Score:2

How to exchange a credential whilst ensuring deniable authentication?

deb

This is a follow-up to this answer. The context & vocabulary used is that of a decentralized identity system.

Let $I$ be the issuer of a credential, $H$ the holder and $V$ the verifier. In this setting, $I$ signs a credential $C$ with their private key, and hands it over to $H$ for storage, who may then present it to $V$ to prove their identity.

One flaw remains in this system: if such were the intentions of $V$, nothing prevents them from giving the signed data contained in $C$ to a third party, who could then verify & attest that the credential is authentic even though $H$ didn't give them the credential themselves.

How could this be avoided?


Note: regarding the link between this question and the answer cited above, I'm not sure if the question I asked about deniable authentication was formulated well enough: I wasn't interested in making the ZKP unreadable to third parties (I fear this is impossible if Bob / $V$ is part of the conspiracy), but my goal was to make the whole credential (passport, in that case) no longer provably authentic.

Score:2
deb

The solution is rather simple; instead of letting $H$ give the general credential $C$ to $V$, the following steps could be taken:

  1. $H$ sends $C$ to $I$, along with $V$'s public key.
  2. $I$ checks that they signed the credential themselves, takes the content, and signs it again with a ring signature made from $V$'s public key and $I$'s own private key. The resulting credential may be called $C_V$. It is sent back to $H$.
  3. $H$ sends $C_V$ to $V$ as a proof of identity.

At this point, $V$ can trust the received credential, as the potential signers are $\{I, V\}$, and $V$ knows they didn't sign it. When $V$ tries to leak the data, they have no way of proving the data authentic.

ar flag
The main disadvantage of this solution is that it requires $I$ to sign $C$ with a separate ring signature for each verifier $V$. In practice (if there are too many potential verifiers $V$ for $I$ to issue ring signatures for all of them in advance) that might require real-time communication between $H$ and $I$ (or at least between $H$ and some additional party entrusted by $I$ to perform step 2 on their behalf). But, as I noted in my comment on the original discussion, I'm not actually sure this *can* be done in general without such extra communication.
deb
@IlmariKaronen: Yes, that's problematic. I wish there was a way to "ring-sign" something only with (a) the non-signers' PKs and (b) the already-signed message with the SK. I might ask a question about that; at first sight it doesn't seem unfeasible and that would be a hell of an elegant solution. (edit: Or maybe it *is* unfeasible, but I don't know enough about the math behind signing to tell)
deb
It's done: https://crypto.stackexchange.com/q/97819/88017. I'm not really expecting any miracle, though.
deb
@IlmariKaronen: Looks like it's impossible without communication, you were right.
knaccc
Btw there is the partial solution of the issuer signing using sub-keys, which are rotated out after a period of time. The private keys for the rotated-out sub-keys are released so that anyone could forge the existence of a credential prior to that expiry. However, if the verifier records proof of knowledge of the credentials e.g. on a blockchain prior to the keys being rotated out, then this mechanism fails. See https://www.mit.edu/~specter/blog/2020/dkim/
Score:0
mx flag

Use a zero knowledge proof that the signature exists rather than sending a signature directly.

The holder and verifier execute the protocol and this convinces the verifier that the signature exists without revealing it.

For signatures based on discrete log problems (Schnorr signatures, Ed25519, ECDSA) this transformation is easy to do. If the Verifier has a known public key, the Holder can do this in a single message.

Other signature algorithms also allow existence ZKPs but may require arithmetic circuit proofs.
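Both answers above rest on the same primitive: a proof of knowledge of one discrete log out of two, i.e. a two-member ring signature. The Python below is an added example, not code from either answer or from any identity system; it implements an AOS-style ring signature over secp256k1 with a plain Schnorr signature as the issuer's original signature, and uses the ring twice. First as the issuer's re-signing step from the first answer (ring $\{I, V\}$, `issuer_reissue`), then as the holder's single-message proof that a signature exists from the second answer (ring $\{sG, V\}$ in `holder_prove`, where $sG = R + eP_I$ is recomputed from the issuer's signature $(R, s)$). The function names, the choice of curve and Schnorr variant, and the decision to reveal the nonce point $R$ but never $s$ are assumptions of this example, not details from the answers. The two `forge` helpers show what the answers claim: $V$ can produce an identical-looking artifact with their own key, so a leaked copy proves nothing to a third party.

```python
"""Two-member ring signatures as the building block for deniable credentials (example code)."""
import hashlib
import secrets

# secp256k1: y^2 = x^3 + 7 over GF(P); G generates a group of prime order N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def ec_add(A, B):
    """Affine point addition; INF (None) is the neutral element."""
    if A is INF:
        return B
    if B is INF:
        return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0:
        return INF  # A == -B
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)


def ec_mul(k, Q):
    """Variable-time double-and-add scalar multiplication (readability over side-channel safety)."""
    k %= N
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, Q)
        Q = ec_add(Q, Q)
        k >>= 1
    return R


def encode(Q):
    return b"\x00" * 64 if Q is INF else Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big")


def hash_to_scalar(*parts):
    """SHA-256 over bytes and encoded points, reduced into the scalar field."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part if isinstance(part, bytes) else encode(part))
    return int.from_bytes(h.digest(), "big") % N


def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)


# --- ordinary key-prefixed Schnorr signature: the issuer's signature on C ---
def schnorr_sign(x, pub, msg):
    k = secrets.randbelow(N - 1) + 1
    R = ec_mul(k, G)
    e = hash_to_scalar(R, pub, msg)
    return R, (k + e * x) % N


def schnorr_verify(pub, msg, sig):
    R, s = sig
    e = hash_to_scalar(R, pub, msg)
    return ec_mul(s, G) == ec_add(R, ec_mul(e, pub))


# --- AOS ring signature: proves knowledge of the discrete log of ONE point in `ring` ---
def ring_sign(msg, ring, k, x):
    n = len(ring)
    r = secrets.randbelow(N - 1) + 1
    c, s = [0] * n, [0] * n
    c[(k + 1) % n] = hash_to_scalar(msg, *ring, ec_mul(r, G))
    i = (k + 1) % n
    while i != k:  # simulate every link of the ring that we have no key for
        s[i] = secrets.randbelow(N - 1) + 1
        c[(i + 1) % n] = hash_to_scalar(msg, *ring, ec_add(ec_mul(s[i], G), ec_mul(c[i], ring[i])))
        i = (i + 1) % n
    s[k] = (r - c[k] * x) % N  # close the ring with the one real secret
    return c[0], s


def ring_verify(msg, ring, sig):
    c, s = sig
    for Y, si in zip(ring, s):
        c = hash_to_scalar(msg, *ring, ec_add(ec_mul(si, G), ec_mul(c, Y)))
    return c == sig[0]


# --- first answer: I re-signs C for one verifier V with the ring {I, V} ---
def issuer_reissue(x_I, pub_I, pub_V, credential):
    content, sig = credential
    if not schnorr_verify(pub_I, content, sig):  # step 2: "checks that they signed it"
        raise ValueError("credential was not signed by this issuer")
    return content, ring_sign(content, [pub_I, pub_V], 0, x_I)  # this is C_V


def verifier_forge_credential(x_V, pub_I, pub_V, content):
    """Deniability: V alone can build something indistinguishable from C_V."""
    return content, ring_sign(content, [pub_I, pub_V], 1, x_V)


# --- second answer: H proves the Schnorr signature exists, designated to V's key ---
def statement_point(pub_I, content, R):
    e = hash_to_scalar(R, pub_I, content)
    return ec_add(R, ec_mul(e, pub_I))  # equals s*G; only a holder of s knows its log


def holder_prove(pub_I, pub_V, content, sig):
    R, s = sig
    return R, ring_sign(content, [statement_point(pub_I, content, R), pub_V], 0, s)


def verifier_check_proof(pub_I, pub_V, content, proof):
    R, rsig = proof
    return ring_verify(content, [statement_point(pub_I, content, R), pub_V], rsig)


def verifier_forge_proof(x_V, pub_I, pub_V, content, R):
    """Deniability: V can fabricate a proof for any R with their own secret key."""
    return R, ring_sign(content, [statement_point(pub_I, content, R), pub_V], 1, x_V)
```

`ring_verify` accepts the issuer's $C_V$ and the verifier's forgery alike, which is the whole point: it tells $V$ the credential is genuine (since $V$ knows they did not forge it) while telling anyone else nothing. The holder's proof reveals only $R$, which any party can generate at random, so it carries no evidence on its own either.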
