Hey there, as part of the work on WEBCAT I've rewritten a Sigsum verifier in browser-native TypeScript, this time that actually checks inclusion proofs ;)
https://github.com/freedomofpress/sigsum-ts
There's 100% coverage, and I've written many tests, though there is likely still some niche case that I'm missing, but overall I'd plan to use it in a less experimental but still beta release in a few months. If no objections, will publish the package on npm in a few days! In many parts I've just followed line by line the original Go code and translated it to TS, in others I've taken a bit more liberty. I'll add support for JSON based formats for proofs and policies as anticipated in a previous thread.
Cheers, Giulio
Giulio via Sigsum-general sigsum-general@lists.sigsum.org writes:
> as part of the work on WEBCAT I've rewritten a Sigsum verifier in browser-native TypeScript, this time that actually checks inclusion proofs ;)
Nice!
A few comments after a first quick look.
Verification usually deals with public values only. So not sure what your threat model is, but I suspect that using constantTimeBufferEqual is overkill (in crypto.ts, verifyInclusionProof).
Not sure why you do incremental quorum check in https://github.com/freedomofpress/sigsum-ts/blob/main/src/verify.ts#L89, is it measurably expensive to verify more cosignatures than necessary?
Regards, /Niels
Hi, thanks for the quick feedback!
On 17/06/2025 11:44, Niels Möller via Sigsum-general wrote:
> Giulio via Sigsum-general sigsum-general@lists.sigsum.org writes:
>> as part of the work on WEBCAT I've rewritten a Sigsum verifier in browser-native TypeScript, this time that actually checks inclusion proofs ;)
> Nice!
> A few comments after a first quick look.
> Verification usually deals with public values only. So not sure what your threat model is, but I suspect that using constantTimeBufferEqual is overkill (in crypto.ts, verifyInclusionProof).
I think you are right, will update before a first release :)
> Not sure why you do incremental quorum check in https://github.com/freedomofpress/sigsum-ts/blob/main/src/verify.ts#L89, is it measurably expensive to verify more cosignatures than necessary?
It seemed more efficient, but I did not do any measurement, though I'll need to run the verifier in real time while a user is waiting for a website to load. Do you think there are reasons not to do it, or that on the average it is likely more expensive to do the extra check every loop?
Cheers, Giulio
Giulio via Sigsum-general sigsum-general@lists.sigsum.org writes:
> Not sure why you do incremental quorum check in https://github.com/freedomofpress/sigsum-ts/blob/main/src/verify.ts#L89, is it measurably expensive to verify more cosignatures than necessary?
> [...] Do you think there are reasons not to do it, or that on the average it is likely more expensive to do the extra check every loop?
Can't say much about performance without actually measuring. To me, it just seems less complex to first iterate over the cosignatures, to get a list of witnesses with known keys and valid cosignatures. And only then check if that set satisfies the quorum.
In principle, one could also have the sender trim the proof and include only the cosignatures needed to satisfy the quorum. Assuming the client's policy is known.
Regards, /Niels
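The two-pass structure suggested in the last message (collect the witnesses with known keys and valid cosignatures, then evaluate the quorum once), as an added example that is not code from sigsum-ts or from anyone in this thread. The types, function names and sample policy are assumptions, and the signature check is a caller-supplied callback standing in for real Ed25519 verification.

```typescript
// Added example: names and types are illustrative, not the sigsum-ts API.
type Cosignature = { keyHash: string; signature: string };
type Witness = { name: string; keyHash: string };
type Group = { name: string; threshold: number; members: string[] };
type Policy = { witnesses: Witness[]; groups: Group[]; quorum: string };
// Caller-supplied signature check (assumption): true if the cosignature verifies.
type VerifyFn = (w: Witness, c: Cosignature) => boolean;

// Pass 1: names of witnesses that have a known key and a valid cosignature.
function validWitnesses(policy: Policy, cosigs: Cosignature[], verify: VerifyFn): Set<string> {
  const byHash = new Map<string, Witness>();
  for (const w of policy.witnesses) byHash.set(w.keyHash, w);
  const ok = new Set<string>(); // a set, so a repeated cosignature counts once
  for (const c of cosigs) {
    const w = byHash.get(c.keyHash);
    if (w !== undefined && verify(w, c)) ok.add(w.name); // unknown keys are skipped
  }
  return ok;
}

// Pass 2: does the collected set satisfy the named witness or group?
function satisfied(policy: Policy, name: string, ok: Set<string>, seen: Set<string> = new Set()): boolean {
  if (policy.witnesses.some((w) => w.name === name)) return ok.has(name);
  const g = policy.groups.find((x) => x.name === name);
  if (g === undefined || seen.has(name)) return false; // undefined name or cycle: fail closed
  const inner = new Set(seen).add(name);
  const hits = g.members.filter((m) => satisfied(policy, m, ok, inner)).length;
  return g.threshold >= 1 && hits >= g.threshold; // a zero threshold never passes
}

function checkQuorum(policy: Policy, cosigs: Cosignature[], verify: VerifyFn): boolean {
  return satisfied(policy, policy.quorum, validWitnesses(policy, cosigs, verify));
}

// Constructed sample policy: the quorum is any 2 of {w1, w2, w3}.
const samplePolicy: Policy = {
  witnesses: [
    { name: "w1", keyHash: "aa" }, { name: "w2", keyHash: "bb" }, { name: "w3", keyHash: "cc" },
  ],
  groups: [{ name: "q", threshold: 2, members: ["w1", "w2", "w3"] }],
  quorum: "q",
};
// Constructed stand-in for signature verification: accepts the literal "good".
const sampleVerify: VerifyFn = (_w, c) => c.signature === "good";
```

Keeping pass 1 separate makes it easy to see that duplicate or unknown-key cosignatures cannot inflate the count that pass 2 evaluates.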