Coconut: Threshold Issuance Selective Disclosure Credentials with - - PowerPoint PPT Presentation

coconut threshold issuance selective disclosure
SMART_READER_LITE
LIVE PREVIEW

Coconut: Threshold Issuance Selective Disclosure Credentials with - - PowerPoint PPT Presentation

May 15, 2023 33 likes •558 views

Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers Authors Alberto Sonnino* Mustafa Al-Bassam* Shehar Bano* Sarah Meiklejohn* George Danezis* * University College London February 2019 The

slide-1
SLIDE 1

Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers

Authors Alberto Sonnino* Mustafa Al-Bassam* Shehar Bano* Sarah Meiklejohn* George Danezis*

* University College London

February 2019

slide-2
SLIDE 2

The Authors

2

Mustafa Al-Bassam Alberto Sonnino Bano Shehar Sarah Meiklejohn George Danezis

slide-3
SLIDE 3

Challenges in blockchains

3

Strong integrity Poor privacy

slide-4
SLIDE 4

Challenges in blockchains

4

send it to the blockchain anyone can verify write the contract

Strong integrity Poor privacy

slide-5
SLIDE 5

Challenges in blockchains

5

send it to the blockchain anyone can verify write the contract

Can we issue credentials in this setting?

slide-6
SLIDE 6
  • Issuing credentials through smart contracts

What are we trying to do?

6

… while preserving privacy

write the contract

slide-7
SLIDE 7
  • Issuing credentials through smart contracts

What are we trying to do?

7

… while preserving privacy

write the contract some attributes

slide-8
SLIDE 8
  • Issuing credentials through smart contracts

What are we trying to do?

8

… while preserving privacy

credentials write the contract some attributes

slide-9
SLIDE 9
  • Issuing credentials through smart contracts

What are we trying to do?

9

… while preserving privacy

another contract credentials

slide-10
SLIDE 10
  • Why is it hard?

What are we trying to do?

10

transactions are recorded on chain Attributes & signing key should be secret Credentials showing should be unlinkable

In a decentralised setting

slide-11
SLIDE 11
  • Why is it hard?

What are we trying to do?

11

transactions are recorded on chain attributes & signing key should be secret Credentials showing should be unlinkable

In a decentralised setting

slide-12
SLIDE 12
  • Why is it hard?

What are we trying to do?

12

transactions are recorded on chain attributes & signing key should be secret credentials showing should be unlinkable

In a decentralised setting

slide-13
SLIDE 13
  • Which properties do we need?

Introduction

13

Blindness Unlinkability Threshold Authority Authorities Non- Interactivity Efficiency

slide-14
SLIDE 14
  • Which properties do we need?

Introduction

14

Blindness Unlinkability Threshold Authority Authorities Non- Interactivity Efficiency

slide-15
SLIDE 15
  • Which properties do we need?

Introduction

15

Blindness Unlinkability Threshold Authority Authorities Non- Interactivity Efficiency

slide-16
SLIDE 16
  • Which properties do we need?

Introduction

16

Blindness Unlinkability Threshold Authority Authorities Non- Interactivity Efficiency

slide-17
SLIDE 17
  • Which properties do we need?

Introduction

17

Blindness Unlinkability Threshold Authority Authorities Non- Interactivity Efficiency

slide-18
SLIDE 18
  • Which properties do we need?

Introduction

18

Blindness Unlinkability Threshold Authority Authorities Non- Interactivity Efficiency

slide-19
SLIDE 19

So we built Coconut

19

slide-20
SLIDE 20

Introduction

20

  • What is Coconut?

Contribution I Contribution II

Coconut credentials scheme Coconut smart contract library & example of applications

slide-21
SLIDE 21

Introduction

21

  • What is Coconut?

Contribution I Contribution II

Coconut credentials scheme Coconut smart contract library & example of applications

slide-22
SLIDE 22

Introduction

22

  • What is Coconut?

