advertisement

Privacy-Preserving Authentication: A Tutorial Anna Lysyanskaya Brown University What is Authentication? Today’s news? Who are you? Do you have a subscription? It’s Bond. James Bond. Here’s my subscription. projo.com What is Authentication? Today’s news? Who are you? Do you have a subscription? Identification It’s Bond. James Bond. Here’s my subscription. Digital signature projo.com Signature Schemes Signature Schemes • Setup: I run a setup algorithm to obtain my public key PK and secret key SK PK SK PK Signature Schemes • Setup: I run a setup algorithm to obtain my public key PK and secret key SK • Now I can sign (using SK): – Sign(SK,m) σ (denoted σPK(m) ) • And you can verify it (using PK) – Verify(PK,m,σ) Yes/No PK Signature Schemes • Security: no adversary can forge a signature even after seeing sigs on messages of his choice m m21 m,σPK(m) ... σPK(m1) σPK (m ) ... 2 Secure if this is unlikely PK History of Signature Schemes • 1970s: invention of PK crypto, DH, RSA, Lamport, Merkle • Definition & first provably secure construction: GMR84 • Random-oracle-based constructions: Fiat-Shamir, Schnorr, GQ, Bellare-Rogaway, ... • Lattice-based [GGH97], NTRU • Minimal assumptions: Naor-Yung, Rompel (OWF) • Stateless and provably secure – under SRSA: Gennaro-Halevi-Rabin’99, Cramer-Shoup’99 – under BDH: Boneh-Boyen [Eurocrypt 2004] • Other flavors: group sigs, blind sigs [Chaum] • This talk: signatures that allow you to prove that you have a signed document, efficiently, without revealing (too much) about the contents of the document [...,L02,CL04,CL05,...,BL12]. Using Signature Schemes I am James Bond. Please give me a cert that I have a ProJo subscription. σ=σProJo(James Bond) Today’s news? Digital signature Let me check that you have a valid subscription. Who are you? Identification James Bond. My σ. projo.com PKProJo Certification authority (CA) projo.com Using Signature Schemes I am James Bond. Please give me a cert that I have a ProJo subscription. PKJB σ=σProJo(James Bond) Today’s news? PKJB Identification Digital signature Let me check that you have a valid subscription. Who are you? PKJB. My σ. projo.com PKProJo Certification authority (CA) projo.com That’s how authentication with identification is done. Why do you want to do it without? How do you do it without? Anonymous Access Today’s news? Who are you? Do you have a subscription? I can tell you, but then I’ll It’s Bond. James Bond. have to kill you... projo.com Anonymous Access Today’s news? Show me your subscription. Subscription #76590 projo.com Anonymous Access Today’s news? Prove that you are authorized. Here is a zero-knowledge proof projo.com Zero-Knowledge Proof [GMR] Let L be a language. A zero-knowledge (ZK) proof system for L is a protocol between a prover P (can be computationally unbounded) and a verifier V (poly-time TM) such that: (Completeness) For an x in L, P convinces V (Soundness 1-ε) For any x not in L, no malicious P’ can cause V to accept with more than ε probability (Zero-knowledge - informal) Everything V learns as a result of talking to P, he can learn without talking to P. Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges Is every graph 3-colorable? Is every graph 3-colorable? Is every graph 3-colorable? Is every graph 3-colorable? No... ZK Proof of 3-Colorability ZK Proof of 3-Colorability You are just trying to trick me! This graph is not 3-colorable! ZK Proof of 3-Colorability You are just trying to trick me! This graph is not 3-colorable! ZK Proof of 3-Colorability You are just trying to trick me! This graph is not 3-colorable! ZK Proof of 3-Colorability ZK Proof of 3-Colorability ZK Proof of 3-Colorability ZK Proof