to be standardized to deploy. For me, it's a performance thing. If there is a highly performant post-quantum solution, I would be very happy to deploy it. Yeah.

Manu Sporny: Yes, plus one to that. As we are going to switch gears over to a proposal that Andrea has put together for a new Data Integrity crypto suite that does hybrid signatures. It does elliptic curve and…

Manu Sporny: post-quantum signatures using a Data Integrity crypto suite. I don't know if you want to share the link to that spec in the chat channel, Andrea, and then over to you. Please take us through your work.

Andrea Vesco: Yes. Yeah.

Andrea Vesco: Thank you. Let me share the screen. Hi. I think you see my screen. So that's really our first time we went through the process of drafting a spec. So I'm pretty sure that there are errors or something that can, for sure, be improved. So I'm here just to present the idea behind this crypto suite and receive the feedback, and give you, of course, the links to comment with issues or to request whatever you want. Really, we are open to discuss if this is a valuable idea or not.
00:40:00
Andrea Vesco: Essentially the idea of this cryptosuite is to combine post-quantum and traditional public keys for the purpose of producing a hybrid digital signature for credentials, such that in the near future, before let's say the CRQC comes along, we can, in
Andrea Vesco: case a flaw in lattice or any other post-quantum theory comes up, at least have the traditional security provided by ECDSA or EdDSA. So in this first draft we started with the examples; we used the same templates that we see all the other cryptosuites have used. So we started with some examples, just instrumental in introducing the idea of public keys, composite JWK in particular.
Andrea Vesco: So the classical ones that you can understand very quickly, with the curves P-256, P-384 and the Edwards curves, and also the JSON Web Key for ML-DSA at security levels one, three and five, and then we arrived at,
Andrea Vesco: let's say, the core of this idea, which is to define the composite JWK, in which you essentially compose the two public keys within a composite JWK structure. Following some ideas that come from the work at the IETF, in particular in the LAMPS working group, we also added the algorithm ID that composes the names of the post-quantum and traditional algorithms that we will use for creating the hybrid signature. And here we made some examples composing ML-DSA-44 with the P-256 curve,
Andrea Vesco: also ML-DSA-65 with this curve, and then we moved to ML-DSA-87 but with P-384. Of course you can do the same also with Ed25519 and Ed448, in case you use level five ML-DSA-87. And the last example we defined was in particular the use of composite keys in a controller document, in which you essentially have this composite JWK type with the two public keys.
Andrea Vesco: In this particular example, composing ML-DSA-65 with wids and ML-DSA-44 with Edwards for the assertion and authentication methods. Then the proof representation.
So we selected, but again open to discuss, the experimental ML-DSA-ECDSA-2025, in case you compose ML-DSA with ECDSA or EdDSA, and this is the Data Integrity tool.
Andrea Vesco: The algorithms are quite simple. But before starting drafting this part we really would like to know if you see value, if you have ideas to improve it, or if you think that it's completely useless and so it's better to stop here, and that's it. Thank you.
Manu Sporny: All right. Thank you for putting the time into creating the specification and proposing it, and the examples help immensely. So, a huge help there. The one thing I didn't quite understand is why you didn't just use proof sets to do what you're doing. And this might be a big gap in my knowledge around hybrid signature schemes.
00:45:00
Andrea Vesco: Yeah, please.
Manu Sporny: So let me share my screen. One second.
Manu Sporny: So Data Integrity has this concept of proof sets, and a proof set allows you to take a single payload, like this hello world example, and it allows you to add multiple proofs to the payload, meaning you can sign the same payload and attach proofs for ECDSA or EdDSA, BBS, or selective disclosure ECDSA. And so you can just keep adding proofs to the set, and with the credential, when you present the proofs, you can include any number of the ones in the set.
Manu Sporny: So for example, if you wanted a post-quantum signature on top of an ECDSA one. So let's say this first one is an ECDSA one and the second one is a post-quantum one. A verifier could ask for a credential and they could say, I want to see a proof set that includes both ECDSA and EdDSA, and then when the software presents the payload it would include both of those in the proof. So I think we have a solution already that is simpler, that would only require someone to specify the ECDSA cryptosuite and then some post-quantum suite like ML-DSA.
Manu Sporny: And if the issuer were to sign with both ECDSA and ML-DSA, then I think we would have an acceptable hybrid scheme.
But I don't know if you're doing something with the cryptography that binds the two things together more strongly. I would imagine you are binding the two things together more strongly, maybe in the proof.
Manu Sporny: But that's the only potential benefit that I could see with kind of mixing things in the way that you did. So, let me stop there and get your feedback on that.
Andrea Vesco: Yeah. No,...
Andrea Vesco: you're perfectly right, in the sense that what we want to reach is what is called weak non-separability. The point is that we need to provide the verifier with evidence, and the ALG ID is an artifact to provide this evidence to the verifier of the willingness of the holder or of the issuer that they wanted to, and they used, a hybrid. So receiving a composite JWK means that the verifier must verify the signature as a hybrid signature, and so cannot simply rely on one of the two, but they have to verify both, just to reduce the
Andrea Vesco: impact of a stripping attack.
Manu Sporny: Go ahead, Greg.
