How to build privacy-preserving cryptographic protocols€¦ · 21/06/2017 · Cryptography to the Aid! Legal side of privacy. Laws and regulations – History Notion of privacy

Jan Camenisch

Principle Researcher TL Cryptography amp PrivacyIBM Research ndash Zurich

JanCamenischibmbizjancamenisch

How to build privacy-preserving cryptographic protocols

33 of cyber crimes including identity theft take less time than to make a cup of tea

10 Years ago your identity information on the black market was worth $150 Todayhellip

$15000000000 cost of identity theft worldwide (2015)

Attackers hide easily in the vast of cyberspace

Houston we have a problem

The problem is thishellip

The Problem is This Computers Never Forget

Data is stored by default Data mining gets ever better Apps built to use amp generate (too much) data New (ways of) businesses using personal data

Humans forget most things too quickly Paper collects dust in drawers But thatrsquos how we design and build applications

Learnings from Snowden ndash Take Aways

NSA collects massive amounts of data

Not by breaking encryption schemes But by openness amp insecurity of systems infiltration

However Snowden had limited access to docs (no crypt-analysis reports)

Many things doable by ordinary hackers or somewhat sophisticated crooks

CA compromise Stealing data at rest Extortion system manipulations

Some things of course require large budget and organization

FPGA ASICS Deliberate weakening of infrastructure (eg PRG standards) ndash btw a very bad idea

Wheres all my data

The ways of data are hard to understand

Devices operating systems amp apps are getting more complex and intertwined

Mashups Ad networks Machines virtual and realtime configured Not visible to users and experts Data processing changes constantly

rarr No control over data and far too easy to loose them

IoT makes this even worse

So it seems beach hurt is rather put on Venus

We need paradigm shift

build stuff for the moon rather than the sandy beach

Security amp Privacy is not a lost cause

That means Use only minimal data necessary Encrypt every bit ndash and keep it like that Attach usage policies to each bit

Good news Cryptography allows for that

Mix Networks

Priced OT

Private information retrieval

Onion Routing

e-voting

Confirmer signatures

Group signatures

Anonymous CredentialsOT with Access Control

Oblivious Transfer

Blind signatures

Secret Handshakes

Group signatures Pseudonym Systems

Searchable Encryption

Homomorphic Encryption

Cryptography to the Aid

Legal side of privacy

Laws and regulations ndash HistoryNotion of privacy has changes throughout history (Curtains shades etc)

Code of fair information practices (1973)

NoticeAwareness

ChoiceConsent

AccessParticipation

IntegritySecurity

EnforcementRedress

Laws and regulations ndash History

Many laws follow the same principles US Privacy Act 1974

OECD Guidelines 1980

EU data protection directive 1995

General Data Protection Regulation (GDPR) 2018

But Often only own citizens are protected See eg US laws

Laws are always lagging behind technology often difficult to capture

OECD Privacy Principles

Collection LimitationThere should be limits to the collection of personal data and any such data obtained by lawful and fair means and where appropriate with the knowledge or consent of the data subject

Data QualityPersonal data should be relevant to the purposes for which they are to be used and to the extend necessary for those purposes should be accurate complete and kept up-to-date

Purpose SpecificationThe purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes

Use LimitationPersonal data should not be disclosed made available or otherwise used for purposes other than those specified under the preceding purpose specification principle

except with the consent of the data subject or by the authority of law

Security SafeguardsPersonal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access destruction use modification or disclosure

AccountabilityA data controller should be accountable for complying with measures that give effect to the principles stated above

OpennessThere should be a general policy of openness about developments practices and policies with respect to personal data

Individual ParticipationAn individual should have the right

to obtain from a data controller or otherwise confirmation of whether or not the data controller has data relating to him

to have communicated to him data relating to him within a reasonable time at a charge if any that is not excessive in a reasonable manner and Individual Participation in a form that is readily intelligible to him

to be given reasons if a request made under subparagraphs (a) and (b) is denied and to be able to challenge such denial and

to challenge data relating to him and if the challenge is successful to have the data erased rectified completed or amended

Laws Throughout the WorldPrivacy laws amp regulations vary widely throughout the world

