Anonymous Credentials
A zero knowledge proof signature algorithm
Last updated
A zero knowledge proof signature algorithm
Last updated
The anonymous credential scheme is a part of the Ontology Crypto library that provides several cryptography related utilities for the Ontology network. The main features provided by the crypto library basically revolve around digital signature. It provides general APIs for processing digital signatures and keys.
There are three parties involved in an anonymous credential scheme, namely the issuer, the user (prover), and the verifier.
The issuer provides a certificate to the user. This certificate contains a list of the user's attributes and the issuer's signature (using BBS+signature). This protocol is formally called credential issuance protocol. The user who is in possession of the credentials can selectively disclose some parts to a verifier. This protocol is formally called credential presentation protocol.
Setup: Groups and Pairing function where and are both of order . Common parameters:
is the generator of
is the generator of
are elements from
KeyGen: A sample from uniform distribution on , output
Sign: Two random numbers and are selected from . First is calculated, and then is computed. The signature is
Verify : Decode as , and check if and whether
Given an array of the attribute names AttributeNames
, the issuer's key pair is generated in the following manner:
The following are the reference data structures for the issuer's key pair:
Issuance protocol is an interactive protocol that consists of the following steps:
The issuer sends a random nonce to the user
The user creates a credential request using the public key, the secret, and the nonce. This request consists of a commitment to the user secret (can be seen as a public key), and a zero-knowledge proof of the knowledge of the user secret key. The user sends this credential request to the issuer
The issuer verifies the credential request by verifying the zero-knowledge proof If the request is valid, the issuer issues a credential to the user by signing the commitment to the secret key along with the attribute values and then sends the credential back to the user
The user verifies the issuer's signature and stores the credential that consists of the signature value, a randomness used to create the signature, the user secret, and the attribute values
The following diagram represents the interaction between the user and the issuer:
Credential contains the BBS+signature
on the attributes and the Nym
The user generates the credential request using the attribute values and the nonce as input. The process is as follows:
The data structure of the credential request is of the following manner:
Calculate B = g1 · HRand^s · Nym · MulAll(HAttrs[i]^(Attrs[i]))
Compute A = B^(1/(e+x))
The data structure of a credential looks something like:
In the presentation protocol, the prover tries to convince the verifier that they are aware of some secret input, such that some hypothetical predicate is true. A typical example of a predicate is that the prover is in possession of an anonymous credential, and they can selectively disclose certain attributes while hiding the other attributes.
The information that is available to the user is:
BBS +signature (A, B, e, s)
Extra input
(D, I) : Attribute predicate, describes what attributes will be disclosed. If D[j] == 1
, I[j] = attrs[j] = aj
, else I[j] = null
The selective disclosure proof can be generated in the following manner:
_A/B' = A'^(-e) · HRand^r2
g1 · MulAll(hi^ai_reveal) = (B')^r3 · HRand^(-s') · HSk^(-sk) ·MulAll(hi^(-ai_hidden))
, where hi
stands for HAttrs[i]
The proof can be generated as follows:
Here is the reference data structure for the zero knowledge proof:
The verifier has the following input information available:
The verification algorithm proceeds as in the following manner:
Check if A' != 1
in G1; if false, return false
.
the i
above, first MulAll( )
belongs to _D
, where D[i]==0(false)
the i
above, second MulAll( )
belongs to D
, where D[i]==1(true)
Check if c == c'
: if false, return false
. Otherwise return true
.
In this subsection, we will look at an example of the non-interactive proof of knowledge protocol which proves that the public key is generated as specified in the BBS + signature scheme. That is, . This means the prover proves the knowledge of such that and . It is assumed that are all public.
The protocol that we provide is a standard sigma protocol. It involves three steps, which are commit, challenge, and response. Sigma protocol is an interactive protocol and can be modified to be a non-interactive zero knowledge proof by using the well-known Fiat-Shamir heuristic. The proof
Select a random element from , and compute
Select a random element from , and compute
Generate non-interactive proof of knowledge Here,
r
: A random element from
t1
: Computed as
t2
: Computed as
C
:
s
:
4. Select an array of elements from from AttributeNames
. Next, calculate HAttrs[i] = random(G1)
for each attribute in AttributeNames
5. Select two random elements HRand
And HSk
from
6. The issuer's public key is set to ipk = (w, _g1, _g2, π, HAttrs, AttributeNames, HRand, HSk)
, and the private key is set to isk = x
7. Return isk
and ipk
The credential request CredRequest contains a commitment to user's secret key which is of the form and a zk-PoK
of the
Select a random element sk from as the user's master secret key
Calculate , which represents the commitment to the user's master secret
Generate the zero knowledge proof in the following manner-
Select a random element from which acts as the user's master secret
Calculate
Compute the challenge
Compute the response
After receiving the credential request from the user, the issuer verifies and generates credentials for the user. The credential is generated using the issuer's private key as follows:
Select two random elements from
Return the credential
User's secret key and its commitment
Attribute values
Randomize A : Select a random element from , and compute
Calculate
Select an element from
Calculate ,
Generate zero knowledge proof such that-
The output is where
: from the signer
: obtained by parsing
Check if e(A', w) == e(_A, g2)
; if false, return false
. This is for A.
Parse : {c, s_sk, {s_ai}, s_e, s_r2, s_r3, s_s', nonce} <- π
; if failed, return false
.
~ : ~t1 = A'^s_e · HRand^s_r2 · (_A/B')^(-c)
. This is for e, r2.
~ : (B')^s_r3 · HRand^s_s' · HSk^(-s_sk) · MulAll(hi^(-s_ai)) · (g1·MulAll(hi^ai))^(-c)
This is for r3, s', gsk, ai of _D.
: c' = H(nonce, H(A', _A, B', nym, ~t1, ~t2, g1, HRand, h1, ... , hL, w), (D, I))