Contribution I Contribution II

Coconut credentials scheme Coconut smart contract library & example of applications

slide-23
SLIDE 23
  • How does Coconut work?

System Overview

23

request

À Ã Õ Œ œ – —

À Ã Õ Œ œ – —

À Ã Õ Œ œ – —

issue aggregate & randomize

authorities

À Ã Õ Œ œ – —

show

slide-24
SLIDE 24
  • How does Coconut work?

System Overview

24

request

À Ã Õ Œ œ – —

À Ã Õ Œ œ – —

À Ã Õ Œ œ – —

issue aggregate & randomize

authorities

À Ã Õ Œ œ – —

show

slide-25
SLIDE 25
  • How does Coconut work?

System Overview

25

request

À Ã Õ Œ œ – —

À Ã Õ Œ œ – —

À Ã Õ Œ œ – —

issue aggregate & randomize

authorities

À Ã Õ Œ œ – —

show

slide-26
SLIDE 26
  • How does Coconut work?

System Overview

26

request

À Ã Õ Œ œ – —

À Ã Õ Œ œ – —

À Ã Õ Œ œ – —

issue aggregate & randomize

authorities

À Ã Õ Œ œ – —

show

slide-27
SLIDE 27
  • How does Coconut work?

System Overview

27

request

À Ã Õ Œ œ – —

À Ã Õ Œ œ – —

À Ã Õ Œ œ – —

issue aggregate & randomize

authorities

À Ã Õ Œ œ – —

show

slide-28
SLIDE 28
  • Threshold authorities

System Overview

28

authorities

OpenSSL

Pri

n t Users need to collect

  • nly t shares
slide-29
SLIDE 29
  • Threshold authorities

System Overview

29

authorities

OpenSSL

Pri

n honest authorities t Users need to collect

  • nly t shares
slide-30
SLIDE 30
  • From where do coconuts come from?

Coconut Credentials Scheme

30

BLS Signatures PS Signatures

Coconut

slide-31
SLIDE 31
  • From where do coconuts come from?

Coconut Credentials Scheme

31

  • What do they look like?

BLS Signatures PS Signatures h h h H H H( ( (c c cm

m m)

) ) σ σ σ ( ( (h h h, , ,h h hx

x x+ + +m m my y y)

) )

m m m

take an attribute: compute: signature: & secret key: (

( (x x x, , ,y y y) ) )

Coconut

slide-32
SLIDE 32
  • Communication protocol

Coconut Credentials Scheme

32

user authority verifier

repeat times

À Ã Õ Œ œ – — À Ã Õ Œ œ – — À Ã Õ Œ œ – —

i i i

t

( ˜ σi)

(Λ, φ) (Θ, φ)

slide-33
SLIDE 33
  • General purpose library

Coconut Smart Contract Library

33

issue

Ledger

request create verify

À Ã Õ Œ œ – —

À Ã Õ Œ œ – —

À Ã Õ Œ œ – — À Ã Õ Œ œ – —

À Ã Õ Œ œ – —

À Ã Õ Œ œ – — À Ã Õ Œ œ – —

contract info contract info attributes attributes credentials credentials credentials

authorities

slide-34
SLIDE 34
  • Privacy-preserving petitions

Applications

34

vote

Ledger

petition creator citizen

proof of identity

authorities

À Ã Õ Œ œ – — À Ã Õ Œ œ – —

credentials sign petition

À Ã Õ Œ œ – — À Ã Õ Œ œ – —

create petition

happens every campaign happens

  • nly once
slide-35
SLIDE 35
  • What is out there?

Performance

35

The Coconut cryptographic library

Python & Timing benchmark &

Smart contract library https://github.com/asonnino/coconut Everything is released as open source software Applications Coin tumbler E-Petition (CRD proxy distribution )

slide-36
SLIDE 36
  • What is out there?

