@kunxian-xia
Last active July 23, 2018 08:54
BBS signature

  • Setup: choose a pairing-friendly curve group G with generator g, a target group Gt, and a pairing function e: G x G -> Gt.

  • KeyGen: sk = (x), pk = (g^x).

  • Sign(m): sig = g^{1/(x+mprime)}, where mprime = H(m).

  • Verify(m, sig): check if e(pk * g^{H(m)}, sig) == e(g, g).

BBS+ signature

  • Setup: group G1, G2, Gt. pairing function e: G1 x G2 -> Gt.

    common params:

    • g0, g1, (g2, ..., g_{L+1}) are elements from G1.

    • h0 is a generator of G2.

  • KeyGen: sample x uniformly from Zp, output sk = x, pk = h0^x.

  • Sign(sk, m1, ..., mL): choose two random numbers e and s from Zp. Compute B = g0 * g1^s * (g2^m1 ... * g_{L+1}^mL), then let A = B^{1/(e+x)}. The sig is (A, e, s).

  • Verify(pk, m1, ..., mL, sig): decode sig as (A, e, s), recompute B = g0 * g1^s * (g2^m1 ... * g_{L+1}^mL) as in Sign, and check if pairing(A, h0^e * pk) == pairing(B, h0).

Anonymous Credential

An anonymous credential scheme has three participants: the issuer, the user (prover), and the verifier. The issuer issues a certificate to the user that contains a list of the user's attributes and the issuer's signature (a BBS+ signature). A user who holds that credential can selectively disclose parts of it to a verifier.

1. Issuance protocol

The issuance protocol is an interactive protocol which consists of the following steps:

  1. The issuer sends a random nonce to the user.

  2. The user creates a Credential Request using the public key of the issuer, the user secret, and the nonce as input. The request consists of a commitment to the user secret (which can be seen as a public key) and a zero-knowledge proof of knowledge of the user secret key. The user sends the credential request to the issuer.

  3. The issuer verifies the credential request by verifying the zero-knowledge proof. If the request is valid, the issuer issues a credential to the user by signing the commitment to the secret key together with the attribute values, and sends the credential back to the user.

  4. The user verifies the issuer's signature and stores the credential, which consists of the signature value, the randomness used to create the signature, the user secret, and the attribute values.

In short, this can be summarized in the following diagram:

Issuer -------------------- Prover

        -- nonce(BigNum)--> 
        
        <-- CredRequest --
        
        --- Credential ---> 

CredRequest contains Nym, a commitment to the user's master secret of the form g1^(ms) * g2^(credS), and a zk-PoK of Nym.

Credential contains the BBS+ signature on attributes and Nym.
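The nonce and CredRequest exchange (steps 1 to 3) can be exercised without a pairing library. The sketch below is an added example, not code from this gist or from any credential library: it builds Nym = g1^ms * g2^credS with a Schnorr-style proof of knowledge bound to the issuer's nonce, and shows the issuer-side check. Assumptions: a prime-order subgroup of Z_P^* stands in for G1, the generators are derived by hashing labels, the challenge is a SHA-256 Fiat-Shamir hash, and all function names are hypothetical; the BBS+ signing of step 3 is left out because it needs a pairing.

```python
import hashlib, secrets
from math import gcd

# Toy stand-in for G1 (assumption): the order-Q subgroup of Z_P^*, P = K*Q + 1.
# Q = 2^127 - 1 is a Mersenne prime; the Pocklington test below proves P prime.
Q = 2**127 - 1
K = next(k for k in range(2, 10**6, 2) if pow(2, k * Q, k * Q + 1) == 1
         and gcd(pow(2, k, k * Q + 1) - 1, k * Q + 1) == 1)
P = K * Q + 1

def _h(*parts):
    """Hash ints/bytes to an int with SHA-256, length-prefixing each part."""
    d = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else x.to_bytes(32, "big")
        d.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(d.digest(), "big")

def _gen(label):
    """Hypothetical parameter derivation: hash a label into the order-Q subgroup."""
    return pow(_h(label) % P, K, P)

G1, G2 = _gen(b"g1"), _gen(b"g2")  # play the roles of the page's g1, g2

def new_nonce():
    """Issuer, step 1: fresh random nonce."""
    return secrets.randbelow(Q)

def cred_request(ms, nonce):
    """User, step 2: Nym = g1^ms * g2^credS plus a PoK of (ms, credS)."""
    cred_s = secrets.randbelow(Q)
    nym = pow(G1, ms, P) * pow(G2, cred_s, P) % P
    r_ms, r_s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = pow(G1, r_ms, P) * pow(G2, r_s, P) % P   # prover's commitment
    c = _h(G1, G2, t, nym, nonce) % Q            # challenge, bound to the nonce
    proof = (c, (r_ms + c * ms) % Q, (r_s + c * cred_s) % Q)
    return {"nym": nym, "proof": proof}, cred_s

def verify_request(req, nonce):
    """Issuer, step 3: check the PoK before signing anything."""
    nym, (c, z_ms, z_s) = req["nym"], req["proof"]
    if not (0 < nym < P and pow(nym, Q, P) == 1):  # reject values outside the subgroup
        return False
    # Recompute t = g1^z_ms * g2^z_s * Nym^(-c); Nym has order dividing Q.
    t = pow(G1, z_ms, P) * pow(G2, z_s, P) * pow(nym, (-c) % Q, P) % P
    return c == _h(G1, G2, t, nym, nonce) % Q
```

Because the challenge hashes the issuer's nonce, a CredRequest captured from one session fails verification when replayed against a fresh nonce.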

type IssuerSecretKey BigNum

2. Proof protocol

References

[CL02]. J. Camenisch and A. Lysyanskaya. A Signature Scheme with Efficient Protocols. SCN 2002.

[CL04]. J. Camenisch and A. Lysyanskaya. Signature Schemes and Anonymous Credentials from Bilinear Maps. Crypto 2004.

[BBS04]. D. Boneh, X. Boyen, and H. Shacham. Short Group Signatures. Crypto 2004.

[BBS+]. Man Ho Au, Willy Susilo, and Yi Mu. Constant-Size Dynamic k-TAA. SCN 2006.
