The W3C Credentials Community Group

Meeting Transcriptions and Audio Recordings (2014-today)

Go Back


W3C CCG Weekly Teleconference

Transcript for 2024-10-08

Our Robot Overlords are scribing.
Harrison_Tang: Welcome welcome everyone uh to this week's w3c ccg meeting uh today we're very excited to have a Jeremy and Andrea to uh come here and present uh on BBS plus signature schemes benchmarks.
Harrison_Tang: But before we uh go to the main agenda I just want to quickly remind everyone the code of ethics and professional conduct just want to make sure we have a constructive and helpful conversations here.
Harrison_Tang: A quick note about intellectual property anyone can participate in these calls however all substantive contributions to any ccg core items must be member of the ctg with a full IPR agreement signed so if you have any questions in regards to the IP notes intellectual property notes or the w3c account uh please feel free to just uh reach out to any of the cultures.
Harrison_Tang: Couple quick notes in regards to uh the calls uh these calls are automatically being recorded and transcribed and we will publish the meeting minutes the audio and video recording in the next 24 to 48 hours.
Harrison_Tang: We use TI chat if you the speaker so you can type in Q Plus to add yourself to the Q or Q minus to remove uh and you can uh.
Harrison_Tang: New question mark to see who is in the queue.
Harrison_Tang: Right so uh just want to take a quick moment for the introductions and reintroduction so if you're new to the community or you haven't been active and want to re-engage uh feel free to just unmute and uh introduce yourself.
<jaromil> ahoy!
Harrison_Tang: See mostly familiar faces so.
Harrison_Tang: Move on to the next topic.
Harrison_Tang: I think General can introduce himself once we get to the main presentations.
Harrison_Tang: All right uh announcements and reminders uh any new announcements or reminders.
Manu Sporny: Uh hi Harrison um yeah just a couple of um kind of notes uh on things that happened at the worldwide Web Consortium technical plenary that happened 2 weeks ago in the uh California DMV hackathon which included verifiable credentials uh and mdl uh last week um uh so the the high-level feedback from w3t pack is that uh the did working group work uh is going well that was a a good 2 days of full-day meetings um the work items are proceeding uh as plans you know real drama or anything you know we just kind of got down to to to making progress on did core and the did resolution specification so that went well um on the Wednesday there was a breakout session um multiple breakout sessions so like 40 breakout sessions um uh we did 1 on did method standardization um uh which got.
Manu Sporny: Decent bit of interest uh we suggested a web-based Ed method and ephemeral did method and a a truly decentralized uh did method um that uh proposal for working group Charter uh received no objections um we will of course know like the people in the room didn't object that doesn't mean there won't be people that object but largely it was uh positive feedback on having uh such a a working group uh as some of you know that did method standardization work is happening as a joint uh work item between ccg um uh trust over IP decentralized identity Foundation uh those meetings are happening regularly now.
Manu Sporny: The other thing that we put forward are a number of the specifications that are being incubated in the ccg uh things like render method uh confidence method um the uh uh hopefully in the future verifiable credentials over Wireless the verifiable credential barcode stuff um uh VC API uh those were all proposed as uh going standards track again um nobody in the room uh objected to uh that work proceeding that would probably be around next summer so still quite a ways from that for a recharter um uh and then finally the verifiable credential working group uh met um that went really well many of us got to meet uh Simone for the first time which was great um uh to meet him in in person as his role as the security uh lead at w3c um we uh have agreed to go into a second candidate recommendation with all the specifications we believe we're pretty much done.
Manu Sporny: Um with them at this point um and the only thing that we're really uh waiting on right now uh the only thing that we're really waiting on is uh Security review um uh on uh those specifications which we'll be working with uh the new uh newly chartered um security uh interest group uh saying on um we are hoping that uh by q1 of next year will be able to have uh standard uh standards w3c standards published for fiber credential data model uh the securing specifications uh status list um things like that um.
Manu Sporny: The other thing that happened was the uh California DMB hackathon.
Manu Sporny: They were 15 organizations that participated really great amazing use cases um uh the usage of verifiable credentials was around 10 out of the 15 organizations used the verifiable credential version of the driver's license uh the rest used the mdl there were in-person use cases uh many of them were online use cases um and so we got some really good feedback um from that uh Google was there Apple was there uh providing uh support uh along with uh us uh providing support for the verifiable credential stuff um and and and so and so forth so um good kind of momentum building uh confidence in the technology roll out to production uh that that sort of thing um I will also note that um uh Lucy uh Yang was there um.
Manu Sporny: As well as uh Clea and Gail Hodges from open ID Foundation um Sharon Lowe was there uh as as a judge um uh Lucy did an amazing job um you know keeping uh the whole event running on on the rails as did uh Gail so uh there's a another event the government hackathon in a in a month's time November 1st um but it was a really great turnout uh really good to see the community building things and uh rolling them into production uh that's it.
Harrison_Tang: Thank you man.
Harrison_Tang: Any other announcements or reminders.
Kaliya Young: Sure um just a reminder that internet identity Workshop is coming up at the end of the month.
Kaliya Young: Um October 29 to.
Kaliya Young: 31St bring your Halloween costumes it will be fun and um.