Performance

36

The Coconut cryptographic library

Python & Timing benchmark &

Smart contract library https://github.com/asonnino/coconut Everything is released as open source software Applications Coin tumbler E-Petition (CRD proxy distribution )

slide-37
SLIDE 37
  • What is out there?

Performance

37

The Coconut cryptographic library

Python & Timing benchmark &

Smart contract library https://github.com/asonnino/coconut Everything is released as open source software Applications Coin tumbler E-Petition (CRD proxy distribution )

slide-38
SLIDE 38
  • What is out there?

Performance

38

The Coconut cryptographic library

Python & Timing benchmark &

Smart contract library https://github.com/asonnino/coconut Everything is released as open source software Applications Coin tumbler E-Petition (CRD proxy distribution )

slide-39
SLIDE 39
  • What is out there?

Performance

39

The Coconut cryptographic library

Python & Timing benchmark &

Smart contract library https://github.com/asonnino/coconut Everything is released as open source software Applications Coin tumbler E-Petition (CRD proxy distribution )

slide-40
SLIDE 40
  • How fast is Coconut?

Performance

40

signing is fast, verifying takes 10ms verify sign

Operation µ [ms] √ σ2 [ms]

PrepareBlindSign 2.633 ± 0.003 BlindSign 3.356 ± 0.002 Unblind 0.445 ± 0.002 AggCred 0.454 ± 0.000 ProveCred 1.544 ± 0.001 VerifyCred 10.497 ± 0.002

slide-41
SLIDE 41

Performance

41

  • What is the size of the credentials?

No matter how many attributes…

2 Group Elements

No matter how many authorities…

slide-42
SLIDE 42
  • How does Coconut scale?

Performance

42

Signing scales linearly, verifying is constant time

Number of authorities: n, Signature size: 132 bytes

Transaction complexity size [B]

Signature on public attribute: request credential O(n) 32 À issue credential O(n) 132 Ã verify credential O(1) 162 Signature on private attribute: request credential O(n) 516 À issue credential O(n) 132 Ã verify credential O(1) 355

issue verify

slide-43
SLIDE 43
  • Did you evaluate it in the real world?

Performance

43

pick 10 locations across the world server client

slide-44
SLIDE 44
  • Did you evaluate it in the real world?

Performance

44

client latency VS number of authorities

1 2 3 4 5 6 7 8 9 10

Threshold parameter

100 200 300 400 500 600

Client Latency [ms]

Public attribute Private attribute

slide-45
SLIDE 45
  • Did you evaluate it in the real world?

Performance

45

client latency VS number of authorities

1 2 3 4 5 6 7 8 9 10

Threshold parameter

100 200 300 400 500 600

Client Latency [ms]

Public attribute Private attribute

Europe

(close to client)

Tokyo & Sidney

slide-46
SLIDE 46

What else is in the paper?

46

Full cryptographic scheme Smart contract library evaluation

Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers

Alberto Sonnino University College London Mustafa Al-Bassam University College London Shehar Bano University College London George Danezis University College London The Alan Turing Institute Abstract

We present Coconut, a novel selective disclosure cre- dential scheme supporting distributed threshold issuance, public and private attributes, re-randomization, and mul- tiple unlinkable selective attribute revelations. Coconut can be used by modern blockchains to ensure confiden- tiality, authenticity and availability even when a subset of credential issuing authorities are malicious or offline. We implement and evaluate a generic Coconut smart contract library for Chainspace and Ethereum; and present three applications related to anonymous payments, electronic petitions, and distribution of proxies for censorship resis-
  • tance. Coconut uses short and computationally efficient
credentials, and our evaluation shows that most Coconut cryptographic primitives take just a few milliseconds on average, with verification taking the longest time (10 mil- liseconds).

