Privacy-Preserving Authentication: A Tutorial

1
Privacy-Preserving Authentication A Tutorial

• Anna Lysyanskaya
• Brown University

2
What is Authentication?
Todays news?
projo.com
Who are you? Do you have a subscription?
Its Bond. James Bond. Heresmy subscription.
3
What is Authentication?
Todays news?
projo.com
Who are you? Do you have a subscription?
Its Bond. James Bond. Heresmy subscription.
Identification
Digital signature
4
Signature Schemes
5
Signature Schemes

• Setup I run a setup algorithm to obtain my
  public key PK and secret key SK

PK
PK
SK
6
Signature Schemes

• Setup I run a setup algorithm to obtain my
  public key PK and secret key SK
• Now I can sign (using SK)
• Sign(SK,m) ? s (denoted sPK(m) )
• And you can verify it (using PK)
• Verify(PK,m,s) ? Yes/No

7
Signature Schemes

• Security no adversary can forge a signature even
  after seeing sigs on messages of his choice

m1
m2
...
m,sPK(m)
sPK(m1)
sPK(m2)
...
PK
Secure if this is unlikely
8
History of Signature Schemes

• 1970s invention of PK crypto, DH, RSA, Lamport,
  Merkle
• Definition first provably secure construction
  GMR84
• Random-oracle-based constructions Fiat-Shamir,
  Schnorr, GQ, Bellare-Rogaway, ...
• Lattice-based GGH97, NTRU
• Minimal assumptions Naor-Yung, Rompel (OWF)
• Stateless and provably secure
• under SRSA Gennaro-Halevi-Rabin99,
  Cramer-Shoup99
• under BDH Boneh-Boyen Eurocrypt 2004
• Other flavors group sigs, blind sigs Chaum
• This talk signatures that allow you to prove
  that you have a signed document, efficiently,
  without revealing (too much) about the contents
  of the document ...,L02,CL04,CL05,...,BL12.