Kaliya Young: The other thing is on the day before you've got the community events there's like an interesting vrm event the shaping up um vendor relationship management Community has their Monday thing and I think the open ID Foundation has something too so um.
Kaliya Young: And just a reminder too we're committed to accessibility.
Kaliya Young: If you want to be there.
Kaliya Young: Um speak to us and we will help make that where are you.
Harrison_Tang: Thank you Clea.
Harrison_Tang: We will hold the ccg meeting uh that week so on on October 29th we will not have a ccg meeting because of the internet identity Workshop so I'll send out the calendar reminder.
Harrison_Tang: A weekend event.
Harrison_Tang: Okay any other announcements or reminders.
Harrison_Tang: All right so next week we'll have Carrie uh to talk about MIT digital credentials Consortium updates and then the week after we'll have Krista Allen uh come back and talk about uh his latest on Gordon envelope and Gordon's seal transport uh protocol.
Harrison_Tang: All right uh moving on um any updates uh in regards to the work items.
Harrison_Tang: So last calls for introductions announcements will work item related um topics.
Harrison_Tang: I think there's a working group around multi-format like multi key multi hash right like working group maybe we can collaborate with them.
Harrison_Tang: Oh cool great idea.
Harrison_Tang: Um any other topics people want bring up.
Harrison_Tang: All right let's get to the main agenda so today again very excited to have Jerry Mill and Andrea here to talk about the BBS plus signature scheme benchmarks uh I think they have shared with the ccg public list and then I also include a link to uh Jeremy blog post uh in the agenda uh that I sent out last week but uh without further Ado uh Jeremy please take it over.
Harrison_Tang: Yep we can see you and hear you.
Jaromil_☮️_Dyne.org: I guess you can see the screen and uh yeah I'll switch on the video but if there is any problem with the connection let me know that uh I'll save that but that bit of bandwidth.
Jaromil_☮️_Dyne.org: So uh I'm here with Andrea my colleague and um yeah we run we had fun running this Benchmark for the BBS briefly where we come from is a small Foundation based in Amsterdam.
Jaromil_☮️_Dyne.org: A lot from the w3c so we are very happy to be members now we grew enough through European projects our main um contractor is the European commission for which we have done several projects 1 Flagship success stories uh in ICT mostly.
Jaromil_☮️_Dyne.org: And we do this as you see with the interdisciplinary approach.
Jaromil_☮️_Dyne.org: Um everything we do is free and open source uh so everything you find in this presentation is running on code that you can download test.
Jaromil_☮️_Dyne.org: Well you are familiar with the licensing and the story of the group project 1 big more on top of this slide maybe is that most of the things you are going to see their implemented in C language.
Jaromil_☮️_Dyne.org: And this is the platform that we use to run the benchmarks that you are shown.
Jaromil_☮️_Dyne.org: It is grew GPL software that we are developing since 2018 most of it has been uh most of the research and development in it has been funded by European projects and today we are very happy to to to use it for for our work for our daily work it is relevant to say this because this is the main platform The Benchmark is running on it is a virtual machine is very portable so the computations are applicable.
Jaromil_☮️_Dyne.org: I mean we.
Jaromil_☮️_Dyne.org: Target also was so it runs on also in browser.
Jaromil_☮️_Dyne.org: Obviously these leads to different performances all performances that we we see today they are running on uh PC.
Jaromil_☮️_Dyne.org: I will give the specs later on.
Jaromil_☮️_Dyne.org: And last bit about us why uh we got here uh obviously I mean uh sheer passion for making things work well and making code uh transparent code run on most of our devices uh but also the fact that we are involved we are deeply involved in Europe and this initiative the European digital identity architecture reference framework eud are known as is running is shaking a little bit the the stages were um identity is um is discussed at least on this side of the pond and it is um yeah as you just I I put this slide you are all familiar with how and what an identity digital identity wallet should be doing this is the the framework in which it falls as a as a web mobile application slash web app that can be also implemented as.
Jaromil_☮️_Dyne.org: And um yeah these this initiative has had already.
Jaromil_☮️_Dyne.org: Some feedback uh also critical feedback which I think is the most valuable because that's the way to make it better and the most important feedback came from uh this bunch of people you can see among them some superheroes of cryptography so quite some authoritative names that made uh the commission notes that the algorithms used especially in a cryptographic level in the ldr are not really sound why I say this because that's really how I come to study BBS plus uh we are interested in these algorithm because it's mature.
Jaromil_☮️_Dyne.org: In my opinion could have been standardized a bit earlier but yeah here we are and um and it's a good substitute because it brings in the feature of unlabeled so this is the the real reason why we are here and and you know contributing and and sharing.
Jaromil_☮️_Dyne.org: This VBS uh plus Benchmark so the QR code is clickable I think um.
Jaromil_☮️_Dyne.org: There are slides um.
Jaromil_☮️_Dyne.org: I I'll share the slides at the end of this presentation and uh here you can find the article that uh uh that I wrote and circulated about this.
