Re: [Cfrg] ZKP for proving ownership of a credential

Alec Edgington <alec.m.edgington@gmail.com> Wed, 03 June 2015 11:12 UTC

To: Manu Sporny <msporny@digitalbazaar.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Awf9vaKMInrIMmjAEfCM6PKLsCw>
Cc: Crypto Forum Research Group <cfrg@irtf.org>

It sounds as if you may be after 'direct anonymous attestation' (DAA).
There are a number of protocols for this, the earlier ones based on RSA
(rather cumbersome), and the more modern ones (a.k.a. ECDAA) based on EC
pairings. Primitives to support these protocols are being introduced in the
TPM 2.0 standard, for example (though without specifying a specific
protocol). See for example http://eprint.iacr.org/2011/658.pdf for a
discussion of the security properties (and a suggested protocol).

The general idea is that the 'issuer' has a private and a public key; each
entity generates a secret key; there is an enrolment protocol where the
issuer and entity use their keys to generate a credential; later the entity
can use its secret key and the credential to sign an (anonymous)
attestation, which can be verified by the third party using the issuer's
public key. Controlled linkability of credentials is also possible.