Deploying to gh-pages from @ 3354d42 🚀

hyperledger · Nov 9, 2023 · c8d019e · c8d019e
1 parent 56394ac
commit c8d019e
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 0 deletions.
diff --git a/docs/index.html b/docs/index.html
@@ -480,6 +480,31 @@ <h4 id="generating-a-credential-definition-without-revocation-support"><a class=
   <span class="token property">"r_key"</span><span class="token operator">:</span> <span class="token null keyword">null</span>
 <span class="token punctuation">}</span>
 </code></pre>
+<div id="warning-1" class="notice warning"><a class="notice-link" href="#warning-1">WARNING</a><p>A weakness in this specification is that the <a class="term-reference" href="#term:issuer">Issuer</a> does not provide a
+key correctness proof to demonstrate that the generated private key is
+sufficiently strong enough to meet the unlinkability guarantees of AnonCreds.</p>
+<p>The proof should demonstrate that:</p>
+<ul>
+<li><code>p</code> and <code>q</code> are both prime numbers</li>
+<li><code>p</code> and <code>q</code> are not equal</li>
+<li><code>p</code> and <code>q</code> are the same, sufficiently large, size
+<ul>
+<li>For example, using two values both 1024 bits long is sufficient, whereas
+using one value 2040 bits long and the other 8 bits long is not.</li>
+</ul>
+</li>
+</ul>
+<p>The <a class="term-reference" href="#term:issuer">Issuer</a> <strong>SHOULD</strong> provide a published key correctness proof based
+on the approach described in <a path-0="www.brics.dk"path-1="RS"path-2="98"path-3="29"path-4="BRICS-RS-98-29.pdf"href="https://www.brics.dk/RS/98/29/BRICS-RS-98-29.pdf" >Jan Camenisch and Markus Michels. Proving in
+zero-knowledge that a number is the product of two safe primes</a> (pages 12-13).
+In a future version of AnonCreds, the additional key correctness proof could be
+published separately or added to the <a class="term-reference" href="#term:credential-definition">Credential Definition</a> prior to
+publication. In the meantime, <a class="term-reference" href="#term:issuers">Issuers</a> in existing ecosystems can share
+such a proof with their ecosystem co-participants in an ad hoc manner.</p>
+<p>The lack of such a published key correctness proof allows a malicious <a class="term-reference" href="#term:issuer">Issuer</a> to deliberately generate a private key that lacks the requirements
+listed above, enabling the potential of a brute force attack that breaks the
+unlinkability guarantee of AnonCreds.</p>
+</div>
 <p>The <a class="term-reference" href="#term:credential-definition">Credential Definition</a> has the following format (based on this <a path-0="indyscan.io"path-1="tx"path-2="SOVRIN_MAINNET"path-3="domain"path-4="99654"href="https://indyscan.io/tx/SOVRIN_MAINNET/domain/99654" >example
 Credential Definition</a> on the Sovrin
 MainNet):</p>

diff --git a/spec/data_flow_setup.md b/spec/data_flow_setup.md
@@ -198,6 +198,37 @@ The [[ref: Private Credential Definition]] produced by the generation process ha
 }
 ```
 
+::: warning
+
+A weakness in this specification is that the [[ref: Issuer]] does not provide a
+key correctness proof to demonstrate that the generated private key is
+sufficiently strong enough to meet the unlinkability guarantees of AnonCreds.
+
+The proof should demonstrate that:
+
+- `p` and `q` are both prime numbers
+- `p` and `q` are not equal
+- `p` and `q` are the same, sufficiently large, size
+  - For example, using two values both 1024 bits long is sufficient, whereas
+  using one value 2040 bits long and the other 8 bits long is not.
+
+The [[ref: Issuer]] **SHOULD** provide a published key correctness proof based
+on the approach described in [Jan Camenisch and Markus Michels. Proving in
+zero-knowledge that a number is the product of two safe primes] (pages 12-13).
+In a future version of AnonCreds, the additional key correctness proof could be
+published separately or added to the [[ref: Credential Definition]] prior to
+publication. In the meantime, [[ref: Issuers]] in existing ecosystems can share
+such a proof with their ecosystem co-participants in an ad hoc manner.
+
+[Jan Camenisch and Markus Michels. Proving in zero-knowledge that a number is the product of two safe primes]: https://www.brics.dk/RS/98/29/BRICS-RS-98-29.pdf
+
+The lack of such a published key correctness proof allows a malicious [[ref:
+Issuer]] to deliberately generate a private key that lacks the requirements
+listed above, enabling the potential of a brute force attack that breaks the
+unlinkability guarantee of AnonCreds.
+
+:::
+
 The [[ref: Credential Definition]] has the following format (based on this [example
 Credential Definition](https://indyscan.io/tx/SOVRIN_MAINNET/domain/99654) on the Sovrin
 MainNet):