of 3-Colorability ZK Proof of 3-Colorability If you’re cheating, I have 1 in 11 chance to catch you. ZK Proof of 3-Colorability I want better odds! ZK Proof of 3-Colorability ZK Proof of 3-Colorability ZK Proof of 3-Colorability ZK Proof of 3-Colorability ZK Proof of 3-Colorability ZK Proof of 3-Colorability ZK Proof of 3-Colorability ZK Proof of 3-Colorability If we repeat 100 times and you are lying, I’ll surely catch you! [GMW86] Zero-Knowledge: A Crash Course Theorem [GMW87]: every L in NP has a zero-knowledge proof system. Proof. Reduce the language at hand to graph 3-colorability (recall that 3-col is NP-complete). Use: Lemma: 3-colorability has a zero-knowledge proof system. Zero-Knowledge: A Crash Course Theorem [GMW]: every language in NP has a zero-knowledge proof system. Theorem [FLS]: every language in NP has a non-interactive ZK proof system (NIZK). ZK POK: a ZK proof of knowledge, ie V accepts if the prover knows a value that satisfies an NP relation, e.g. a valid 3-coloring of a graph. Accessing a Resource I need access to SIAM J on Computing, 17:2 PKJS User Prove to me that you have a valid subscription! Sure! Here’s a zero-knowledge proof: ... Online library Using Credentials Anonymously I am PKJS. Please give me a cert that I go to High School. PKJS PKJS σCA=σCA(PKJS, High School) PKCA Certification authority (CA) I need access to SIAM to me that you have a JProve on Computing, 17:2 Zero-knowledge that validproof subscription! I know SK, PK and σ such that: (1) PK corresponds to SK (2) Verify(PKCA,(PK. High School),σ). Online library Using Credentials Anonymously I am PKJS. Please give me a cert that I go to Moses Brown School. PKJS We already know that we can do it! Just reduce the problem at hand PKCA σ =σ (PK , Moses Brown) JS CA and CA run to graph 3-col, a ZK Certification proof! authority (CA) Would be nice to do that more I need access to SIAM efficiently. PKJS to me that you have a JProve on Computing, 17:2 Zero-knowledge that validproof subscription! I know SK, PK and σ such that: (1) PK corresponds to SK (2) Verify(PKCA,(PK. High School),σ). Online library Obtaining Credentials Anonymously PKJS PKJS I am PKJS. Please I need to SIAM give me aaccess cert that I go to Prove to me that you have a J on Computing, 17:2 Moses Brown School. Zero-knowledge that validproof subscription! I know SK, PK and σ such that: (1) PK corresponds to SK σCA=σ (PKJS, Moses Brown) CASchool), (2) Verify(PKCA,(PK. High σ). You are such a good customer, I want to also give you a credential! PKCA Certification authority (CA) Online library Anonymous credential = signature issued to a hidden value PK/SK: the library never sees the value it is signing Secure 2PC: A Crash Course Theorem [Yao]: every function f(x,y) can be computed via a protocol between Alice holding input x, and Bob holding input y such that (informally): (1) Alice receives output f(x,y) (even if Bob deviates from the protocol, she receives f(x,y) for some welldefined y known to Bob in advance) (2) Even if Alice maliciously deviates, she cannot learn more than f(x,y) for some well-defined x known to her in advance (3) Even if Bob maliciously deviates, he cannot learn anything about x. Secure 2PC: A Crash Course x y 2PC Alice f(x,y) Bob Obtaining Credentials Anonymously PKJS PKJS I am PKJS. Please I need to SIAM give me aaccess cert that I go to Prove to me that you have a J on Computing, 17:2 Moses Brown School. Zero-knowledge that validproof subscription! I know SK, PK and σ such that: (1) PK corresponds to SK σCA=σ (PKJS, Moses Brown) CASchool), (2) Verify(PKCA,(PK. High σ). You are such a good customer, I want to also give you a credential! PKCA Certification