European Data Protection Directive

privacy = fundamental human right requires all European Union countries to adopt similar comprehensive privacy laws revision in process (higher fines are foreseen)

US sets on self-regulation some sector-specific laws with relatively minimal protections

Constitutional law governs the rights of individuals wrt the government Tort (Schadenersatz) law governs disputes between private individuals or other private persons Federal Trade Commission (FTC) deals with consumer protection

HIPAA (Health Insurance Portability and Accountability Act 1996) COPPA (Childrenrsquos Online Privacy Protection Act 1998) GLB (Gramm-Leach-Bliley-Act 1999) rarr over 7000 State Legislations amp Enforcement activityClass Actions

Australia Privacy Act 1988 Amendment 2012

Notify users about collection Notice if data are sent overseas stronger access rights

In most countries fines are minimal

More information httpwwwinformationshieldcomintprivacylawshtml

The Worst Data Breaches of 2011535 breaches during 2011 that involve 304 million sensitive records(2013 601 breaches recorded involving 55 million records)

Sony ndash after over a dozen data breaches Sony faces class action lawsuits over its failure to protect over 100 million user records

Epsilon ndash 60 million customer emails addresses Sutter Physicians Services ndash stolen desktop contained 33 million patientsrsquo medical details

including name address phone number email address amp health insurance plan Tricare and SAIC ndash backup tapes were stolen from the car of a Tricare employee led to a

$49 billion lawsuit being filedPrivacy Rights Clearinghouse (PRC) (httpswwwprivacyrightsorgtop-data-breach-list-2011)

And the trend continues -(rarr Importance of strict privacy amp security policies (incl data retention)rarr Avoid ldquobreachesrdquo simply by properly encrypting sensitive data or better using privacy enhancing technologies

copy 2017 IBM CorporationJan Camenisch - CySeP 2017 - Summer School - Stockholm June 20 2017

Back to Rocket SciencePrivacy amp Security by design

Privacy by design

Communication layer TOR JAP etc

Authentication layer privacy-preserving attribute-based credentials

Application layer eVoting ePolls all apps should be done as ldquoprivacy by designrdquo

Authentication without identification

An example of ldquorocket sciencerdquo

Alice wants to watch a movie at Mplex

Movie Streaming Service

I wish to see Alice in Wonderland

I need proof of- subscription- be older than 12

Watching the movie with the traditional solution

ok heres - my eID - my subscription

Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018

Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016

This is a privacy and security problem - identity theft - profiling - discrimination

With OpenID and similar solution eg log-in with Facebook

Aha Alice is watching a 12+ movie

With OpenID and similar solution eg log-in with Facebook Aha you are

- Alicefacebookcom- born on Dec 12 1975- Alices friends are - Alices public profile is Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016

Authentication ndash Online Solution eg SAML WS-Federation OpenID Facebook Connect

1 access request

2 over 18

6 over 18

Privacy issuer knows who visits which website at which time(often from own records if not by correlating logs with website)Privacy issuer knows who visits which website at which time(often from own records if not by correlating logs with website)

Security issuance key online 247Security issuance key online 247

Private Credentials (aka Anonymous Credentials aka Privacy-ABCs)

best of both worlds

Privacy unlinkable transactions minimal information disclosure

Security offline issuer

Examples include IBM Identity Mixer and Microsoft U-Prove

With cryptography we can do much better

When Alice authenticates to the Movie StreamingService all the services learns is that Alice

has a subscription and is older than 12

and no more

Like PKI but better

One secret Identity (secret key)

Many Public Pseudonyms (public keys)

Privacy-protecting authentication with IBM Identity Mixer

Like PKI but better

Issuing a credential

Name = Alice DoeBirth date = April 3 1997

Privacy-protecting authentication with Privacy ABCs

Like PKI but does not send credential only minimal disclosure

- valid subscription - eID with age ge 12

Aha you are- older than 12- have a subscription

Movie Streaming ServiceMovie Streaming Service

(Public Verification Key of issuer)

Advantages of Identity Mixer

For Users privacy minimizing disclosure of personal data keeping their identities safe pseudonymousanonymous access

For Service Providers security accountability and compliance avoiding the risk of loosing personal data if it gets stolen compliance with legislation (access control rules personal data protection) strong authentication (cryptographic proofs replace usernamespasswords) user identification if required (under certain circumstances)

