Re: [Cfrg] ZKP for proving ownership of a credential
Vadym Fedyukovych <vf@unity.net> Fri, 05 June 2015 17:41 UTC
Return-Path: <vf@unity.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 825671A0115 for <cfrg@ietfa.amsl.com>; Fri, 5 Jun 2015 10:41:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.788
X-Spam-Level:
X-Spam-Status: No, score=0.788 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aIzcEet9rCaK for <cfrg@ietfa.amsl.com>; Fri, 5 Jun 2015 10:41:55 -0700 (PDT)
Received: from vc.unity.net (tr.unity.net [195.24.140.242]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 047DE1A00FE for <cfrg@irtf.org>; Fri, 5 Jun 2015 10:41:55 -0700 (PDT)
Received: from vf by vc.unity.net with local (Exim 4.80) (envelope-from <vf@unity.net>) id 1Z0van-0000n4-3j; Fri, 05 Jun 2015 20:39:41 +0300
Date: Fri, 05 Jun 2015 20:39:41 +0300
From: Vadym Fedyukovych <vf@unity.net>
To: Paul Lambert <paul@marvell.com>
Message-ID: <20150605173941.GA23793@vc.unity.net>
References: <556E63DB.8090904@digitalbazaar.com> <D193B311.6A3A7%paul@marvell.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Disposition: inline
In-Reply-To: <D193B311.6A3A7%paul@marvell.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: vf@unity.net
X-SA-Exim-Scanned: No (on vc.unity.net); SAEximRunCond expanded to false
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/QreDAIDqAECiMNP40brqm_6LuFg>
Cc: Crypto Forum Research Group <cfrg@irtf.org>
Subject: Re: [Cfrg] ZKP for proving ownership of a credential
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jun 2015 17:41:58 -0000
On Wed, Jun 03, 2015 at 02:33:43AM +0000, Paul Lambert wrote: > > > On 6/2/15, 7:18 PM, "Manu Sporny" <msporny@digitalbazaar.com> wrote: > > >Hi all, > > > >I'm currently involved in some work in a Community Group at W3C called > >the Credentials CG as well as the Web Payments Interest Group at W3C. An > >executive summary of what the Credentials CG is trying to do is here: > > > >https://docs.google.com/document/d/1Nq543-Am1hQUIZ2hhzAFl8KexvIEBwDDc_f3Ik > >z1opQ/edit > > > >We have a subset of credentials, like proof of citizenship ("this person > >is a citizen of the United Kingdom") and proof of age ("this person is > >above the age of 21"), that we believe could be asserted without leaking > >information that could be used by colluding websites* to identify the > >individual with the credential. We're trying to avoid having a single > >identifier associated w/ these credentials that can be used to track > >individuals between sites. > > > >Clearly, at some point it's impossible to protect the privacy of the > >individual or organization because information like a government issued > >ID or name is shared in the credential. However, those are not the use > >cases we're focused on with this particular question. > > > >We have a hunch that perhaps some form of Zero Knowledge Proof could be > >used with the credential, such that: > > > >1. The issuer of the credential (a government) could issue a > > credential to a recipient (a citizen). The credential would > > contain an assertion (this person is a citizen of the United > > Kingdom). The credential would also contain a credential-specific > > ZKP algorithm and some public ZKP initialization vectors of some > > kind. > >2. The recipient (the citizen) would separate out the /private/ > > credential-specific ZKP algorithm and store it. The recipient > > would also store the /public/ credential with ZKP initialization > > vectors. > >3. A verifier (3rd party website, like the BBC) would then request > > a credential proving UK citizenship. > Unless the credential is different each time it is provided to a third > party the recipient is trackable. It depends on credential type. This holds for a blind signature (u-prove) such that recipient produces a challenge verifiable with equality-of-two-logarithms relation. This does not hold for a strong RSA -based credentials scheme. > This problem has been ?solved' to some degree by P1609.2 for automotive > applications. > > > Paul > > > >The recipient and verifier > > would then go through a number of ZKP iterations until the > > verifier was satisfied. > > > >The end result is that the recipient has proven their citizenship while > >the verifier has ensured that it checked this particular property of an > >individual before delivering a service to them. > > > >Unfortunately, we don't have any experts in ZKPs in the group and need > >to have a chat with someone that is an expert. Preferably, someone that > >knows if it is possible to construct a ZKP that could be used in this way. > > > >If there is a more promising cryptographic approach than using a ZKP, > >we'd love to hear about that as well. Any ideas? > > > >-- manu > > > >* The one big caveat to this is that a simple ask of an email address, > > browser fingerprinting, supercookies, defeats this mechanism. > > However, I believe our mandate in the future is going to be > > "don't make privacy worse on the Web". > > > >-- > >Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) > >Founder/CEO - Digital Bazaar, Inc. > >blog: Web Payments: The Architect, the Sage, and the Moral Voice > >https://manu.sporny.org/2015/payments-collaboration/ > >
- [Cfrg] ZKP for proving ownership of a credential Manu Sporny
- Re: [Cfrg] ZKP for proving ownership of a credent… Paul Lambert
- Re: [Cfrg] ZKP for proving ownership of a credent… Manu Sporny
- Re: [Cfrg] ZKP for proving ownership of a credent… William Whyte
- Re: [Cfrg] ZKP for proving ownership of a credent… Tony Arcieri
- Re: [Cfrg] ZKP for proving ownership of a credent… Alec Edgington
- Re: [Cfrg] ZKP for proving ownership of a credent… Paul Lambert
- Re: [Cfrg] ZKP for proving ownership of a credent… Tony Arcieri
- Re: [Cfrg] ZKP for proving ownership of a credent… David Jacobson
- Re: [Cfrg] ZKP for proving ownership of a credent… Vadym Fedyukovych