authority (CA) Online library Anonymous credential = signature issued to a hidden value PK/SK: the library never sees the value it is signing Signature Schemes with Efficient Protocols • WE WANT a signature scheme that is – efficient, provably secure – has an efficient ZK proof of knowledge of a sig. – has a secure two-party protocol for signing a hidden value • WHY: applications for authentication without identification, as well as group signatures, blind signatures, fair exchange of digital signatures, ... Roadmap for This Talk • Building blocks • Main idea of off-line ecash [CFN89 + CL02] • Main idea of compact ecash [CHL05] • Extensions [CHL06,CHKLM06] • Technical details: how to instantiate generalized ecash [CL02,...BL12] • Extending to more complicated anonymous credentials Warning: there might be a pop quiz... Anonymity + Accountability: Use Money! BANK TWO Rivest DOLLARS TWO TWO Rivest Alice DOLLARS Rivest Spend $$$ Merchant DOLLAR The Money Cycle BANK Spend $$$ Alice Merchant • Three protocols: Withdraw, Spend, Deposit • Desirable properties: - can’t forge/copy money - can’t trace how cash was spent Electronic Version BANK Spend $$$ Alice ? Merchant • Three protocols: Withdraw, Spend, Deposit • Desirable properties: - can’t forge/copy money - can’t trace how cash was spent Electronic Version BANK Spend $$$ Alice • Preventing copying/forgery: Merchant - money is represented by data, data can be copied - not an issue if do electronic checks - but electronic checks provide no privacy • Online e-cash [Chaum]: - Bank maintains records of past transactions - Withdraw and Spend are unlinkable - during Deposit, test if the coin is unspent Off-Line Ecash [CFN89] BANK Spend $$$ Alice Merchant • Algs: Setup, Withdraw, Spend, Deposit, Identify - Setup sets up everyone’s keys (separately) - Identify: if Alice spends more than she withdrew, her identity is discovered once the Merchant deposits the money (Merchant need not do this right away). • Privacy: colluding B&M can’t trace how a coin is spent. History • Chaum’82: invented blind signatures, makes on-line ecash possible • [CFN,Brands]: off-line e-cash Main Idea of Off-Line Ecash • Recall: digital signatures, secure 2-party computation, ZK proofs of knowledge Main Idea of Off-Line Ecash • Recall: digital signatures, secure 2-party computation, ZK proofs of knowledge • SETUP: Signature key pair for Bank (pk,sk). Assume a PKI for all the users. Large prime Q. PKI, Q, pk • WITHDRAW: Alice’s SK x • SPEND: Random A,B < Q =pk(x,A,B) 2PC sk BANK 0 < “new” R < Q e.g. R=H(contract, rand) A (the coin’s serial number) T =x+RB mod Q (double-spending equation) NIZKPOK of (x,B,) such that 1. T = x+RB 2. VerifySig(pk,(x,A,B), ) = TRUE Deposit: submit (A,R,T,proof) to the Bank Main Idea of Off-Line Ecash • Recall: digital signatures, secure 2-party computation, ZK proofs of Suppose a coin is spent twice. knowledge Same coin => same A • SETUP: Signature key pair for Bank (pk,sk). Privacy for Alice: Spent twice: R’s, Assume a PKI for alltwo the users. with prob, R ≠ R’ A,T: random, Large prime Q.high T = x+RB mod Q, = x+R’Bmod Q proofs is T’ZK! • WITHDRAW: solve for Alice’s SKx,xid and punish Alice • SPEND: Random A,B < Q =pk(x,A,B) 2PC sk BANK 0 < “new” R < Q e.g. R=H(contract, rand) A (the coin’s serial number) T =x+RB mod Q (double-spending equation) NIZKPOK of (x,B,) such that 1. T = x+RB 2. VerifySig(pk,(x,A,B), ) = TRUE Deposit: submit (A,R,T,proof) to the Bank Compact Ecash BANK Spend $$$ Alice Merchants • Algs: Setup, Withdraw, Spend, Deposit, Identify • Withdraw: a wallet with N coins • Spend, deposit: just one coin • Want: complexity of protocols O(log N), not O(N) Compact Ecash: Main Idea [CHL05] • WITHDRAW $N: Suppose spent >N coins PKI, Q, pk => repeating Alice’s SK xA = Fs(i) for some i A spent twice: twofor random sk Privacy Alice: R’s, 2PC Random s,t withAhigh R ≠ R’ and Tprob, are pseudorandom, BANK =pk(x,s,t) Proofs ZK t(i) T = x+RFt(i), T’ =are x+R’F and punish Alice • SPEND $1 for the ithsolve time:for Letx, F(id )( ) be a pseudorandom function family new R < Q A = Fs(i) (the coin’s serial number) T = x+RFt(i) mod Q (double-spending equation) NIZKPOK of (i,x,s,t,) such that 1. 