Anonymous Credential Part 1: Brief Overview and History
This series of three parts was co-written by:
- Dr. Nuttawut Kongsuwan, Finema & QTFT
- Rachata Tosirisuk, Thailand Internet Exchange, Finema & QTFT
- Anonymous Credential Part 1: Brief Overview and History
- Anonymous Credential Part 2: Selective Disclosure and CL Signature
- Anonymous Credential Part 3: BBS+ Signature
An anonymous credential (Anoncred), also known as an attribute-based credential (ABC), is a concept for a digital credential that gives the credential holder maximal privacy and the ability to selectively disclose their personal information.
“the user can later prove to a third party that she possesses a credential containing a given attribute or role without revealing any other information stored in the credential.”
— IBM Research
For example, suppose a credential contains five attributes: name, nickname, address, date of birth and ID number. Using an Anoncred, the credential holder can choose to reveal or hide any of these attributes when presenting to a third party. A zero-knowledge proof can also be combined with the Anoncred to prove, e.g., that the holder's age is above 20 years without revealing the date of birth itself.
In recent years, an Anoncred has also come to be regarded as a verifiable credential containing a set of credential attributes, called claims. An Anoncred has the following properties.
- Selective Disclosure: the credential holder is capable of minimally disclosing credential attributes (claims) while proving the validity of all hidden attributes.
- Verifiable Authorship: credential verifiers can validate who the credential issuer and holder are.
- Tamper-evident: credential verifiers can detect whether the credential has been altered.
- Anonymity: the credential holder is capable of maintaining their anonymity while verifiably presenting the credential.
- Un-linkability: the credential issuer is incapable of tracking how and where the credential is presented.
- Non-correlating: a credential cannot be correlated by values other than the credential’s attributes (claims). As a result, credential verifiers are incapable of tracking whether a specific credential has been presented multiple times to the same or different verifiers.
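A toy illustration of the selective-disclosure and tamper-evident properties, added here as an example and not code from the article or from any of the systems it describes: the issuer commits to each attribute with a salted hash and signs the list of commitments, and the holder opens only the commitments it chooses to reveal. An HMAC under a shared issuer key stands in for a real public-key signature, and the attribute values are constructed. The last function shows why this naive construction fails the un-linkability and non-correlating properties, which is the gap that the CL and BBS+ signatures of Parts 2 and 3 close.

```python
import hashlib
import hmac
import json
import os

# Constructed sample credential carrying the five attributes named in the article.
CREDENTIAL = {
    "name": "Alice Example",
    "nickname": "ali",
    "address": "1 Sample Street",
    "date_of_birth": "1990-01-01",
    "id_number": "ID-0000",
}

def commit(attr, value, salt):
    """Salted hash commitment: hides the value and binds it to its attribute name."""
    return hashlib.sha256(salt + attr.encode() + b"\x00" + value.encode()).hexdigest()

def sign(issuer_key, commitments):
    """Stand-in for the issuer's signature (assumption: HMAC, not a public-key scheme)."""
    payload = json.dumps(commitments, sort_keys=True).encode()
    return hmac.new(issuer_key, payload, "sha256").hexdigest()

def issue(attrs, issuer_key):
    """Issuer: commit to every attribute with a fresh salt and sign the commitment list."""
    salts = {a: os.urandom(16) for a in attrs}
    commitments = {a: commit(a, v, salts[a]) for a, v in attrs.items()}
    return {"commitments": commitments, "tag": sign(issuer_key, commitments)}, salts

def present(cred, attrs, salts, reveal):
    """Holder: disclose only the chosen attributes by opening their commitments."""
    revealed = {a: (attrs[a], salts[a].hex()) for a in reveal}
    return {"commitments": cred["commitments"], "tag": cred["tag"], "revealed": revealed}

def verify(pres, issuer_key):
    """Verifier: the signature must cover all commitments (tamper-evident) and every
    revealed value must open its commitment (selective disclosure). Hidden values
    are never seen, only their commitments."""
    if not hmac.compare_digest(sign(issuer_key, pres["commitments"]), pres["tag"]):
        return False
    return all(commit(a, v, bytes.fromhex(s)) == pres["commitments"].get(a)
               for a, (v, s) in pres["revealed"].items())

def linkable(p1, p2):
    """The flaw: the same tag and commitments appear in every presentation, so a
    verifier can correlate them even when disjoint attributes are revealed. CL and
    BBS+ signatures let the holder re-randomise the signature per presentation."""
    return p1["tag"] == p2["tag"]
```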
Given the frequency of data breaches and increasingly strict data privacy regulations such as GDPR, the concept of Anoncreds is more relevant than ever. In recent years, several large companies and startups have also started adopting Anoncreds, especially members of the Decentralized Identity Foundation (DIF).
Here, we give a brief overview of the theory behind Anoncreds and their applications, which we divide into the following eras:
- 1985–2004: Theoretical Development
- 2005–2009: U-Prove vs Idemix
- 2010–2015: ABC4Trust Consortium
- 2016–2019: The Rise of Hyperledger
- 2020 and Beyond: The Age of Self-Sovereign Identity
To some extent, these eras are arbitrary, since there are in fact significant overlaps between them. We also note that this article does not aim to provide an exhaustive review of this evolving field. Instead, it aims to give a friendly starting point for developers and cryptographers who want to apply Anoncreds in their work.
1985–2004: Theoretical Development
To the best of the authors' knowledge, the original idea of Anoncreds was first invented and studied by David Chaum in 1985 [Cha85], who defined the general concepts based on information-theoretic arguments. This idea was further developed by Ivan Bjerre Damgård in 1990 [Dam90] and Stefan Brands in 1995 [Bra95a, Bra95b]. Brands also compiled his work in his book [Bra00], which laid the foundation for U-Prove.
In a series of publications from 2001 to 2004 [CL01, CL02, CL03, CL04], Jan Camenisch and Anna Lysyanskaya developed an efficient signature scheme, known as the CL signature, based on the strong RSA (SRSA) assumption. This scheme supports signing a block of messages with a single signature and served as a building block for Identity Mixer (Idemix). However, since the CL signature is an RSA-based signature scheme, its keys must be very long to provide sufficient security against ever-faster prime factorization algorithms and computers.
This problem was addressed in 2004, when Dan Boneh, Xavier Boyen and Hovav Shacham developed a short group signature scheme, known as the BBS signature [BBS04], which is based on the Strong Diffie-Hellman assumption. This signature scheme is built on pairing-based elliptic-curve cryptography and consequently requires much shorter keys than RSA-based signature schemes. The BBS signature scheme was later improved in [ASM06, CDL16] and is now known as the BBS+ signature scheme.
It is also important to note a recent scheme for Anoncreds by a team at Microsoft Research. In 2020, they published a white paper that discusses an implementation of Anoncreds using a transparent Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARK), called Spartan [S20, CGSB20].
2005–2009: U-Prove vs Idemix
After early theoretical development, two competing realizations of Anoncreds emerged, namely U-Prove and Idemix.
U-Prove
Based on cryptographic protocols designed by Stefan Brands, U-Prove was developed as user-centric identity management software that allows a digital identity to be efficiently tied to tamper-resistant devices such as smart cards [MV11]. Brands also founded Credentica in 2004, which further developed U-Prove. U-Prove was later acquired by Microsoft in 2008. The U-Prove SDK is available in C#, Java and JavaScript, and its specification can be found here [PZ13, Paq13].
Idemix
In 2002, Jan Camenisch and Els Van Herreweghen from IBM presented Identity Mixer (Idemix), an anonymous credential system based on the CL signature scheme that allows anonymous yet authenticated and accountable transactions [CH02]. The Idemix source code in Java and its specifications are available here [IBM09, IBM13].
Idemix has been integrated into several projects, including IRMA and Hyperledger Fabric. The design and implementation of Idemix also laid the groundwork for Anonymous Credentials 1.0 in Hyperledger Indy and Hyperledger Ursa.
2010–2015: ABC4Trust Consortium
The goal of ABC4Trust is to address the federation and interchangeability of technologies that support trustworthy yet privacy-preserving Attribute-based Credentials (ABC).
Attribute-based Credentials for Trust (ABC4Trust) was an EU-funded project from 2010 to 2015 that defined a common, unified architecture and delivered open reference implementations of ABC (Anoncred) systems. Its consortium included both Microsoft and IBM, and ABC4Trust integrated both U-Prove and Idemix into its architecture [SR14, RCS15]. It also included two pilot projects, in Patras, Greece and Söderhamn, Sweden. ABC4Trust promoted collaboration between the big players and accelerated advances in the field of Anoncreds. Its deliverables can be found here, and its Java source code is available in this repository.
2016–2019: The Rise of Hyperledger
With the rise (and hype) of blockchain technology, the Linux Foundation founded Hyperledger, a collection of open-source blockchain projects. The Hyperledger projects that use Anoncreds are Hyperledger Fabric, Indy and Ursa.
Hyperledger Fabric
Hyperledger Fabric is a modular, permissioned blockchain framework designed for enterprise blockchain platforms. IBM co-founded Hyperledger Fabric in 2016 and has been its main contributor. Idemix was imported into the project and has been used to provide strong authentication as well as privacy-preserving features such as transactor anonymity and transaction unlinkability.
Hyperledger Indy & Ursa
An independent project that utilizes Anoncreds was also developed by Evernym and the Sovrin Foundation for building a Self-Sovereign Identity (SSI) platform. In 2017, their code was donated to Hyperledger and became the Hyperledger Indy project. The cryptographic modules of Hyperledger Indy were then moved into Hyperledger Ursa, a project for managing shared cryptographic libraries.
The first version of the Anoncred system in Hyperledger Indy and Ursa is based on the CL signature and is called Anonymous Credentials 1.0, whose cryptographic foundations are very similar to those of Idemix. We note that Jan Camenisch — one of the authors of the CL signature and Idemix's lead cryptographer — also helped with this project.
Identity Mixer is not directly re-implemented by Sovrin, but its cryptographic foundations are very similar. Sovrin’s implementation includes most of its extended features such as predicates, multi-credential, revocation and advanced issuance. One of the researchers who helped to create Identity Mixer is on Sovrin’s Technical Governance Board and has offered insight to keep the implementations aligned on goals and methods.
— Daniel Hardman, Secretary of Sovrin Technical Governance Board (September, 2018)
In 2019, Sovrin published the second version of their Anoncred system, called Anonymous Credentials 2.0, which was led by Michael Lodder, Brent Zundel and Dmitry Khovratovich. This version is based on the BBS+ signature over the BLS12-381 curve, which allows for much smaller keys and signatures without sacrificing security.
2020 and Beyond: The Age of Self-Sovereign Identity
As of October 2020, Anoncreds have become a hot topic in the Self-Sovereign Identity (SSI) community, as Anoncreds provide crucial privacy-respecting mechanisms for an SSI platform. The CL signature has been recommended as one of the standard cryptographic proofs for Verifiable Credentials. Recently, Tobias Looker (Mattr) and Orie Steele (Transmute) also contributed a draft to the W3C on the BBS+ signature as a Linked Data Proof suite.
Several startups have adopted Anoncreds for their products, including Trinsic, MATTR, Transmute and Finema, to name a few. Anoncreds are now an exciting field that could make a real difference in the soon-to-be self-sovereign world.
In Part 2, we will explore the mathematics of selective disclosure and the CL signature. This is followed by the mathematics of the BBS+ signature in Part 3.
References
[Cha85] David Chaum. Security without identification: Transaction systems to make big brother obsolete. Communications of the ACM, 28(10):1030–1044, October 1985.
[Dam90] Ivan Bjerre Damgård. Payment systems and credential mechanisms with provable security against abuse by individuals. In Shafi Goldwasser, editor, Advances in Cryptology — CRYPTO '88, volume 403 of Lecture Notes in Computer Science, pages 328–335. Springer Verlag, 1990.
[Bra95a] Stefan Brands. Restrictive Blinding of Secret-Key Certificates. In L. C. Guillou and J.-J. Quisquater, editors, Advances in Cryptology — EUROCRYPT '95, volume 921 of Lecture Notes in Computer Science, pages 231–247. Springer Verlag, 1995.
[Bra95b] Stefan Brands. Secret-key certificates. Technical Report CS-R9510, CWI, September 1995.
[Bra00] Stefan Brands. Rethinking public key infrastructures and digital certificates: building in privacy. MIT Press, 2000.
[CL01] Jan Camenisch and Anna Lysyanskaya. Efficient non-transferable anonymous multi-show credential system with optional anonymity revocation. In Birgit Pfitzmann, editor, Advances in Cryptology — EUROCRYPT 2001, volume 2045 of Lecture Notes in Computer Science, pages 93–118. Springer Verlag, 2001.
[CH02] Jan Camenisch and Els Van Herreweghen. Design and implementation of the idemix anonymous credential system. Proceedings of the 9th ACM conference on Computer and communications security, 2002.
[CL02] Jan Camenisch and Anna Lysyanskaya. Dynamic accumulators and application to efficient revocation of anonymous credentials. In Moti Yung, editor, CRYPTO, volume 2442 of Lecture Notes in Computer Science, pages 61–76. Springer, 2002.
[CL03] Jan Camenisch and Anna Lysyanskaya. A signature scheme with efficient protocols. In Stelvio Cimato, Clemente Galdi, and Giuseppe Persiano, editors, Security in Communication Networks, Third International Conference, SCN 2002, volume 2576 of Lecture Notes in Computer Science, pages 268–289. Springer Verlag, 2003.
[BBS04] Dan Boneh, Xavier Boyen and Hovav Shacham. Short Group Signatures. In M. Franklin, editor, Advances in Cryptology — CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science, pages 41–55. Springer Verlag, 2004.
[CL04] Jan Camenisch and Anna Lysyanskaya. Signature schemes and anonymous credentials from bilinear maps. In Matthew K. Franklin, editor, Advances in Cryptology — CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science, pages 56–72. Springer Verlag, 2004.
[ASM06] Man Ho Au, Willy Susilo, and Yi Mu. Constant-size dynamic k-TAA. International conference on security and cryptography for networks. Springer, Berlin, Heidelberg, 2006.
[IBM09] Patrik Bichsel, Carl Binding, Jan Camenisch, Thomas Groß, Tom Heydt-Benjamin, Dieter Sommer, and Greg Zaverucha. Cryptographic protocols of the Identity Mixer library. IBM Research, Tech. Rep. RZ 3730, 2009.
[MV11] Wojciech Mostowski and Pim Vullers. Efficient U-Prove implementation for anonymous credentials on smart cards. International Conference on Security and Privacy in Communication Systems. Springer, Berlin, Heidelberg, 2011.
[Paq13] Christian Paquin. U-Prove Technology Overview V1.1 (Revision 2). Microsoft Corporation, 2013.
[PZ13] Christian Paquin and Greg Zaverucha. U-Prove Cryptographic Specification V1.1 (Revision 3). Technical Report, Microsoft Corporation, 2013.
[IBM13] Specification of the Identity Mixer Cryptographic Library Version 2.3.4. IBM Research — Zurich, 2013.
[SR14] Ahmad Sabouri and Kai Rannenberg. ABC4Trust: protecting privacy in identity management by bringing privacy-ABCs into real-life. IFIP International Summer School on Privacy and Identity Management. Springer, Cham, 2014.
[RCS15] Kai Rannenberg, Jan Camenisch and Ahmad Sabouri. Attribute-based credentials for trust. Identity in the Information Society, Springer, 2015.
[CDL16] Jan Camenisch, Manu Drijvers, and Anja Lehmann. Anonymous attestation using the Strong Diffie-Hellman assumption revisited. International Conference on Trust and Trustworthy Computing. Springer, Cham, 2016.
[S20] Srinath Setty. Spartan: Efficient and general-purpose zkSNARKs without trusted setup. Microsoft Research, 2020.
[CGSB20] Melissa Chase, Esha Ghosh, Srinath Setty, and Daniel Buchner. Zero-knowledge credentials with deferred revocation checks. Microsoft Research & Microsoft Identity, 2020.