1 Introduction

Selective disclosure credentials [15, 17] allow the is- suance of a credential to a user, and the subsequent unlinkable revelation (or ‘showing’) of some of the at- tributes it encodes to a verifier for the purposes of au- thentication, authorization or to implement electronic
  • cash. However, established schemes have shortcomings.
Some entrust a single issuer with the credential signa- ture key, allowing a malicious issuer to forge any cre- dential or electronic coin. Other schemes do not provide the necessary re-randomization or blind issuing proper- ties necessary to implement modern selective disclosure
  • credentials. No existing scheme provides all of threshold
distributed issuance, private attributes, re-randomization, and unlinkable multi-show selective disclosure. The lack of full-featured selective disclosure cre- dentials impacts platforms that support ‘smart con- tracts’, such as Ethereum [40], Hyperledger [14] and Chainspace [3]. They all share the limitation that ver- ifiable smart contracts may only perform operations recorded on a public blockchain. Moreover, the secu- rity models of these systems generally assume that in- tegrity should hold in the presence of a threshold number
  • f dishonest or faulty nodes (Byzantine fault tolerance);
it is desirable for similar assumptions to hold for multiple credential issuers (threshold aggregability). Issuing credentials through smart contracts would be very desirable: a smart contract could conditionally issue user credentials depending on the state of the blockchain,
  • r attest some claim about a user operating through the
contract—such as their identity, attributes, or even the balance of their wallet. This is not possible, with cur- rent selective credential schemes that would either en- trust a single party as an issuer, or would not provide appropriate re-randomization, blind issuance and selec- tive disclosure capabilities (as in the case of threshold signatures [5]). For example, the Hyperledger system supports CL credentials [15] through a trusted third party issuer, illustrating their usefulness, but also their fragility against the issuer becoming malicious. Coconut addresses this challenge, and allows a subset
  • f decentralized mutually distrustful authorities to jointly
issue credentials, on public or private attributes. Those credentials cannot be forged by users, or any small subset
  • f potentially corrupt authorities. Credentials can be re-
randomized before selected attributes being shown to a verifier, protecting privacy even in the case all authorities and verifiers collude. The Coconut scheme is based on a threshold issuance signature scheme, that allows partial claims to be aggregated into a single credential. Mapped to the context of permissioned and semi-permissioned blockchains, Coconut allows collections of authorities in charge of maintaining a blockchain, or a side chain [5] based on a federated peg, to jointly issue selective dis- closure credentials. Coconut uses short and computationally efficient cre- dentials, and efficient revelation of selected attributes and verification protocols. Each partial credentials and the

arXiv:submit/2158644 [cs.CR] 20 Feb 2018

Applications evaluation and benchmarking Coin tumbler, CRD proxy applications

slide-47
SLIDE 47

Limitations & Future Works

47

  • Would you like to contribute?

Limitation I Limitation II

Adding and removing authorities is complicated. Can we do better than re-running the key generation algorithm? Current key generation algorithms are complex to implement. Can we design a key generation algorithm for blockchains?

slide-48
SLIDE 48

Limitations & Future Works

48

  • Would you like to contribute?

Limitation I Limitation II

Adding and removing authorities is complicated. Can we do better than re-running the key generation algorithm? Current key generation algorithms are complex to implement. Can we design a key generation algorithm for blockchains?

slide-49
SLIDE 49

Limitations & Future Works

49

  • What is the next milestone?

A general framework allowing nodes to execute any kind of threshold cryptography?

slide-50
SLIDE 50

Conclusion

50

  • What did we talk about?

Coconut credentials scheme Coconut smart contract library & example of applications

Contribution I Contribution II

slide-51
SLIDE 51

Conclusion

51

  • Main take-aways

Threshold issuance Sweet for blockchains Randomizable Multi-use & unlinkability

slide-52
SLIDE 52

Alberto Sonnino alberto.sonnino@ucl.ac.uk https://sonnino.com

Thank you for your attention

This work is supported in part by EPSRC Grant EP/M013286/1, the EU H2020 DECODE project (grant agreement number 732546), and The Alan Turing Institute.

https://github.com/asonnino/coconut