---
layout: default
title: Schemes
banner: bird.jpg
---
<style> .scheme-table { width: 100%; text-align: center; } .scheme-table th { background: black; word-wrap: break-word; text-align: center; } .scheme-table td:nth-child(1) { background: grey; color: black; } </style>

On this page we go over various proposed anonymous credential and token schemes.


We start our investigation with anonymous credential schemes that have been specified and implemented. We first summarize the schemes and their security properties in this table, and then go into more depth below.


| Scheme | Type | Attributes | Public Verifiability | Other notes |
|---|---|---|---|---|
| Privacy Pass | Single-show | ? | No | Perfect Unlinkability |
| Signal Creds | Multi-show | Yes | No | |
| Coconut | Multi-show | Yes | Yes | Complex attributes / Threshold Issuance |
| Idemix | Multi-show | ? | ? | |
| FB PrivateStats | Single-show | Yes | No | |
| U-Prove | Single-show | Yes | ? | |
| FB Blind Sigs | Single-show | ? | Yes | Perfect Unlinkability |
| aeonflux | Multi-show | Yes | No | |

[DGST18]: Privacy Pass


[CPZ19]: Signal Private Group System


[SABM19]: Coconut

- [Implementation](https://github.com/asonnino/coconut) and [another implementation](https://gitlab.com/narodnik/darkwallet/-/tree/master/src/coconut)
- Properties: Public Verifiability, Multi-show, Public/Private Attributes, Threshold Issuance
- Based on: [PS signatures]({{site.baseurl}}/primitives.html#ps-signatures) & BGLS Signatures & Waters Signatures
- Performance:
  - Credential Size: [132 bytes](https://sheharbano.com/assets/talks/talk_coconut.pdf)
  - Key size: TODO
  - Show size: [355 bytes](https://sheharbano.com/assets/talks/talk_coconut.pdf)
  - Prover time: [3.35 ms](https://sheharbano.com/assets/talks/talk_coconut.pdf)
  - Verifier time: [10.49 ms](https://sheharbano.com/assets/talks/talk_coconut.pdf)

[CH03]: Idemix

- [Implementation](prime.inf.tu-dresden.de/idemix/)
- Properties: Constant Credential Size, Multi-show
- Based on: [CL03]({{site.baseurl}}/schemes.html#cl03)

[HIJK21]: Facebook's PrivateStats

- Properties: Single-show, Public Attributes
- Based on:
  - [(V)OPRF]({{site.baseurl}}/primitives.html#oprfs)

[PZ13]: U-Prove

- [U-Prove implementation](https://github.com/Microsoft/uprove-csharp-sdk)
- Properties: Single-show, Public Attributes
- Based on: [Brand's blind signature]({{site.baseurl}}/primitives.html#brands-blind-signature)
- Notes: The U-Prove token is single-show, but can be shown multiple times to serve as a pseudonym.

Facebook's Blind Signatures

- [Implementation](https://github.com/siyengar/private-fraud-prevention)
- Properties: Public Verifiability
- Based on: [Blind RSA]({{site.baseurl}}/primitives.html#blind-rsa)

aeonflux

- [aeonflux] Implementation
- Properties: Multi-show, Attributes
- Based on: [KVAC]({{site.baseurl}}/primitives.html#kvac)
- Performance: TODO




We now continue with credential schemes that have been proposed and can serve as a basis for more complete systems but have not been implemented yet.



[BL13]: Anonymous Credentials Light

- Based on: Abe-Okamoto
- Properties: Attributes, Single-show
- Notes: Small anonymous credentials that allow a user with a list of attributes $(L_1, \dots, L_n)$

[KVAC]: Keyed-Verification Anonymous Credentials

- Based on: [Algebraic MACs]({{site.baseurl}}/primitives.html#algebraic-macs)
- Properties: Multi-show, Public Attributes, Selective Disclosure

[TAKS10]: BLAC: Revoking Repeatedly Misbehaving Anonymous Users ...

- Based on: [ZKPs]({{site.baseurl}}/primitives.html#zkps) & BBS+ Signatures
- Related: [[BLACR]] *"BLACR: TTP-free blacklistable anonymous credentials with reputation ..."*
- Related: [[AKTS07]] *"Blacklistable Anonymous Credentials: Blocking Misbehaving .."*
- Properties: Blacklisting

[AMO08]: An Efficient Anonymous Credential System

- Based on: Bilinear Pairings, TODO
- Properties: Strong-unlinkability, Attributes

[CL06]: Randomizable Proofs and Delegatable Anon Credentials

- Based on: [ZKPs]({{site.baseurl}}/primitives.html#zkps)
- Related: [[CSF14]] *"Malleable Signatures: New Definitions and Delegatable Anonymous Credentials"*
- Properties: Multi-show, Delegatable

[CL04]: Signature Schemes and Anonymous Credentials from ...

- Based on: [Group Signatures]({{site.baseurl}}/primitives.html#group-signatures)
- Properties: TODO

[CL03]: A Signature Scheme with Efficient Protocols

- Based on: [ZKPs]({{site.baseurl}}/primitives.html#zkps)
- Properties: Multi-show, Attributes
- Notes: The distinguishing feature of a CL signature is that it allows a user to prove possession of a signature without revealing the underlying messages or even the signature itself using efficient zero-knowledge proofs of knowledge. As the proof is “zero-knowledge”, the user can repeat such a proof as many times as she wants and still it is not possible to link the individual proofs.
- Related: [[CL01]] An Efficient System for Non-transferable Anonymous Credentials

[CL02]: Dynamic Accumulators and Application to Efficient, Revocable Credentials

- Based on: [Accumulators]({{site.baseurl}}/primitives.html#acc)
- Properties: Revocation

[EPID]: Enhanced Privacy ID

- Based on: [BBS+ signatures]({{site.baseurl}}/primitives.html#blindsig-bbs)
- Properties: Revocation

Tor Anonymous Res Tokens

- [Tor summary](https://blog.torproject.org/stop-the-onion-denial) and [proposed specification](https://lists.torproject.org/pipermail/tor-dev/2021-February/014517.html)
- Properties: Single-show
- Based on: [Blind RSA]({{site.baseurl}}/primitives.html#blindsigs)

[ZKSZ20]: EL PASSO: Privacy-preserving, Asynchronous Single Sign-On

- Based on: [PS signatures]({{site.baseurl}}/primitives.html#ps-signatures)
- Properties: Multi-show, Selective Attribute Disclosure
- Performance:
  - Show size: 414 bytes