1 ≤ i ≤ N 2. A = Fs(i) 3. T = x+RFt(i) 4. VerifySig(pk,(x,s,t), ) = TRUE • TBA: how to instantiate using practical building blocks. Deposit: submit (A,R,T,proof) to the Bank ATTENTION: POP QUIZ COMING UP!!!! Generalized Ecash • WITHDRAW: Alice’s SK x Random Random s1,...,s s,t L == pk(x,s pk(x,s,t) 1,...,sL) • 2PC sk BANK newRR1,...,R < QM new SPEND: PRF evaluations A1=Fsj(i1),...,A15=Fsz(i15) Any linear combinations A = Fset (i) of (the coin’s serial number) s Q T =Tx+RF (i)Rmod Qj) (mod double-spending equation) 1 = x+t∑ k Fsj(i ... Deposit: submit ’ NIZKPOK ofR(i,x,s,t,) such that ({Ai},{Ri},{Ti},proof) T10 = x+∑ k’ Fsj’(ij ) mod Q 1. 1 ≤ i ≤ N to the Bank 2. A = Fof s(i)(i,x,s ,...,s ,i ,...,i , ... ,) s.t. NIZKPOK 1 L 1 15 3. T = x+RF (i) t 1. A1,...,A15,T1,...,T10 computed correctly 4. TRUE 2. VerifySig(pk,(x,s,t), VerifySig(pk,(x,s ,...,s)),=) = TRUE 1 L POP QUIZ: Each user is allowed to spend only up to 100 coins with the Cheshire Cat. How to instantiate Generalized Ecash to guarantee this? Hint: use multiple serial numbers Preventing Money Laundering [CHL06] • • WITHDRAW $N: Suppose spend >N coins Alice’s SK x => repeating A1, catch Alice! sk Suppose spend >100 with CheshCat 2PC s1,t1,s2,t2 Privacy for Alice => repeating A21,t=1,s F2s2,t(CheshCat,j) =pk(x,s 2) catch Alice. BANK SPEND the ith coin; this is the jth time with this Merchant new R < Q A1 = Fs1(i), A2 = Fs2(CheshCat,j) T1 = x+RFt1(i), T2 = x+RFt2(CheshCat,j) Deposit: submit NIZKPOK of (i,x,s1,t1,j,s2,t2,) such that (A1,A2,R,T1,T2,proof) 1. 1 ≤ i ≤ N, 1 ≤ j ≤ 100 to the Bank 2. A1 = Fs(i), A2 = Fs2(CheshCat,j) 3. T1 = x+RFt(i), T2 = x+RFt2(CheshCat,j) 4. VerifySig(pk,(x,s1,t1,s2,t2), ) = TRUE • Cannot be done with physical cash! Was an open problem too, for a while. POP QUIZ 2: A user is allowed to spend up to 100 coins (tokens) per day. Each morning, her wallet is reset. How to do this? Hint: use a PRF with two inputs, Fs(i,j) Compact E-Tokens [CHKLM06] • WITHDRAW: Alice’s SK x Suppose spend >100 coins on day j => repeating A=Fs(i,j) for2PC some i Privacy for Random s,t Alice: same as in(x,s,t) compact ecash => catch Alice! =pk • sk BANK SPEND the ith token on Day j new R < Q A = Fs(i,j) T = x+RFt(i,j) NIZKPOK of (i,x,s,t,) such that 1. 1 ≤ i ≤ 100 2. A = Fs(i,j) 3. T = x+RFt(i,j) 4. VerifySig(pk,(x,s,t), ) = TRUE • Deposit: submit (A,R,T,proof) to the Bank A simple solution to the uncloneable group identification problem [DDP06] POP QUIZ 3: If you double-spend < 4 e-tokens, these e-tokens are linked, but your identity cannot be traced. If you double-spend 4 times, you are identified and your SK is computed. Hint: use multiple R1, ..., RL Glitch Protection [CHKLM06] • • WITHDRAW: Suppose spend N+4 coins => repeating A=Fs(i) for some i (possibly for i1, i2, i3, i4) => L pops out of repeating A using T, T’, R, R’ Alice’s SKtogether! x => link them => Fu(i)s,t,u,v,L,z pops out of repeating A 1,z2,z3 Y, Y’, R, R’ using =pk(x,s,t,u,v,L,z 1,z2,z3) => each overspending gives x + r1z1 + r2z2 + r3z3 = Z-Fu(i) th SPEND $1 for the i time: 2PC R, r1, r2, r3 A = Fs(i) T = L+RFt(i) Y = Fu(i)+RFv(i) Z = x + r1z1 + r2z2 + r3z3 + Fu(i) NIZKPOK of (i,x,s,t,u,v,L,z1,z2,z3,) such that 1. 