What is the purpose of sending verifying keys in ReencryptionRequest?

[fjarri]

(making the discussion in Discord a little more permanent)

Currently, the structure of ReencryptionRequest is roughly as follows:

hrac
alice_verifying_key (avk)
publisher_verifying_key (pvk)
bob_verifying_key (bvk)
encrypt(hrac | kfrag | sign(hrac | kfrag, pvk))
    where kfrag = [kfrag_data | sign(kfrag_data, avk)]

Ursula has no side channels to obtain either of these verifying keys. The only side channel available is the blockchain, where she can check that the given HRAC is paid for. So, it seems that the only purpose of avk and pvk is for Bob to say "I can't decrypt the kfrag, but I know who signed it". Which is really just error checking. bvk is not really used at all.

So my question is: is there a security purpose for sending these verifying keys? What kind of attack is prevented by Ursula checking these signatures?

One important thing is that we do not use the HRAC structure (keccak(pvk | bvk | label)) at all. We could sign the whole request with bvk, and pass the label with the request, thus ensuring that the request is sent by the same person for whom the policy was issued - if that's something we want to do.

The reason for sending avk is even more unclear. Why would Ursula care if the kfrag is made by the person Bob claims it is? Is it just error-checking again?

[fjarri]

Bundling alice_verifying_key seems to be a historical artefact, as discussed in Discord:

kprasch — Today at 08:55
@Bogdan re #2812 I'm thinking that avk being passed to ursula was historically used to authenticate a particular kfrag that ursula was storing in her DB.  In that model, the side-channel was essentially alice sending the signed kfrag to ursula.   Am I making sense in thinking this?
Do you think "error checking" alone is compelling enough to keep these keys in the RR?

damonC — Today at 09:05
It is amazing how much complexity is being resolved

Bogdan — Today at 09:05
I guess that makes sense, if Ursula could obtain Alice's key from some other source
I don't think it's really worth it to pass the avk, since Bob will be able to verify the resulting cfrag against avk anyway. If Bob had to contact Ursula, the main work has been done already, failing a little bit earlier because avk doesn't match won't get you back all that time spent on establishing connection.
Maybe the difference would be that if avk doesn't match on Bob's side, he doesn't know whether it's Ursula sending an incorrect cfrag, or he sent an incorrect (encrypted) kfrag
But then again, if Ursula wants to play these games, she can just claim that avk is incorrect. Not sure what the benefit would be.

jMyles (NU Flute Guy) — Today at 09:14
True, but that can also be resolved on chain at some point - matching the avk provides forward compatibility with that scenario.

Bogdan — Today at 09:15
The reencryption request is transient and isn't stored, so when we are able to do that, we'll just change the format

jMyles (NU Flute Guy) — Today at 09:21
Sure, that seems sufficient.  But it's not quite the same, as Alices who have already disappeared won't be able to make the on-chain commitment.

But yeah, I think that's OK.

kprasch — Today at 09:34
In this case I'm in favor of removal on the basis that this is another historical artifact.

jMyles (NU Flute Guy) — Today at 09:35
There's a very fuzzy line between "historical artifact" and forward compatibility, though.

But in this particular case, I agree with removal.

The jury is still out on publisher_verifying_key bundled in TreasureMap

[KPrasch]

Publisher verifying key can be explained away by the same history since it was split away from alice verifying key while trying to mimic the existing API.

[fjarri]

It is not exactly analogous, since it is a part of HRAC. So, theoretically, we can check that it corresponds to the HRAC and Bob's key (but we will have to pass the label with the request)