Jaromil_☮️_Dyne.org: Uh there is another relevant article that I will use as a reference uh in this Benchmark uh it's SD BLS we we made a new scheme uh which we are not proposing as a production ready for BBS plus but we had Farm demonstrating some other features that we believe should be in a uh digital identity credential uh selected disclosure credential scheme in particular threshold revocation while doing this we implemented a BLS signature with Selective disclosure uh protection from replay attacks uh several features you find into this article recently published the link is to the open publication by the way on axis.
Jaromil_☮️_Dyne.org: Here is because as a term of comparison in The Benchmark I also bring in this to show how faster is BBS plus that was anticipate the result so it makes sense actually to to look still look at BBS plus even if today BLS signatures can be done um in many other ways.
Jaromil_☮️_Dyne.org: So let's Dive In.
Jaromil_☮️_Dyne.org: Uh this is the fastest uh explained quickest explained part of the Benchmark uh this is what you see up is a bit of a.
Jaromil_☮️_Dyne.org: On where the benchmarks were running inside our VM um and yeah you have to consider that the VM uh has a direct syntax parser made in Lua which is um also a dialect of Lua in fact I overloaded a lot of operators so that it looks like Mathematica that's why we have students from mathematics working with us and and implementing algorithms like we as plus so we implemented it very similar to what um a proof in Sage or Mathematica would look like and um and it runs straight in production uh but you have still to consider that the benchmarks uh initialize from C alua VM so.
Jaromil_☮️_Dyne.org: Some things could be done faster.
Jaromil_☮️_Dyne.org: this is.
Jaromil_☮️_Dyne.org: Please keep our generation so uh just straight on hashing power um the generation takes uh almost 0.003 seconds.
Jaromil_☮️_Dyne.org: so you.
Jaromil_☮️_Dyne.org: See this the number of keys in 2 seconds a thousand keys were generated on in our tests.
Jaromil_☮️_Dyne.org: Issuance more interesting um first fact is that is definitely linear growth.
Jaromil_☮️_Dyne.org: Uh as you see in a thousand a thousand issued credentials uh will take also to verify uh pretty much the same time will take 1 second.
Jaromil_☮️_Dyne.org: For a thousand of them.
Jaromil_☮️_Dyne.org: So yeah the Layman um.
Jaromil_☮️_Dyne.org: That we will say here is really like 1 second to issue a thousand credentials.
Jaromil_☮️_Dyne.org: The presentation and verification are usually the trickiest as you know we are talking about zero knowledge proof um algorithm so um this is our results uh also published in the article uh you see that the growth of proving is steeper so verification will scale slightly better.
Jaromil_☮️_Dyne.org: I guess this difference is quite negligible but uh yeah we can say that uh verification takes uh less.
Jaromil_☮️_Dyne.org: And just to as I as I uh anticipated just to put it in perspective.
Jaromil_☮️_Dyne.org: Um sdbl is an implementation of bonelang sakam uh signatures so.
Jaromil_☮️_Dyne.org: Multiplications of our elliptic curves and in pairing uh which BBS plus Repro reproduces its own way uh but.
Jaromil_☮️_Dyne.org: This is like playing on playing on the same curve the BLS 3812 um this is the result of sdbs uh with issue proven verification uh we see clearly that BBS plus is 1 uh magnitude faster than a BLS signature implementation I think this is a relevant result it makes sense to use BBS plus not only because it's it's a a bit older and more tested uh well 1 could argue that BLS signatures are also quite tested on on top of a lot of Bank of a blockchain implementations but still um you know in the same conditions um with the default ROM uh settings so the the order of the curve and the generators that BBS plus is customizing with the default ones on the BBS 3812.
Jaromil_☮️_Dyne.org: Then um yeah we really have an improvement in performance.
Jaromil_☮️_Dyne.org: So again uh Layman result for this uh um Benchmark uh 1 second for 1,000 credential presentations almost a second and a half for a thousand credential verifications.
Jaromil_☮️_Dyne.org: Things can be optimized but this is what we got in our environment.
Jaromil_☮️_Dyne.org: Now to the Layman results very quick of the size sizes are quite good again I don't have here a comparison with sdbs but I can tell you as I brought the paper and and went through its implementation uh this is very very compact compared to what happens with uh BLS signatures uh so remarkably compact of course we are talking about the sort of compression of second order curve points using the zcash compression so taking only 1 coordinate it gets down to 96 bytes for public Keys 80 bytes for issued signatures and zero knowledge proofs down to 272 bites.
Jaromil_☮️_Dyne.org: Which is very interesting if you consider that a mobile wallet holding 100s in 100 kilobyte in 10 kilobyte sorry and proof will will fit into QR code and even most NFC tags.
Jaromil_☮️_Dyne.org: Which is not the case for our comparison implementation in BBs.
<andrea_d'intino_|_forkbomb_bv> SD-BLS sizes:
Jaromil_☮️_Dyne.org: So yes please.
Jaromil_☮️_Dyne.org: It grows linearly yes.
Andrea_D'Intino_|_Forkbomb_BV: Uh Jeremy I will shoot at the grow.
Jaromil_☮️_Dyne.org: Wait a second.
Andrea_D'Intino_|_Forkbomb_BV: I'm not 100% sure.
Jaromil_☮️_Dyne.org: Wait a second um.
