1.4. Anonymous Credentials
Properties
- Selective disclosure - User may selectively disclose attributes
- Unforgeability - it is infeasible to present attribute credentials without having a certificate from the issuer.
- Privacy - A verifier does not learn more information from a presentation token, than the attribute information a user selectively reveals. Moreover, a presentation session cannot be linked to the corresponding issuance sessions and multiple presentation of the same credential are unlinkable.
- Weak Privacy - as privacy, but multiple presentations of the same credential can be linked.
Concept
- Commitment schemes
- CL-Signatures
- Blind Signatures
- Zero-Knowledge proofs
- Structure preserving signatures
- many more...
Issuance
- User: Commit to a message \(ID\), \(C \leftarrow Commit(ID)\)
- User: ZKPoK of representation of \(C\) (that the construction of the commitment is OK)
- Issuer: Sign the commitment \(\sigma \leftarrow Sign_{SK}(C)\) and send \(\sigma\) to the user.
Properties
- If the commitment scheme is hiding, then the issuer don't learns to message inside the commitment.
- If the commitment scheme is binding, then a user cannot change the message inside the signed commitment.
Presentation of a credential
ZKPoK of \(ID\) and \(C\) and \(\sigma\) such that \(C = Commit(ID)\) and \(Verify(\sigma, C) = 1\).
[1980s] - Chaum's idea - no actual construction, just a vision
[1990s] - general and inefficient construction, no security proofs
[2000s] - efficient constructions, various security assumptions, ROM and CRS model
[2010s] - pairings, standard model constructions, delegable AC, constructions mainly based on Groth-Sahai proofs
[2020s] - ???
Commercial projects
- IBM - Identity Mixer
- Microsoft - UProve
- Trusted Computing Group - DAA
State of the art
- Week privacy, Strong Privacy credential systems
- RSA, DL and Bilinear setting
- RO, CRS and Standard model constructions
- Credential systems with revocation
- Some systems combine domain pseudonymity
- Some systems offer relation proofs among attributes
- Delegable anonymous credentials
Bellare, Micciancio, Warinschi: ,,Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions''
Camenisch, Krenn, Lehmann, Mikkelsen, Neven, Pedersen: ,,Formal Treatment of Privacy-Enhancing Credential Systems''
Camenisch, Lysyanskaya: ,,Signature Schemes and Anonymous Credentials from Bilinear Maps''
Chaum, Pedersen: ,,Wallet databases with observers''
Chaum: ,,SECURITY WITHOUT IDENTIFICATION: TRANSACTION SYSTEMS TO MAKE BIG BROTHER OBSOLETE''
Cramer, Damgard, Schoenmakers: ,,Proofs of partial knowledge and simplified design of witness hiding protocols''
Cramer: ,,Modular Design of Secure yet Practical Cryptographic Protocols''
Feige, Fiat, Shamir: ,,Zero-knowledge Proofs of Identity''
Fiat-Shamir: ,,How to prove yourself: Practical Solutions to Identification and Signature Problems''
Goldwasser, Micali, Rackoff: ,,The Knowledge Complexity of Interactive Proof-Systems''
Kutyłowski, Shao: ,,Signing with Multiple ID's and a Single Key''
Rivest, Shamir, Adleman: ,,A Method for Obtaining Digital Signatures and Public-Key''
Schnorr: ,,Efficient Signature Generation by Smart Cards''
Federal Information Processing Standards Publication: Digital Signature Standard (DSS)
NIST FIPS PUB 186-4 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf