Paper 2024/2010
Anonymous credentials from ECDSA
Abstract
Anonymous digital credentials allow a user to prove possession of an attribute that has been asserted by an identity issuer without revealing any extra information about themselves. For example, a user who has received a digital passport credential can prove their “age is $>18$” without revealing any other attributes such as their name or date of birth. Despite inherent value for privacy-preserving authentication, anonymous credential schemes have been difficult to deploy at scale. Part of the difficulty arises because schemes in the literature, such as BBS+, use new cryptographic assumptions that require system-wide changes to existing issuer infrastructure. In addition, issuers often require digital identity credentials to be *device-bound* by incorporating the device’s secure element into the presentation flow. As a result, schemes like BBS+ require updates to the hardware secure elements and OS on every user's device. In this paper, we propose a new anonymous credential scheme for the popular and legacy-deployed Elliptic Curve Digital Signature Algorithm (ECDSA) signature scheme. By adding efficient ZK arguments for statements about SHA256 and document parsing for ISO-standardized identity formats, our anonymous credential scheme is the first one that can be deployed *without* changing any issuer processes, *without* requiring changes to mobile devices, and *without* requiring non-standard cryptographic assumptions. Producing ZK proofs about ECDSA signatures has been a bottleneck for other ZK proof systems because standardized curves such as P256 use finite fields which do not support efficient number theoretic transforms. We overcome this bottleneck by designing a ZK proof system around sumcheck and the Ligero argument system, by designing efficient methods for Reed-Solomon encoding over the required fields, and by designing specialized circuits for ECDSA. Our proofs for ECDSA can be generated in 60ms.
When incorporated into a fully standardized identity protocol such as the ISO MDOC standard, we can generate a zero-knowledge proof for the MDOC presentation flow in 1.2 seconds on mobile devices depending on the credential size. These advantages make our scheme a promising candidate for privacy-preserving digital identity applications.
Metadata
- Category: Cryptographic protocols
- Publication info: Preprint.
- Keywords: Anonymous credentials, ZK, ECDSA, MDOC
- Contact author(s): matteof @ google com, shelat @ google com
- History:
  - 2024-12-20: revised
  - 2024-12-12: received
- Short URL: https://ia.cr/2024/2010
- License: CC BY
BibTeX
@misc{cryptoeprint:2024/2010,
      author = {Matteo Frigo and abhi shelat},
      title = {Anonymous credentials from {ECDSA}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/2010},
      year = {2024},
      url = {https://eprint.iacr.org/2024/2010}
}