The Crypto to Realise This and More

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

Zero-Knowledge Proofs

challenge is to do all this efficiently

Required Technologies

signature scheme

commitment scheme

zero-knowledge proofs

interactive proof between a prover and a verifier about the provers knowledge

properties

zero-knowledge

verifier learns nothing about the provers secret

proof of knowledge (soundness)

prover can convince verifier only if she knows the secret

completeness

if prover knows the secret she can always convince the verifier

CommitmentChallengeResponse

Given group ltggt and element y Є ltggt

Prover wants to convince verifier that she knows x st y = gx

such that verifier only learns y and g

t = gs yc

Proverrandom r t = gr

Verifier

random c

s = r - cx

notation PK(α) y = gα

Zero Knowledge Proofs of Knowledge of Discrete Logarithms

Zero Knowledge Proofs Proof of knowledge if a prover successfully convinces a verifier the secret is extractable

Prover might do protocol computation in any way it wants amp we cannot analyse code

Thought experiment

Assume we have prover as a black box rarr we can reset and rerun prover Need to show how secret can be extracted via protocol interface

t = gs yc = gs yc rarr yc-c = gs-s

rarr y = g(s-s)(c-c)

rarr x = (s-s)(c-c) mod q

srsquocrsquo

Zero Knowledge Proofs Security

Zero-knowledge property

If verifier does not learn anything (except the fact that Alice knows x = log g y )

Idea One can simulate whatever Bob ldquoseesrdquo

Choose random c s compute t = gs yc

if c = c send s = s otherwise restart

Problem if domain of c too large success probability becomes too small

One way to modify protocol to get large domain c

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

h = H(cv) s = r - cx

after having received c ldquorebootrdquo verifier

Choose random scompute t = gs yc

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

From Protocols To SignaturesSigning a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)

s = r - cx mod (q) - output (cs)

Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc

Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo

Signature SPK(α) y = gα (m)

Logical combinations

PK(αβ) y = gα and z = gβ and u = gβhα

PK(αβ) y = gα or z = gβ

Non-interactive (Fiat-Shamir heuristic rarr Schnorr Signatures)

SPK(α) y = gα (m)

Many Exponents

PK(αβγδ) y = gα hβzγkδuβ

Intervals and groups of different order (under SRSA)

PK(α) y = gα and α Є [AB]

Some Example Proofs and Their AnalysisLet g h C1 C2 C3 be group elements

Now what does the following mean

PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3

rarr Prover knows values α1 β1 α2 β2 β3 such that

C1= gα1hβ1 C2= gα2hβ2 and C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3

rarr α3 = a1 + a2 (mod q)

And what about PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3

rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3

rarr a3 = a1 + 5 a2 (mod q)

Some Example Proofs and Their Analysis

And PK(α1β4) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ4

C3 = C2α1hβ4 = (gα2hβ2)α1hβ4 = gα2middotα1hβ4+β2middotα1

C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3

rarr a3 = a1 middot a2 (mod q)

Let g h C1 C2 C3 be group elements

Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean

rarr Prover knows values α β1 β2 such that

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

rarr g1α1 = C2 g-α1h-β1 hβ2α1

C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Signature Scheme Functionality

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

ver(σ(m1 mk) ) = true

(m1 mk)

Signature Scheme Security

Unforgeability under AdaptiveChosen Message Attack

σ and mne mi st ver(σ m ) = true

RSA Signature Scheme ndash for reference

Rivest Shamir and Adlemann 1978

Secret Key two random primes p and q Public Key n = pq prime e and collision-free hash function H 01 -gt 01ℓ

Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)

s = H(m) d mod n

Verification of signature s on a message m Є 01 se = H(m) (mod n)

Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)

Verification signature on a message m Є 01

se = H(m) (mod n)

Wanna do proof of knowledge of signature on a message eg

PK (ms) se = H(m) (mod n)

