Privacy-Preserving
Authentication: A Tutorial
Anna Lysyanskaya
Brown University
What is Authentication?
Today’s news?
Who are you? Do you have a
subscription?
Identification
It’s Bond. James Bond. Here’s
my subscription.
Digital
signature
projo.com
Signature Schemes
• Setup: I run a setup algorithm to obtain my public key PK and secret key SK
• Now I can sign (using SK):
– Sign(SK,m) → σ (denoted σPK(m))
• And you can verify it (using PK):
– Verify(PK,m,σ) → Yes/No
Signature Schemes
• Security: no adversary can forge a signature even after seeing sigs on messages of his choice
[Figure: given PK, the adversary submits messages m1, m2, ..., receives σPK(m1), σPK(m2), ..., and then outputs m, σPK(m)]
Secure if this is unlikely
History of Signature Schemes
• 1970s: invention of PK crypto, DH, RSA, Lamport, Merkle
• Definition & first provably secure construction: GMR84
• Random-oracle-based constructions: Fiat-Shamir, Schnorr, GQ,
Bellare-Rogaway, ...
• Lattice-based [GGH97], NTRU
• Minimal assumptions: Naor-Yung, Rompel (OWF)
• Stateless and provably secure
– under SRSA: Gennaro-Halevi-Rabin’99, Cramer-Shoup’99
– under BDH: Boneh-Boyen [Eurocrypt 2004]
• Other flavors: group sigs, blind sigs [Chaum]
• This talk: signatures that allow you to prove that you have a
signed document, efficiently, without revealing (too much) about
the contents of the document [...,L02,CL04,CL05,...,BL12].
Using Signature Schemes
I am James Bond. Please
give me a cert that I have
a ProJo subscription.
σ=σProJo(James Bond)
Today’s news?

Digital
signature
Let me check
that you have
a valid subscription. Who are you?
Identification
James Bond. My σ.
projo.com
PKProJo
Certification
authority (CA)
projo.com
Using Signature Schemes
I am James Bond. Please
give me a cert that I have
a ProJo subscription.
PKJB
σ=σProJo(James Bond)
Today’s news?
PKJB

Identification

Digital
signature
Let me check
that you have
a valid subscription. Who are you?
PKJB. My σ.
projo.com
PKProJo
Certification
authority (CA)
projo.com
That’s how authentication
with identification is done.
Why do you want to do it
without?
How do you do it without?
Anonymous Access
Today’s news?
Who are you? Do you have a
subscription?
It’s Bond. James Bond.
I can tell you, but then I’ll have to kill you...
projo.com
Anonymous Access
Today’s news?
Show me your subscription.
Subscription #76590
projo.com
Anonymous Access
Today’s news?
Prove that you are authorized.
Here is a zero-knowledge proof
projo.com
Zero-Knowledge Proof [GMR]
Let L be a language.
A zero-knowledge (ZK) proof system for L is a
protocol between a prover P (can be computationally
unbounded) and a verifier V (poly-time TM) such that:
(Completeness) For an x in L, P convinces V
(Soundness 1-ε) For any x not in L, no malicious P’ can
cause V to accept with more than ε probability
(Zero-knowledge - informal) Everything V learns as a
result of talking to P, he can learn without talking to P.
Example: The Set of 3-Colorable
Graphs
1. Each vertex
colored red, green
or blue
2. No
monochromatic
edges
Is every graph 3-colorable?
No...
ZK Proof of 3-Colorability
You are just
trying to trick me!
This graph is not
3-colorable!
ZK Proof of 3-Colorability
If you’re
cheating, I have
1 in 11 chance
to catch you.
ZK Proof of 3-Colorability
I want better
odds!
ZK Proof of 3-Colorability
If we repeat
100 times and you
are lying, I’ll
surely catch you!
[GMW86]
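One round of the 3-colorability proof and its repetition, as an added example that is not from the slides: the prover commits to a randomly permuted coloring, the verifier challenges one edge, and only that edge's two endpoints are opened. The graph, the colorings and the SHA-256 hash commitment are assumptions made here; the graph has 11 edges to match the "1 in 11" odds above.

```python
import hashlib
import random
import secrets

# Constructed sample graph (not from the slides): 6 vertices, 11 edges.
EDGES = [(0, 1), (0, 2), (0, 4), (0, 5), (3, 1), (3, 2),
         (3, 4), (3, 5), (1, 2), (1, 5), (4, 2)]
GOOD = [0, 1, 2, 0, 1, 2]   # valid 3-coloring, indexed by vertex
BAD = [0, 1, 2, 0, 1, 1]    # vertex 5 recolored: edge (1, 5) is monochromatic


def commit(color):
    """Hash commitment (assumed stand-in): returns (digest, opening)."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + bytes([color])).digest(), (nonce, color)


def prover_commit(coloring):
    """Permute the three colors at random, then commit to every vertex."""
    perm = random.sample(range(3), 3)
    pairs = [commit(perm[c]) for c in coloring]
    return [d for d, _ in pairs], [o for _, o in pairs]


def verifier_check(commitments, edge, opened):
    """Accept iff both openings match and the endpoints differ in color."""
    colors = []
    for vertex, (nonce, color) in zip(edge, opened):
        if color not in (0, 1, 2):
            return False
        if hashlib.sha256(nonce + bytes([color])).digest() != commitments[vertex]:
            return False
        colors.append(color)
    return colors[0] != colors[1]


def one_round(coloring, edge):
    """Commit, receive the challenge edge, open only its two endpoints."""
    commitments, openings = prover_commit(coloring)
    u, v = edge
    return verifier_check(commitments, edge, (openings[u], openings[v]))


def run_proof(coloring, rounds=100):
    """The verifier picks a fresh random edge each round; any failure rejects."""
    return all(one_round(coloring, secrets.choice(EDGES)) for _ in range(rounds))


def cheat_survival(rounds):
    """Chance that a coloring with one bad edge out of |E| survives all rounds."""
    return (1 - 1 / len(EDGES)) ** rounds
```

The fresh permutation in every round is what keeps the two opened colors from revealing anything about the coloring itself.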
Zero-Knowledge: A Crash Course
Theorem [GMW87]: every L in NP has a
zero-knowledge proof system.
Proof. Reduce the language at hand to graph
3-colorability (recall that 3-col is NP-complete). Use:
Lemma: 3-colorability has a zero-knowledge proof
system.
Zero-Knowledge: A Crash Course
Theorem [GMW]: every language in NP has a
zero-knowledge proof system.
Theorem [FLS]: every language in NP has a
non-interactive ZK proof system (NIZK).
ZK POK: a ZK proof of knowledge, i.e. V accepts
if the prover knows a value that satisfies an NP relation,
e.g. a valid 3-coloring of a graph.
Accessing a Resource
I need access to SIAM
J on Computing, 17:2
PKJS
User
Prove to me that you have
a valid subscription!
Sure! Here’s a zero-knowledge
proof: ...
Online library
Using Credentials Anonymously
I am PKJS. Please give me a cert that I go to High School.
σCA=σCA(PKJS, High School)
PKCA
Certification authority (CA)
I need access to SIAM J on Computing, 17:2
Prove to me that you have a valid subscription!
Zero-knowledge proof that I know SK, PK and σ such that:
(1) PK corresponds to SK
(2) Verify(PKCA,(PK, High School),σ).
Online library
Using Credentials Anonymously
I am PKJS. Please give me a cert that I go to Moses Brown School.
σCA=σCA(PKJS, Moses Brown)
PKCA
Certification authority (CA)
We already know that we can do it! Just reduce the problem at hand to graph 3-col, and run a ZK proof!
Would be nice to do that more efficiently.
I need access to SIAM J on Computing, 17:2
Prove to me that you have a valid subscription!
Zero-knowledge proof that I know SK, PK and σ such that:
(1) PK corresponds to SK
(2) Verify(PKCA,(PK, High School),σ).
Online library
Obtaining Credentials Anonymously
I am PKJS. Please give me a cert that I go to Moses Brown School.
σCA=σCA(PKJS, Moses Brown)
PKCA
Certification authority (CA)
I need access to SIAM J on Computing, 17:2
Prove to me that you have a valid subscription!
Zero-knowledge proof that I know SK, PK and σ such that:
(1) PK corresponds to SK
(2) Verify(PKCA,(PK, High School),σ).
You are such a good customer, I want to also give you a credential!
Online library
Anonymous credential = signature issued to a hidden
value PK/SK: the library never sees the value it is signing
Secure 2PC: A Crash Course
Theorem [Yao]: every function f(x,y) can be computed
via a protocol between Alice holding input x, and Bob
holding input y such that (informally):
(1) Alice receives output f(x,y) (even if Bob deviates
from the protocol, she receives f(x,y) for some well-defined y known to Bob in advance)
(2) Even if Alice maliciously deviates, she cannot learn
more than f(x,y) for some well-defined x known to her
in advance
(3) Even if Bob maliciously deviates, he cannot learn
anything about x.
Secure 2PC: A Crash Course
[Figure: Alice (input x) and Bob (input y) run the 2PC; Alice obtains f(x,y)]
Signature Schemes with
Efficient Protocols
• WE WANT a signature scheme that is
– efficient, provably secure
– has an efficient ZK proof of knowledge of a sig.
– has a secure two-party protocol for signing a hidden value
• WHY: applications for authentication without identification, as well as group
signatures, blind signatures, fair exchange of digital signatures, ...
Roadmap for This Talk
• Building blocks
• Main idea of off-line ecash [CFN89 + CL02]
• Main idea of compact ecash [CHL05]
• Extensions [CHL06,CHKLM06]
• Technical details: how to instantiate generalized
ecash [CL02,...BL12]
• Extending to more complicated anonymous
credentials
Warning: there might be a pop quiz...
Anonymity + Accountability: Use Money!
[Figure: the BANK, Alice and a Merchant; banknotes marked “TWO DOLLARS” with a portrait labelled “Rivest”; Alice: Spend $$$]
The Money Cycle
BANK
Spend $$$
Alice
Merchant
• Three protocols: Withdraw, Spend, Deposit
• Desirable properties:
- can’t forge/copy money
- can’t trace how cash was spent
Electronic Version
BANK
Spend $$$
Alice
?
Merchant
• Three protocols: Withdraw, Spend, Deposit
• Desirable properties:
- can’t forge/copy money
- can’t trace how cash was spent
Electronic Version
BANK
Spend $$$
Alice
Merchant
• Preventing copying/forgery:
- money is represented by data, data can be copied
- not an issue if we do electronic checks
- but electronic checks provide no privacy
• Online e-cash [Chaum]:
- Bank maintains records of past transactions
- Withdraw and Spend are unlinkable
- during Deposit, test if the coin is unspent
Off-Line Ecash [CFN89]
BANK
Spend $$$
Alice
Merchant
• Algs: Setup, Withdraw, Spend, Deposit,
Identify
- Setup sets up everyone’s keys (separately)
- Identify: if Alice spends more than she withdrew,
her identity is discovered once the Merchant
deposits the money (Merchant need not do this
right away).
• Privacy: colluding B&M can’t trace how a coin is spent.
History
• Chaum’82: invented blind signatures,
makes on-line ecash possible
• [CFN,Brands]: off-line e-cash
Main Idea of Off-Line Ecash
• Recall: digital signatures, secure 2-party computation, ZK proofs of knowledge
• SETUP: Signature key pair for Bank (pk,sk).
Assume a PKI for all the users.
Large prime Q.
Public: PKI, Q, pk
• WITHDRAW (2PC between Alice and the BANK, which holds sk):
Alice’s SK x
Random A,B < Q
σ = σpk(x,A,B)
• SPEND:
0 < “new” R < Q, e.g. R=H(contract, rand)
A (the coin’s serial number)
T = x+RB mod Q (double-spending equation)
NIZKPOK of (x,B,σ) such that
1. T = x+RB
2. VerifySig(pk,(x,A,B),σ) = TRUE
• Deposit: submit (A,R,T,proof) to the Bank
Main Idea of Off-Line Ecash
(SETUP, WITHDRAW, SPEND and Deposit as on the previous slide.)
Suppose a coin is spent twice.
Same coin => same A
Spent twice: two R’s, with high prob, R ≠ R’
T = x+RB mod Q, T’ = x+R’B mod Q
solve for x, id and punish Alice
Privacy for Alice: A,T: random, proof is ZK!
Compact Ecash
BANK
Spend $$$
Alice
Merchants
• Algs: Setup, Withdraw, Spend, Deposit, Identify
• Withdraw: a wallet with N coins
• Spend, deposit: just one coin
• Want: complexity of protocols O(log N), not O(N)
Compact Ecash: Main Idea [CHL05]
Let F(·)(·) be a pseudorandom function family
Public: PKI, Q, pk
• WITHDRAW $N (2PC between Alice and the BANK, which holds sk):
Alice’s SK x
Random s,t
σ = σpk(x,s,t)
• SPEND $1 for the ith time:
new R < Q
A = Fs(i) (the coin’s serial number)
T = x+RFt(i) mod Q (double-spending equation)
NIZKPOK of (i,x,s,t,σ) such that
1. 1 ≤ i ≤ N
2. A = Fs(i)
3. T = x+RFt(i)
4. VerifySig(pk,(x,s,t),σ) = TRUE
• Deposit: submit (A,R,T,proof) to the Bank
Suppose spent >N coins => repeating A = Fs(i) for some i
A spent twice: two random R’s, with high prob, R ≠ R’
T = x+RFt(i), T’ = x+R’Ft(i)
solve for x, id and punish Alice
Privacy for Alice: A and T are pseudorandom, Proofs are ZK
• TBA: how to instantiate using practical building blocks.
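The serial number and double-spending equation of the off-line and compact ecash slides above, worked through Deposit and Identify as an added example (not code from the talk). Assumptions made here: HMAC-SHA256 reduced mod Q stands in for the PRF F, Q is an arbitrary prime, and the class and function names are hypothetical; the bank's signature, the 2PC withdrawal and the NIZKPOK are outside the example.

```python
import hashlib
import hmac
import secrets

Q = 2**127 - 1  # a prime, standing in for the slides' "large prime Q"


def prf(seed, i):
    """F_seed(i): HMAC-SHA256 reduced mod Q (assumed stand-in for the PRF)."""
    mac = hmac.new(seed, i.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % Q


class Wallet:
    """Alice's wallet of N coins: secret key x and random seeds s, t."""

    def __init__(self, x, n):
        self.x, self.n = x, n
        self.s, self.t = secrets.token_bytes(32), secrets.token_bytes(32)

    def spend(self, i, contract):
        """Spend coin i (1 <= i <= N); returns the transcript (A, R, T)."""
        if not 1 <= i <= self.n:
            raise ValueError("coin index outside the wallet")
        rand = secrets.token_bytes(16)
        digest = hashlib.sha256(contract + rand).digest()
        R = int.from_bytes(digest, "big") % (Q - 1) + 1   # 0 < R < Q
        A = prf(self.s, i)                                # serial number
        T = (self.x + R * prf(self.t, i)) % Q             # double-spending eq.
        return A, R, T


def identify(first, second):
    """Solve T = x + R*B and T' = x + R'*B for x, given equal serial numbers."""
    (a1, r1, t1), (a2, r2, t2) = first, second
    if a1 != a2 or r1 == r2:
        return None
    b = (t1 - t2) * pow((r1 - r2) % Q, -1, Q) % Q
    return (t1 - r1 * b) % Q


class Bank:
    def __init__(self):
        self.seen = {}   # serial number A -> first deposited transcript

    def deposit(self, coin):
        """Return None for a fresh serial number, else the recovered x."""
        first = self.seen.get(coin[0])
        if first is None:
            self.seen[coin[0]] = coin
            return None
        return identify(first, coin)
```

A single transcript gives the bank one equation in the two unknowns x and F_t(i), which is why one spend of each coin identifies nobody.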
ATTENTION:
POP QUIZ COMING UP!!!!
Generalized Ecash
• WITHDRAW (2PC between Alice and the BANK, which holds sk):
Alice’s SK x
Random s1,...,sL
σ = σpk(x,s1,...,sL)
• SPEND:
new R1,...,RM
PRF evaluations A1=Fsj(i1),...,A15=Fsz(i15)
Any set of linear combinations
T1 = x+∑ Rk Fsj(ij) (mod Q)
...
T10 = x+∑ R’k’ Fsj’(ij’) mod Q
NIZKPOK of (i,x,s1,...,sL,i1,...,i15, ... ,σ) s.t.
1. A1,...,A15,T1,...,T10 computed correctly
2. VerifySig(pk,(x,s1,...,sL),σ) = TRUE
• Deposit: submit ({Ai},{Ri},{Ti},proof) to the Bank
POP QUIZ:
Each user is allowed to spend
only up to 100 coins with the
Cheshire Cat. How to
instantiate Generalized Ecash
to guarantee this?
Hint: use multiple serial numbers
Preventing Money Laundering [CHL06]
• WITHDRAW $N (2PC between Alice and the BANK, which holds sk):
Alice’s SK x
s1,t1,s2,t2
σ = σpk(x,s1,t1,s2,t2)
• SPEND the ith coin; this is the jth time with this Merchant
new R < Q
A1 = Fs1(i), A2 = Fs2(CheshCat,j)
T1 = x+RFt1(i), T2 = x+RFt2(CheshCat,j)
NIZKPOK of (i,x,s1,t1,j,s2,t2,σ) such that
1. 1 ≤ i ≤ N, 1 ≤ j ≤ 100
2. A1 = Fs1(i), A2 = Fs2(CheshCat,j)
3. T1 = x+RFt1(i), T2 = x+RFt2(CheshCat,j)
4. VerifySig(pk,(x,s1,t1,s2,t2),σ) = TRUE
• Deposit: submit (A1,A2,R,T1,T2,proof) to the Bank
Suppose spend >N coins => repeating A1, catch Alice!
Suppose spend >100 with CheshCat => repeating A2 = Fs2(CheshCat,j), catch Alice.
Privacy for Alice
• Cannot be done with physical cash! Was an open problem too, for a while.
POP QUIZ 2:
A user is allowed to spend up to
100 coins (tokens) per day.
Each morning, her wallet is
reset. How to do this?
Hint: use a PRF with two inputs, Fs(i,j)
Compact E-Tokens [CHKLM06]
• WITHDRAW (2PC between Alice and the BANK, which holds sk):
Alice’s SK x
Random s,t
σ = σpk(x,s,t)
• SPEND the ith token on Day j
new R < Q
A = Fs(i,j)
T = x+RFt(i,j)
NIZKPOK of (i,x,s,t,σ) such that
1. 1 ≤ i ≤ 100
2. A = Fs(i,j)
3. T = x+RFt(i,j)
4. VerifySig(pk,(x,s,t),σ) = TRUE
• Deposit: submit (A,R,T,proof) to the Bank
Suppose spend >100 coins on day j => repeating A=Fs(i,j) for some i => catch Alice!
Privacy for Alice: same as in compact ecash
A simple solution to the uncloneable group identification problem [DDP06]
POP QUIZ 3:
If you double-spend < 4 e-tokens,
these e-tokens are linked, but your
identity cannot be traced. If you
double-spend 4 times, you are
identified and your SK is computed.
Hint: use multiple R1, ..., RL
Glitch Protection [CHKLM06]
• WITHDRAW (2PC between Alice and the BANK, which holds sk):
Alice’s SK x
s,t,u,v,L,z1,z2,z3
σ = σpk(x,s,t,u,v,L,z1,z2,z3)
• SPEND $1 for the ith time:
R, r1, r2, r3
A = Fs(i)
T = L+RFt(i)
Y = Fu(i)+RFv(i)
Z = x + r1z1 + r2z2 + r3z3 + Fu(i)
NIZKPOK of (i,x,s,t,u,v,L,z1,z2,z3,σ) such that
1. 1 ≤ i ≤ N
2. A = Fs(i), T = L+RFt(i), Y = Fu(i)+RFv(i)
3. Z = x + r1z1 + r2z2 + r3z3 + Fu(i)
4. VerifySig(pk,(x,s,t,u,v,L,z1,z2,z3),σ)
Suppose spend N+4 coins
=> repeating A=Fs(i) for some i (possibly for i1, i2, i3, i4)
=> L pops out of repeating A using T, T’, R, R’
=> link them together!
=> Fu(i) pops out of repeating A using Y, Y’, R, R’
=> each overspending gives x + r1z1 + r2z2 + r3z3 = Z-Fu(i)
Roadmap for This Talk
• Building blocks
• Main idea of off-line ecash [CFN89 + CL02]
• Main idea of compact ecash [CHL05]
• Extensions [CHL06,CHKLM06]
• Technical details: how to instantiate generalized
ecash
Compact Ecash with CL Sigs
• Pedersen and Fujisaki-Okamoto commitments:
– If G is a group with generators g1,g2,…,gn,h, commit to x1,x2,…,xn:
C = g1^x1 g2^x2 … gn^xn h^r for random r < |G|
– [Brands99,Camenisch98]: ZKPOKs of committed values w algebraic and Boolean props
• CL sigs [CL01,L02,CL02,CL04,...,CL50]:
– Efficient, provably secure sig (Strong RSA [CL02], LRSW or SDHI [CL04])
– Efficient protocol for getting a sig on a set of Ped- & FO-committed values (x1,x2,...,xn)
– Efficient protocol for proving knowledge of a sig on a set of committed values
• WITHDRAW (CL 2PC between Alice and the BANK, which holds sk):
Alice’s SK x
seeds s,t
σ = σpk(x,s,t)
• SPEND:
new R < Q
A = Fs(i), T = x+RFt(i) mod Q
Ci,Cx,Cs,Ct : commitments to i,x,s,t
ZKPOK of (i,x,s,t,σ) such that
0. They correspond to Ci,Cx,Cs,Ct
1. 1 ≤ i ≤ N (Standard techniques)
2. A = Fs(i) [DY05]: Fs(i) = g^(1/(s+i+1))
3. T = x+RFt(i) ??????
4. VerifySig(pk,(x,s,t),σ) = TRUE (CL)
Compact Ecash with CL Sigs
• WITHDRAW (CL 2PC between Alice and the BANK, which holds sk):
Alice’s SK x
seeds s,t
σ = σpk(x,s,t)
• SPEND:
A = Fs(i), T = g^x (Ft(i))^R
Ci,Cx,Cs,Ct : commitments to i,x,s,t
ZKPOK of (i,x,s,t,σ) such that
0. They correspond to Ci,Cx,Cs,Ct
1. 1 ≤ i ≤ N (Standard techniques)
2. A = Fs(i) [DY05]: Fs(i) = g^(1/(s+i+1))
3. T = g^x (Ft(i))^R
4. VerifySig(pk,(x,s,t),σ) = TRUE (CL)
Suppose i’th coin is spent twice.
Same coin => same A
Spent twice: two random R’s, with high prob, R1 ≠ R2
T1 = g^x (Ft(i))^R1, T2 = g^x (Ft(i))^R2
solve for Ft(i) = (T1/T2)^(1/(R1-R2))
solve for g^x = T1/(Ft(i))^R1
First Signature Scheme
• (Sig scheme for messages of length
ℓ(m), security parameter k)
• Key generation:
n = pq = (2p’+1)(2q’+1) of length ℓ(n)
a, b, c ∈ QRn
• Signing m:
e ∈ PRIMES of length ℓ(m)+2, s ∈ {0,1}^(ℓ(n)+ℓ(m)+k)
solve for v such that v^e = a^m b^s c mod n
• Verification of {m, σ = (s,e,v)}:
check that v^e = a^m b^s c mod n
check the lengths of m,s,e
Provable Security
• Under the Strong RSA assumption
– hard, on input an RSA modulus n, and a
value u, to compute (v,e) such that e > 1 and
v^e = u
• I will skip the proof of security
And Now the Two Protocols
• Signature on a committed value
• ZK proof of knowledge of a signature
But First: Some Known Tools
• Commitment scheme [Ped92,FO97]:
– PK: N = (2P’+1)(2Q’+1), g, h ∈ QRN
– Commit(x,r) = g^x h^r mod N
• ZK proof of knowledge of representations [S91]
– protocol between a “prover” P and a “verifier” V
– common input is some value C in some group where the discrete
logarithm problem is hard, and some generators g1, g2, ..., g15
– P knows how to represent C in terms of g1, g2, ..., g15:
C = g1^x1 g2^x2 ... g15^x15.
– P can convince V that he knows x1, x2, ..., x15 s.t. V learns nothing
about them
– but with access to P’s algorithm, one can extract the
representation.
• ZK proofs of equality of representations & other relations
[S91,Brands99,CM99]
• ZK proof that a committed number lies in an integer
interval [B00].
Signature on a Committed Value
Alice:
1. Commit to m: Cm = a^m b^r mod n
2. Prove knowledge of rep of Cm and correct lengths
Alice → Signer: Cm, proof of knowledge
Signer:
3. Pick random t, e. Solve for v in v^e = Cm b^t c mod n. Send (t,e,v)
Signer → Alice: t,e,v
Alice:
4. Output s = r+t, e, v
Proof of Knowledge of a Signature
• Imagine that you are the PROVER!
– Have m, σ = (v,e,s), s.t. v^e = a^m b^s c
– For a random r, let u = v b^r.
– Note that u^e = a^m b^(s+re) c
• so (u,e,s+re) is also a sig on m
– Then c = u^e a^(-m) b^(-s-re)
– Give u to the verifier and prove knowledge
of representation of c in bases u,a,b; prove
that these discrete logs are of the right
length
• (this version of this protocol due to [CG04])
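The first signature scheme, the signature on a committed value and the re-randomization step used in the proof of knowledge, run end to end as an added example (not the author's code). The modulus is toy-sized and constructed here, the function names are hypothetical, and the ZK proofs themselves (knowledge of the representation of Cm, and of c in bases u, a, b) are outside the example.

```python
import math
import secrets

# Toy parameters constructed for this example (real moduli are 2048+ bits).
P1, Q1 = 509, 491                    # p', q'
N = (2 * P1 + 1) * (2 * Q1 + 1)      # n = pq, safe primes p = 1019, q = 983
L_M, K = 8, 16                       # message length l(m), security parameter k
S_BITS = N.bit_length() + L_M + K    # l(n) + l(m) + k


def random_qr():
    """Random quadratic residue mod n, excluding the trivial value 1."""
    while True:
        g = secrets.randbelow(N - 2) + 2
        if math.gcd(g, N) == 1 and pow(g, 2, N) != 1:
            return pow(g, 2, N)


def random_prime(bits):
    """Random prime of exactly `bits` bits by trial division (toy sizes)."""
    while True:
        e = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(e % d for d in range(3, math.isqrt(e) + 1, 2)):
            return e


A, B, C = random_qr(), random_qr(), random_qr()   # public key values a, b, c


def solve_v(target, e):
    """Signer only: v with v^e = target, using the group order p'q' of QR_n."""
    return pow(target, pow(e, -1, P1 * Q1), N)


def sign(m):
    e, s = random_prime(L_M + 2), secrets.randbits(S_BITS)
    return s, e, solve_v(pow(A, m, N) * pow(B, s, N) * C % N, e)


def equation_holds(m, sig):
    s, e, v = sig
    return pow(v, e, N) == pow(A, m, N) * pow(B, s, N) * C % N


def verify(m, sig):
    """Check v^e = a^m b^s c mod n and the lengths of m, s, e."""
    s, e, _ = sig
    lengths_ok = (0 <= m < 2 ** L_M and e.bit_length() == L_M + 2
                  and 0 <= s < 2 ** S_BITS)
    return lengths_ok and equation_holds(m, sig)


def issue_on_commitment(m):
    """Both sides of the issuing protocol; the signer's lines use only C_m."""
    r = secrets.randbits(S_BITS - 1)
    c_m = pow(A, m, N) * pow(B, r, N) % N         # Alice: C_m = a^m b^r
    t, e = secrets.randbits(S_BITS - 1), random_prime(L_M + 2)
    v = solve_v(c_m * pow(B, t, N) * C % N, e)    # signer: v^e = C_m b^t c
    return r + t, e, v                            # Alice: s = r + t


def randomize(sig):
    """u = v*b^r gives (u, e, s + r*e), which satisfies the same equation."""
    s, e, v = sig
    r = secrets.randbits(S_BITS)
    return s + r * e, e, v * pow(B, r, N) % N
```

The randomized triple is checked with `equation_holds` rather than `verify` because s + re is longer than a freshly issued s; in the protocol the lengths are covered by the proof.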
Signature for Blocks of Messages
• Wish to sign a block of messages, (m1,...,mL)
– normally just use a hash function:
• M = H(m1,...,mL), then sign M
– not in this case: want efficient protocols
• Variant of the other scheme:
– Public key: n of length ℓ(n) same as before
a1, ..., aL, b, c ∈ QRn
– Signing (m1,...,mL): random e and s as before
solve for v such that
v^e = a1^m1 ... aL^mL b^s c mod n
– Verification of {m1,...,mL, σ = (s,e,v)} : check v^e and
lengths, as before
• Security follows from first scheme
Signature on a Committed Block
Alice:
1. Commit to m1,...,mL: Cm = a1^m1 ... aL^mL b^r mod n
2. Prove knowledge of rep of Cm and correct lengths
Alice → Signer: Cm, proof of knowledge
Signer:
3. Pick random t, e. Solve for v in v^e = Cm b^t c mod n. Send (t,e,v)
Signer → Alice: t,e,v
Alice:
4. Output s = r+t, e, v
Proof of Knowledge of a Signature
• Imagine that you are the PROVER!
– Have m1,...,mL, σ = (v,e,s), s.t. v^e = a1^m1 ... aL^mL b^s c
– For a random r, let u = v b^r.
– Note that u^e = a1^m1 ... aL^mL b^(s+re) c
– so (u,e,s+re) is also a sig on m1,...,mL
– Then c = u^e a1^(-m1) ... aL^(-mL) b^(-s-re)
– Give u to the verifier and prove knowledge of
representation of c in bases u,a1,...,aL,b; prove
that these discrete logs are of the right
length
Anonymous Credentials
• SETUP: Signature key pair for Issuer (pk,sk).
The user is anonymous, but known to the issuer under a
pseudonym P = Commit(user’s real SK x)
Public: P, pk
• Obtain cred (2PC with the BANK, which holds sk):
opening of P
σ = σpk(x)
• Anonymously prove possession of credential:
ZKPOK of (x,σ) such that
VerifySig(pk,x,σ) = TRUE
Anonymous Credentials
• SETUP: Signature key pair for Issuer (pk,sk).
The user is anonymous, but known to the issuer under a
pseudonym P = Commit(user’s real SK x)
Public: P, pk
• Obtain cred (2PC with the BANK, which holds sk):
opening of P
σ = σpk(x)
• Anonymously prove possession of credential for pseudonym P’ (not
the same as pseudonym P):
ZKPOK of (x,R,σ) such that
1. VerifySig(pk,x,σ) = TRUE
2. P’ = Commit(x;R)
Anonymous Credentials w. Identity Escrow
• SETUP: Signature key pair for Issuer (pk,sk).
The user is anonymous, but known to the issuer under a
pseudonym P = EncryptCA(user’s real SK x)
Public: P, pk
• Obtain cred (2PC with the BANK, which holds sk):
opening of P
σ = σpk(x)
• Anonymously prove possession of credential for pseudonym P’ (not
the same as pseudonym P):
ZKPOK of (x,R,σ) such that
1. VerifySig(pk,x,σ) = TRUE
2. P’ = Commit(x;R)
Anonymous Ecash Credentials
• SETUP: Signature key pair for Issuer (pk,sk).
The user is anonymous, but known to the issuer under a
pseudonym P = Commit(user’s real SK x)
Public: P, pk
• Obtain cred (2PC with the BANK, which holds sk):
opening of P
same as ecash
• Spend under pseudonym P’ (not the same as pseudonym P):
same as ecash, must prove that the
secret x inside the pseudonym was
signed
Anonymous Credentials with Attributes
• SETUP: Signature key pair for Issuer (pk,sk).
The user is anonymous, but known to the issuer under a
pseudonym P = Commit(user’s real SK x, attr A1,...,An)
Public: P, pk
• Obtain cred (2PC with the BANK, which holds sk):
opening of P
σ = σpk(x,A1,...,An)
• Anonymously prove possession of credential for pseudonym P’ (not the
same as pseudonym P):
ZKPOK of (x,A1,...,An,R,σ) such that
1. VerifySig(pk,(x,A1,...,An),σ) = TRUE
2. P’ = Commit(x;R)
3. Attributes satisfy desired
relation
Anonymous Credentials “Light” [BL12]
• SETUP: Signature key pair for Issuer (pk,sk).
The user is anonymous, but known to the issuer under a
pseudonym P = Commit(user’s real SK x)
Public: P, pk
• Obtain cred (2PC with the BANK, which holds sk):
opening of P
P’ = Commit(x;R’),
R’, σ = σpk(P’)
• Anonymously prove possession of credential (can only do it once!):
Reveal P’ and σ
Anonymous Credentials “Light” [BL12]
• SETUP: Signature key pair for Issuer (pk,sk).
The user is anonymous, but known to the issuer under a
pseudonym P = Commit(user’s real SK x)
Public: P, pk
• Obtain cred (2PC with the BANK, which holds sk):
opening of P
P’ = Commit(x;R’),
R’, σ = σpk(P’)
• Anonymously prove possession of credential (can only do it once!)
under pseudonym P’’ (not the same as P or P’):
Reveal P’ and σ
ZK Prove that P’ and P’’ are commitments
to the same value