1 ≤ i ≤ N 2. A = Fs(i), T = L+RFt(i), Y = Fu(i)+RFv(i) 3. Z = x + r1z1 + r2z2 + r3z3 + Fu(i) 4. VerifySig(pk,(x,s,t,u,v,L,z1,z2,z3), ) sk BANK Roadmap for This Talk • Building blocks • Main idea of off-line ecash [CFN89 + CL02] • Main idea of compact ecash [CHL05] • Extensions [CHL06,CHKLM06] • Technical details: how to instantiate generalized ecash Compact Ecash with CL Sigs • Pedersen and Fujisaki-Okamoto commitments: • CL sigs [CL01,L02,CL02,CL04,...,CL50]: – If G is a group with generators g1,g2, …, gn, h commit to x1,x2,…xn: C = g1x1g2x2…gnxnhr for random r < |G| – [Brands99,Camenisch98]: ZKPOKs of committed values w algebraic and Boolean props – Efficient, provably secure sig (Strong RSA [CL02], LRSW or SDHI [CL04]) – Efficient protocol for getting a sig on a set of Ped- & FO-committed values (x1,x2,...,xn) – Efficient protocol for proving knowledge of a sig on a set of committed values • WITHDRAW: Alice’s SK x seeds s,t =pk(x,s,t) • SPEND: new R < A = Fs(i), T = x+RFt(i) mod Q Ci,Cx,Cs,Ct : commitments to i,x,s,t ZKPOK of (i,x,s,t,) such that 0. They correspond to Ci,Cx,Cs,Ct 1. 1 ≤ i ≤ N Standard techniques 2. A = Fs(i) [DY05]: Fs(i) = g1/(s+i+1) 3. T = x+RFt(i) ?????? 4. VerifySig(pk,(x,s,t), ) = TRUE CL 2PC Q CL sk BANK Compact Ecash with CL Sigs Suppose i’th coin is spent twice. Same coin => same A Spent twice: two random R’s, with high prob, R1 ≠ R2 T1 = gx(Ft(i))R1, T2 = gx(Ft(i))R2 solve for Ft(i) = (T1/T2)1/(R1-R2) solve for gx = T1/(Ft(i)R1) • • WITHDRAW: SPEND: Alice’s SK x seeds s,t =pk(x,s,t) A = Fs(i), T = gx(Ft(i))R Ci,Cx,Cs,Ct : commitments to i,x,s,t ZKPOK of (i,x,s,t,) such that 0. They correspond to Ci,Cx,Cs,Ct 1. 1 ≤ i ≤ N Standard techniques 2. A = Fs(i) [DY05]: Fs(i) = g1/(s+i+1) 3. T = gx(Ft(i))R 4. VerifySig(pk,(x,s,t), ) = TRUE CL 2PC CL sk BANK First Signature Scheme • (Sig scheme for messages of length ℓ(m), security parameter k) • Key generation: n = pq = (2p’+1)(2q’+1) of length ℓ(n) a, b, c QRn • Signing m: e PRIMESℓ(m)+2 , s {0,1} ℓ(n)+ℓ(m)+k solve for v such that ve = ambsc mod n • Verification of {m, σ = (s,e,v)}: check that ve = ambsc mod n check the lengths of m,s,e Provable Security • Under the Strong RSA assumption – hard, on input an RSA modulus n, and a value u, to compute (v,e) such that e > 1 and ve=u • I will skip the proof of security And Now the Two Protocols • Signature on a committed value • ZK proof of knowledge of a signature But First: Some Known Tools • Commitment scheme [Ped92,FO97]: – PK: N = (2P’+1)(2Q’+1), g, h QRN – Commit(x,r) = gxhr mod N • ZK proof of knowledge of representations [S91] – protocol between a “prover” P and a “verifier” V – common input is some value C in some group where the discrete logarithm problem is hard, and some generators g1, g2, ..., g15 – P knows how to represent C in terms of g1, g2, ..., g15 : C = g1x1g2x2...g15x15. – P can convince V that he knows x1, x2, ..., x15 s.t. V learns nothing about them – but with access to the P’s algorithm, can extract the representation. • ZK proofs of equality of representations & other relations [S91,Brands99,CM99] • ZK proof that a committed number lies in an integer interval [B00]. Signature on a Committed Value 1. Commit to m: Cm= ambr mod n 2. Prove knldge of rep of Cm and correct lengths 4. Output s = r+t, e, v Cm Proof of knowledge Alice t,e,v 3. Pick random t, e. Solve for v in Signer ve = Cmbtc mod n Send (t,e,v) Proof of Knowledge of a Signature • Imagine that you are the PROVER! – Have m, σ = (v,e,s), s.t. ve = ambsc – For a random r, let u = vbr. – Note that ue= ambs+rec • so (u,e,s+re) is also a sig on m – Then c = uea-mb-s-re – Give u to the verifier and prove knowledge