9
Using Signature Schemes
I am James Bond. Please give me a cert that I
havea ProJo subscription.
projo.com
ssProJo(James Bond)
PKProJo
Certification authority (CA)
Todays news?
?
Digital signature
projo.com
Let me check that you have a valid subscription.
Who are you?
James Bond. My s.
Identification
10
Using Signature Schemes
I am James Bond. Please give me a cert that I
havea ProJo subscription.
projo.com
PKJB
ssProJo(James Bond)
PKProJo
Certification authority (CA)
Todays news?
?
Digital signature
projo.com
Let me check that you have a valid subscription.
Who are you?
PKJB
?
PKJB. My s.
Identification
11
Thats how authentication with identification is
done.Why do you want to do it without?How do
you do it without?
12
Anonymous Access
Todays news?
projo.com
Who are you? Do you have a subscription?
Its Bond. James Bond.
I can tell you, but then Ill have to kill you...
13
Anonymous Access
Todays news?
projo.com
Show me your subscription.
Subscription 76590
14
Anonymous Access
Todays news?
projo.com
Prove that you are authorized.
Here is a zero-knowledge proof
15
Zero-Knowledge Proof GMR
Let L be a language. A zero-knowledge (ZK)
proof system for L is a protocol between a prover
P (can be computationally unbounded) and a
verifier V (poly-time TM) such that (Completenes
s) For an x in L, P convinces V (Soundness 1-e)
For any x not in L, no malicious P can cause V
to accept with more than e probability (Zero-know
ledge - informal) Everything V learns as a
result of talking to P, he can learn without
talking to P.
16
Example The Set of 3-ColorableGraphs
1. Each vertex colored red, green or blue
2. No monochromatic edges
17
Example The Set of 3-ColorableGraphs
1. Each vertex colored red, green or blue
2. No monochromatic edges
18
Example The Set of 3-ColorableGraphs
1. Each vertex colored red, green or blue
2. No monochromatic edges
19
Example The Set of 3-ColorableGraphs
1. Each vertex colored red, green or blue
2. No monochromatic edges
20
Example The Set of 3-ColorableGraphs
1. Each vertex colored red, green or blue
2. No monochromatic edges
21
Example The Set of 3-ColorableGraphs
1. Each vertex colored red, green or blue
2. No monochromatic edges
22
Example The Set of 3-ColorableGraphs
1. Each vertex colored red, green or blue
2. No monochromatic edges
23
Example The Set of 3-ColorableGraphs
1. Each vertex colored red, green or blue
2. No monochromatic edges
24
Example The Set of 3-ColorableGraphs
1. Each vertex colored red, green or blue
2. No monochromatic edges
25
Example The Set of 3-ColorableGraphs
1. Each vertex colored red, green or blue
2. No monochromatic edges
26
Is every graph 3-colorable?
27
Is every graph 3-colorable?
28
Is every graph 3-colorable?
29
Is every graph 3-colorable?
No...
30
ZK Proof of 3-Colorability
31
ZK Proof of 3-Colorability
You are just trying to trick me! This graph is
not 3-colorable!
32
ZK Proof of 3-Colorability
You are just trying to trick me! This graph is
not 3-colorable!
33
ZK Proof of 3-Colorability
You are just trying to trick me! This graph is
not 3-colorable!
34
ZK Proof of 3-Colorability
35
ZK Proof of 3-Colorability
36
ZK Proof of 3-Colorability
37
ZK Proof of 3-Colorability
38
ZK Proof of 3-Colorability
If youre cheating, I have 1 in 11 chance to
catch you.
39
ZK Proof of 3-Colorability
I want better odds!
40
ZK Proof of 3-Colorability
41
ZK Proof of 3-Colorability
42
ZK Proof of 3-Colorability
43
ZK Proof of 3-Colorability
44
ZK Proof of 3-Colorability
45
ZK Proof of 3-Colorability
46
ZK Proof of 3-Colorability
47
ZK Proof of 3-Colorability
If we repeat 100 times and you are lying,
Ill surely catch you!
GMW86
48
Zero-Knowledge A Crash Course
Theorem GMW87 every L in NP has
a zero-knowledge proof system.
Proof. Reduce the language at hand to
graph 3-colorability (recall that 3-col is
NP-complete). Use Lemma
3-colorability has a zero-knowledge proof
system.
49
Zero-Knowledge A Crash Course
Theorem GMW every language in NP has
a zero-knowledge proof system.
Theorem FLS every language in NP has
anon-interactive ZK proof system (NIZK).
ZK POK a ZK proof of knowledge, ie V acceptsif
the prover knows a value that satisfies an NP
relation,e.g. a valid 3-coloring of a graph.
50
Accessing a Resource
PKJS
51
Using Credentials Anonymously
I am PKJS. Please give me a cert that I go
to High School.
sCAsCA(PKJS, High School)
PKJS
PKCA
Certification authority (CA)

• Zero-knowledge proof that
• I know SK, PK and s such that
• PK corresponds to SK
• Verify(PKCA,(PK. High School),s).

I need access to SIAM J on Computing, 172
Prove to me that you have a valid subscription!
PKJS
Online library
52
Using Credentials Anonymously
I am PKJS. Please give me a cert that I go
to Moses Brown School.
We already know that we can do it! Just reduce
the problem at hand to graph 3-col, and run a
ZKproof! Would be nice to do that
more efficiently.
sCAsCA(PKJS, Moses Brown)
PKJS
PKCA
Certification authority (CA)

• Zero-knowledge proof that
• I know SK, PK and s such that
• PK corresponds to SK
• Verify(PKCA,(PK. High School),s).

I need access to SIAM J on Computing, 172
Prove to me that you have a valid subscription!
PKJS
Online library
53
Obtaining Credentials Anonymously

• Zero-knowledge proof that
• I know SK, PK and s such that
• PK corresponds to SK
• Verify(PKCA,(PK. High School),s).

