siyengar / private-fraud-prevention Goto Github PK

Hi
I'm glad that Facebook™ is working on anonymous credentials to protect the privacy of its users!
Reading the source code I had a few concerns:

The token which is generated here:

then blinded here:

In [1]: import crypto
In [8]: import os
In [9]: token = os.urandom(16)
In [10]: blind = os.urandom(16)
In [3]: sk = crypto.get_rsa_key(None)
In [5]: pk = crypto.get_public_key(None)
In [12]: blinded_message = crypto.blind_message(pk, token, blind)
In [19]: signature = crypto.sign_message(sk, blinded_message)
In [20]: signature = crypto.unblind_message(pk, signature, blind)
In [21]: crypto.validate_signature(pk, token, signature)
Out[21]: True
In [34]: signature2 = (int.from_bytes(signature, 'big')**2 % pk.n).to_bytes(512, 'big')
In [35]: token2 = (int.from_bytes(token, 'big')**2 % pk.n).to_bytes(32, 'big')
In [36]: crypto.validate_signature(pk, token2, signature2)
Out[36]: True

Even more importantly, is it correct to say that right now the client is asking for the entropy to the server, including token and blinding factor? Wouldn't this break unlinkability?

Hope this will be useful to you, cheers!

After perusing this file, I've noticed that there are many complicated potentially misleading statements. At least It was quite a hard reading because of ambiguity and imlicitly stated terms.I can and would like to make it more simple as well as to untangle puzzled explanation, thus hopefully making this pretty complicated scientific subject as much straightforward as possible. But I will need your help, specificity the authors and editors of this text since it requires knowledge about resources and projects mentioned here.

Have you maybe considered using a hash of the URL for e, the RSA public exponent?

Like, if we want to sign the equivalent of "this blinded nonce touched me, on the way to URL" we could do:
e = 1 | hash(URL) | 1 # we concatenate a 1 bit at the start to make sure all exponents are of equal length, and at the end to make sure the exponent is odd
d = e^-1 % phi(N)
signature = (nonce^d % N, URL)

Obviously I don't have a security proof, but it "seems" secure, right? Hope this helps :-)

kh19043906067flml