But this is not a valid proof expression -(

Public key of signer RSA modulus n and ai b d Є QRn Secret key factors of n

To sign k a m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1 d = ce a1

m1 akmk bs mod n

Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption

CL-Signature Scheme

Recall d = ce a1m1a2m2 bs mod n

Observe Let c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie

(ce s = s-et) is also signature on m1 and m2

To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1

rarr proves d = cε a1micro1 a2m2b σ

Proving Knowledge of a CL-signature

signature scheme

commitment scheme

m 2-36-17 m є mmm

Commitment Scheme Functionality

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

Commitment Scheme Security

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

Hiding for all message m m

mmmmmm

Commitment Schemes

Group G = ltggt = lthgt of order q

To commit to element x Є Zq

Pedersen perfectly hiding computationally binding

choose r Є Zq and compute c = gxhr

ElGamal computationally hiding perfectly binding

choose r Є Zq and compute c = (gxhr gr)

To open commitment reveal x and r to verifier verifier checks if c = gxhr

Pedersens Scheme Choose r Є Zq and compute c = gxhr

Perfectly hiding

Let c be a commitment and u= logg h

Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)

= gx+urhr-r for any r Ie given c and x there always exist r such that c = gxhr

Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr

Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q

Pedersens Commitment Scheme

Proof m

Proof m = 2 bullm

Proof of Knowledge of Contents

Proof of Relations among Contents

Commitment Scheme Extended Features

Proof m

Proof m = 2 bullm

Let C1 = gmhr and C = gmhr then

PK(αβ) C = gβhα

PK(αβγ) C = gβhα ⋀ C = (g2)βhγ

Protocol building frameworks

Discrete log-based

CL-signatures (RSAECC) Schnorr proofs Pedersen Commitment CS-Verifiable Encryption

Structure preserving primitives tailored to Groth-Sahai proofs

Quantum Safe Latticed-based crypto not quite there yet

hellip Havenrsquot talked about modeling and proving security at all

UC-framework

Constructive Crypto

putting things together

Realizing Pseudonyms and Key Binding

Let G = ltggt = lthgt of order q

Users secret key random sk isin Zq

To compute a pseudonym Nym Choose random r isin Zq

Compute Nym = gskhr

Like PKI but better

Concept credentials

Realizing Issuance of Credential

Recall a signature (ces) on messages m1 mk

m1 mk Є 01ℓ e gt 2ℓ+1

d = ce a1m1 ak

mk bs mod n

Problem Pseudonym not in message space

Solution Sign secret key instead

rarr d = ce a1sk a2

m2 akmk bs mod n

New Problem how can we sign a secret message

( mj+1 mk)

σver(σ(m1 mk) ) = true

σ = sig((( mj+1 mk) ) Verification remains unchangedSecurity requirements basically the same as for signatures but

signer should not learn any information about m1 mj Forgery wrt message clear parts and opening of commitments

Signature Scheme Signing Hidden Messages

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

c = (dC a2name bsrdquo)1e mod nPK(micro1 σ

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

name bsrdquo + s (mod n)

C = a1sk bs

(cesrdquo) c = (dC a2

name bsrdquo)1e mod n

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

n ai b dWant to sign wrt Nym = gskhr

PK(micro1 ρσ )

Nym = gmicro1 hρ ⋀ C = a 1

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

Want to sign wrt Nym = gskhr

c = (dC a3name bsrdquo)1e mod n

stores Nym name

d = ce a1ska2

ra3name bsrdquo + s (mod n)

An Example Scenario

Polling Scenario and Requirements

Scenario Pollster(s) and a number of users Only registered user (eg students who took a course) can

voice opinion (eg course evaluation) User can voice opinion only once (subsequent attempts are

dropped) Users want to be anonymous A users opinion in different polls must not be linkable

Polling ndash Solution Registration

User generates pseudonym (ID for registration) User obtains credential on pseudonym stating that she is eligible for polls ie

d = ce a1ska2

r a3attr bs (mod n)

Credential can contain attributes (eg course ID) about her

(na1a2bd)

Polling ndash Solution Submit Poll

1 User generates domain pseudonym domain = pollID

2 User transforms credential

3 Transformed credential with a subset of the attributes User is anonymous and unlinkable Multiple opinions are detected because uniqueness of domain

pseudonym

Polling ndash Solution Polling

1 Domain pseudonym P = gdsk = H(pollID)sk

P1 = H(pollID1)sk and P2 = H(pollID2)sk are unlinakble

(under the Decisional Diffie-Hellman assumption amp random oracles)