I need access to SIAM J on Computing, 172
Prove to me that you have a valid subscription!
PKJS
You are such a good customer, I want to also give
you a credential!
Online library
Anonymous credential signature issued to a
hidden value PK/SK the library never sees the
value it is signing
54
Secure 2PC A Crash Course

• Theorem Yao every function f(x,y) can be
  computed
• via a protocol between Alice holding input x, and
  Bobholding input y such that (informally)
• Alice receives output f(x,y) (even if Bob
  deviatesfrom the protocol, she receives f(x,y)
  for some well-defined y known to Bob in advance)
• Even if Alice maliciously deviates, she cannot
  learnmore than f(x,y) for some well-defined x
  known to herin advance
• Even if Bob maliciously deviates, he cannot
  learnanything about x.

55
Secure 2PC A Crash Course
2PC
x
y
Alice
Bob
f(x,y)
56
Obtaining Credentials Anonymously

• Zero-knowledge proof that
• I know SK, PK and s such that
• PK corresponds to SK
• Verify(PKCA,(PK. High School),s).

I need access to SIAM J on Computing, 172
Prove to me that you have a valid subscription!
PKJS
You are such a good customer, I want to also give
you a credential!
Online library
Anonymous credential signature issued to a
hidden value PK/SK the library never sees the
value it is signing
57
Signature Schemes with Efficient Protocols

• WE WANT a signature scheme that is
• efficient, provably secure
• has an efficient ZK proof of knowledge of a sig.
• has a secure two-party protocol for signing a
  hidden value
• WHY applications for authentication without
  identification, as well as group signatures,
  blind signatures, fair exchange of digital
  signatures, ...

58
Roadmap for This Talk

• Building blocks ?
• Main idea of off-line ecash CFN89 CL02
• Main idea of compact ecash CHL05
• Extensions CHL06,CHKLM06
• Technical details how to instantiate generalized
  ecash CL02,...BL12
• Extending to more complicated anonymous
  credentials

Warning there might be a pop quiz...
59
Anonymity Accountability Use Money!
BANK
Withdraw
Deposit
Spend
Alice
60
The Money Cycle

• Three protocols Withdraw, Spend, Deposit
• Desirable properties
• - cant forge/copy money
• - cant trace how cash was spent

61
Electronic Version
?

• Three protocols Withdraw, Spend, Deposit
• Desirable properties
• - cant forge/copy money
• - cant trace how cash was spent

62
Electronic Version

• Preventing copying/forgery - money is
  represented by data, data can be copied - not
  an issue if do electronic checks - but
  electronic checks provide no privacy
• Online e-cash Chaum
• - Bank maintains records of past transactions
• - Withdraw and Spend are unlinkable
• - during Deposit, test if the coin is unspent

63
Off-Line Ecash CFN89

• Algs Setup, Withdraw, Spend, Deposit,
  Identify - Setup sets up everyones keys
  (separately) - Identify if Alice spends
  more than she withdrew, her identity is
  discovered once the Merchant deposits the
  money (Merchant need not do this right
  away).
• Privacy colluding BM cant trace how a coin is
  spent.

64
History

• Chaum82 invented blind signatures, makes
  on-line ecash possible
• CFN,Brands off-line e-cash

65
Main Idea of Off-Line Ecash

• Recall digital signatures, secure 2-party
  computation, ZK proofs of knowledge

66
Main Idea of Off-Line Ecash

• Recall digital signatures, secure 2-party
  computation, ZK proofs of knowledge
• SETUP Signature key pair for Bank (pk,sk).
  Assume a PKI for all the users.
  Large prime Q.
• WITHDRAW
• SPEND

PKI, Q, pk
Alices SK x
2PC
sk
Random A,B lt Q ? ?pk(x,A,B)
0 lt new R lt Q e.g. RH(contract, rand)
A (the coins serial number) T xRB mod Q
(double-spending equation) NIZKPOK of (x,B,?)
such that 1. T xRB 2.
VerifySig(pk,(x,A,B), ?) TRUE
Deposit submit (A,R,T,proof) to the Bank
67
Main Idea of Off-Line Ecash

