coconut threshold issuance selective disclosure
play

Coconut: Threshold Issuance Selective Disclosure Credentials with - PowerPoint PPT Presentation

Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers Authors Alberto Sonnino* Mustafa Al-Bassam* Shehar Bano* Sarah Meiklejohn* George Danezis* * University College London February 2019 The


  1. Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers Authors Alberto Sonnino* Mustafa Al-Bassam* Shehar Bano* Sarah Meiklejohn* George Danezis* * University College London February 2019

  2. The Authors Alberto Sonnino Mustafa Al-Bassam Bano Shehar Sarah Meiklejohn George Danezis � 2

  3. Challenges in blockchains Strong integrity Poor privacy � 3

  4. Challenges in blockchains Strong integrity Poor privacy send it to the blockchain write the contract anyone can verify � 4

  5. Challenges in blockchains Can we issue credentials in this setting? send it to the blockchain write the contract anyone can verify � 5

  6. What are we trying to do? • Issuing credentials through smart contracts write the contract … while preserving privacy � 6

  7. What are we trying to do? • Issuing credentials through smart contracts write the contract some attributes … while preserving privacy � 7

  8. What are we trying to do? • Issuing credentials through smart contracts write the contract credentials some attributes … while preserving privacy � 8

  9. What are we trying to do? • Issuing credentials through smart contracts another contract credentials … while preserving privacy � 9

  10. What are we trying to do? • Why is it hard? Attributes & signing key should be secret transactions are recorded on chain Credentials showing should be unlinkable In a decentralised setting � 10

  11. What are we trying to do? • Why is it hard? attributes & signing key should be secret transactions are recorded on chain Credentials showing should be unlinkable In a decentralised setting � 11

  12. What are we trying to do? • Why is it hard? attributes & signing key should be secret transactions are recorded on chain credentials showing should be unlinkable In a decentralised setting � 12

  13. Introduction • Which properties do we need? Blindness Unlinkability Threshold Authority Authorities Non- Efficiency Interactivity � 13

  14. Introduction • Which properties do we need? Blindness Unlinkability Threshold Authority Authorities Non- Efficiency Interactivity � 14

  15. Introduction • Which properties do we need? Blindness Unlinkability Threshold Authority Authorities Non- Efficiency Interactivity � 15

  16. Introduction • Which properties do we need? Blindness Unlinkability Threshold Authority Authorities Non- Efficiency Interactivity � 16

  17. Introduction • Which properties do we need? Blindness Unlinkability Threshold Authority Authorities Non- Efficiency Interactivity � 17

  18. Introduction • Which properties do we need? Blindness Unlinkability Threshold Authority Authorities Non- Efficiency Interactivity � 18

  19. So we built Coconut � 19

  20. Introduction • What is Coconut? Contribution I Coconut credentials scheme Contribution II Coconut smart contract library & example of applications � 20

  21. Introduction • What is Coconut? Contribution I Coconut credentials scheme Contribution II Coconut smart contract library & example of applications � 21

  22. Introduction • What is Coconut? Contribution I Coconut credentials scheme Contribution II Coconut smart contract library & example of applications � 22

  23. System Overview • How does Coconut work? request À Ã Õ Œ œ – — � issue À Ã Õ Œ œ – — � aggregate & À Ã Õ Œ œ – — � randomize show À Ã Õ Œ œ – — � authorities � 23

  24. System Overview • How does Coconut work? request À Ã Õ Œ œ – — � issue À Ã Õ Œ œ – — � aggregate & À Ã Õ Œ œ – — � randomize show À Ã Õ Œ œ – — � authorities � 24

  25. System Overview • How does Coconut work? request À Ã Õ Œ œ – — � issue À Ã Õ Œ œ – — � aggregate & À Ã Õ Œ œ – — � randomize show À Ã Õ Œ œ – — � authorities � 25

  26. System Overview • How does Coconut work? request À Ã Õ Œ œ – — � issue À Ã Õ Œ œ – — � aggregate & À Ã Õ Œ œ – — � randomize show À Ã Õ Œ œ – — � authorities � 26

  27. System Overview • How does Coconut work? request À Ã Õ Œ œ – — � issue À Ã Õ Œ œ – — � aggregate & À Ã Õ Œ œ – — � randomize show À Ã Õ Œ œ – — � authorities � 27

  28. System Overview • Threshold authorities t n Users need to collect authorities only t shares � 28 OpenSSL Pri

  29. System Overview • Threshold authorities honest authorities t n Users need to collect authorities only t shares � 29 OpenSSL Pri