2 User transforms credential c = c bsmod n with randomly chosen s

SPK(ε micro1 micro2 micro3σ) P = gdmicro1 ⋀ d = cε a1micro1 a2micro2a3micro3b σ (mod n)

⋀ micro1 micro2 micro3 Є 01ℓ ⋀ ε gt 2ℓ+1 (opinion)

There is moreHeres just a few examples

Inspector parameters

Inspection grounds

If car is broken ID with insurance needs be retrieved Can verifiably encrypt any certified attribute (optional) TTP is off-line amp can be distributed to lessen trust

Inspection

If Alice was speeding license needs to be revoked

There are many different use cases and many solutions Variants of CRL work (using crypto to maintain anonymity)

Accumulators Signing entries amp Proof

Limited validity ndash certs need to be updated For proving age a revoked drivers license still works

Revocation authority parameters

Revocation info

Revocation

World of Warcraft

Limits of anonymity possible (optional) If Alice and Eve are on-line together they are caught Use Limitation ndash anonymous until

If Alice used certs gt 100 times total or gt 10000 times with Bob

Alices cert can be bound to hardware token (eg TPM)

Concept Key-Binding amp Usage Control

Some Use Cases

Age verification

Movie streaming services Gaming industry Online gambling platforms Dating websites Social benefits for youngold people

Proving 12+ 18+ 21+ without disclosing the exact date of birth ndash privacy and compliance with age-related legislation

Use Case Anonymous Authentication

Use certificate anonymously

Server shall be unable to tell whether or not it is the same user

DNA Database

Simple case DB learns not who accesses DBBetter Oblivious Access to Database (OT with AC)

Server must not learn who accesses which record Still Alice can access only records she is authorized for

Use Case Anonymous Access to a Database

Subscriptions membership

Patent databases DNA databases NewsJournalsMagazines Transportation tickets toll roads Loyalty programs

Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)

Use case Direct Anonymous Attestation

Attestation of computer state by TPM (root of trust)

TPM measures boot sequence

TPM attest boot sequence to third party

Attestation based on cryptographic keys

Privacy needs to be protected rarr Different transaction must not be linkable

rarr Requires strong authentication of TPM but such that privacy of users and data be protected

Irsquom TPM123 and host runs software xyz

Direct Anonymous Attestation (Brickell Camenisch Chen - 2003)

Issuer

Verifier

Privacy Shield

Two crucial differences

1 One secret key - several public keys

2 Randomizable credentials original credential into new credentials that ldquolooks likerdquo a fresh credential

rarr different randomize credentials cannot be linked (anonymity)

rarr still credentials are unforgeable

Some context on DAA

RSA-based scheme standardized by TCG in 2004 later also in ISO

Replaced by ECC-based scheme in 2015 (both TCG and ISO)

DAA algorithm is split in TPM and host part ECC-based scheme only defined for TPM

New scheme supports multiple ECC-based DAA protocols (q-SDH LRSW based etc)

Scheme is really efficient TPM computes single exponentiation only

FIDO authenticator based on TPM DAA specified

PK(x) y = gx

How the TPM and the Host Sign Jointly (simplyfied)

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

TPM spec not speced (was TSS spec)

Healthcare Use CaseAnonymous consultations with specialists

online chat with at physician online consultation with IBM Watson to check eligibility

1 Alice proves she has insurance2 Alice describes symptoms 3 Alice gets credential that she is allowed to get treatment

Alice gets a health insurance credential

Insurance

Health portal

5 Alice sends bill to insurance and proves that she had gottenthe necessary permission for the treatment

4 Alice gets treatment from physician hospital etc

Payment Use Case

Credential = Bank note

Double spending need to be preventeddetected

On-line or Off-line modi possible Money laundering can also be taken care of

merchant

deposits money

withdrawal

payment

Realizing On-Line eCash

eCash scenario amp requirements

Merchant

Deposit

Withdrawal

Requirements Anonymity Withdrawal and Deposit must be unlinkable No Double Spending Coin is bit-strings can be spend twice