• Recall digital signatures, secure 2-party
  computation, ZK proofs of knowledge
• SETUP Signature key pair for Bank (pk,sk).
  Assume a PKI for all the users.
  Large prime Q.
• WITHDRAW
• SPEND

Suppose a coin is spent twice. Same coin gt same
A Spent twice two Rs, with high prob, R
? R T xRB mod Q, T xRBmod Q
solve for x, id and punish Alice
Privacy for Alice A,T random, proofs is ZK!
Alices SK x
2PC
sk
Random A,B lt Q ? ?pk(x,A,B)
0 lt new R lt Q e.g. RH(contract, rand)
A (the coins serial number) T xRB mod Q
(double-spending equation) NIZKPOK of (x,B,?)
such that 1. T xRB 2.
VerifySig(pk,(x,A,B), ?) TRUE
Deposit submit (A,R,T,proof) to the Bank
68
Compact Ecash

• Algs Setup, Withdraw, Spend, Deposit, Identify
• Withdraw a wallet with N coins
• Spend, deposit just one coin
• Want complexity of protocols O(log N), not O(N)

69
Compact Ecash Main Idea CHL05

• WITHDRAW N
• SPEND 1 for the ith time Let F( )( ) be a
  pseudorandom function family
• TBA how to instantiate using practical building
  blocks.

Suppose spent gtN coins gt repeating A
Fs(i) for some i A spent twice two random Rs,
with high prob, R ? R T xRFt(i),
T xRFt(i) solve for x, id and punish
Alice
PKI, Q, pk
Privacy for Alice A and T are
pseudorandom, Proofs are ZK
Alices SK x
2PC
sk
Random s,t ? ?pk(x,s,t)
new R lt Q
A Fs(i) (the coins serial number) T
xRFt(i) mod Q (double-spending
equation) NIZKPOK of (i,x,s,t,?) such that
1. 1 i N 2. A Fs(i) 3. T
xRFt(i) 4. VerifySig(pk,(x,s,t), ?) TRUE
Deposit submit (A,R,T,proof) to the Bank
70
ATTENTIONPOP QUIZ COMING UP!!!!
71
Generalized Ecash

• WITHDRAW
• SPEND

Alices SK x
2PC
sk
Random s,t ? ?pk(x,s,t)
Random s1,...,sL ? ?pk(x,s1,...,sL)
new R1,...,RM
new R lt Q
PRF evaluations A1Fsj(i1),...,A15Fsz(i15) Any
set of linear combinations T1 x?Rk Fsj(ij)
mod Q ... T10 x?Rk Fsj(ij) mod
Q NIZKPOK of (i,x,s1,...,sL,i1,...,i15, ... ,?)
s.t. 1. A1,...,A15,T1,...,T10 computed
correctly 2. VerifySig(pk,(x,s1,...,sL), ?)
TRUE
A Fs(i) (the coins serial number) T
xRFt(i) mod Q (double-spending
equation) NIZKPOK of (i,x,s,t,?) such that
1. 1 i N 2. A Fs(i) 3. T
xRFt(i) 4. VerifySig(pk,(x,s,t), ?) TRUE
Deposit submit (Ai,Ri,Ti,proof) to the
Bank
72
POP QUIZEach user is allowed to spend only up
to 100 coins with the Cheshire Cat. How to
instantiate Generalized Ecash to guarantee
this?Hint use multiple serial numbers
73
Preventing Money Laundering CHL06

• WITHDRAW N
• SPEND the ith coin this is the jth time with
  this Merchant
• Cannot be done with physical cash! Was an open
  problem too, for a while.