Andrea_D'Intino_|_Forkbomb_BV: I can make a quick test but uh.
Harrison_Tang: Hey man you have a similar question.
Manu Sporny: Yeah well no it uh uh just an answer uh they do grow so the way BBS um uh works is that um the more you hide the larger the signature the less you hide the smaller the signature uh and so the the bytes that are Mill showing are are accurate right um it it depends on the number of claims that you have in the credential and it depends on how many uh you're trying to hide uh but that is well within you know the the number that uh your emails uh showing on there um we also have um some this is fantastic work by the way our Mill Andre like this is this is this is great stuff it's really wonderful that you've done an independent uh you know review and demonstration of it the numbers that you're showing are very much in line with the numbers that that we found um but yeah we're happy to show some of the the um how how BBs um you know the signature sizes change based on what your uh.
Manu Sporny: The the amount of.
Manu Sporny: Um you know in.
Manu Sporny: That you're trying to uh disclosed but but they're they're the the the again going to this Layman's result like.
Manu Sporny: The lay.
Manu Sporny: Is like yeah they're really small signature sizes for what they're you know uh signing you you don't really get even close with many of the other you know approaches.
Jaromil_☮️_Dyne.org: Yes it's not super easy in my setup right now to open up the Benchmark terminal and show the Json uh it would be unwieldy now but uh well I can confirm from my understanding that selectively disclosures with multiple credentials will grow linearly uh yet there is not yet a SD BBS Plus.
Jaromil_☮️_Dyne.org: I know some people in Europe are paid to work on it um.
Jaromil_☮️_Dyne.org: And so when when there would be a format for SD uh we will see really like how how it fits into the protocol if they find any opportunity to to tame down the growth but my understanding is that it would grow linearly for each proof.
Andrea_D'Intino_|_Forkbomb_BV: Uh guys I am making test now it doesn't seem to me that they grow but uh maybe we can uh make some proper tests and share the results later.
Jaromil_☮️_Dyne.org: Yeah it depends what we are looking at but yeah I go on with the presentation then we look at um.
Jaromil_☮️_Dyne.org: Perhaps I can fire up here the The Benchmark terminal.
Jaromil_☮️_Dyne.org: Um okay are there any other questions about this part because I'm moving in the the last part of the presentation then.
Harrison_Tang: Oh wait I I have a question based on what you show so far BBS is better than BLS signature so my question is why would other applications like blockchains like use the BLS why don't they just move to the DBS.
Harrison_Tang: Or are there is like are there certain things that BLS do better than BBS or it's it's just a BBS is strictly better.
Jaromil_☮️_Dyne.org: I see a lot of people doing strange things so in in blockchain space.
Andrea_D'Intino_|_Forkbomb_BV: Uh do you want me to try to answer Jeremy.
Jaromil_☮️_Dyne.org: Yeah please Andrea.
Andrea_D'Intino_|_Forkbomb_BV: So uh uh Harrison we we wrote a paper the name of the paper is SD BLS standing for selected disclosure and they're basically we experimented through different phases we experimented different uh features.
Andrea_D'Intino_|_Forkbomb_BV: Uh and uh uh t tldr.
Andrea_D'Intino_|_Forkbomb_BV: Our uh our implementation as the as the BLS is slower is visibly slower than BBS plus but it offers features that BBS plus doesn't have for example revocation cryptographic revocation which is something we know that BBS team is working on.
Andrea_D'Intino_|_Forkbomb_BV: So it's it's uh if you compared speed only then BBS wins then if you look at a certain features there are other cryptographic schemes that offer features that aren't currently available in BBS Plus.
Jaromil_☮️_Dyne.org: Okay yes in the meantime.
Jaromil_☮️_Dyne.org: I I made.
Jaromil_☮️_Dyne.org: Some progress to fire up the terminal and we can look at the the Json row data later on if you want.
Jaromil_☮️_Dyne.org: And make some tests.
Jaromil_☮️_Dyne.org: Any other question until this part.
Jaromil_☮️_Dyne.org: So I have 1.
Jaromil_☮️_Dyne.org: I don't I'm not I'm not sure it's really irrelevant answer to your question but the only reason I would see in not using BBS plus is that because of its ROM setup and with that I mean because of the hardcoded generators.
Jaromil_☮️_Dyne.org: Mbps plus only BLS 381 uh 12 is implemented.
Jaromil_☮️_Dyne.org: And it is not transferable on bigger curves.
Jaromil_☮️_Dyne.org: So BLS as the advantage that I could go on on a bigger course achieving more bits and therefore more security.
Jaromil_☮️_Dyne.org: But still I will be in a framework that is not post-quantum secure.
Jaromil_☮️_Dyne.org: Um but yeah that that could be a reason that is more portable to use BLS.
Harrison_Tang: Got it thank you.
Jaromil_☮️_Dyne.org: Um the next um tests that I did uh is um attempt at privacy analysis I use 2 methods 1 I believe more interesting is measuring the Hamming distance between um BBS plus proofs.
Jaromil_☮️_Dyne.org: Generated on the same credential.
Jaromil_☮️_Dyne.org: And comparing them with the Hamming distance of random generators.
Jaromil_☮️_Dyne.org: Here that you.