of representation of c in bases u,a,b; prove that these discrete logs are of the right length • (this version of this protocol due to [CG04]) Signature for Blocks of Messages • Wish to sign a block of messages, (m1,...,mL) – normally just use a hash function: • M = H(m1,...,mL), then sign M – not in this case: want efficient protocols • Variant of the other scheme: – Public key: n of length ℓ(n) same as before a1, ..., aL, b, c QRn – Signing (m1,...,mL): random e and s as before solve for v such that ve = a1m1... aLmLbsc mod n – Verification of {m1,...,mL, σ = (s,e,v)} : check ve and lengths, as before • Security follows from first scheme Signature on a Committed Block 1. Commit to m1,...,mL : Cm= a1m1...aLmLbr mod n 2. Prove knldge of rep of Cm and correct lengths 4. Output s = r+t, e, v Cm Proof of knowledge Alice t,e,v 3. Pick random t, e. Solve for v in Signer e v = Cmbtc mod n Send (t,e,v) Proof of Knowledge of a Signature • Imagine that you are the PROVER! – – – – – – Have m1,...,mL, σ = (v,e,s), s.t. ve = a1m1...aLmLbsc For a random r, let u = vbr. Note that ue= a1m1...aLmLbs+rec so (u,e,s+re) is also a sig on m1,...,mL Then c = uea1-m1...aL-mLb-s-re Give u to the verifier and prove knowledge of representation of c in bases u,a1,...,aL,b; prove that these discrete logs are of the right length Anonymous Credentials • SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Commit(user’s real SK x) P, pk • Obtain cred: opening of P =pk(x) 2PC • Anonymously prove possession of credential: ZKPOK of (x,) such that VerifySig(pk,x,) = TRUE sk BANK Anonymous Credentials • SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Commit(user’s real SK x) P, pk • Obtain cred: opening of P =pk(x) 2PC sk BANK • Anonymously prove possession of credential for pseudonym P’ (not the same as pseudonym P): ZKPOK of (x,R,) such that 1. VerifySig(pk,x, ) = TRUE 2. P’ = Commit(x;R) Anonymous Credentials w. Identity Escrow • SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = EncryptCA(user’s real SK x) P, pk • Obtain cred: opening of P =pk(x) 2PC sk BANK • Anonymously prove possession of credential for pseudonym P’ (not the same as pseudonym P): ZKPOK of (x,R,) such that 1. VerifySig(pk,x, ) = TRUE 2. P’ = Commit(x;R) Anonymous Ecash Credentials • SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Commit(user’s real SK x) P, pk • Obtain cred: opening of P same as ecash 2PC sk • Spend under pseudonym P’ (not the same as pseudonym P): same as ecash, must prove that the secret x is inside the pseudonym was signed BANK Anonymous Credentials with Attributes • SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Commit(user’s real SK x, attr A1,...An) P, pk • Obtain cred: opening of P =pk(x,A1,...,An) 2PC sk BANK • Anonymously prove possession of credential for pseudonym P’ (not the same as pseudonym P): ZKPOK of (x,A1,...,An,R,) such that 1. VerifySig(pk,(x,A1,...,An),) = TRUE 2. P’ = Commit(x;R) 3. Attributes satisfy desired relation Anonymous Credentials “Light” [BL12] • SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Commit(user’s real SK x) P, pk • Obtain cred: opening of P P’ = Commit(x;R’), R’, =pk(P’) 2PC sk BANK • Anonymously prove possession of credential (can only do it once!): Reveal P’ and Anonymous Credentials “Light” [BL12] • SETUP: Signature key pair for Issuer (pk,sk). The user is anonymous, but known to the issuer under a pseudonym P = Commit(user’s real SK x) P, pk • Obtain cred: opening of P P’ = Commit(x;R’), R’, =pk(P’) 2PC sk BANK • Anonymously prove possession of credential (can only do it once!) under pseudonym P’’ (not the same as P or P’): Reveal P’ and ZK Prove that P’ and P’’ are commitments to the same value