Suppose spend gtN coins gt repeating A1, catch
Alice! Suppose spend gt100 with CheshCat gt
repeating A2 Fs2(CheshCat,j) catch
Alice.
Privacy for Alice
Alices SK x
2PC
sk
s1,t1,s2,t2 ? ?pk(x,s1,t1,s2,t2)
new R lt Q
A1 Fs1(i), A2 Fs2(CheshCat,j) T1 xRFt1(i),
T2 xRFt2(CheshCat,j) NIZKPOK of
(i,x,s1,t1,j,s2,t2,?) such that 1. 1 i
N, 1 j 100 2. A1 Fs(i), A2
Fs2(CheshCat,j) 3. T1 xRFt(i), T2
xRFt2(CheshCat,j) 4. VerifySig(pk,(x,s1,t1,s
2,t2), ?) TRUE
Deposit submit (A1,A2,R,T1,T2,proof) to the Bank
74
POP QUIZ 2A user is allowed to spend up to 100
coins (tokens) per day. Each morning, her wallet
is reset. How to do this?Hint use a PRF with
two inputs, Fs(i,j)
75
Compact E-Tokens CHKLM06

• WITHDRAW
• SPEND the ith token on Day j
• A simple solution to the uncloneable group
  identification problem DDP06

Suppose spend gt100 coins on day j gt
repeating AFs(i,j) for some i gt catch Alice!
Privacy for Alice same as in compact ecash
Alices SK x
2PC
sk
Random s,t ? ?pk(x,s,t)
new R lt Q
A Fs(i,j) T xRFt(i,j) NIZKPOK of
(i,x,s,t,?) such that 1. 1 i 100 2.
A Fs(i,j) 3. T xRFt(i,j) 4.
VerifySig(pk,(x,s,t), ?) TRUE
Deposit submit (A,R,T,proof) to the Bank
76
POP QUIZ 3If you double-spend lt 4 e-tokens,
these e-tokens are linked, but your identity
cannot be traced. If you double-spend 4 times,
you are identified and your SK is
computed.Hint use multiple R1, ..., RL
77
Glitch Protection CHKLM06
Suppose spend N4 coins gt repeating AFs(i)
for some i (possibly for i1, i2, i3, i4)
gt L pops out of repeating A using T,
T, R, R gt link them together! gt
Fu(i) pops out of repeating A using Y, Y,
R, R gt each overspending gives x
r1z1 r2z2 r3z3 Z-Fu(i)

• WITHDRAW
• SPEND 1 for the ith time

Alices SK x
2PC
sk
s,t,u,v,L,z1,z2,z3 ? ?pk(x,s,t,u,v,L,z1,z2,z3)
R, r1, r2, r3
A Fs(i) T LRFt(i) Y Fu(i)RFv(i) Z x
r1z1 r2z2 r3z3 Fu(i) NIZKPOK of
(i,x,s,t,u,v,L,z1,z2,z3,?) such that 1. 1
i N 2. A Fs(i), T LRFt(i), Y
Fu(i)RFv(i) 3. Z x r1z1 r2z2 r3z3
Fu(i) 4. VerifySig(pk,(x,s,t,u,v,L,z1,z2,z3),
?)
78
Roadmap for This Talk

• Building blocks ?
• Main idea of off-line ecash CFN89 CL02 ?
• Main idea of compact ecash CHL05 ?
• Extensions CHL06,CHKLM06 ?
• Technical details how to instantiate generalized
  ecash

79
Compact Ecash with CL Sigs

• Pedersen and Fujisaki-Okamoto commitments
• If G is a group with generators g1,g2, , gn, h
  commit to x1,x2,xn C g1x1g2x2gnxnhr
  for random r lt G
• Brands99,Camenisch98 ZKPOKs of committed
  values w algebraic and Boolean props
• CL sigs CL01,L02,CL02,CL04,...,CL50
• Efficient, provably secure sig (Strong RSA
  CL02, LRSW or SDHI CL04)
• Efficient protocol for getting a sig on a set of
  Ped- FO-committed values (x1,x2,...,xn)
• Efficient protocol for proving knowledge of a sig
  on a set of committed values