Towards a Solution do it like paper money

Sign notes with digital signature scheme Note = (serial number value) Secure because

signature scheme can not be forged bank will accepts some serial number only once rarr on-line e-cash

Not anonymous because (cf paper solution) bit-string of signature is unique serial number is unique

100 100

Towards a Solution rarr on-line ecash

Use (more) cryptography

Hide serial number from bank when issuing eg sign commitment of serial number

Reveal serial number and proof knowledge of signature on commitment to serial number

Anonymous because of commitments scheme and zero-knowledge proof

100100

100 100

Security

Anonymity

Bank does not learn during withdrawal

Bank amp Shop do not learn c e when spending

Unforgeability

User can use serial number only once

Realizing Off-Line eCash

Making e-cash offline ndash basic issue

On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once

Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared

100100

Towards off-line signatures

Not Linkable

Seems like a paradox but crypto is all about solving paradoxical problems -)

Goalndash spending coin once OKndash spending coin twice anonymity is revoked

Not Linkable

Off-line E-cash

Main Idea Include id r in credential ( r hidden from bankissuer) Upon spending

reveal and t = id + r u with u randomly chosen by merchant and prove relation

t wont reveal anything about id However given two (or more) equations (for the same id r)

t1 = id + r u1 t2 = id + r u2 one can solve for id

Off-line E-cash Withdrawal

choose random r s and compute

C = a1a2

C + proof d = ce C a3nym bsrdquo mod n

(cesrdquo+s) st d = ce a1a2

r a3nym bsrdquo + s (mod n)

(cesrdquo)

choose random u

ucompute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)

d a1= cε a2

ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro

t c proof

Off-line E-cash Payment

PK(ε micro ρ σ) d a1= cε a2

1 d = cε a1 a2

ρa3micro b σ (mod n)

=gt (c ε σ) is a signature on ( micro ρ)

2 gt = gρ+umicro =gt t = ρ + u micro mod q ie t was computed correctly

u t proof

Є L If so 1 t = ρ + u micro (mod q)

2 t = ρ + u micro (mod q)

solve for ρ and micro=gt micro = nym because of proof

Off-line E-cash Deposit

Off-line E-cash Security

Unforgeable no more coins than s

otherwise one can forge signatures or proofs are not sound

if coins with same appears with different us =gt reveals nym

Anonymity and r are hidden from signer upon withdrawal t does not reveal anything about nym (is blinded by r) proof proof does not reveal anything

Extensions

K-spendable cash

Multiple serial numbers and randomizers per coin

Use PRF to generate serial number and randomizers from seed in coin

Money laundering preventions

Must not spend more that $10000 dollars with same party

Essentially use additional coin defined per merchant that controls this

Conclusion

Conclusions

Roadmap Explain possibilities to engineers policy makers etc Usable prototypes Public infrastructure for privacy protection

Challenges Internet services get paid with personal data (inverse incentive) End users are not able to handle their data (user interfaces) Security technology typically invisible and hard to sell Solutions seems easier without privacy and security

Towards a secure information society Society changes quickly and gets shaped by technology Consequences are hard to grasp (time will show) We must inform and engage in a dialog

Letrsquos do some rocket science together

For information wwwzurichibmcomidemix idemixdemomybluemixnet

jcazurichibmcom JanCamenisch ibmbizJanCamenisch

Thank youeMail jcazurichibmcomLinks

ndash wwwabc4trusteundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash githubcomp2abcengine amp abc4trusteuidemix

Securing Credit Card Payments

Purchase of $1550

Number 123456789Expiration 082015

Expiration 082015ldquoAllow amazoncom up to $300weekrdquo

clearinghouse

Expiration 082015ldquoTransfer $862 to expediacomrdquo

Purchase of $862

Expiration 082015ldquoTransfer $862 toexpediacomrdquo

The credit card data is never revealed to the merchant only to the credit card provider

Bank issues a classic credit card User registers at a special portal to obtain the Identity Mixer credential User derives a token allowing that store to withdraw the money Users cannot be linked across purchasesshops Stored credit card info useless to hackers

Attestation extended

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Many other different use case any IoT Industry 40 Home Appliances Metering

Attempt at Solving Attestation

Issuer

(TPM or Platform Manufacturer)