Greg Bernstein: I have a similar question, because I've been following all the stuff about hybrid key encapsulation mechanisms, where it's very particular that we combine these things together in a particular way, but I didn't see any discussion of combining signatures. It's one thing to specify that you want something signed with both algorithms, but I'm not sure for signatures. That piece saying you want it signed with two things is one story. But do the algorithms actually combine the signatures in some way, or are you really just specifying that you want two signatures?
Manu Sporny: Andrea, I think that question was for you. So, is the proof binding both signatures together in some way?
Andrea Vesco: Yeah, sorry.
00:50:00
Andrea Vesco: Yeah. Yeah. So, sorry.
Greg Bernstein: Does it have a hybrid signature?
Greg Bernstein: It just came out with a new thing for hybrid, to jump the queue.
Andrea Vesco: Let me open, share another document. Yeah. I can, anyway.
Yeah, we combine, essentially: you have the message, and you can hash it, this is another discussion, and then you sign the encoding of the object ID associated with the ALG ID, combined with the message.
Andrea Vesco: So you put this artifact also in the signature, and you provide the evidence by providing the composite JWK to the verifier. At that point you essentially combine the two algorithms in a single signature, a hybrid signature, and the verifier, if it receives for example only a post-quantum or only a traditional signature, rejects the verification.
Andrea Vesco: I'll try to make this part clear in the algorithm section also.
Manu Sporny: Okay, got it.
Manu Sporny: Okay. That is helpful to understand. That is going further up on the stack, though,...
Andrea Vesco: Okay.
Manu Sporny: Let me, I'm going to assert this more strongly than I feel about it, Andrea, but I don't see the value of doing that. Why, from a security standpoint, if you are a verifier and you are verifying a credential, and the issuer that the credential is coming from, if that issuer did an elliptic signature on it and a post-quantum signature on it, or a quantum signature on it and a post-quantum signature on it, why do I as a verifier care if those two signatures are bound together or not? To me, the issuer signed both of them,
Manu Sporny: one with a pre-quantum and one with a post-quantum mechanism. If that is important, so now I'm going to argue against myself, presuming that there's value there, and again, it might just be that I don't understand the problem space well enough, if there is value there, there is also a mechanism in Data Integrity called, whoops, let me share again, there's also this proof chain concept, where you can provide a proof in a proof chain.
Manu Sporny: So this thing right here allows you to cryptographically link two signatures together, where the post-quantum signature would include a link to the quantum signature. So again we wouldn't need a new type of cryptosuite.
There is this way to chain signatures together and link them together.
Manu Sporny: If there is value in doing that, and again I don't quite understand what the value there at the application layer would be. Go ahead, Greg.
Greg Bernstein: I do want to remind folks that when we produce a signature,...
Greg Bernstein: a Data Integrity signature, we include that over things like the cryptosuite and the verification method. So that signature gets bound to the identifier that we're using, a particular signature method and a signature type, the cryptosuite. So what you were saying about binding the algorithm IDs with the signature, that's part of every cryptosuite we have. I just wanted to make sure that was clear. You can't leave out that step.
Manu Sporny: Andrea, I think at least what I'm saying, and I think Greg might be, I haven't heard anyone disagree with my viewpoint, I would love to hear if someone disagrees with my viewpoint, is that I believe we already have in Data Integrity the primitives that you have in your specification. We bind the algorithm parameters in the signature, both quantum and post-quantum. We have the capability of linking signatures together as a generalized thing in Data Integrity.
00:55:00
Manu Sporny: And we already have the elliptic curve signature suite, and really need help on the post-quantum cryptosuites, but once that's there I believe those are functionally equivalent to what you have in your specification, but are simpler, because we don't have to define new hybrid key formats and we don't have to define a new hybrid signature and proof format. My last thoughts on it before we have to end the call.
Manu Sporny: Happy to of course continue the discussion over the next couple of weeks. High level thoughts on the feedback, Andrea?
Andrea Vesco: I have to check that, my looking at...
Andrea Vesco: what you were presenting. What about if someone strips the second signature?
Manu Sporny: Let's take up that conversation next week, because we're, whatever, seven minutes over. Clearly these meetings are taking more time than the 30-minute check-ins that we were having, which is great. It's totally fine; we're covering some really good ground. So I'm probably just going to expand the meeting to be an hour from here on out, and if we don't use all the time, that's fine. So, Andrea, we will pick up this conversation next week, so you have some time to think about it and we have some time to think about it, and then we'll cover anything else that we need to as well.
Andrea Vesco: Thank you. Bye.
Manu Sporny: I think the highest priority thing that the group needs to solve for is this everlasting unlinkability thing. That's the most immediate high priority thing we need to address. Okay.
Manu Sporny: That's it for the call today. Thank you everyone for the wonderful discussion, as always, and we will see you next week. Take care. Bye.
Meeting ended after 00:57:11 👋
*This editable transcript was computer generated and might contain errors. People can also change the text after it was created.*
Received on Friday, 21 March 2025 16:26:36 UTC