  30. Coconut Credentials Scheme • From where do coconuts come from? Coconut PS Signatures BLS Signatures � 30

  31. Coconut Credentials Scheme • From where do coconuts come from? Coconut PS Signatures BLS Signatures • What do they look like? take an attribute: m m m compute: ( ) h H H ( ( c c m ) ) h h H c m m + x x + + m m y h x my y ) signature: ( ) & secret key: ( ( ( x y ) ) ) ( ( h ) x y h h , , h h x , , y σ σ σ , , � 31

  32. Coconut Credentials Scheme • Communication protocol user authority verifier i i i À Ã Õ Œ œ – — � ( Λ , φ ) repeat times t À Ã Õ Œ œ – — � ( ˜ σ i ) À Ã Õ Œ œ – — � ( Θ , φ � ) � 32

  33. Coconut Smart Contract Library • General purpose library contract info contract info À Ã Õ Œ œ – — � À Ã Õ Œ œ – — � create attributes attributes À Ã Õ Œ œ – — � À Ã Õ Œ œ – — � request credentials À Ã Õ Œ œ – — � issue credentials À Ã Õ Œ œ – — � authorities credentials À Ã Õ Œ œ – — � verify Ledger � 33

  34. Applications • Privacy-preserving petitions proof of identity À Ã Õ Œ œ – — � happens citizen authorities credentials À Ã Õ Œ œ – — � only once À Ã Õ Œ œ – — � sign petition happens every create petition petition À Ã Õ Œ œ – — � vote campaign creator Ledger � 34

  35. Performance • What is out there? The Coconut Smart contract library cryptographic library Python & Timing & benchmark Everything is released as open source software Applications https://github.com/asonnino/coconut Coin tumbler E-Petition (CRD proxy distribution ) � 35

  36. Performance • What is out there? The Coconut Smart contract library cryptographic library Python & Timing & benchmark Everything is released as open source software Applications https://github.com/asonnino/coconut Coin tumbler E-Petition (CRD proxy distribution ) � 36

  37. Performance • What is out there? The Coconut Smart contract library cryptographic library Python & Timing & benchmark Everything is released as open source software Applications https://github.com/asonnino/coconut Coin tumbler E-Petition (CRD proxy distribution ) � 37

  38. Performance • What is out there? The Coconut Smart contract library cryptographic library Python & Timing & benchmark Everything is released as open source software Applications https://github.com/asonnino/coconut Coin tumbler E-Petition (CRD proxy distribution ) � 38

  39. Performance • What is out there? The Coconut Smart contract library cryptographic library Python & Timing & benchmark Everything is released as open source software Applications https://github.com/asonnino/coconut Coin tumbler E-Petition (CRD proxy distribution ) � 39

  40. Performance • How fast is Coconut? σ 2 [ms] √ Operation µ [ms] PrepareBlindSign 2.633 ± 0.003 sign BlindSign 3.356 ± 0.002 Unblind ± 0.002 0.445 AggCred ± 0.000 0.454 ProveCred 1.544 ± 0.001 verify VerifyCred ± 0.002 10.497 signing is fast, verifying takes 10ms � 40

  41. Performance • What is the size of the credentials? 2 Group Elements No matter how many attributes… No matter how many authorities… � 41

  42. Performance • How does Coconut scale? Number of authorities: n , Signature size: 132 bytes Transaction complexity size [B] Signature on public attribute: O ( n ) request credential 32 O ( n ) À issue credential 132 O ( 1 ) Ã verify credential 162 Signature on private attribute: O ( n ) issue request credential 516 O ( n ) À issue credential 132 O ( 1 ) Ã verify credential 355 verify Signing scales linearly, verifying is constant time � 42

  43. Performance • Did you evaluate it in the real world? server client pick 10 locations across the world � 43

  44. Performance • Did you evaluate it in the real world? 600 Public attribute Private attribute 500 400 Client Latency [ms] 300 200 100 0 1 2 3 4 5 6 7 8 9 10 Threshold parameter client latency VS number of authorities � 44

  45. Performance • Did you evaluate it in the real world? Tokyo & Sidney 600 Public attribute Private attribute 500 400 Client Latency [ms] 300 200 100 Europe (close to client) 0 1 2 3 4 5 6 7 8 9 10 Threshold parameter client latency VS number of authorities � 45

Recommend


More recommend