Verifier

(Bank eShop Tax authority hellip)

Problem using traditional certificates all transactions of the same platform become linkable -(

Not Rocket Science

Issuer

VerifierTwo crucial differences

Issuer

Verifier

Privacy Shield

Status DAA 2017

Wersquove identified some security issues these got fixed in latest TPM spec

See our paper at IEEE SampP 2017 with full specifications and security proof

PK(x) y = gx

Conclusions

Device authentication more relevant than ever

Data parsimony is key to obtain security

Fancy crypto can realize this today

More public awareness and discussion needed

33 of cyber crimes including identity theft take less time than to make a cup of tea

Wheres all my data

Mix Networks

Priced OT

Onion Routing

e-voting

Group signatures

Oblivious Transfer

Blind signatures

Secret Handshakes

NoticeAwareness

ChoiceConsent

AccessParticipation

IntegritySecurity

EnforcementRedress

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Wheres all my data

Mix Networks

Priced OT

Onion Routing

e-voting

Group signatures

Oblivious Transfer

Blind signatures

Secret Handshakes

NoticeAwareness

ChoiceConsent

AccessParticipation

IntegritySecurity

EnforcementRedress

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Wheres all my data

Mix Networks

Priced OT

Onion Routing

e-voting

Group signatures

Oblivious Transfer

Blind signatures

Secret Handshakes

NoticeAwareness

ChoiceConsent

AccessParticipation

IntegritySecurity

EnforcementRedress

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Wheres all my data

Mix Networks

Priced OT

Onion Routing

e-voting

Group signatures

Oblivious Transfer

Blind signatures

Secret Handshakes

NoticeAwareness

ChoiceConsent

AccessParticipation

IntegritySecurity

EnforcementRedress

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Wheres all my data

Mix Networks

Priced OT

Onion Routing

e-voting

Group signatures

Oblivious Transfer

Blind signatures

Secret Handshakes

NoticeAwareness

ChoiceConsent

AccessParticipation

IntegritySecurity

EnforcementRedress

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Wheres all my data

Mix Networks

Priced OT

Onion Routing

e-voting

Group signatures

Oblivious Transfer

Blind signatures

Secret Handshakes

NoticeAwareness

ChoiceConsent

AccessParticipation

IntegritySecurity

EnforcementRedress

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Wheres all my data

Mix Networks

Priced OT

Onion Routing

e-voting

Group signatures

Oblivious Transfer

Blind signatures

Secret Handshakes

NoticeAwareness

ChoiceConsent

AccessParticipation

IntegritySecurity

EnforcementRedress

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Wheres all my data

Mix Networks

Priced OT

Onion Routing

e-voting

Group signatures

Oblivious Transfer

Blind signatures

Secret Handshakes

NoticeAwareness

ChoiceConsent

AccessParticipation

IntegritySecurity

EnforcementRedress

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Wheres all my data

Mix Networks

Priced OT

Onion Routing

e-voting

Group signatures

Oblivious Transfer

Blind signatures

Secret Handshakes

NoticeAwareness

ChoiceConsent

AccessParticipation

IntegritySecurity

EnforcementRedress

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Mix Networks

Priced OT

Onion Routing

e-voting

Group signatures

Oblivious Transfer

Blind signatures

Secret Handshakes

NoticeAwareness

ChoiceConsent

AccessParticipation

IntegritySecurity

EnforcementRedress

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Mix Networks

Priced OT

Onion Routing

e-voting

Group signatures

Oblivious Transfer

Blind signatures

Secret Handshakes

NoticeAwareness

ChoiceConsent

AccessParticipation

IntegritySecurity

EnforcementRedress

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Mix Networks

Priced OT

Onion Routing

e-voting

Group signatures

Oblivious Transfer

Blind signatures

Secret Handshakes

NoticeAwareness

ChoiceConsent

AccessParticipation

IntegritySecurity

EnforcementRedress

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Mix Networks

Priced OT

Onion Routing

e-voting

Group signatures

Oblivious Transfer

Blind signatures

Secret Handshakes

NoticeAwareness

ChoiceConsent

AccessParticipation

IntegritySecurity

EnforcementRedress

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

NoticeAwareness

ChoiceConsent

AccessParticipation

IntegritySecurity

EnforcementRedress

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

NoticeAwareness

ChoiceConsent

AccessParticipation

IntegritySecurity

EnforcementRedress

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Privacy by design

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

1 access request

2 over 18

6 over 18

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

best of both worlds

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

and no more

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Like PKI but better

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

EncryptionSchemes

SignatureSchemes

CommitmentSchemes

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

signature scheme

commitment scheme

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

properties

zero-knowledge

completeness

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

t = gs yc

Verifier

random c

s = r - cx

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Thought experiment

srsquocrsquo

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

t = gs yc

Prover

random r

t = gr

Verifier

random cv h = H(cv)

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

send s s