Jaromil_☮️_Dyne.org: 3 random generators different in comparison 1 is the prng in the room another 1 is the prng in the room seeded with random from random.org.
Jaromil_☮️_Dyne.org: And the the third 1 is openssl.
Jaromil_☮️_Dyne.org: So I put these in um in a graph where you see the frequency of distance.
Jaromil_☮️_Dyne.org: Recording distances and the white you see on the left and right it means that nothing has occurred outside of that uh distance.
Jaromil_☮️_Dyne.org: See that the frequency zooming in on uh just 10 samples so here are like it's very few samples uh it is restricted between a 1030 a 1080 which is absolutely normal this is visible also um on 100 samples.
Jaromil_☮️_Dyne.org: Where we have um this is group plot so there is some transparency so the the darkest color it means that there is overlapping.
Jaromil_☮️_Dyne.org: And um yeah let's let's keep an eye on this guy here on the on the right side uh Manu you've wrote about it in a male and I think you are right it's worth investigating uh when we get to um many more samples.
Jaromil_☮️_Dyne.org: Uh we see that there is uniform distribution.
Jaromil_☮️_Dyne.org: But there is still this guy here.
Jaromil_☮️_Dyne.org: It's a it's a sort of a spike.
Jaromil_☮️_Dyne.org: Around a thousand 140.
Jaromil_☮️_Dyne.org: Um I have no idea why that occurs.
Jaromil_☮️_Dyne.org: But it's consistent.
Jaromil_☮️_Dyne.org: Um Shannon averages yes please will.
Jaromil_☮️_Dyne.org: Harming distance is when you take 2 octets so 2 arrays of bytes.
Jaromil_☮️_Dyne.org: Uh let's zoom in to arrays of bits.
Jaromil_☮️_Dyne.org: And you put them on top of each other and you see if the bits are the same or not.
Jaromil_☮️_Dyne.org: If the bits are the same there is no distance.
Jaromil_☮️_Dyne.org: And if the bits in the same position change there is a distance.
Jaromil_☮️_Dyne.org: And it's used the even like down in in the in the kernel to and in the compiler to um compute difference between data on a bit resolution.
Jaromil_☮️_Dyne.org: So bits on top and yeah you know like there is never complete on a bit level there is never complete distance so the distance will be always lower than the length of the data you're comparing.
Jaromil_☮️_Dyne.org: But there will be a a a consistent number of distance between a random data.
Jaromil_☮️_Dyne.org: And if data is Not So Random then you will start seeing less distance.
Jaromil_☮️_Dyne.org: So the number will go down.
Jaromil_☮️_Dyne.org: Um Shannon entropy is measured on the.
Jaromil_☮️_Dyne.org: Um on the signal basically uh on the on the the entropy of the signal so how unpredictable it is let's say um that is well documented also on Wikipedia how it works we have a simple implementation in the room.
Jaromil_☮️_Dyne.org: I can show you the code later on it's not that big.
Jaromil_☮️_Dyne.org: Wrote it myself in C with pass it some tests this is my measurement of it so um the values are the same for random generated things.
Jaromil_☮️_Dyne.org: I mean the the the difference is negligible also here.
Jaromil_☮️_Dyne.org: And very close to each other so this is also a visualization with gnu plot of the values.
Jaromil_☮️_Dyne.org: Uh of shamanthy and you see the narrow I mean although we have some wiggling but it's between 098 and 0965 so.
Jaromil_☮️_Dyne.org: It's it's constantly good uh Shannon entropy values.
Jaromil_☮️_Dyne.org: So my conclusion is that the encoding of a BBS plus proof appears as random data to the outside Observer uh with the reserve that yeah it's worth investigating that random Spike around a thousand 140 on Hamming distance measurements.
Jaromil_☮️_Dyne.org: A future directions if I would have more time.
Jaromil_☮️_Dyne.org: What I would do.
Jaromil_☮️_Dyne.org: Uh and I we try but honestly this was done in August and we were on the beach and and uh yeah it's uh it's becoming busy again at work um but yeah the future directions i c 1 is fat seeing stress testing uh because in Zen room we implemented uh some easy functions for attacking uh cryptographic algorithms so far there has been used for implementing a cryptographic algorithms but since we have some clients that ask us to develop new algorithms and since we do that quite fast we would like to have a good testing pipeline um and um yeah we build some fudging uh stress testing Primitives uh if you don't know the matasano challenges they are a great exercises free online and um it's fun for cryptographers.
Jaromil_☮️_Dyne.org: they are.
Jaromil_☮️_Dyne.org: Is like shaan and also RSA signatures things that were proven in the past to be broken so in the matasano challenges there are like these techniques explained and you have to reimplement them so uh because we we all took those challenges then we implemented them in the room and now we have easy functions it will be as easy as uh running Hamming distance measurements uh of what you have seen so maybe in the future we will try what they consist of Imagine um the algorithm you change at a certain point of all the flow you change only the first bit of a signature or only the last bit of a signature or a random bit or you shift it of 1 bit.
Jaromil_☮️_Dyne.org: so you change.
Jaromil_☮️_Dyne.org: Things in the in the material and the in the data and you see if the algorithm holds if if it doesn't crashes if it's if it's not producing uh false results because even if a bit changes in a signature it should not validate.
