Privacy-Preserving Authentication: A Tutorial


Anna Lysyanskaya, Brown University

What is Authentication?

User (to projo.com): Today’s news?
projo.com: Who are you? Do you have a subscription?
User: It’s Bond. James Bond. Here’s my subscription.

(Labels on the diagram: Identification; Digital signature.)

Signature Schemes

• Setup: I run a setup algorithm to obtain my public key PK and secret key SK
• Now I can sign (using SK):
  – Sign(SK,m) → σ (denoted σ_PK(m))
• And you can verify it (using PK):
  – Verify(PK,m,σ) → Yes/No

Signature Schemes

• Security: no adversary can forge a signature even after seeing sigs on messages of his choice

(The slide draws the chosen-message attack against the holder of PK: the adversary sends m1 and receives σ_PK(m1), sends m2 and receives σ_PK(m2), ..., and finally outputs a pair (m, σ_PK(m)) for a message m it never asked about. Secure if this is unlikely.)

History of Signature Schemes

• 1970s: invention of PK crypto, DH, RSA, Lamport, Merkle
• Definition & first provably secure construction: GMR84
• Random-oracle-based constructions: Fiat-Shamir, Schnorr, GQ, Bellare-Rogaway, ...
• Lattice-based [GGH97], NTRU
• Minimal assumptions: Naor-Yung, Rompel (OWF)
• Stateless and provably secure
  – under SRSA: Gennaro-Halevi-Rabin’99, Cramer-Shoup’99
  – under BDH: Boneh-Boyen [Eurocrypt 2004]
• Other flavors: group sigs, blind sigs [Chaum]
• This talk: signatures that allow you to prove that you have a signed document, efficiently, without revealing (too much) about the contents of the document [...,L02,CL04,CL05,...,BL12].

Using Signature Schemes

Obtaining the certificate:

User to certification authority (CA): I am James Bond. Please give me a cert that I have a ProJo subscription.
CA: σ = σ_ProJo(James Bond), issued under PK_ProJo

Using it:

User to projo.com: Today’s news?
projo.com: Let me check that you have a valid subscription. Who are you?
User: James Bond. My σ.

(Labels on the diagram: Identification; Digital signature. In the second version of the slide the user is known by a public key, PK_JB, and answers “PK_JB. My σ.”)

That’s how authentication with identification is done.

Why do you want to do it without?

How do you do it without?

Anonymous Access

User (to projo.com): Today’s news?
projo.com: Who are you? Do you have a subscription?
User: It’s Bond. James Bond. I can tell you, but then I’ll have to kill you...

Anonymous Access

User (to projo.com): Today’s news?
projo.com: Show me your subscription.
User: Subscription #76590

Anonymous Access

User (to projo.com): Today’s news?
projo.com: Prove that you are authorized.
User: Here is a zero-knowledge proof

Zero-Knowledge Proof [GMR]

Let L be a language.

A zero-knowledge (ZK) proof system for L is a protocol between a prover P (can be computationally unbounded) and a verifier V (poly-time TM) such that:

(Completeness) For an x in L, P convinces V

(Soundness 1-ε) For any x not in L, no malicious P’ can cause V to accept with more than ε probability

(Zero-knowledge - informal) Everything V learns as a result of talking to P, he can learn without talking to P.

Example: The Set of 3-Colorable Graphs

1. Each vertex colored red, green or blue
2. No monochromatic edges

(The slides step through a 3-coloring of an example graph.)

Is every graph 3-colorable?

No...

ZK Proof of 3-Colorability

Verifier: You are just trying to trick me! This graph is not 3-colorable!

(The slides animate the protocol of [GMW86]: the prover commits to a randomly permuted coloring of the graph, the verifier picks one edge, the prover opens the two endpoints, and the verifier checks that their colors differ.)

Verifier: If you’re cheating, I have 1 in 11 chance to catch you.

Verifier: I want better odds!

Verifier: If we repeat 100 times and you are lying, I’ll surely catch you!

[GMW86]
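The round the slides animate, written out as an added Python example (this code is not from the tutorial). It uses a SHA-256 commitment in place of the slides' commitment boxes, a constructed 6-edge graph with one honest and one cheating colouring (so a cheating round is caught with probability 1/6 where the slide says 1 in 11), and a simulate_round function showing why the proof is zero-knowledge: given the challenge edge ahead of time, an accepting round can be produced with no colouring at all.

```python
import hashlib
import random
import secrets

_rng = random.SystemRandom()

# Constructed example graph (not the slide's): 5 vertices, 6 edges, 3-colourable.
EDGES = [(0, 1), (1, 2), (2, 0), (2, 3), (3, 4), (4, 0)]
GOOD_COLORING = [0, 1, 2, 0, 1]     # red/green/blue as 0/1/2; no monochromatic edge
BAD_COLORING = [0, 1, 2, 0, 0]      # edge (4, 0) is monochromatic: a cheating prover


def is_proper(edges, coloring):
    return all(coloring[u] != coloring[v] for u, v in edges)


def commit(color, nonce):
    """Hash commitment to one vertex colour; the random nonce keeps it hiding."""
    return hashlib.sha256(nonce + bytes([color])).hexdigest()


def prover_commit(coloring):
    """Round 1: permute the three colours at random, then commit to every vertex."""
    perm = [0, 1, 2]
    _rng.shuffle(perm)
    colors = [perm[c] for c in coloring]
    nonces = [secrets.token_bytes(16) for _ in coloring]
    return [commit(c, n) for c, n in zip(colors, nonces)], (colors, nonces)


def prover_open(state, edge):
    """Round 3: open only the two endpoints of the edge the verifier chose."""
    colors, nonces = state
    u, v = edge
    return (colors[u], nonces[u]), (colors[v], nonces[v])


def verifier_check(commitments, edge, opening):
    """Openings must match the commitments and show two different colours."""
    u, v = edge
    (cu, nu), (cv, nv) = opening
    if commit(cu, nu) != commitments[u] or commit(cv, nv) != commitments[v]:
        return False
    return cu in (0, 1, 2) and cv in (0, 1, 2) and cu != cv


def run_protocol(edges, coloring, rounds):
    """Repeat the round; a single failed check rejects the prover."""
    for _ in range(rounds):
        commitments, state = prover_commit(coloring)
        edge = _rng.choice(edges)                   # round 2: verifier's random challenge
        if not verifier_check(commitments, edge, prover_open(state, edge)):
            return False
    return True


def cheating_bound(edges, rounds):
    """A prover with at least one bad edge survives each round with probability at most 1 - 1/|E|."""
    return (1 - 1 / len(edges)) ** rounds


def simulate_round(n_vertices, edge):
    """Zero-knowledge: knowing the challenge edge ahead of time, an accepting round is produced
    with no colouring at all, so accepting transcripts carry no information about the witness."""
    u, v = edge
    colors = [_rng.randrange(3) for _ in range(n_vertices)]
    colors[v] = (colors[u] + 1 + _rng.randrange(2)) % 3     # any colour except colors[u]
    nonces = [secrets.token_bytes(16) for _ in range(n_vertices)]
    commitments = [commit(c, n) for c, n in zip(colors, nonces)]
    return commitments, ((colors[u], nonces[u]), (colors[v], nonces[v]))
```

run_protocol(EDGES, GOOD_COLORING, 100) always accepts; run_protocol(EDGES, BAD_COLORING, 400) rejects with all but probability (5/6)^400, which is the effect the verifier's "repeat 100 times" is after on the slide's larger graph.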

Zero-Knowledge: A Crash Course

Theorem [GMW87]: every L in NP has a zero-knowledge proof system.

Proof. Reduce the language at hand to graph 3-colorability (recall that 3-col is NP-complete). Use:

Lemma: 3-colorability has a zero-knowledge proof system.

Theorem [GMW]: every language in NP has a zero-knowledge proof system.

Theorem [FLS]: every language in NP has a non-interactive ZK proof system (NIZK).

ZK POK: a ZK proof of knowledge, i.e. V accepts if the prover knows a value that satisfies an NP relation, e.g. a valid 3-coloring of a graph.

Accessing a Resource

User (PK_JS) to online library: I need access to SIAM J on Computing, 17:2
Online library: Prove to me that you have a valid subscription!
User: Sure! Here’s a zero-knowledge proof: ...

Using Credentials Anonymously

Obtaining the credential:

User (PK_JS) to certification authority (CA): I am PK_JS. Please give me a cert that I go to High School. (A second version of the slide says “Moses Brown School”.)
CA: σ_CA = σ_CA(PK_JS, High School), issued under PK_CA

Using it:

User to online library: I need access to SIAM J on Computing, 17:2
Online library: Prove to me that you have a valid subscription!
User: Zero-knowledge proof that I know SK, PK and σ such that:
(1) PK corresponds to SK
(2) Verify(PK_CA, (PK, High School), σ).

We already know that we can do it! Just reduce the problem at hand to graph 3-col, and run a ZK proof!

Would be nice to do that more efficiently.

Obtaining Credentials Anonymously

(Same library exchange as above.)

Online library: You are such a good customer, I want to also give you a credential!

Anonymous credential = signature issued to a hidden value PK/SK: the library never sees the value it is signing

Secure 2PC: A Crash Course

Theorem [Yao]: every function f(x,y) can be computed via a protocol between Alice holding input x, and Bob holding input y such that (informally):

(1) Alice receives output f(x,y) (even if Bob deviates from the protocol, she receives f(x,y) for some well-defined y known to Bob in advance)
(2) Even if Alice maliciously deviates, she cannot learn more than f(x,y) for some well-defined x known to her in advance
(3) Even if Bob maliciously deviates, he cannot learn anything about x.

(Diagram: Alice with input x and Bob with input y run the 2PC; Alice receives f(x,y).)


Signature Schemes with Efficient Protocols

• WE WANT a signature scheme that
  – is efficient, provably secure
  – has an efficient ZK proof of knowledge of a sig
  – has a secure two-party protocol for signing a hidden value
• WHY: applications for authentication without identification, as well as group signatures, blind signatures, fair exchange of digital signatures, ...

Roadmap for This Talk

• Building blocks

• Main idea of off-line ecash [CFN89 + CL02]

• Main idea of compact ecash [CHL05]

• Extensions [CHL06,CHKLM06]

• Technical details: how to instantiate generalized ecash [CL02,...BL12]

• Extending to more complicated anonymous credentials

Warning: there might be a pop quiz...

Anonymity + Accountability: Use Money!

(Diagram: Alice withdraws $ from the Bank, spends $$$ at the Merchant, and the Merchant deposits $$$ at the Bank. The banknote on the slide reads “TWO DOLLARS”, signed Rivest.)

The Money Cycle

(Diagram: Bank, Alice, Merchant; Withdraw, Spend, Deposit.)

• Three protocols: Withdraw, Spend, Deposit
• Desirable properties:
  - can’t forge/copy money
  - can’t trace how cash was spent

Electronic Version

(Diagram: Bank, Alice, Merchant; Withdraw, Spend, Deposit.)

• Three protocols: Withdraw, Spend, Deposit
• Desirable properties:
  - can’t forge/copy money
  - can’t trace how cash was spent?

Electronic Version

• Preventing copying/forgery:
  - money is represented by data, data can be copied
  - not an issue if we do electronic checks
  - but electronic checks provide no privacy
• Online e-cash [Chaum]:
  - Bank maintains records of past transactions
  - Withdraw and Spend are unlinkable
  - during Deposit, test if the coin is unspent

Off-Line Ecash [CFN89]

(Diagram: Bank, Alice, Merchant; Withdraw, Spend, Deposit.)

• Algs: Setup, Withdraw, Spend, Deposit, Identify
  - Setup sets up everyone’s keys (separately)
  - Identify: if Alice spends more than she withdrew, her identity is discovered once the Merchant deposits the money (Merchant need not do this right away).
• Privacy: colluding B&M can’t trace how a coin is spent.

History

• Chaum’82: invented blind signatures, makes on-line ecash possible

• [CFN,Brands]: off-line e-cash

Main Idea of Off-Line Ecash

• Recall: digital signatures, secure 2-party computation, ZK proofs of knowledge
• SETUP: Signature key pair for Bank (pk,sk). Assume a PKI for all the users. Large prime Q. (Public values: PKI, Q, pk.)
• WITHDRAW: a 2PC between Alice and the Bank (which holds sk). Alice’s inputs: her SK x and random A,B < Q. Output to Alice: σ = σ_pk(x,A,B), the Bank’s signature on values it never sees.
• SPEND: a “new” R, 0 < R < Q, e.g. R = H(contract, rand). Alice gives the Merchant
  A (the coin’s serial number)
  T = x + RB mod Q (double-spending equation)
  NIZKPOK of (x,B,σ) such that 1. T = x+RB 2. VerifySig(pk,(x,A,B),σ) = TRUE
• DEPOSIT: submit (A,R,T,proof) to the Bank

Suppose a coin is spent twice. Same coin => same A. Spent twice: two R’s; with high prob, R ≠ R’. T = x+RB mod Q, T’ = x+R’B mod Q: solve for x, identify and punish Alice.

Privacy for Alice: A, T are random, proof is ZK!

Compact Ecash

• Algs: Setup, Withdraw, Spend, Deposit, Identify
• Withdraw: a wallet with N coins
• Spend, deposit: just one coin
• Want: complexity of protocols O(log N), not O(N)

(Diagram: Bank, Alice, Merchants; Withdraw, Spend, Deposit. Public values: PKI, Q, pk.)

Compact Ecash: Main Idea [CHL05]

• WITHDRAW $N: a 2PC between Alice (SK x, random s,t) and the Bank (sk); Alice obtains σ = σ_pk(x,s,t)
• SPEND $1 for the ith time: Let F_(·)(·) be a pseudorandom function family. New R < Q. Alice gives the Merchant
  A = F_s(i) (the coin’s serial number)
  T = x + R·F_t(i) mod Q (double-spending equation)
  NIZKPOK of (i,x,s,t,σ) such that 1. 1 ≤ i ≤ N 2. A = F_s(i) 3. T = x+R·F_t(i) 4. VerifySig(pk,(x,s,t),σ) = TRUE
• DEPOSIT: submit (A,R,T,proof) to the Bank
• TBA: how to instantiate using practical building blocks.

Suppose Alice spent > N coins => repeating A = F_s(i) for some i. A spent twice: two random R’s; with high prob, R ≠ R’. T = x+R·F_t(i), T’ = x+R’·F_t(i): solve for x, identify and punish Alice.

Privacy for Alice: A and T are pseudorandom, proofs are ZK

ATTENTION:

POP QUIZ COMING UP!!!!


Generalized Ecash

• WITHDRAW: a 2PC between Alice (SK x, random s1,...,sL) and the Bank (sk); Alice obtains σ = σ_pk(x,s1,...,sL)
• SPEND: new R1,...,RM. Alice gives the Merchant
  PRF evaluations A1 = F_sj(i1), ..., A15 = F_sz(i15)
  Any set of linear combinations
  T1 = x + ∑ Rk·F_sj(ij) mod Q
  ...
  T10 = x + ∑ Rk’·F_sj’(ij’) mod Q
  NIZKPOK of (i,x,s1,...,sL,i1,...,i15,...,σ) s.t. 1. A1,...,A15,T1,...,T10 computed correctly 2. VerifySig(pk,(x,s1,...,sL),σ) = TRUE
• DEPOSIT: submit ({Ai},{Ri},{Ti},proof) to the Bank

POP QUIZ:

Each user is allowed to spend only up to 100 coins with the Cheshire Cat. How to instantiate Generalized Ecash to guarantee this?

Hint: use multiple serial numbers

Preventing Money Laundering [CHL06]

• WITHDRAW $N: a 2PC between Alice (SK x, seeds s1,t1,s2,t2) and the Bank (sk); Alice obtains σ = σ_pk(x,s1,t1,s2,t2)
• SPEND the ith coin; this is the jth time with this Merchant (the Cheshire Cat). New R < Q. Alice gives the Merchant
  A1 = F_s1(i), A2 = F_s2(CheshCat,j)
  T1 = x+R·F_t1(i), T2 = x+R·F_t2(CheshCat,j)
  NIZKPOK of (i,x,s1,t1,j,s2,t2,σ) such that 1. 1 ≤ i ≤ N, 1 ≤ j ≤ 100 2. A1 = F_s1(i), A2 = F_s2(CheshCat,j) 3. T1 = x+R·F_t1(i), T2 = x+R·F_t2(CheshCat,j) 4. VerifySig(pk,(x,s1,t1,s2,t2),σ) = TRUE
• DEPOSIT: submit (A1,A2,R,T1,T2,proof) to the Bank
• Cannot be done with physical cash! Was an open problem too, for a while.

Suppose Alice spends > N coins => repeating A1, catch Alice! Suppose she spends > 100 with CheshCat => repeating A2 = F_s2(CheshCat,j), catch Alice.

Privacy for Alice

POP QUIZ 2:

A user is allowed to spend up to 100 coins (tokens) per day. Each morning, her wallet is reset. How to do this?

Hint: use a PRF with two inputs, F_s(i,j)

Compact E-Tokens [CHKLM06]

• WITHDRAW: a 2PC between Alice (SK x, random s,t) and the Bank (sk); Alice obtains σ = σ_pk(x,s,t)
• SPEND the ith token on Day j: new R < Q. Alice gives the Merchant
  A = F_s(i,j)
  T = x+R·F_t(i,j)
  NIZKPOK of (i,x,s,t,σ) such that 1. 1 ≤ i ≤ 100 2. A = F_s(i,j) 3. T = x+R·F_t(i,j) 4. VerifySig(pk,(x,s,t),σ) = TRUE
• DEPOSIT: submit (A,R,T,proof) to the Bank
• A simple solution to the uncloneable group identification problem [DDP06]

Suppose Alice spends > 100 coins on day j => repeating A = F_s(i,j) for some i => catch Alice!

Privacy for Alice: same as in compact ecash
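The serial-number and double-spending mechanics of the off-line ecash, compact ecash [CHL05] and compact e-token [CHKLM06] slides, as one added Python example (not the tutorial's code, and not a secure implementation: the Bank's signature from WITHDRAW and the NIZKPOK in SPEND are omitted, so the Bank is simply handed (A,R,T), and F is a SHA-256 stand-in for the PRF rather than the [DY05] instantiation the talk gives later). A wallet with N = 1 and no context behaves like an off-line coin, N > 1 gives the compact wallet, and passing a day index as context gives the per-day tokens.

```python
import hashlib
import secrets

Q = (1 << 127) - 1        # a prime, standing in for the talk's "large prime Q"


def prf(seed, *inputs):
    """Stand-in for F_seed(inputs): SHA-256 keyed by the seed, reduced mod Q.
    (Constructed for this example; the talk instantiates F with the [DY05] PRF.)"""
    data = seed.to_bytes(16, "big") + b"".join(v.to_bytes(8, "big") for v in inputs)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def withdraw(x, n_coins):
    """WITHDRAW: in the talk a 2PC hands Alice the Bank's signature on (x, s, t) without
    the Bank seeing them; that signature is omitted here, the wallet just keeps the seeds."""
    return {"x": x, "s": secrets.randbits(128), "t": secrets.randbits(128), "N": n_coins}


def spend(wallet, i, *context, R=None):
    """SPEND the i-th coin: serial A = F_s(i, context), tag T = x + R*F_t(i, context) mod Q.
    context is empty for compact ecash and (day,) for compact e-tokens.
    The NIZKPOK that A and T are well-formed under a Bank signature is omitted."""
    if not 1 <= i <= wallet["N"]:
        raise ValueError("coin index outside the wallet")
    if R is None:
        R = 1 + secrets.randbelow(Q - 1)        # fresh per transaction, e.g. H(contract, rand)
    A = prf(wallet["s"], i, *context)
    T = (wallet["x"] + R * prf(wallet["t"], i, *context)) % Q
    return (A, R, T)


def identify(coin1, coin2):
    """Two spends of one serial with R1 != R2 give T1 = x + R1*f and T2 = x + R2*f;
    eliminating f leaves x = (R2*T1 - R1*T2) / (R2 - R1) mod Q."""
    A1, R1, T1 = coin1
    A2, R2, T2 = coin2
    if A1 != A2 or R1 == R2:
        return None
    inv = pow((R2 - R1) % Q, Q - 2, Q)          # Fermat inverse, Q is prime
    return ((R2 * T1 - R1 * T2) * inv) % Q


class Bank:
    """DEPOSIT side: remember every serial; a repeat with a fresh R exposes the spender's x."""

    def __init__(self):
        self.ledger = {}                          # A -> (R, T) of the first deposit

    def deposit(self, coin):
        A, R, T = coin
        if A not in self.ledger:
            self.ledger[A] = (R, T)
            return "accepted"
        x = identify((A,) + self.ledger[A], coin)
        return "replayed transcript" if x is None else ("double-spender", x)
```

Two honest spends of different coins, or of the same token index on different days, produce unrelated serials and tags, which is the privacy claim of the slides; only a repeated serial lets the Bank solve the two double-spending equations.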

POP QUIZ 3:

If you double-spend < 4 e-tokens, these e-tokens are linked, but your identity cannot be traced. If you double-spend 4 times, you are identified and your SK is computed.

Hint: use multiple R1, ..., RL

Glitch Protection [CHKLM06]

• WITHDRAW: a 2PC between Alice (SK x, values s,t,u,v,L,z1,z2,z3) and the Bank (sk); Alice obtains σ = σ_pk(x,s,t,u,v,L,z1,z2,z3)
• SPEND $1 for the ith time: new R, r1, r2, r3. Alice gives the Merchant
  A = F_s(i)
  T = L + R·F_t(i)
  Y = F_u(i) + R·F_v(i)
  Z = x + r1z1 + r2z2 + r3z3 + F_u(i)
  NIZKPOK of (i,x,s,t,u,v,L,z1,z2,z3,σ) such that 1. 1 ≤ i ≤ N 2. A = F_s(i), T = L+R·F_t(i), Y = F_u(i)+R·F_v(i) 3. Z = x + r1z1 + r2z2 + r3z3 + F_u(i) 4. VerifySig(pk,(x,s,t,u,v,L,z1,z2,z3),σ)

Suppose Alice spends N+4 coins => repeating A = F_s(i) for some i (possibly for i1, i2, i3, i4) => L pops out of a repeating A using T, T’, R, R’ => link them together! => F_u(i) pops out of a repeating A using Y, Y’, R, R’ => each overspending gives x + r1z1 + r2z2 + r3z3 = Z - F_u(i)

Roadmap for This Talk

• Building blocks

• Main idea of off-line ecash [CFN89 + CL02]

• Main idea of compact ecash [CHL05]

• Extensions [CHL06,CHKLM06]

• Technical details: how to instantiate generalized ecash

Compact Ecash with CL Sigs

• WITHDRAW: a 2PC between Alice (SK x, seeds s,t) and the Bank (sk); Alice obtains σ = σ_pk(x,s,t), a CL signature
• SPEND: new R < Q. Alice gives the Merchant
  A = F_s(i), T = x+R·F_t(i) mod Q
  C_i, C_x, C_s, C_t: commitments to i,x,s,t
  ZKPOK of (i,x,s,t,σ) such that 0. They correspond to C_i,C_x,C_s,C_t 1. 1 ≤ i ≤ N 2. A = F_s(i) 3. T = x+R·F_t(i) 4. VerifySig(pk,(x,s,t),σ) = TRUE (CL)
  Labels on the slide: “Standard techniques”, “[DY05]: F_s(i) = g^{1/(s+i+1)}”, and “??????” next to the double-spending equation T = x+R·F_t(i) mod Q (the next slide replaces this T).

• Pedersen and Fujisaki-Okamoto commitments:
  – If G is a group with generators g1,g2,…,gn,h, commit to x1,x2,…,xn: C = g1^x1 g2^x2 … gn^xn h^r for random r < |G|
  – [Brands99,Camenisch98]: ZKPOKs of committed values with algebraic and Boolean props
• CL sigs [CL01,L02,CL02,CL04,...,CL50]:
  – Efficient, provably secure sig (Strong RSA [CL02], LRSW or SDHI [CL04])
  – Efficient protocol for getting a sig on a set of Ped- & FO-committed values (x1,x2,...,xn)
  – Efficient protocol for proving knowledge of a sig on a set of committed values

Compact Ecash with CL Sigs

• WITHDRAW: as before; Alice obtains the CL signature σ = σ_pk(x,s,t) on her SK x and seeds s,t
• SPEND: Alice gives the Merchant
  A = F_s(i), T = g^x (F_t(i))^R
  C_i, C_x, C_s, C_t: commitments to i,x,s,t
  ZKPOK of (i,x,s,t,σ) such that 0. They correspond to C_i,C_x,C_s,C_t 1. 1 ≤ i ≤ N 2. A = F_s(i) 3. T = g^x (F_t(i))^R 4. VerifySig(pk,(x,s,t),σ) = TRUE (CL)
  [DY05]: F_s(i) = g^{1/(s+i+1)}; the rest: standard techniques

Suppose the i’th coin is spent twice. Same coin => same A. Spent twice: two random R’s; with high prob, R1 ≠ R2
T1 = g^x (F_t(i))^R1, T2 = g^x (F_t(i))^R2
solve for F_t(i) = (T1/T2)^{1/(R1-R2)}
solve for g^x = T1/(F_t(i))^R1
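The [DY05] PRF and the multiplicative double-spending equation of the last slide, as an added Python example (not the tutorial's code). The group is a constructed toy Schnorr group with p = 2039 and q = 1019, so the numbers are legible but offer no security; recovering F_t(i) and then g^x from two spends of the same coin follows the two “solve for” lines above, with the exponent 1/(R1-R2) taken modulo the group order q. That the Bank recovers g^x rather than x, and matches it to Alice through the PKI assumed in the SETUP, is this example's reading of the slide.

```python
# Toy prime-order group for the example (constructed, far too small to be secure):
# p = 2q + 1 with q = 1019 prime; 4 = 2^2 is a square, so it generates the order-q subgroup.
P, Q, G = 2039, 1019, 4


def dy_prf(seed, i):
    """[DY05] PRF F_s(i) = g^{1/(s+i+1)}; the inverse is taken modulo the group order q.
    (With s random mod q and small i, s+i+1 = 0 mod q essentially never happens;
    pow() would raise ValueError if it did.)"""
    return pow(G, pow((seed + i + 1) % Q, -1, Q), P)


def spend_tag(x, t, i, R):
    """Double-spending tag of the second slide: T = g^x * (F_t(i))^R, a group element."""
    return (pow(G, x, P) * pow(dy_prf(t, i), R, P)) % P


def recover(T1, R1, T2, R2):
    """Two tags for the same coin with R1 != R2 (mod q):
    F_t(i) = (T1/T2)^{1/(R1-R2)}, then g^x = T1 / F_t(i)^{R1}.
    Returns (F_t(i), g^x); identifying Alice from g^x is left to the PKI."""
    if R1 % Q == R2 % Q:
        return None
    ratio = (T1 * pow(T2, -1, P)) % P                      # f^(R1-R2)
    f = pow(ratio, pow((R1 - R2) % Q, -1, Q), P)           # undo the exponent mod q
    gx = (T1 * pow(pow(f, R1, P), -1, P)) % P              # strip f^R1 from T1
    return f, gx
```

The inversion of R1-R2 happens in the exponent group Z_q, not in Z_p: that is why the scheme needs a prime-order group and why the exponent on the slide is written 1/(R1-R2).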

First Signature Scheme

• (Sig scheme for messages of length ℓ(m), security parameter k)
• Key generation: n = pq = (2p’+1)(2q’+1) of length ℓ(n); a, b, c ∈ QR_n
• Signing m: e ∈ PRIMES_{ℓ(m)+2}, s ∈ {0,1}^{ℓ(n)+ℓ(m)+k}; solve for v such that v^e = a^m b^s c mod n
• Verification of {m, σ = (s,e,v)}: check that v^e = a^m b^s c mod n; check the lengths of m,s,e

Provable Security

• Under the Strong RSA assumption
  – hard, on input an RSA modulus n and a value u, to compute (v,e) such that e > 1 and v^e = u (mod n)
• I will skip the proof of security

And Now the Two Protocols

• Signature on a committed value

• ZK proof of knowledge of a signature

But First: Some Known Tools

• Commitment scheme [Ped92,FO97]:
  – PK: N = (2P’+1)(2Q’+1), g, h ∈ QR_N
  – Commit(x,r) = g^x h^r mod N
• ZK proof of knowledge of representations [S91]
  – protocol between a “prover” P and a “verifier” V
  – common input is some value C in some group where the discrete logarithm problem is hard, and some generators g1, g2, ..., g15
  – P knows how to represent C in terms of g1, g2, ..., g15: C = g1^x1 g2^x2 ... g15^x15
  – P can convince V that he knows x1, x2, ..., x15 s.t. V learns nothing about them
  – but with access to P’s algorithm, one can extract the representation.
• ZK proofs of equality of representations & other relations [S91,Brands99,CM99]
• ZK proof that a committed number lies in an integer interval [B00].
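Those two tools, the commitment plus the proof of knowledge of a representation, as an added Python example (not from the tutorial). It departs from the slide in one respect, stated here as an assumption: the group is a prime-order Schnorr subgroup generated at runtime rather than the QR_N group of [Ped92,FO97], and the proof is made non-interactive with a Fiat-Shamir hash. With several commitments the same code becomes the [S91,CM99] proof of equality of committed values, the relation the credential slides later use to tie a pseudonym P’ to the same x as P.

```python
import hashlib
import random
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin, enough to build an example group."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(bits=128):
    """Safe prime p = 2q+1 and two generators g, h of the order-q subgroup, log_g(h) unknown."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    g = pow(2 + secrets.randbelow(p - 4), 2, p)   # any square other than 1 generates the subgroup
    h = pow(2 + secrets.randbelow(p - 4), 2, p)
    return {"p": p, "q": q, "g": g, "h": h}


def commit(G, x, r):
    """Pedersen commitment Commit(x, r) = g^x h^r mod p."""
    return (pow(G["g"], x, G["p"]) * pow(G["h"], r, G["p"])) % G["p"]


def challenge(G, *vals):
    """Fiat-Shamir challenge: hash of the statement and the prover's first message."""
    data = b"|".join(str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % G["q"]


def prove_same_value(G, commitments, x, randomizers):
    """ZKPOK of (x, r_1, ..., r_k) with C_j = g^x h^{r_j}. One commitment is the plain proof of
    knowledge of a representation; several share one response z_x, and that shared response is
    what proves every C_j commits to the same x."""
    q = G["q"]
    kx = secrets.randbelow(q)
    krs = [secrets.randbelow(q) for _ in randomizers]
    ts = [commit(G, kx, kr) for kr in krs]
    c = challenge(G, G["g"], G["h"], *commitments, *ts)
    zx = (kx + c * x) % q
    zrs = [(kr + c * r) % q for kr, r in zip(krs, randomizers)]
    return {"t": ts, "zx": zx, "zr": zrs}


def verify_same_value(G, commitments, proof):
    """Check g^{z_x} h^{z_{r_j}} == t_j * C_j^c for every j."""
    p, q = G["p"], G["q"]
    if not (len(commitments) == len(proof["t"]) == len(proof["zr"]) > 0):
        return False
    if not all(0 <= z < q for z in [proof["zx"]] + proof["zr"]):
        return False
    c = challenge(G, G["g"], G["h"], *commitments, *proof["t"])
    return all(commit(G, proof["zx"], zr) == (t * pow(C, c, p)) % p
               for C, t, zr in zip(commitments, proof["t"], proof["zr"]))
```

Two commitments to the same x under different randomness are unrelated group elements (hiding), yet a single proof convinces the verifier that they open to the same value without revealing it; a proof produced for one pair of commitments does not verify against another.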

Signature on a Committed Value

(Alice holds m; the Signer holds PK and SK. Alice sends C_m together with a proof of knowledge; the Signer returns (t,e,v).)

1. Alice: Commit to m: C_m = a^m b^r mod n
2. Alice: Prove knowledge of rep of C_m and correct lengths
3. Signer: Pick random t, e. Solve for v in v^e = C_m b^t c mod n. Send (t,e,v)
4. Alice: Output s = r+t, e, v

Proof of Knowledge of a Signature

• Imagine that you are the PROVER!
  – Have m, σ = (v,e,s), s.t. v^e = a^m b^s c
  – For a random r, let u = v b^r.
  – Note that u^e = a^m b^{s+re} c
    • so (u,e,s+re) is also a sig on m
  – Then c = u^e a^{-m} b^{-s-re}
  – Give u to the verifier and prove knowledge of representation of c in bases u,a,b; prove that these discrete logs are of the right length
• (this version of this protocol due to [CG04])
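The scheme of the previous slides at toy scale, as an added Python example that is not the tutorial's code: key generation, signing, verification, the signature-on-a-committed-value protocol, and the randomization u = v b^r with which the proof of knowledge begins. The parameters (p’ = 1019, q’ = 1013, an 8-bit message space) are constructed for the example and offer no security; Alice's proof of knowledge in step 2 and the final ZK proof of the representation of c are not implemented, only the algebra they rest on is checked. The same sign_committed flow is the “Obtain cred” 2PC of the later anonymous-credential slides, with the committed value being the user's secret x.

```python
import math
import secrets

# Toy parameters for the "First Signature Scheme" (constructed, far too small to be secure):
# n = pq with p = 2p'+1 and q = 2q'+1, all four prime, as on the slide.
P_PRIME, Q_PRIME = 1019, 1013                      # p', q'
P, Q = 2 * P_PRIME + 1, 2 * Q_PRIME + 1            # p = 2039, q = 2027
N = P * Q                                          # l(n) = 22 bits
PHI = (P - 1) * (Q - 1)                            # signer-only: needed to take e-th roots
L_M, K = 8, 16                                     # message length l(m), security parameter k
L_E = L_M + 2                                      # e is a prime of exactly l(m)+2 bits
L_S = N.bit_length() + L_M + K                     # s has l(n)+l(m)+k bits


def is_small_prime(x):
    return x >= 2 and all(x % d for d in range(2, int(x ** 0.5) + 1))


def random_prime(bits):
    while True:
        e = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_small_prime(e):
            return e


def quadratic_residue():
    """A random element of QR_n that is coprime to n and not 1."""
    while True:
        x = 2 + secrets.randbelow(N - 3)
        if math.gcd(x, N) == 1 and pow(x, 2, N) != 1:
            return pow(x, 2, N)


def keygen():
    pk = {"n": N, "a": quadratic_residue(), "b": quadratic_residue(), "c": quadratic_residue()}
    return pk, {"phi": PHI}


def signer_prime(sk):
    """Fresh l(m)+2-bit prime e; at toy scale e could divide phi(n), so retry if it does."""
    while True:
        e = random_prime(L_E)
        if math.gcd(e, sk["phi"]) == 1:
            return e


def eth_root(y, e, sk):
    """v with v^e = y mod n; only possible with phi(n)."""
    return pow(y, pow(e, -1, sk["phi"]), N)


def sign(pk, sk, m):
    """Sign m: pick e, s; solve v^e = a^m b^s c mod n."""
    e, s = signer_prime(sk), secrets.randbits(L_S)
    v = eth_root((pow(pk["a"], m, N) * pow(pk["b"], s, N) * pk["c"]) % N, e, sk)
    return (s, e, v)


def verify_equation(pk, m, sig):
    s, e, v = sig
    n, a, b, c = pk["n"], pk["a"], pk["b"], pk["c"]
    return pow(v, e, n) == (pow(a, m, n) * pow(b, s, n) * c) % n


def verify(pk, m, sig):
    """Verification: the equation plus the length checks on m, s, e."""
    s, e, v = sig
    lengths_ok = 0 <= m < (1 << L_M) and e.bit_length() == L_E and 0 <= s < (1 << L_S)
    return lengths_ok and verify_equation(pk, m, sig)


# --- Signature on a committed value: Alice hides m from the Signer ---
def commit_message(pk, m):
    """Alice, step 1: C_m = a^m b^r mod n. (Step 2, her proof of knowledge of the
    representation and of the lengths, is not implemented in this example.)"""
    r = secrets.randbits(L_S - 1)
    return (pow(pk["a"], m, N) * pow(pk["b"], r, N)) % N, r


def sign_committed(pk, sk, c_m):
    """Signer, step 3: never sees m; picks t, e and solves v^e = C_m b^t c mod n."""
    t, e = secrets.randbits(L_S - 1), signer_prime(sk)
    v = eth_root((c_m * pow(pk["b"], t, N) * pk["c"]) % N, e, sk)
    return t, e, v


def complete_signature(r, t, e, v):
    """Alice, step 4: s = r + t turns (t, e, v) into an ordinary signature (s, e, v) on m."""
    return (r + t, e, v)


# --- First move of the proof of knowledge of a signature ---
def randomize(pk, sig):
    """u = v b^{r'}: (u, e, s + r'e) is again a signature on the same m, so u can be shown
    to the verifier without revealing v."""
    s, e, v = sig
    r = secrets.randbits(L_S)
    return (s + r * e, e, (v * pow(pk["b"], r, N)) % N)


def c_from_randomized(pk, m, rsig):
    """The relation the prover then proves in ZK: c = u^e a^{-m} b^{-(s+r'e)} mod n, i.e.
    knowledge of a representation of c in the bases u, a, b (the ZK proof itself is not here)."""
    s2, e, u = rsig
    n, a, b = pk["n"], pk["a"], pk["b"]
    return (pow(u, e, n) * pow(pow(a, -1, n), m, n) * pow(pow(b, -1, n), s2, n)) % n
```

Note that the randomized triple satisfies the verification equation but not the length bound on s; on the slides that gap is closed by the proof that the discrete logs are "of the right length", which allows the slack r’e introduces.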

Signature for Blocks of Messages

• Wish to sign a block of messages, (m1,...,mL)
  – normally just use a hash function: M = H(m1,...,mL), then sign M
  – not in this case: want efficient protocols
• Variant of the other scheme:
  – Public key: n of length ℓ(n) same as before; a1, ..., aL, b, c ∈ QR_n
  – Signing (m1,...,mL): random e and s as before; solve for v such that v^e = a1^m1 ... aL^mL b^s c mod n
  – Verification of {m1,...,mL, σ = (s,e,v)}: check v^e and lengths, as before
• Security follows from first scheme

Signature on a Committed Block

(Same flow as for a single message: Alice sends C_m together with a proof of knowledge; the Signer returns (t,e,v).)

1. Alice: Commit to m1,...,mL: C_m = a1^m1 ... aL^mL b^r mod n
2. Alice: Prove knowledge of rep of C_m and correct lengths
3. Signer: Pick random t, e. Solve for v in v^e = C_m b^t c mod n. Send (t,e,v)
4. Alice: Output s = r+t, e, v

Proof of Knowledge of a Signature

• Imagine that you are the PROVER!
  – Have m1,...,mL, σ = (v,e,s), s.t. v^e = a1^m1 ... aL^mL b^s c
  – For a random r, let u = v b^r.
  – Note that u^e = a1^m1 ... aL^mL b^{s+re} c
  – so (u,e,s+re) is also a sig on m1,...,mL
  – Then c = u^e a1^{-m1} ... aL^{-mL} b^{-s-re}
  – Give u to the verifier and prove knowledge of representation of c in bases u,a1,...,aL,b; prove that these discrete logs are of the right length

Anonymous Credentials

• SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Commit(user’s real SK x). (Public values: P, pk.)
• Obtain cred: a 2PC between the user (input: the opening of P) and the Issuer (input: sk); the user obtains σ = σ_pk(x)
• Anonymously prove possession of credential: ZKPOK of (x,σ) such that VerifySig(pk,x,σ) = TRUE

Anonymous Credentials

• SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Commit(user’s real SK x). (Public values: P, pk.)
• Obtain cred: a 2PC between the user (input: the opening of P) and the Issuer (input: sk); the user obtains σ = σ_pk(x)
• Anonymously prove possession of credential for pseudonym P’ (not the same as pseudonym P): ZKPOK of (x,R,σ) such that 1. VerifySig(pk,x,σ) = TRUE 2. P’ = Commit(x;R)

Anonymous Credentials w. Identity Escrow

• SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Encrypt_CA(user’s real SK x). (Public values: P, pk.)
• Obtain cred: a 2PC between the user (input: the opening of P) and the Issuer (input: sk); the user obtains σ = σ_pk(x)
• Anonymously prove possession of credential for pseudonym P’ (not the same as pseudonym P): ZKPOK of (x,R,σ) such that 1. VerifySig(pk,x,σ) = TRUE 2. P’ = Commit(x;R)

Anonymous Ecash Credentials

• SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Commit(user’s real SK x). (Public values: P, pk.)
• Obtain cred: same as ecash, as a 2PC between the user (input: the opening of P) and the Issuer (input: sk)
• Spend under pseudonym P’ (not the same as pseudonym P): same as ecash, but the user must also prove that the secret x inside the pseudonym is the one that was signed

Anonymous Credentials with Attributes

• SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Commit(user’s real SK x, attr A1,...,An). (Public values: P, pk.)
• Obtain cred: a 2PC between the user (input: the opening of P) and the Issuer (input: sk); the user obtains σ = σ_pk(x,A1,...,An)
• Anonymously prove possession of credential for pseudonym P’ (not the same as pseudonym P): ZKPOK of (x,A1,...,An,R,σ) such that 1. VerifySig(pk,(x,A1,...,An),σ) = TRUE 2. P’ = Commit(x;R) 3. Attributes satisfy desired relation

Anonymous Credentials “Light” [BL12]

• SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Commit(user’s real SK x). (Public values: P, pk.)
• Obtain cred: a 2PC between the user (input: the opening of P) and the Issuer (input: sk); the user obtains P’ = Commit(x;R’), R’, and σ = σ_pk(P’)
• Anonymously prove possession of credential (can only do it once!): Reveal P’ and σ

Anonymous Credentials “Light” [BL12]

• SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Commit(user’s real SK x). (Public values: P, pk.)
• Obtain cred: a 2PC between the user (input: the opening of P) and the Issuer (input: sk); the user obtains P’ = Commit(x;R’), R’, and σ = σ_pk(P’)
• Anonymously prove possession of credential (can only do it once!) under pseudonym P’’ (not the same as P or P’): Reveal P’ and σ, and ZK prove that P’ and P’’ are commitments to the same value
