Privacy-Preserving Authentication: A Tutorial
Anna Lysyanskaya, Brown University
What is Authentication?
User (to projo.com): Today's news?
projo.com: Who are you? Do you have a subscription?
User: It's Bond. James Bond. [identification] Here's my subscription. [digital signature]
Signature Schemes
• Setup: I run a setup algorithm to obtain my public key PK and secret key SK
• Now I can sign (using SK):
  – Sign(SK, m) → σ (denoted σ_PK(m))
• And you can verify it (using PK):
  – Verify(PK, m, σ) → Yes/No
Signature Schemes
• Security: no adversary can forge a signature even after seeing signatures on messages of his choice.
  The adversary, given PK, asks for σ_PK(m1), σ_PK(m2), ... on messages m1, m2, ... of his choice, and then tries to output a pair (m, σ_PK(m)) for a message m he never asked about. Secure if this is unlikely.
History of Signature Schemes
• 1970s: invention of PK crypto: DH, RSA, Lamport, Merkle
• Definition & first provably secure construction: GMR84
• Random-oracle-based constructions: Fiat-Shamir, Schnorr, GQ, Bellare-Rogaway, ...
• Lattice-based [GGH97], NTRU
• Minimal assumptions: Naor-Yung, Rompel (OWF)
• Stateless and provably secure
  – under SRSA: Gennaro-Halevi-Rabin'99, Cramer-Shoup'99
  – under BDH: Boneh-Boyen [Eurocrypt 2004]
• Other flavors: group sigs, blind sigs [Chaum]
• This talk: signatures that allow you to prove that you have a signed document, efficiently, without revealing (too much) about the contents of the document [..., L02, CL04, CL05, ..., BL12].
Using Signature Schemes
User (to the certification authority, CA): I am James Bond. Please give me a cert that I have a ProJo subscription.
CA: σ = σ_ProJo(James Bond)  [digital signature under PK_ProJo]
User (to projo.com): Today's news?
projo.com: Let me check that you have a valid subscription. Who are you?
User: James Bond. My σ.  [identification + digital signature]

Using Signature Schemes (the user holds a key pair)
Same exchange, but the user is identified by a public key PK_JB rather than by name; at projo.com the user answers "PK_JB. My σ."
That’s how authentication with identification is done.
Why do you want to do it without?
How do you do it without?
Anonymous Access
User (to projo.com): Today's news?
projo.com: Who are you? Do you have a subscription?
User: It's Bond. James Bond. I can tell you, but then I'll have to kill you...

Anonymous Access
User: Today's news?
projo.com: Show me your subscription.
User: Subscription #76590

Anonymous Access
User: Today's news?
projo.com: Prove that you are authorized.
User: Here is a zero-knowledge proof.
Zero-Knowledge Proof [GMR]
Let L be a language.
A zero-knowledge (ZK) proof system for L is a protocol between a prover P (can be computationally unbounded) and a verifier V (poly-time TM) such that:
(Completeness) For an x in L, P convinces V
(Soundness 1-ε) For any x not in L, no malicious P’ can cause V to accept with more than ε probability
(Zero-knowledge - informal) Everything V learns as a result of talking to P, he can learn without talking to P.
Example: The Set of 3-Colorable Graphs
1. Each vertex colored red, green or blue
2. No monochromatic edges
Is every graph 3-colorable? No...
ZK Proof of 3-Colorability [GMW86]
Verifier: You are just trying to trick me! This graph is not 3-colorable!
In one round, the prover commits to a freshly permuted coloring of all vertices, the verifier picks one edge at random, and the prover opens only that edge's two endpoints, which must show different colors. A cheating prover has at least one monochromatic edge among the 11 edges of the graph on the slide, so:
Verifier: If you're cheating, I have a 1 in 11 chance to catch you.
Verifier: I want better odds!
Verifier: If we repeat 100 times and you are lying, I'll surely catch you!
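As an added example (not code from the talk), here is one round of the commit-and-open protocol described above, written in Python with a SHA-256 hash commitment standing in for the commitment scheme; the graph, both colorings and all function names are constructed for the example.

```python
import hashlib
import os
import random

# Constructed 7-vertex graph with 11 edges, matching the "1 in 11" odds above.
EDGES = [(0, 1), (0, 2), (1, 2), (1, 3), (2, 3), (2, 4),
         (3, 4), (3, 5), (4, 5), (4, 6), (5, 6)]
GOOD_COLORING = [0, 1, 2, 0, 1, 2, 0]   # valid 3-coloring: no monochromatic edge
BAD_COLORING = [0, 1, 2, 0, 1, 2, 2]    # cheater: edge (5, 6) is monochromatic


def commit(color: int, nonce: bytes) -> bytes:
    """Hash commitment to one vertex colour (assumption: SHA-256 stands in for a real scheme)."""
    return hashlib.sha256(bytes([color]) + nonce).digest()


def prover_commit(coloring, rng):
    """Prover: apply a fresh random permutation of the 3 colours, then commit to
    every vertex. Returns the public commitments and the private openings."""
    perm = [0, 1, 2]
    rng.shuffle(perm)
    openings = [(perm[c], os.urandom(16)) for c in coloring]
    return [commit(c, nonce) for c, nonce in openings], openings


def verifier_challenge(rng) -> int:
    """Verifier: pick one edge uniformly at random."""
    return rng.randrange(len(EDGES))


def prover_open(openings, edge_index):
    """Prover: reveal only the two endpoints of the challenged edge."""
    u, v = EDGES[edge_index]
    return openings[u], openings[v]


def verifier_check(commitments, edge_index, open_u, open_v) -> bool:
    """Verifier: openings must match the commitments and show two different colours."""
    u, v = EDGES[edge_index]
    (cu, nu), (cv, nv) = open_u, open_v
    if commit(cu, nu) != commitments[u] or commit(cv, nv) != commitments[v]:
        return False
    return cu in (0, 1, 2) and cv in (0, 1, 2) and cu != cv


def one_round(coloring, rng) -> bool:
    commitments, openings = prover_commit(coloring, rng)
    e = verifier_challenge(rng)   # in a real run this is the verifier's own randomness
    open_u, open_v = prover_open(openings, e)
    return verifier_check(commitments, e, open_u, open_v)


def run_proof(coloring, rounds: int, seed: int = 0) -> bool:
    """Repeat the round; the verifier accepts only if every round passes."""
    rng = random.Random(seed)
    return all(one_round(coloring, rng) for _ in range(rounds))


def catch_rate(coloring, trials: int = 1100, seed: int = 1) -> float:
    """Empirical probability that a single round catches the prover."""
    rng = random.Random(seed)
    return sum(not one_round(coloring, rng) for _ in range(trials)) / trials
```

With the honest coloring every round passes; with the cheating coloring a single round is caught about 1 time in 11, and 100 or more rounds catch it essentially always.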
Zero-Knowledge: A Crash Course
Theorem [GMW87]: every L in NP has a zero-knowledge proof system.
Proof. Reduce the language at hand to graph 3-colorability (recall that 3-col is NP-complete). Use:
Lemma: 3-colorability has a zero-knowledge proof system.

Zero-Knowledge: A Crash Course
Theorem [GMW]: every language in NP has a zero-knowledge proof system.
Theorem [FLS]: every language in NP has a non-interactive ZK proof system (NIZK).
ZK POK: a ZK proof of knowledge, i.e. V accepts if the prover knows a value that satisfies an NP relation, e.g. a valid 3-coloring of a graph.
Accessing a Resource
User (PK_JS, to the online library): I need access to SIAM J on Computing, 17:2
Online library: Prove to me that you have a valid subscription!
User: Sure! Here's a zero-knowledge proof: ...
Using Credentials Anonymously
User (PK_JS, to the certification authority, CA): I am PK_JS. Please give me a cert that I go to High School (in the second version of the slide: Moses Brown School).
CA (key PK_CA): σ_CA = σ_CA(PK_JS, High School)
User (to the online library): I need access to SIAM J on Computing, 17:2
Online library: Prove to me that you have a valid subscription!
User: Zero-knowledge proof that I know SK, PK and σ such that: (1) PK corresponds to SK; (2) Verify(PK_CA, (PK, High School), σ).
We already know that we can do it! Just reduce the problem at hand to graph 3-col, and run a ZK proof!
Would be nice to do that more efficiently.
Obtaining Credentials Anonymously
User (PK_JS, to the online library): I need access to SIAM J on Computing, 17:2
Online library: Prove to me that you have a valid subscription!
User: Zero-knowledge proof that I know SK, PK and σ such that: (1) PK corresponds to SK; (2) Verify(PK_CA, (PK, High School), σ).
Online library: You are such a good customer, I want to also give you a credential!
Anonymous credential = signature issued to a hidden value PK/SK: the library never sees the value it is signing.
Secure 2PC: A Crash Course
Theorem [Yao]: every function f(x,y) can be computed via a protocol between Alice holding input x, and Bob holding input y such that (informally):
(1) Alice receives output f(x,y) (even if Bob deviates from the protocol, she receives f(x,y) for some well-defined y known to Bob in advance)
(2) Even if Alice maliciously deviates, she cannot learn more than f(x,y) for some well-defined x known to her in advance
(3) Even if Bob maliciously deviates, he cannot learn anything about x.
Figure: Alice (input x) and Bob (input y) run 2PC; Alice receives f(x,y).
Signature Schemes with Efficient Protocols
• WE WANT a signature scheme that
  – is efficient, provably secure
  – has an efficient ZK proof of knowledge of a sig
  – has a secure two-party protocol for signing a hidden value
• WHY: applications for authentication without identification, as well as group signatures, blind signatures, fair exchange of digital signatures, ...
Roadmap for This Talk
• Building blocks
• Main idea of off-line ecash [CFN89 + CL02]
• Main idea of compact ecash [CHL05]
• Extensions [CHL06,CHKLM06]
• Technical details: how to instantiate generalized ecash [CL02,...BL12]
• Extending to more complicated anonymous credentials
Warning: there might be a pop quiz...
Anonymity + Accountability: Use Money!
Figure: the money cycle. Alice withdraws $ from the Bank, spends $$ at the Merchant, and the Merchant deposits $$$ at the Bank. (The bills read "TWO DOLLARS", signed Rivest.)
The Money Cycle
Figure: Alice withdraws $ from the Bank, spends $$ at the Merchant, and the Merchant deposits $$$ at the Bank.
• Three protocols: Withdraw, Spend, Deposit
• Desirable properties:
  – can't forge/copy money
  – can't trace how cash was spent
Electronic Version
• Three protocols: Withdraw, Spend, Deposit
• Desirable properties:
  – can't forge/copy money
  – can't trace how cash was spent?
Electronic Version
• Preventing copying/forgery:
  – money is represented by data, and data can be copied
  – not an issue if we do electronic checks
  – but electronic checks provide no privacy
• Online e-cash [Chaum]:
  – Bank maintains records of past transactions
  – Withdraw and Spend are unlinkable
  – during Deposit, test if the coin is unspent
Off-Line Ecash [CFN89]
• Algs: Setup, Withdraw, Spend, Deposit, Identify
  – Setup sets up everyone's keys (separately)
  – Identify: if Alice spends more than she withdrew, her identity is discovered once the Merchant deposits the money (the Merchant need not do this right away).
• Privacy: colluding Bank & Merchant can't trace how a coin is spent.
History
• Chaum’82: invented blind signatures, makes on-line ecash possible
• [CFN,Brands]: off-line e-cash
Main Idea of Off-Line Ecash
• Recall: digital signatures, secure 2-party computation, ZK proofs of knowledge
• SETUP: Signature key pair for Bank (pk,sk). Assume a PKI for all the users. Large prime Q. (Public: PKI, Q, pk.)
• WITHDRAW: Alice (input: her SK x, random A, B < Q) and the Bank (input: sk) run a 2PC; Alice obtains σ = σ_pk(x,A,B).
• SPEND: the Merchant picks 0 < "new" R < Q, e.g. R = H(contract, rand). Alice sends A (the coin's serial number), T = x + RB mod Q (the double-spending equation), and a NIZKPOK of (x,B,σ) such that 1. T = x + RB; 2. VerifySig(pk,(x,A,B),σ) = TRUE.
• DEPOSIT: the Merchant submits (A,R,T,proof) to the Bank.
• Suppose a coin is spent twice. Same coin ⇒ same A. Spent twice ⇒ two R's, and with high probability R ≠ R'. From T = x + RB mod Q and T' = x + R'B mod Q, solve for x, identify and punish Alice.
• Privacy for Alice: A and T are random, and the proof is ZK!
Compact Ecash
• Algs: Setup, Withdraw, Spend, Deposit, Identify
• Withdraw: a wallet with N coins
• Spend, deposit: just one coin
• Want: complexity of protocols O(log N), not O(N)
Figure: the money cycle (Bank, Alice, Merchants); public parameters PKI, Q, pk.
Compact Ecash: Main Idea [CHL05]
• WITHDRAW $N: Alice (input: her SK x, random seeds s, t) and the Bank (input: sk) run a 2PC; Alice obtains σ = σ_pk(x,s,t).
• SPEND $1 for the ith time: Let F_(·)(·) be a pseudorandom function family. The Merchant picks new R < Q. Alice sends A = F_s(i) (the coin's serial number), T = x + R·F_t(i) mod Q (the double-spending equation), and a NIZKPOK of (i,x,s,t,σ) such that 1. 1 ≤ i ≤ N; 2. A = F_s(i); 3. T = x + R·F_t(i); 4. VerifySig(pk,(x,s,t),σ) = TRUE.
• DEPOSIT: submit (A,R,T,proof) to the Bank.
• Suppose Alice spent > N coins ⇒ A = F_s(i) repeats for some i. A spent twice ⇒ two random R's, and with high probability R ≠ R'. From T = x + R·F_t(i) and T' = x + R'·F_t(i), solve for x, identify and punish Alice.
• Privacy for Alice: A and T are pseudorandom, proofs are ZK.
• TBA: how to instantiate using practical building blocks.
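As an added example (not the talk's code) covering both the off-line ecash slide and the compact ecash slide above, here is the bookkeeping side of the scheme in Python: a wallet of N coins, Spend producing (A, R, T), and the Bank's Deposit solving the double-spending equation to identify a double spender. The 2PC, the Bank's signature and the NIZKPOK are outside the example and are assumed to have run honestly, and the PRF F is instantiated with HMAC-SHA256 (an assumption).

```python
import hashlib
import hmac
import secrets

Q = (1 << 127) - 1   # constructed large prime modulus (2^127 - 1 is prime)
N = 8                # wallet size: N coins per Withdraw


def F(seed: bytes, i: int) -> int:
    """PRF family F_seed(i) with outputs in Z_Q (HMAC-SHA256 stands in for a real PRF)."""
    mac = hmac.new(seed, i.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % Q


def withdraw(x: int) -> dict:
    """Alice's side of WITHDRAW: fresh seeds s, t. The Bank's signature on
    (x, s, t), obtained inside the 2PC, is assumed and not modelled here."""
    return {"x": x % Q, "s": secrets.token_bytes(32), "t": secrets.token_bytes(32)}


def spend(wallet: dict, i: int, R: int) -> tuple:
    """SPEND coin i under the Merchant's fresh challenge R: serial number
    A = F_s(i) and double-spending value T = x + R * F_t(i) mod Q."""
    if not 1 <= i <= N:
        raise ValueError("coin index outside the wallet")   # the NIZKPOK enforces 1 <= i <= N
    A = F(wallet["s"], i)
    T = (wallet["x"] + R * F(wallet["t"], i)) % Q
    return (A, R % Q, T)


class Bank:
    """DEPOSIT: remember every (A, R, T). A repeated serial number A with two
    different challenges gives two equations T = x + R*B and T' = x + R'*B in
    the unknowns x and B = F_t(i); solving them identifies Alice by her SK x.
    (With B random and independent per coin this is exactly the off-line ecash case.)"""

    def __init__(self):
        self.seen = {}   # serial number A -> (R, T) of the first deposit

    def deposit(self, coin: tuple):
        A, R, T = coin
        if A not in self.seen:
            self.seen[A] = (R, T)
            return None                       # fresh coin: accepted, nobody identified
        R1, T1 = self.seen[A]
        if R1 == R:                           # identical challenge (replayed deposit): nothing to solve
            return None
        B = (T - T1) * pow((R - R1) % Q, -1, Q) % Q   # B = (T - T') / (R - R') mod Q
        return (T - R * B) % Q                # x = T - R*B mod Q: Identify returns Alice's SK
```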
ATTENTION:
POP QUIZ COMING UP!!!!
Generalized Ecash
• WITHDRAW: Alice (input: her SK x, random s1,...,sL) and the Bank (input: sk) run a 2PC; Alice obtains σ = σ_pk(x,s1,...,sL).
• SPEND: the Merchant picks new R1,...,RM. Alice sends PRF evaluations A1 = F_{s_j}(i1), ..., A15 = F_{s_z}(i15), any set of linear combinations T1 = x + Σ R_k F_{s_j}(i_j) mod Q, ..., T10 = x + Σ R_k' F_{s_j'}(i_j') mod Q, and a NIZKPOK of (x,s1,...,sL,i1,...,i15,...,σ) s.t. 1. A1,...,A15,T1,...,T10 computed correctly; 2. VerifySig(pk,(x,s1,...,sL),σ) = TRUE.
• DEPOSIT: submit ({Ai},{Ri},{Ti},proof) to the Bank.
POP QUIZ: Each user is allowed to spend only up to 100 coins with the Cheshire Cat. How to instantiate Generalized Ecash to guarantee this?
Hint: use multiple serial numbers
Preventing Money Laundering [CHL06]
• WITHDRAW $N: Alice (input: her SK x, seeds s1,t1,s2,t2) and the Bank (input: sk) run a 2PC; Alice obtains σ = σ_pk(x,s1,t1,s2,t2).
• SPEND the ith coin; this is the jth time with this Merchant: the Merchant picks new R < Q. Alice sends A1 = F_{s1}(i), A2 = F_{s2}(CheshCat,j), T1 = x + R·F_{t1}(i), T2 = x + R·F_{t2}(CheshCat,j), and a NIZKPOK of (i,x,s1,t1,j,s2,t2,σ) such that 1. 1 ≤ i ≤ N, 1 ≤ j ≤ 100; 2. A1 = F_{s1}(i), A2 = F_{s2}(CheshCat,j); 3. T1 = x + R·F_{t1}(i), T2 = x + R·F_{t2}(CheshCat,j); 4. VerifySig(pk,(x,s1,t1,s2,t2),σ) = TRUE.
• DEPOSIT: submit (A1,A2,R,T1,T2,proof) to the Bank.
• Suppose Alice spends > N coins ⇒ A1 repeats, catch Alice! Suppose she spends > 100 with CheshCat ⇒ A2 = F_{s2}(CheshCat,j) repeats, catch Alice.
• Privacy for Alice
• Cannot be done with physical cash! Was an open problem too, for a while.
POP QUIZ 2: A user is allowed to spend up to 100 coins (tokens) per day. Each morning, her wallet is reset. How to do this?
Hint: use a PRF with two inputs, F_s(i,j)
Compact E-Tokens [CHKLM06]
• WITHDRAW: Alice (input: her SK x, random s, t) and the Bank (input: sk) run a 2PC; Alice obtains σ = σ_pk(x,s,t).
• SPEND the ith token on Day j: the Merchant picks new R < Q. Alice sends A = F_s(i,j), T = x + R·F_t(i,j), and a NIZKPOK of (i,x,s,t,σ) such that 1. 1 ≤ i ≤ 100; 2. A = F_s(i,j); 3. T = x + R·F_t(i,j); 4. VerifySig(pk,(x,s,t),σ) = TRUE.
• DEPOSIT: submit (A,R,T,proof) to the Bank.
• Suppose Alice spends > 100 tokens on day j ⇒ A = F_s(i,j) repeats for some i ⇒ catch Alice!
• Privacy for Alice: same as in compact ecash
• A simple solution to the uncloneable group identification problem [DDP06]
POP QUIZ 3: If you double-spend < 4 e-tokens, these e-tokens are linked, but your identity cannot be traced. If you double-spend 4 times, you are identified and your SK is computed.
Hint: use multiple R1, ..., RL
Glitch Protection [CHKLM06]
• WITHDRAW: Alice (input: her SK x, and s,t,u,v,L,z1,z2,z3) and the Bank (input: sk) run a 2PC; Alice obtains σ = σ_pk(x,s,t,u,v,L,z1,z2,z3).
• SPEND $1 for the ith time: the Merchant picks R, r1, r2, r3. Alice sends A = F_s(i), T = L + R·F_t(i), Y = F_u(i) + R·F_v(i), Z = x + r1·z1 + r2·z2 + r3·z3 + F_u(i), and a NIZKPOK of (i,x,s,t,u,v,L,z1,z2,z3,σ) such that 1. 1 ≤ i ≤ N; 2. A = F_s(i), T = L + R·F_t(i), Y = F_u(i) + R·F_v(i); 3. Z = x + r1·z1 + r2·z2 + r3·z3 + F_u(i); 4. VerifySig(pk,(x,s,t,u,v,L,z1,z2,z3),σ).
• Suppose Alice spends N+4 coins ⇒ A = F_s(i) repeats for some i (possibly for i1, i2, i3, i4) ⇒ L pops out of the repeated A using T, T', R, R' ⇒ link them together! ⇒ F_u(i) pops out of the repeated A using Y, Y', R, R' ⇒ each overspending gives x + r1·z1 + r2·z2 + r3·z3 = Z − F_u(i).
Roadmap for This Talk
• Building blocks
• Main idea of off-line ecash [CFN89 + CL02]
• Main idea of compact ecash [CHL05]
• Extensions [CHL06,CHKLM06]
• Technical details: how to instantiate generalized ecash
Compact Ecash with CL Sigs
• WITHDRAW: Alice (input: her SK x, seeds s, t) and the Bank (input: sk) run a 2PC; Alice obtains σ = σ_pk(x,s,t). (Labelled "CL" on the slide.)
• SPEND: the Merchant picks new R < Q. Alice sends A = F_s(i), T = x + R·F_t(i) mod Q, commitments C_i, C_x, C_s, C_t to i, x, s, t, and a ZKPOK of (i,x,s,t,σ) such that 0. they correspond to C_i, C_x, C_s, C_t; 1. 1 ≤ i ≤ N; 2. A = F_s(i); 3. T = x + R·F_t(i); 4. VerifySig(pk,(x,s,t),σ) = TRUE. The slide labels steps 0 and 1 "standard techniques", step 4 "CL", and steps 2 and 3 "??????", next to the PRF F_s(i) = g^{1/(s+i+1)} [DY05].
• Pedersen and Fujisaki-Okamoto commitments:
  – If G is a group with generators g1, g2, ..., gn, h, commit to x1, x2, ..., xn: C = g1^{x1} g2^{x2} ... gn^{xn} h^r for random r < |G|
  – [Brands99, Camenisch98]: ZKPOKs of committed values with algebraic and Boolean properties
• CL sigs [CL01, L02, CL02, CL04, ..., CL50]:
  – Efficient, provably secure sig (Strong RSA [CL02], LRSW or SDHI [CL04])
  – Efficient protocol for getting a sig on a set of Ped- & FO-committed values (x1,x2,...,xn)
  – Efficient protocol for proving knowledge of a sig on a set of committed values
Compact Ecash with CL Sigs (instantiated)
• WITHDRAW: as before, Alice obtains σ = σ_pk(x,s,t) on her SK x and seeds s, t via a 2PC with the Bank (CL sig on committed values).
• SPEND: with F_s(i) = g^{1/(s+i+1)} [DY05] and standard techniques, Alice sends A = F_s(i), T = g^x (F_t(i))^R, commitments C_i, C_x, C_s, C_t to i, x, s, t, and a ZKPOK of (i,x,s,t,σ) such that 0. they correspond to C_i, C_x, C_s, C_t; 1. 1 ≤ i ≤ N; 2. A = F_s(i); 3. T = g^x (F_t(i))^R; 4. VerifySig(pk,(x,s,t),σ) = TRUE (CL).
• Suppose the ith coin is spent twice. Same coin ⇒ same A. Spent twice ⇒ two random R's, with high probability R1 ≠ R2:
  T1 = g^x (F_t(i))^{R1}, T2 = g^x (F_t(i))^{R2}
  solve for F_t(i) = (T1/T2)^{1/(R1−R2)}
  solve for g^x = T1/(F_t(i))^{R1}
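As an added example (not the talk's code), the algebra of this slide in Python: the Dodis-Yampolskiy PRF F_s(i) = g^{1/(s+i+1)}, the multiplicative double-spending value T = g^x (F_t(i))^R, and the Bank's recovery of g^x from two spends of the same coin. The group is a constructed toy prime-order subgroup (Q = 509, P = 2Q+1 = 1019, g = 4), far too small for real use; the commitments and the ZKPOK are omitted.

```python
# Constructed toy group: P = 2Q + 1 with P, Q prime, so the quadratic residues
# of Z_P^* form a subgroup of prime order Q; g = 2^2 mod P generates it.
Q = 509
P = 2 * Q + 1          # 1019
g = pow(2, 2, P)       # 4


def public_key(x: int) -> int:
    """Alice's PKI entry g^x, which Identify must recover."""
    return pow(g, x, P)


def dy_prf(seed: int, i: int) -> int:
    """[DY05] PRF: F_seed(i) = g^(1/(seed + i + 1)), the inverse taken mod Q.
    Raises ValueError if seed + i + 1 = 0 mod Q (no inverse exists)."""
    exponent = pow((seed + i + 1) % Q, -1, Q)
    return pow(g, exponent, P)


def spend(x: int, s: int, t: int, i: int, R: int) -> tuple:
    """Coin i from wallet (x, s, t) under Merchant challenge R (1 <= R < Q):
    serial number A = F_s(i), double-spending value T = g^x * F_t(i)^R."""
    if not 1 <= R < Q:
        raise ValueError("challenge must lie in [1, Q-1]")
    A = dy_prf(s, i)
    T = public_key(x) * pow(dy_prf(t, i), R, P) % P
    return (A, R, T)


def identify(spend1: tuple, spend2: tuple) -> int:
    """Bank's Identify: two spends of the same coin (same A, R1 != R2) give
    F_t(i) = (T1/T2)^(1/(R1-R2)) and then g^x = T1 / F_t(i)^R1."""
    A1, R1, T1 = spend1
    A2, R2, T2 = spend2
    if A1 != A2 or (R1 - R2) % Q == 0:
        raise ValueError("not two distinct spends of the same coin")
    ratio = T1 * pow(T2, -1, P) % P                     # = F_t(i)^(R1 - R2)
    f_t = pow(ratio, pow((R1 - R2) % Q, -1, Q), P)      # = F_t(i), since F_t(i) has order Q
    return T1 * pow(pow(f_t, R1, P), -1, P) % P         # = g^x, matched against the PKI
```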
First Signature Scheme
• (Sig scheme for messages of length ℓ(m), security parameter k)
• Key generation: n = pq = (2p'+1)(2q'+1) of length ℓ(n); a, b, c ∈ QR_n
• Signing m: e ∈ PRIMES_{ℓ(m)+2}, s ∈ {0,1}^{ℓ(n)+ℓ(m)+k}; solve for v such that v^e = a^m b^s c mod n
• Verification of {m, σ = (s,e,v)}: check that v^e = a^m b^s c mod n; check the lengths of m, s, e
Provable Security
• Under the Strong RSA assumption
  – hard, on input an RSA modulus n and a value u, to compute (v,e) such that e > 1 and v^e = u
• I will skip the proof of security
And Now the Two Protocols
• Signature on a committed value
• ZK proof of knowledge of a signature
But First: Some Known Tools
• Commitment scheme [Ped92, FO97]:
  – PK: N = (2P'+1)(2Q'+1), g, h ∈ QR_N
  – Commit(x,r) = g^x h^r mod N
• ZK proof of knowledge of representations [S91]
  – protocol between a "prover" P and a "verifier" V
  – common input is some value C in some group where the discrete logarithm problem is hard, and some generators g1, g2, ..., g15
  – P knows how to represent C in terms of g1, g2, ..., g15: C = g1^{x1} g2^{x2} ... g15^{x15}
  – P can convince V that he knows x1, x2, ..., x15 s.t. V learns nothing about them
  – but with access to P's algorithm, one can extract the representation.
• ZK proofs of equality of representations & other relations [S91, Brands99, CM99]
• ZK proof that a committed number lies in an integer interval [B00].
Signature on a Committed Value (between Alice and the Signer)
1. Alice commits to m: C_m = a^m b^r mod n, and sends C_m
2. Alice proves knowledge of a representation of C_m, and correct lengths
3. The Signer picks random t, e, solves for v in v^e = C_m b^t c mod n, and sends (t,e,v)
4. Alice outputs s = r + t, e, v
Proof of Knowledge of a Signature
• Imagine that you are the PROVER!
  – Have m, σ = (v,e,s), s.t. v^e = a^m b^s c
  – For a random r, let u = v b^r.
  – Note that u^e = a^m b^{s+re} c
    • so (u,e,s+re) is also a sig on m
  – Then c = u^e a^{-m} b^{-s-re}
  – Give u to the verifier and prove knowledge of a representation of c in bases u, a, b; prove that these discrete logs are of the right length
• (this version of this protocol is due to [CG04])
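As an added example (not the talk's or the paper's code), a toy Python instance of the first signature scheme, together with the "Signature on a Committed Value" protocol and the re-randomization u = v b^r from the proof of knowledge above. The primes p' = 53, q' = 83 and the length parameters are tiny constructed values, and the zero-knowledge proofs that Alice and the prover would send are omitted.

```python
import math
import secrets

# Constructed toy parameters: p = 2p'+1, q = 2q'+1 safe primes, n = pq.
P1, Q1 = 53, 83
p, q = 2 * P1 + 1, 2 * Q1 + 1        # 107, 167
n = p * q                            # 17869
ORDER_QR = P1 * Q1                   # |QR_n| = p'q', the signer's secret key
L_M, K = 4, 4                        # toy message length l(m) and security parameter k
L_N = n.bit_length()                 # l(n) = 15
L_E, L_S = L_M + 2, L_N + L_M + K    # e has l(m)+2 bits, s has l(n)+l(m)+k bits


def is_prime(v: int) -> bool:
    return v > 1 and all(v % d for d in range(2, math.isqrt(v) + 1))


def keygen():
    """Public key (n, a, b, c) with a, b, c in QR_n (squares of constructed seeds); secret key p'q'."""
    a, b, c = (pow(seed, 2, n) for seed in (3, 5, 7))
    return (n, a, b, c), ORDER_QR


def pick_e() -> int:
    """Random prime e of exactly L_E bits (in the real scheme e < p', q' makes gcd(e, p'q') = 1 automatic)."""
    while True:
        e = secrets.randbits(L_E - 1) | (1 << (L_E - 1))
        if is_prime(e) and math.gcd(e, ORDER_QR) == 1:
            return e


def solve_v(pk, sk, target: int, e: int) -> int:
    """Signer's step: v = target^(e^-1 mod p'q'), so that v^e = target mod n."""
    return pow(target, pow(e, -1, sk), pk[0])


def sign(pk, sk, m: int) -> tuple:
    _, a, b, c = pk
    e, s = pick_e(), secrets.randbits(L_S)
    v = solve_v(pk, sk, pow(a, m, n) * pow(b, s, n) * c % n, e)
    return (s, e, v)


def verify(pk, m: int, sig: tuple, check_lengths: bool = True) -> bool:
    """Check v^e = a^m b^s c mod n and the lengths of m, s, e."""
    _, a, b, c = pk
    s, e, v = sig
    ok = pow(v, e, n) == pow(a, m, n) * pow(b, s, n) * c % n
    if check_lengths:
        ok = ok and m.bit_length() <= L_M and e.bit_length() == L_E and s.bit_length() <= L_S
    return ok


def sign_committed(pk, sk, m: int) -> tuple:
    """Signature on a committed value: the Signer sees only C_m = a^m b^r, never m.
    (Alice's proof of knowledge of the opening, step 2, is omitted.)"""
    _, a, b, c = pk
    r = secrets.randbits(L_S - 1)                          # Alice's commitment randomness
    C_m = pow(a, m, n) * pow(b, r, n) % n                  # 1. Alice -> Signer
    t, e = secrets.randbits(L_S - 1), pick_e()             # 3. Signer picks t, e ...
    v = solve_v(pk, sk, C_m * pow(b, t, n) * c % n, e)     #    ... solves v^e = C_m b^t c, sends (t, e, v)
    return (r + t, e, v)                                   # 4. Alice outputs s = r + t


def randomize(pk, sig: tuple, r: int) -> tuple:
    """Prover's re-randomisation: u = v b^r, so (s + r e, e, u) is another signature on m.
    Length checks are relaxed here; the real proof shows the exponents are in range with slack."""
    _, _, b, _ = pk
    s, e, v = sig
    return (s + r * e, e, v * pow(b, r, n) % n)
```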
Signature for Blocks of Messages
• Wish to sign a block of messages (m1,...,mL)
  – normally just use a hash function: M = H(m1,...,mL), then sign M
  – not in this case: want efficient protocols
• Variant of the other scheme:
  – Public key: n of length ℓ(n) same as before; a1, ..., aL, b, c ∈ QR_n
  – Signing (m1,...,mL): random e and s as before; solve for v such that v^e = a1^{m1} ... aL^{mL} b^s c mod n
  – Verification of {m1,...,mL, σ = (s,e,v)}: check v^e and lengths, as before
• Security follows from the first scheme
Signature on a Committed Block (between Alice and the Signer)
1. Alice commits to m1,...,mL: C_m = a1^{m1} ... aL^{mL} b^r mod n, and sends C_m
2. Alice proves knowledge of a representation of C_m, and correct lengths
3. The Signer picks random t, e, solves for v in v^e = C_m b^t c mod n, and sends (t,e,v)
4. Alice outputs s = r + t, e, v
Proof of Knowledge of a Signature
• Imagine that you are the PROVER!
  – Have m1,...,mL, σ = (v,e,s), s.t. v^e = a1^{m1} ... aL^{mL} b^s c
  – For a random r, let u = v b^r.
  – Note that u^e = a1^{m1} ... aL^{mL} b^{s+re} c
  – so (u,e,s+re) is also a sig on m1,...,mL
  – Then c = u^e a1^{-m1} ... aL^{-mL} b^{-s-re}
  – Give u to the verifier and prove knowledge of a representation of c in bases u, a1, ..., aL, b; prove that these discrete logs are of the right length
Anonymous Credentials
• SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Commit(user's real SK x). (Public: P, pk.)
• Obtain cred: the user (input: opening of P) and the Issuer (input: sk) run a 2PC; the user obtains σ = σ_pk(x).
• Anonymously prove possession of credential: ZKPOK of (x,σ) such that VerifySig(pk,x,σ) = TRUE

Anonymous Credentials
• SETUP and Obtain cred: as above.
• Anonymously prove possession of credential for pseudonym P' (not the same as pseudonym P): ZKPOK of (x,R,σ) such that 1. VerifySig(pk,x,σ) = TRUE; 2. P' = Commit(x;R)
Anonymous Credentials w. Identity Escrow
• SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Encrypt_CA(user's real SK x). (Public: P, pk.)
• Obtain cred: the user (input: opening of P) and the Issuer (input: sk) run a 2PC; the user obtains σ = σ_pk(x).
• Anonymously prove possession of credential for pseudonym P' (not the same as pseudonym P): ZKPOK of (x,R,σ) such that 1. VerifySig(pk,x,σ) = TRUE; 2. P' = Commit(x;R)
Anonymous Ecash Credentials
• SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Commit(user's real SK x). (Public: P, pk.)
• Obtain cred: same as ecash (the user inputs the opening of P; the Issuer inputs sk).
• Spend under pseudonym P' (not the same as pseudonym P): same as ecash, but must prove that the secret x inside the pseudonym was signed.
Anonymous Credentials with Attributes
• SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Commit(user's real SK x, attr A1,...,An). (Public: P, pk.)
• Obtain cred: the user (input: opening of P) and the Issuer (input: sk) run a 2PC; the user obtains σ = σ_pk(x,A1,...,An).
• Anonymously prove possession of credential for pseudonym P' (not the same as pseudonym P): ZKPOK of (x,A1,...,An,R,σ) such that 1. VerifySig(pk,(x,A1,...,An),σ) = TRUE; 2. P' = Commit(x;R); 3. Attributes satisfy the desired relation
Anonymous Credentials "Light" [BL12]
• SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Commit(user's real SK x). (Public: P, pk.)
• Obtain cred: the user (input: opening of P, and P' = Commit(x;R') with fresh R') and the Issuer (input: sk) run a 2PC; the user obtains σ = σ_pk(P').
• Anonymously prove possession of credential (can only do it once!): reveal P' and σ.

Anonymous Credentials "Light" [BL12]
• SETUP and Obtain cred: as above.
• Anonymously prove possession of credential (can only do it once!) under pseudonym P'' (not the same as P or P'): reveal P' and σ, and ZK prove that P' and P'' are commitments to the same value.