Jaromil_☮️_Dyne.org: Uh it should not you know until you try.
Jaromil_☮️_Dyne.org: Another uh feature direction that I see is um coding the fastest BBS plus implementation in the west it would be great fun to do that and I hope I find the time to do that um I think the best way is to use lib blst.
Jaromil_☮️_Dyne.org: And the Target also was I believe this would lead to some very fast implementation will be interesting to compare with my benchmarks here and see what goes obviously this is a step later after standardization and uh I don't know if you could could sell in the industry because this is like end to end cryptographic algorithm so.
Jaromil_☮️_Dyne.org: We must see if if there will be need for such a big optimization but yeah it will blsd is better than our primitive Milagro we use Milagro um in the room the 1 written by Mike Scott uh then donated to the Apache Foundation as incubator we still use the original from Mike Scott uh which is a very nice primitive because it doesn't have any memory allocation um but leave the BLS is very popular in the crypto scene especially for zero knowledge proofs and it has Us in the optimizations both for arm and x86 platforms so it won't make sense it would be fun we have um.
Jaromil_☮️_Dyne.org: Vectors to compare with so maybe we will do it um yeah everything you have seen is based on um.
Jaromil_☮️_Dyne.org: On I forgot to mention on the latest BBS specification which came up came out like a month ago and um we have matched all the vectors and we are following very closely all new versions.
Jaromil_☮️_Dyne.org: uh so.
Jaromil_☮️_Dyne.org: We will manage to update also this if there is any new version we hope there will be not new version uh um and.
Jaromil_☮️_Dyne.org: Yeah last future direction will be interesting perhaps also for Forks at w3c to Benchmark our implementation of BBS inside browsers uh so their room can already uh compiled to asthma we use it a lot into as as a payload to browsers is like 2 megabytes less than 2 megabytes payload you can npm install Zen room already and it runs in browser so we can already run BBS Plus in browser uh but I just didn't bother to make the Benchmark comparison uh I guess it will be 1 order of magnitude is lower um it will be interesting to do uh just here again lack of time but if you're interested we can team up and um yeah we take stage students also for this so we can we can always put some young people on this tooling because it's well documented and not so hard to run um and then run it into a JavaScript environment.
Jaromil_☮️_Dyne.org: so that's all.
Jaromil_☮️_Dyne.org: Uh a bit of advertisement for our group uh I'm co-chairing a group at w3c I'm very happy about this is the the threat modeling community group uh together with Simon and AI who is here and uh yeah if you want to join us for Less technical things you are very welcome there uh fun fun trivia the threat.
<simone_onofri> we're also starting with Greg the work on VCDM
Jaromil_☮️_Dyne.org: Was born because we noticed that in the ldr um specification in Europe there was no threat model so so it's very hard to discuss about um you know security without a threat model and uh yeah that that would be probably 1 of the first things we will start working on.
Harrison_Tang: Thank you thanks a lot any questions.
Manu Sporny: Yeah this is.
Manu Sporny: A wonderful work uh why this is uh great to see um you know all of this stuff recreated by independent uh organizations uh it's going to be a a huge help to the security review that's going on at ITF and uh the worldwide Web Consortium um uh the you had mentioned in the article that you're also looking into um doing the same kind of uh kind of analysis on the w3c uh BBS data Integrity specifications do you uh was that did I misread that or um is there plans to kind of look at um the the higher level uh cryptographic protocol um because I think the analysis you've done today is the lower level of BBS kind of core cryptographic Primitives um uh what has to be done now of course is um either whether it's uh SD BLS or S Ebbs or or jwp or the data Integrity BBS uh crypto.
Manu Sporny: It's a w3c.
Manu Sporny: Um are you.
Manu Sporny: Planning on uh taking a look at uh those higher level kind of uh cryptographic protocols as as well.
Jaromil_☮️_Dyne.org: I think my colleague Andrea is more busy on that you consider that I will stay more on the cryptographic lower level and less on the protocol level and also because of the tools we are developing and the way we are working but Andreas has just some good news that the EC is also sponsoring us for um.
Jaromil_☮️_Dyne.org: A new project I I don't spoil it Andrea if you want to tell about it.
Andrea_D'Intino_|_Forkbomb_BV: Yes Man uh we are definitely looking at those very soon uh we got a small Grant to implement uh uh something that initially will be an aod ARF compliance tool.
Andrea_D'Intino_|_Forkbomb_BV: Is I hear a lot of noise.
Jaromil_☮️_Dyne.org: Go on we can hear you well.
Andrea_D'Intino_|_Forkbomb_BV: Okay um and actually in writing the application we got deeply inspired by uh the the VC playground as well as the can I can I vc.com.
Andrea_D'Intino_|_Forkbomb_BV: And uh we initially will focus only on audr but very very soon we going to move to uh different uh.
Andrea_D'Intino_|_Forkbomb_BV: Data formats and uh protocols so definitely yes and uh I will uh we will ping you regarding uh the VC API and we'll also ping you trying to get an interview from you on to give us feedback on what you like to see on this application.
<manu_sporny> That's great, wonderful!
