Real World Crypto 2021 - Session 13: Invited Talk


Prev | Up | Next

Anna Lysyanskaya (Brown Uni) / Privacy-Preserving Authentication – From Theory to Practice video

What makes ‘you’, you?

Nowadays, this is embodied by cloud providers - you log-in to them, they do the rest
But here’s an alternative: “Self-sovereign Identity”

The term was introduced in The path to self-soverereign identity

But it isn’t very academic, and doesn’t mention David Chaum who in 1984 wrote A New Paradigm for Individuals in the Information Age in which individuals go by different pseudonyms on each service they use, and can ‘inject’ their pseudonym into the digitally signed credentials issued by those services without wrecking its signature

Tim Berners-Lee is also looking to do this with his SOLID concept

If you don’t care about privacy then existing digital signatures are just fine.
But for privacy-preserving cases you end up needing ZK proofs, secure two-party computation, etc.

Anonymous Credentials: you have a privacy-conscious user, and a verifier.
If you identify yourself with the same thing across sites (e.g. a certificate) then you lose anonymity eventually because all the verifications could be linked. Instead:

Commitment schemes could be: Pedersen, Fujisaki-Okamoto, Groth-Sahai

AnonCred systems can include other features:

Some implementations: DAA (present in TPM chipsets); Idemix; Hyperledger Indy

Is anything standardized? It’s tricky… cryptographers approaches to AnonCred systems is “too complex for a reasonable standard” (ie.. for non crypto-folk to get)

Maybe they just need rebranding… Mercurial Signature Scheme.
Here: rather sign one message, you sign a ‘representative of an equivalence class of messages’, using not one public key, but a ‘representative of an equivalence class fo public keys’
Property: for preservation of privacy, it must be hard to determine if two X’s belong to the same equivalence class.
For public keys, two PKs might be considered equivalent if they have the same underlying private key.

Alternative: Ring Signatures

Real-world application: Anonymous Hardware Attestation AHA
CA->Boot-loader->OS->App->Data with credentials at each stage signed up upstream.