Score:2

Crypto

How to exchange a credential whilst ensuring deniable authentification?

deb

4/24/23, 3:32 PM

This is a follow-up to this answer. The context & vocabulary used is that of a decentralized identity system.

Let $I$ be the issuer of a credential, $H$ the holder and $V$ the verifier. In this setting, $I$ signs a credential $C$ with their private key, and hands it over to $H$ for storage, who may then present it to $V$ to prove their identity.

One flaw remains in this system: if such were the intentions of $V$, nothing prevents them from giving the signed data contained in $C$ to a third-party, who could then verify & attest that the credential is authentic even though $H$ didn't give the credential themself.

How could this be avoided?

Note: regarding the link between this question and the answer cited above, I'm not sure if the question I asked about deniable authentication was formulated well enough: I wasn't interested in making the ZKP unreadable to third parties (I fear this is impossible if Bob / $V$ is part of the conspiracy), but my goal was to make the whole credential (passport, in that case) no longer provably authentic.

0 + 0

public-key

Score:2

Crypto

deb

4/24/23, 3:32 PM

The solution is rather simple; instead of letting $H$ give the general credential $C$ to $V$, the following steps could be taken:

$H$ sends $C$ to $I$, along with $V$'s public key.
$I$ checks that they signed the credential themself, takes the content, and signs it again with a ring signature made from $V$'s public key and $I$'s own private key. The resulting credential may be called $C_V$. It is sent back to $H$.
$H$ sends $C_V$ to $V$ as a proof of identity.

At this point, $V$ can trust the received credential, as the potential signers are $\{I, V\}$, and $V$ knows they didn't sign it. When $V$ tries to leak the data, they have no way of proving the data authentic.

0 + 0

Ilmari Karonen

4/24/23, 5:55 PM

The main disadvantage of this solution is that it requires $I$ to sign $C$ with a separate ring signature for each verifier $V$. In practice (if there are too many potential verifiers $V$ for $I$ to issue ring signatures for all of them in advance) that might require real-time communication between $H$ and $I$ (or at least between $H$ and some additional party entrusted by $I$ to perform step 2 on their behalf). But, as I noted in my comment on the original discussion, I'm not actually sure this *can* be done in general without such extra communication.

deb

4/25/23, 11:54 AM

@IlmariKaronen: Yes, that's problematic. I wish there has a way to "ring-sign" something only with (a) the non-signers' PKs and (b) the already-signed message with the SK. I might ask a question about that, at first sight it doesn't seem unfeasible and that would be a hell of an elegant solution. (edit: Or maybe it *is* unfeasible, but I don't know enough about the math behind signing to tell)

deb

4/25/23, 3:38 PM

It's done: https://crypto.stackexchange.com/q/97819/88017. I'm not really expecting any miracle, though.

deb

4/26/23, 9:12 AM

@IlmariKaronen: Looks like it's impossible without communication, you were right.

knaccc

4/26/23, 10:54 AM

Btw there is the partial solution of the issuer signing using sub-keys, which are rotated out after a period of time. The private keys for the rotated-out sub-keys are released so that anyone could forge the existence of a credential prior to that expiry. However, if the verifier records proof of knowledge of the credentials e.g. on a blockchain prior to the keys being rotated out, then this mechanism fails. See https://www.mit.edu/~specter/blog/2020/dkim/

Score:0

Crypto

Richard Thiessen

4/25/24, 1:32 AM

Use a zero knowledge proof that the signature exists rather than sending a signature directly.

The holder and verifier execute the protocol and this convinces the verifier that the signature exists without revealing it.

For signatures based on discrete log problems (Schnorr signatures, ED25519, ECDSA) this transformation is easy to do. If the Verifier has a known public key, the Holder can do this in a single message.

Other signature algorithms also allow existence ZKPs but may require arithmetic circuit proofs.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How to exchange a credential whilst ensuring deniable authentification?

TH: จะแลกเปลี่ยนข้อมูลประจำตัวในขณะที่รับรองความถูกต้องที่ถูกปฏิเสธได้อย่างไร

RO: Cum se schimbă o acreditare, asigurând în același timp o autentificare refuzată?

RU: Как обменять учетные данные, гарантируя отрицательную аутентификацию?

VI: Làm cách nào để trao đổi thông tin xác thực trong khi vẫn đảm bảo xác thực có thể từ chối?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.