Manu Sporny: No no problem happy to help.
Jaromil_☮️_Dyne.org: Yes some handholding in the in the quantity of literature uh is is always welcome and and yeah the project is an exciting project it was the brainchild also of purya and it's of course learning from the w3c attitude because I remember clearly uh 1 of the first things that came out with the worldwide web was a a validator of HTML Pages very useful hosted by so we want a validator for all this and uh we'll go through of course I mean this this will be very useful uh for BBS Plus for the Audi is the first thing.
Jaromil_☮️_Dyne.org: But um Andre I don't know if I should say it but really I mean I I would never suggest um a client to use the odf for for credentials I I don't even go to test the sdj sdj implementation from a cryptographic.
Jaromil_☮️_Dyne.org: point of.
Jaromil_☮️_Dyne.org: Uh uh you know BBS plus should be definitely the the 1 considered.
Andrea_D'Intino_|_Forkbomb_BV: We all agreed SMS.
Andrea_D'Intino_|_Forkbomb_BV: It would be ARF SMS.
Harrison_Tang: Simone I think you're on the queue.
Jaromil_☮️_Dyne.org: If anyone wants to dig deeper into the.
Jaromil_☮️_Dyne.org: the point.
Jaromil_☮️_Dyne.org: Questions were posed about the scalability we can on a on a terminal.
Manu Sporny: Yeah on on the scalability I have um 1 1 Edition but before before I do that going back to kind of Wes's um sorry um will abramson's uh question around the Hamming distance it's a really interesting for those of you that you know don't don't uh aren't steeped in in cryptography it's a really interesting measure on whether or not the cryptography is actually working uh let me see if I can hopefully I can screen share um here um so like this is a picture of a penguin right this is tux Linux Linux penguin um and if we're going to encrypt it what we would expect to see once we encrypted it is something that looks like this it's just like noise like you can't tell that there that's the penguin that was like encrypted um and this is an example of like you know having good Hamming distance uh when you do that kind of check um but there was a uh there was a security failure many years ago where when you encrypted that image.
Manu Sporny: Would get something like this.
Manu Sporny: This is an example of like really poor Hamming distance like you know exactly what has been encrypted even though it's gone through a quote unquote you know block Cipher encrypted encryption algorithm so when um when yaml was talking about Hamming distance this is the type of thing that he was measuring he wanted to make sure we were in this in this case which is what he showed with that nice uh curve um instead of this case where you would not have seen that nice curve you would have seen something uh else um when it came to kind of Hamming distance so it's 1 of those really neat things that you can kind of check uh to see if you're uh encryption and cryptography is working the way you think it's it's working um as for the um the uh the proof size chain changing um I think Andrea was correct the signature size the initial signature size on BBS doesn't change so the when the initial signature doesn't change but I believe the.
<andrea_d'intino_|_forkbomb_bv> let me check
Manu Sporny: Change as you reveal or or hide more information because you have to uh include um the um uh the the hidden kind of values in a in a way and that adds to the the the derived signature um the the the zero knowledge proof um that's it.
Our Robot Overlords are scribing.
Jaromil_☮️_Dyne.org: Um I shared other computer but I yeah I'm back no can you hear me.
Manu Sporny: Yep yeah we can hear you.
Harrison_Tang: Yeah you're back yeah I think uh.
Jaromil_☮️_Dyne.org: So I was showing I just run again the.
Jaromil_☮️_Dyne.org: Benchmark so this is the terminal of the benchmark.
Jaromil_☮️_Dyne.org: And I want to proceed all around.
Jaromil_☮️_Dyne.org: Yeah this is the how The Benchmark is done it's a simple script you find in.
Jaromil_☮️_Dyne.org: I I.
Jaromil_☮️_Dyne.org: Committed to the to the source code so you will find it in the test Benchmark BBs.
Jaromil_☮️_Dyne.org: Maybe some feeding with the bill.
Jaromil_☮️_Dyne.org: You'll get this eventually I forgot to mention that shake 256 or sha 256 um are pretty much the same.
Jaromil_☮️_Dyne.org: so I just.
Jaromil_☮️_Dyne.org: Take which is also known as shortly.
Jaromil_☮️_Dyne.org: As hashing for BBs.
Jaromil_☮️_Dyne.org: yeah this.
Jaromil_☮️_Dyne.org: Were the timings.
Jaromil_☮️_Dyne.org: And and the sizes I get here.
Jaromil_☮️_Dyne.org: The size benchmarks.
Jaromil_☮️_Dyne.org: Here the proofs each proof is is it takes.
Jaromil_☮️_Dyne.org: Let's say this is the context and then the public key the the signature.
Jaromil_☮️_Dyne.org: From the issuer the message.
Jaromil_☮️_Dyne.org: And uh uh ivy.
Jaromil_☮️_Dyne.org: And um so the norms.
Jaromil_☮️_Dyne.org: And yeah this is for each message.
Jaromil_☮️_Dyne.org: So proof will be produced.
Jaromil_☮️_Dyne.org: For each new message and signature it is not aggregated at least from what I can see.
Jaromil_☮️_Dyne.org: There is a possibility to aggregate um signatures in in um in BLS space.