• WITHDRAW
• SPEND

CL
new R lt Q
A Fs(i), T xRFt(i) mod Q Ci,Cx,Cs,Ct
commitments to i,x,s,t ZKPOK of (i,x,s,t,?) such
that 0. They correspond to Ci,Cx,Cs,Ct
1. 1 i N 2. A Fs(i) 3. T
xRFt(i) 4. VerifySig(pk,(x,s,t), ?) TRUE
Standard techniques
CL
80
Compact Ecash with CL Sigs
Suppose ith coin is spent twice. Same coin gt
same A Spent twice two random Rs, with
high prob, R1 ? R2 T1 gx(Ft(i))R1, T2
gx(Ft(i))R2 solve for Ft(i)
(T1/T2)1/(R1-R2) solve for gx
T1/(Ft(i)R1)

• WITHDRAW
• SPEND

CL
A Fs(i), T gx(Ft(i))R Ci,Cx,Cs,Ct
commitments to i,x,s,t ZKPOK of (i,x,s,t,?) such
that 0. They correspond to Ci,Cx,Cs,Ct
1. 1 i N 2. A Fs(i) 3. T
gx(Ft(i))R 4. VerifySig(pk,(x,s,t), ?) TRUE
Standard techniques
DY05 Fs(i) g1/(si1)
CL
81
First Signature Scheme

• (Sig scheme for messages of length l(m), security
  parameter k)
• Key generation n pq (2p1)(2q1) of
  length l(n) a, b, c ? QRn
• Signing m e ? PRIMESl(m)2 , s ? 0,1
  l(n)l(m)k solve for v such that ve ambsc mod
  n
• Verification of m, s (s,e,v) check that ve
  ambsc mod n check the lengths of m,s,e

82
Provable Security

• Under the Strong RSA assumption
• hard, on input an RSA modulus n, and a value u,
  to compute (v,e) such that e gt 1 and
  veu
• I will skip the proof of security

83
And Now the Two Protocols

• Signature on a committed value
• ZK proof of knowledge of a signature

84
But First Some Known Tools

• Commitment scheme Ped92,FO97
• PK N (2P1)(2Q1), g, h ? QRN
• Commit(x,r) gxhr mod N
• ZK proof of knowledge of representations S91
• protocol between a prover P and a verifier V
• common input is some value C in some group where
  the discrete logarithm problem is hard, and some
  generators g1, g2, ..., g15
• P knows how to represent C in terms of g1, g2,
  ..., g15 C
  g1x1g2x2...g15x15.
• P can convince V that he knows x1, x2, ..., x15
  s.t. V learns nothing about them
• but with access to the Ps algorithm, can extract
  the representation.
• ZK proofs of equality of representations other
  relations S91,Brands99,CM99
• ZK proof that a committed number lies in an
  integer interval B00.

85
Signature on a Committed Value
1. Commit to m Cm ambr mod n
PK
Proof of knowledge
2. Prove knldge of rep of Cm and correct
lengths
3. Pick random t, e. Solve for v in
ve Cmbtc mod n Send (t,e,v)
Signer
Alice
4. Output s rt, e, v
86
Proof of Knowledge of a Signature

• Imagine that you are the PROVER! ?
• Have m, s (v,e,s), s.t. ve ambsc
• For a random r, let u vbr.
• Note that ue ambsrec
• so (u,e,sre) is also a sig on m
• Then c uea-mb-s-re
• Give u to the verifier and prove knowledge of
  representation of c in bases u,a,b prove that
  these discrete logs are of the right length
• (this version of this protocol due to CG04)

87
Signature for Blocks of Messages

• Wish to sign a block of messages, (m1,...,mL)
• normally just use a hash function
• M H(m1,...,mL), then sign M
• not in this case want efficient protocols
• Variant of the other scheme
• Public key n of length l(n) same as before
  a1, ..., aL, b, c ? QRn
• Signing (m1,...,mL) random e and s as
  beforesolve for v such that ve a1m1...
  aLmLbsc mod n
• Verification of m1,...,mL, s (s,e,v) check
  ve and lengths, as before
• Security follows from first scheme

88
Signature on a Committed Block
1. Commit to m1,...,mL Cm a1m1...aLmLbr mod
n
PK
Proof of knowledge
2. Prove knldge of rep of Cm and correct
lengths
3. Pick random t, e. Solve for v in
ve Cmbtc mod n Send (t,e,v)
Signer
Alice
4. Output s rt, e, v
89
Proof of Knowledge of a Signature

