Score:3

How can you use ZK-proofs and public key signatures in this situation?


Let us say that we have 3 entities: an issuer I, a user/prover P and a verifier V.

  1. V trusts I but does not trust u.
  2. u wants to show that he respects some kind of property (e.g. being over 18yo) to V without revealing their whole birth day.
  3. V possesses the data that u needs to convince V, e.g. using a ZK-proof, but V would not trust such a proof because u could easily use a fake date.

How would you design a protocol such that V is assured that the claim u makes is legitimate (that is, that claim was issued by I)?

A first idea would be to use both a public key signature (so, V sends u a signature of its date, so that even if u decides to use a fake date, they cannot provide a correct signature for that) and a ZK-proof so that u provides only the strictly required information to V. V would then check that the ZK-proof is correct and that the private input fed into the ZK-circuit is signed by I.

Some clarifications after Geoffroy's comment:

  1. The user u should be aware of what information V wants to know, so we can't just let V and I communicate, cutting out the user.
  2. The user has one or more statements issued and signed by I and wants to convince V of a claim about a statement (e.g. u wants to prove that he is 18yo, given a birth certificate/ID/passport signed by I) without revealing the entire statement.

Thanks in advance

Geoffroy Couteau
Your setting is not clear to me: does the issuer know the data as well? Why can't he just tell V that P is over 18yo, if V trusts them? Should anything be hidden from the issuer? More generally, since you mention ZK proofs: what exactly do you want to hide? A generic non-hiding solution would be: P convinces I that he is 18yo (e.g. using his passport), and I issues a signature on the message "P is 18yo" which it hands to P. Then P can use this as a credential with V.
jacobi_matrix
The issuer knows the data, but we want P to be aware and consent to what information is given to V, so you can't really just let V ask the issuer, or the user is completely cut out. The idea is that I issues a (digital and signed) document that states P's date of birth (as an example) and P wants to prove a claim on that statement (e.g. P is 18yo) without revealing the day of birth, so the user hides his date of birth but still convinces the verifier that they are 18yo.
Score:1

What you want looks very similar to anonymous credentials. Constructions usually go as follows: the issuer will sign the attribute of P (e.g. "P is 18yo"), usually using a blind issuance protocol. Then, P can send to V a commitment to his attribute, together with a ZK proof that he holds a signature on the committed value. In your specific setting where there is a unique verifier, there exist dedicated solutions using algebraic MACs, see here.
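A simplified version of this flow, as an added example that is not code from the answer or from any library: the issuer commits to (date of birth, over-18 flag) in one Pedersen commitment and Schnorr-signs it, and P reveals only the flag while proving in zero knowledge that it knows the hidden date of birth and blinding value. Assumptions: all function names are hypothetical, the group is a toy one chosen for brevity and is not secure, there is no blind issuance, and the commitment and signature are shown in the clear (so repeated shows are linkable), whereas the construction in the answer proves possession of the signature in zero knowledge.

```python
import hashlib, secrets

# Toy group (assumption, NOT secure): integers modulo the Mersenne prime 2**127 - 1.
P = 2**127 - 1
N = P - 1                      # exponents are reduced modulo the group order

def H(*parts):                 # hash arbitrary values to an integer
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

# Bases derived by hashing so that nobody picks their mutual discrete logs.
G, G_DOB, G_ADULT, H_BLIND = (H("gen", i) % P for i in range(4))

def issuer_keygen():
    sk = secrets.randbelow(N)
    return sk, pow(G, sk, P)

def issue(sk, dob, adult):
    """Issuer I commits to (dob, adult) and Schnorr-signs the commitment."""
    r = secrets.randbelow(N)
    C = pow(G_DOB, dob, P) * pow(G_ADULT, adult, P) * pow(H_BLIND, r, P) % P
    k = secrets.randbelow(N)
    e = H("sig", pow(G, k, P), C) % N
    return {"C": C, "sig": (e, (k + e * sk) % N), "dob": dob, "r": r}

def present(cred, nonce):
    """P claims adult=1 and proves knowledge of (dob, r) without sending them."""
    a, b = secrets.randbelow(N), secrets.randbelow(N)
    T = pow(G_DOB, a, P) * pow(H_BLIND, b, P) % P
    c = H("show", cred["C"], T, nonce) % N          # Fiat-Shamir challenge
    return {"C": cred["C"], "sig": cred["sig"], "T": T,
            "s_dob": (a + c * cred["dob"]) % N, "s_r": (b + c * cred["r"]) % N}

def verify(pk, show, nonce):
    """V checks I's signature on C, then the proof that C contains adult=1."""
    e, s = show["sig"]
    R = pow(G, s, P) * pow(pk, -e, P) % P           # g^s * pk^-e recovers g^k
    if H("sig", R, show["C"]) % N != e:
        return False
    D = show["C"] * pow(G_ADULT, -1, P) % P         # strip the claimed adult=1
    c = H("show", show["C"], show["T"], nonce) % N
    lhs = pow(G_DOB, show["s_dob"], P) * pow(H_BLIND, show["s_r"], P) % P
    return lhs == show["T"] * pow(D, c, P) % P

if __name__ == "__main__":
    sk, pk = issuer_keygen()
    cred = issue(sk, 20010315, 1)                   # constructed sample attributes
    print(verify(pk, present(cred, "session-nonce"), "session-nonce"))
```

The nonce is chosen by V for each session, so a captured presentation cannot be replayed under a different nonce.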