Jaromil_☮️_Dyne.org: But the proofs I don't think so.
<andrea_d'intino_|_forkbomb_bv> @manu I found something funky: it appears that the proof size decreases proportionally to the amount of elements disclosed :-|
Jaromil_☮️_Dyne.org: I was obviously not ready to answer these questions so.
<manu_sporny> Yes, that's correct Andrea :)
Jaromil_☮️_Dyne.org: Sometimes with cryptography you get so deep into 1 direction that you crawl back into the other is like sort of difficult but yeah uh feel free for anyone that remembers Lua feel free to play around with the benchmark.
Jaromil_☮️_Dyne.org: Uh this is literally all the Benchmark the room is like an interactive shell so you know it works like this octet random and uh um oops uh I should have said octet.
<manu_sporny> The more you hide, the larger the proof. The less you hide, the smaller the proof (at least, with BBS+)
Jaromil_☮️_Dyne.org: Uh whatever and then print em you show.
<andrea_d'intino_|_forkbomb_bv> no, I take back what I said
Jaromil_☮️_Dyne.org: So it it is Lua.
Jaromil_☮️_Dyne.org: You see this was the random in HEX.
Jaromil_☮️_Dyne.org: And this is the random in binary and this is literally the language that we use in.
Jaromil_☮️_Dyne.org: Room so if you go and read the Keygen.
<andrea_d'intino_|_forkbomb_bv> no I take back again.. I was right the first time!
Jaromil_☮️_Dyne.org: Implementation of our benchmark.
Jaromil_☮️_Dyne.org: you'll see.
Jaromil_☮️_Dyne.org: There is a bit of a boilerplate this is clock for measuring the speed.
Jaromil_☮️_Dyne.org: But really the common is Keyon here and then this is all down here is um.
Jaromil_☮️_Dyne.org: Um all you know putting it into a a format like new plot will take it.
<andrea_d'intino_|_forkbomb_bv> if you disclose 1 element from the array, the length is 10, if you disclose 3 elements, the length is 7
Jaromil_☮️_Dyne.org: So it is fairly easy and sizes is really the simplest.
Jaromil_☮️_Dyne.org: so you can.
Jaromil_☮️_Dyne.org: Hope through this create more proofs and see it really grows linearly we don't have um functions for other functions for the BBS.
<andrea_d'intino_|_forkbomb_bv> (10 and 7 are for representation purposes)
Jaromil_☮️_Dyne.org: And by the way if you're interested we have.
Jaromil_☮️_Dyne.org: DBS implementation in Z code.
Jaromil_☮️_Dyne.org: Which is this.
Jaromil_☮️_Dyne.org: So that's how we use BBS this is the implementation inside the room is create BBS Keys these are code commands.
<harrison_tang> so manu is correct in that the more you hide, the larger the size?
Jaromil_☮️_Dyne.org: And uh they can take arguments.
Jaromil_☮️_Dyne.org: So that's how we make it used by International Engineers so you can play with Zen code and create multiple.
Jaromil_☮️_Dyne.org: Anyway yeah this for the Curious ones to fiddle with.
<andrea_d'intino_|_forkbomb_bv> @manu "the more you hide" - probably correct
Jaromil_☮️_Dyne.org: This is the.
Jaromil_☮️_Dyne.org: I'll paste it.
Harrison_Tang: Cool thank you you're welcome.
Harrison_Tang: Any other questions.
Harrison_Tang: So it's also uh clarify the chat so in BBS is it true that the more you hide the larger the proof size is that true like just because I think there's multiple chats like happening.
Andrea_D'Intino_|_Forkbomb_BV: I did some tests.
Andrea_D'Intino_|_Forkbomb_BV: I can uh if you like I can share my screen and show you what we're looking at.
Andrea_D'Intino_|_Forkbomb_BV: That we generated a signatures with an array of 3 elements.
Andrea_D'Intino_|_Forkbomb_BV: Uh in this case the elements are above 18 Italian and Professor 3 strings.
https://github.com/dyne/zenroom inside test/benchmarks/bbs
Andrea_D'Intino_|_Forkbomb_BV: And if you want to create a proof where you only disclose 1 element.
Andrea_D'Intino_|_Forkbomb_BV: Uh the proof is going to be bigger.
Andrea_D'Intino_|_Forkbomb_BV: By disclosing 3 Elements which is counterintuitive but I believe it matches what manager said The more you hide.
Andrea_D'Intino_|_Forkbomb_BV: The more uh you the longer the longer it is.
Harrison_Tang: Got it thank you.
Andrea_D'Intino_|_Forkbomb_BV: It's not it's not the amount of elements you want to disclose that makes it uh makes the proof bigger it's the amount of elements you want to hide so you want not to disclose.
Harrison_Tang: Got it thank you thanks a lot for clarification.
Harrison_Tang: All right any last uh comment or question.
Harrison_Tang: I think we're at a time.
<econnell> Thank you!
Harrison_Tang: Well thank you thank you uh ymo thank you Andrea uh for jumping on here this is a great discussion so thanks a lot.
Harrison_Tang: All right this concludes this week's ccg meeting thanks.
Andrea_D'Intino_|_Forkbomb_BV: Thanks for having us.