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

t = gs yc

Proverrandom r

t = gr

Verifier

random cs = r - cx

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

SPK(α) y = gα (m)

Many Exponents

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

C1= gα1hβ1

g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2

C2 = gα2 hβ2

α2 = α1 + a1-1 (mod q)

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

signature schemes

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Key Generation

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

(m1 mk)

σ = sig((m1 mk) )

Signing

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

σ = sig((m1 mk) )

Verification

(m1 mk)

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

m1 akmk bs mod n

CL-Signature Scheme

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

signature scheme

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

commitment scheme

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

m 2-36-17 m є mmm

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

m 2-36-17

m 3-21-11m є mmm

m є mmm

Binding

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

mmmmmm

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Commitment Schemes

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Perfectly hiding

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Proof m

Proof m = 2 bullm

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Proof m

Proof m = 2 bullm

PK(αβ) C = gβhα

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Discrete log-based

UC-framework

Constructive Crypto

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Compute Nym = gskhr

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Like PKI but better

Concept credentials

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

d = ce a1m1 ak

mk bs mod n

rarr d = ce a1sk a2

m2 akmk bs mod n

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

( mj+1 mk)

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

PK(micro1 σ )

C = a 1micro1 b

C = a1sk bs

C name

n ai b d

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

C = a1sk bs

(cesrdquo)

n ai b d

) C = a 1

micro1 b σ

C name

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

d = ce a1sk a2

C = a1sk bs

n ai b d

PK(micro1 σ )

C = a 1micro1 b

C name

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

PK(micro1 ρσ )

micro1 a 2ρ b

Nym = gskhr

C = a1sk a2

n ai b d

C Nym name

stores Nym name

d = ce a1ska2

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

An Example Scenario

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

d = ce a1ska2

r a3attr bs (mod n)

(na1a2bd)

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

pseudonym

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Inspection grounds

Inspection

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Revocation info

Revocation

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

World of Warcraft

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Some Use Cases

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Age verification

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

DNA Database

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Issuer

Verifier

Privacy Shield

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Some context on DAA

PK(x) y = gx

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

PK (x) y = gx

PK (x r) y = gxhz

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

random r1

t = gr1 t random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

random r1

t = gr1 t

random cc

random r2

t = thr2t

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

random r1

t = gr1 t

random c

s1= r1 - c x

random r2

t = thr2t

s2= r2 - c z

t = ycgs1hs2

PK (x) y = gx

PK (x m) y = gxhz

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Insurance

Health portal

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Payment Use Case

merchant

deposits money

withdrawal

payment

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Merchant

Deposit

Withdrawal

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

100 100

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

100100

100 100

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Security

Anonymity

Unforgeability

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

100100

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Not Linkable

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Off-line E-cash

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

C = a1a2

(cesrdquo)

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

choose random u

d a1= cε a2

t c proof

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

1 d = cε a1 a2

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

u t proof

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Extensions

K-spendable cash

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Conclusion

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Purchase of $1550

clearinghouse

Purchase of $862

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

garage

insurer

road infrastructure

sellermanufacturer

parts provider

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Issuer

Verifier

Not Rocket Science

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Issuer

Verifier

Privacy Shield

Status DAA 2017

PK(x) y = gx

Conclusions

Status DAA 2017

PK(x) y = gx

Conclusions

Documents

How to build privacy-preserving cryptographic protocols€¦ · 21/06/2017 · Cryptography to the Aid! Legal side of privacy. Laws and regulations – History Notion of privacy