• Imagine that you are the PROVER! ?
• Have m1,...,mL, s (v,e,s), s.t. ve
  a1m1...aLmLbsc
• For a random r, let u vbr.
• Note that ue a1m1...aLmLbsrec
• so (u,e,sre) is also a sig on m1,...,mL
• Then c uea1-m1...aL-mLb-s-re
• Give u to the verifier and prove knowledge of
  representation of c in bases u,a1,...,aL,b prove
  that these discrete logs are of the right length

90
Anonymous Credentials

• SETUP Signature key pair for Issuer (pk,sk).
  The user is anonymous, but known to
  the issuer under a pseudonym
  P Commit(users real SK x)
• Obtain cred
• Anonymously prove possession of credential

P, pk
opening of P
2PC
sk
? ?pk(x)
ZKPOK of (x,?) such that VerifySig(pk,x,?)
TRUE
91
Anonymous Credentials

• SETUP Signature key pair for Issuer (pk,sk).
  The user is anonymous, but known to
  the issuer under a pseudonym
  P Commit(users real SK x)
• Obtain cred
• Anonymously prove possession of credential for
  pseudonym P (not the same as pseudonym P)

P, pk
opening of P
2PC
sk
? ?pk(x)
ZKPOK of (x,R,?) such that 1.
VerifySig(pk,x, ?) TRUE 2. P Commit(xR)
92
Anonymous Credentials w. Identity Escrow

• SETUP Signature key pair for Issuer (pk,sk).
  The user is anonymous, but known to
  the issuer under a pseudonym
  P EncryptCA(users real SK x)
• Obtain cred
• Anonymously prove possession of credential for
  pseudonym P (not the same as pseudonym P)

P, pk
opening of P
2PC
sk
? ?pk(x)
ZKPOK of (x,R,?) such that 1.
VerifySig(pk,x, ?) TRUE 2. P Commit(xR)
93
Anonymous Ecash Credentials

• SETUP Signature key pair for Issuer (pk,sk).
  The user is anonymous, but known to
  the issuer under a pseudonym
  P Commit(users real SK x)
• Obtain cred
• Spend under pseudonym P (not the same as
  pseudonym P)

P, pk
opening of P
2PC
sk
same as ecash
same as ecash, must prove that thesecret x is
inside the pseudonym was signed
94
Anonymous Credentials with Attributes

• SETUP Signature key pair for Issuer (pk,sk).
  The user is anonymous, but known to
  the issuer under a pseudonym
  P Commit(users real SK x, attr A1,...An)
• Obtain cred
• Anonymously prove possession of credential for
  pseudonym P (not the same as pseudonym P)

P, pk
opening of P
2PC
sk
? ?pk(x,A1,...,An)
ZKPOK of (x,A1,...,An,R,?) such that 1.
VerifySig(pk,(x,A1,...,An),?) TRUE 2. P
Commit(xR) 3. Attributes satisfy desired
relation
95
Anonymous Credentials Light BL12

• SETUP Signature key pair for Issuer (pk,sk).
  The user is anonymous, but known to
  the issuer under a pseudonym
  P Commit(users real SK x)
• Obtain cred
• Anonymously prove possession of credential (can
  only do it once!)

P, pk
opening of P
2PC
sk
P Commit(xR), R, ? ?pk(P)
Reveal P and ?
96
Anonymous Credentials Light BL12

• SETUP Signature key pair for Issuer (pk,sk).
  The user is anonymous, but known to
  the issuer under a pseudonym
  P Commit(users real SK x)
• Obtain cred
• Anonymously prove possession of credential (can
  only do it once!) under pseudonym P (not the
  same as P or P)

P, pk
opening of P
2PC
sk
P Commit(xR), R, ? ?pk(P)
Reveal P and ? ZK Prove that P and P are
commitmentsto the same value
97
(No Transcript)