Real World Crypto 2021 - Session 13: Invited Talk
RWC2021 · Real World Crypto
Anna Lysyanskaya (Brown University) / Privacy-Preserving Authentication – From Theory to Practice
What makes ‘you’, you?
- offline - I think, therefore I am (after Descartes)
- online - I login, therefore I am
Nowadays this is embodied by cloud providers: you log in to them and they do the rest
But here’s an alternative: “Self-sovereign Identity”
- no-one can act on your behalf - that requires your cryptographic (private) key
- you can make assertions about your identity without needing a cloud provider's help
- no-one else controls your data
The term was introduced in The Path to Self-Sovereign Identity
But that isn't very academic, and it doesn't mention David Chaum, who in 1984 wrote A New Paradigm for Individuals in the Information Age: individuals go by a different pseudonym on each service they use, and can 'inject' their pseudonym into the digitally signed credentials issued by those services without invalidating the signature
Tim Berners-Lee is also pursuing this with his Solid project
If you don’t care about privacy then existing digital signatures are just fine.
But for privacy-preserving cases you end up needing ZK proofs, secure two-party computation, etc.
Anonymous Credentials: you have a privacy-conscious user, and a verifier.
If you present the same thing at every site (e.g. a certificate with a fixed public key) then you eventually lose anonymity, because all the verifications can be linked to each other. Instead:
- user : give me access
- verifier : convince me you’re authorized
- user : here's a ZK proof: a commitment C to my identity/secret key, plus a zero-knowledge proof of knowledge of the CA's signature on the value committed in C
Candidate commitment schemes: Pedersen, Fujisaki-Okamoto, Groth-Sahai
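As an added example (not code from the talk or from these notes), the commit-and-prove half of the exchange above in Python: a Pedersen commitment to the user's secret key, and a non-interactive (Fiat-Shamir) Schnorr-style proof of knowledge of its opening, bound to a verifier-supplied context so it cannot be replayed elsewhere. The same key is shown twice with fresh randomness, so the two commitments cannot be linked. The remaining piece of a real anonymous credential, proving knowledge of the CA's signature on the committed value, is deliberately left out. The toy safe-prime group generated at runtime, the `make_group`/`show`/`verify` names and the context strings are all assumptions of this example.

```python
# Added example: Pedersen commitment to a secret key plus a non-interactive
# (Fiat-Shamir) Schnorr-style proof of knowledge of the opening.
# Assumptions: a toy safe-prime group generated at runtime (not a deployment
# choice); the proof of knowledge of a CA signature on the committed value,
# which a real anonymous credential also needs, is deliberately omitted.
import hashlib
import random


def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=96, seed=1):
    """Toy group: safe prime p = 2q + 1 and two order-q generators g, h.
    h is derived from a hash so nobody knows log_g(h), which is what makes
    the Pedersen commitment binding."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q, rng) and _is_probable_prime(2 * q + 1, rng):
            break
    p = 2 * q + 1
    g = pow(rng.randrange(2, p - 1), 2, p)      # squaring lands in the order-q subgroup
    h = pow(int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big") % p, 2, p)
    return p, q, g, h


def _challenge(params, C, A, context):
    """Fiat-Shamir challenge: hash of the public parameters, the commitment,
    the proof's first message and a verifier-chosen context (e.g. a nonce)."""
    p, q, g, h = params
    data = b"|".join(str(x).encode() for x in (p, q, g, h, C, A)) + b"|" + context
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def show(params, sk, context, rng):
    """User side: fresh commitment C = g^sk * h^r and a proof of knowledge
    of (sk, r). A fresh r each time is what makes two shows unlinkable."""
    p, q, g, h = params
    r = rng.randrange(1, q)
    C = pow(g, sk, p) * pow(h, r, p) % p
    a, b = rng.randrange(1, q), rng.randrange(1, q)
    A = pow(g, a, p) * pow(h, b, p) % p
    c = _challenge(params, C, A, context)
    return C, (A, (a + c * sk) % q, (b + c * r) % q)


def verify(params, C, proof, context):
    """Verifier side: subgroup checks, then g^s1 * h^s2 == A * C^c."""
    p, q, g, h = params
    A, s1, s2 = proof
    if not (1 < C < p and 1 < A < p):
        return False
    if pow(C, q, p) != 1 or pow(A, q, p) != 1:   # reject small-subgroup inputs
        return False
    c = _challenge(params, C, A, context)
    return pow(g, s1, p) * pow(h, s2, p) % p == A * pow(C, c, p) % p


def demo():
    """Two shows of one secret key to two verifiers, plus two rejected proofs."""
    params = make_group()
    rng = random.Random(2021)
    sk = rng.randrange(1, params[1])            # user's long-term secret key
    ctx_a, ctx_b = b"verifier-A|nonce-1", b"verifier-B|nonce-9"   # constructed contexts
    C1, proof1 = show(params, sk, ctx_a, rng)
    C2, proof2 = show(params, sk, ctx_b, rng)
    A, s1, s2 = proof1
    return {
        "show_a_ok": verify(params, C1, proof1, ctx_a),
        "show_b_ok": verify(params, C2, proof2, ctx_b),
        "unlinkable": C1 != C2,                  # same sk, different commitments
        "replay_rejected": not verify(params, C1, proof1, ctx_b),
        "forgery_rejected": not verify(params, C1, (A, (s1 + 1) % params[1], s2), ctx_a),
    }


if __name__ == "__main__":
    print(demo())
```

The context string is what stops a verifier (or an eavesdropper) from replaying a proof it has seen at another site; the subgroup checks are the usual defence against a malformed commitment chosen outside the prime-order group. What this does not give you is the link to an issuer: a verifier here only learns that the prover knows some opening of C, not that a CA ever signed it, which is exactly the part that needs a signature scheme compatible with zero-knowledge proofs.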
AnonCred systems can include other features:
- attributes and selective disclosure;
- limited-use credentials: applications in e-cash, e.g. spend up to $X anonymously but no more;
- identity escrow: remain anonymous, but permit selective de-anonymisation (decryption) in an emergency;
- revocation
Some implementations: DAA (Direct Anonymous Attestation, present in TPM chips); Idemix; Hyperledger Indy
Is anything standardized? It's tricky... the cryptographers' approaches to AnonCred systems are seen as "too complex for a reasonable standard" (i.e. too complex for non-crypto folk to get)
Maybe they just need rebranding... Mercurial signature schemes.
Here, rather than signing one message, you sign a 'representative of an equivalence class of messages', using not one public key but a 'representative of an equivalence class of public keys'
Property: to preserve privacy, it must be hard to tell whether two representatives belong to the same equivalence class (class-hiding).
For public keys, two PKs might be considered equivalent if they have the same underlying private key.
Alternative: Ring Signatures
Real-world application: Anonymous Hardware Attestation (AHA)
CA -> boot-loader -> OS -> app -> data, with the credential at each stage signed by the stage upstream of it.