Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers Authors Alberto Sonnino* Mustafa Al-Bassam* Shehar Bano* Sarah Meiklejohn* George Danezis* * University College London February 2019
The Authors Alberto Sonnino Mustafa Al-Bassam Bano Shehar Sarah Meiklejohn George Danezis � 2
Challenges in blockchains Strong integrity Poor privacy � 3
Challenges in blockchains Strong integrity Poor privacy send it to the blockchain write the contract anyone can verify � 4
Challenges in blockchains Can we issue credentials in this setting? send it to the blockchain write the contract anyone can verify � 5
What are we trying to do? • Issuing credentials through smart contracts write the contract … while preserving privacy � 6
What are we trying to do? • Issuing credentials through smart contracts write the contract some attributes … while preserving privacy � 7
What are we trying to do? • Issuing credentials through smart contracts write the contract credentials some attributes … while preserving privacy � 8
What are we trying to do? • Issuing credentials through smart contracts another contract credentials … while preserving privacy � 9
What are we trying to do? • Why is it hard? Attributes & signing key should be secret transactions are recorded on chain Credentials showing should be unlinkable In a decentralised setting � 10
What are we trying to do? • Why is it hard? attributes & signing key should be secret transactions are recorded on chain Credentials showing should be unlinkable In a decentralised setting � 11
What are we trying to do? • Why is it hard? attributes & signing key should be secret transactions are recorded on chain credentials showing should be unlinkable In a decentralised setting � 12
Introduction • Which properties do we need? Blindness Unlinkability Threshold Authority Authorities Non- Efficiency Interactivity � 13
Introduction • Which properties do we need? Blindness Unlinkability Threshold Authority Authorities Non- Efficiency Interactivity � 14
Introduction • Which properties do we need? Blindness Unlinkability Threshold Authority Authorities Non- Efficiency Interactivity � 15
Introduction • Which properties do we need? Blindness Unlinkability Threshold Authority Authorities Non- Efficiency Interactivity � 16
Introduction • Which properties do we need? Blindness Unlinkability Threshold Authority Authorities Non- Efficiency Interactivity � 17
Introduction • Which properties do we need? Blindness Unlinkability Threshold Authority Authorities Non- Efficiency Interactivity � 18
So we built Coconut � 19
Introduction • What is Coconut? Contribution I Coconut credentials scheme Contribution II Coconut smart contract library & example of applications � 20
Introduction • What is Coconut? Contribution I Coconut credentials scheme Contribution II Coconut smart contract library & example of applications � 21
Introduction • What is Coconut? Contribution I Coconut credentials scheme Contribution II Coconut smart contract library & example of applications � 22
System Overview • How does Coconut work? request À Ã Õ Œ œ – — � issue À Ã Õ Œ œ – — � aggregate & À Ã Õ Œ œ – — � randomize show À Ã Õ Œ œ – — � authorities � 23
System Overview • How does Coconut work? request À Ã Õ Œ œ – — � issue À Ã Õ Œ œ – — � aggregate & À Ã Õ Œ œ – — � randomize show À Ã Õ Œ œ – — � authorities � 24
System Overview • How does Coconut work? request À Ã Õ Œ œ – — � issue À Ã Õ Œ œ – — � aggregate & À Ã Õ Œ œ – — � randomize show À Ã Õ Œ œ – — � authorities � 25
System Overview • How does Coconut work? request À Ã Õ Œ œ – — � issue À Ã Õ Œ œ – — � aggregate & À Ã Õ Œ œ – — � randomize show À Ã Õ Œ œ – — � authorities � 26
System Overview • How does Coconut work? request À Ã Õ Œ œ – — � issue À Ã Õ Œ œ – — � aggregate & À Ã Õ Œ œ – — � randomize show À Ã Õ Œ œ – — � authorities � 27
System Overview • Threshold authorities t n Users need to collect authorities only t shares � 28 OpenSSL Pri
System Overview • Threshold authorities honest authorities t n Users need to collect authorities only t shares � 29 OpenSSL Pri
Coconut Credentials Scheme • From where do coconuts come from? Coconut PS Signatures BLS Signatures � 30
Coconut Credentials Scheme • From where do coconuts come from? Coconut PS Signatures BLS Signatures • What do they look like? take an attribute: m m m compute: ( ) h H H ( ( c c m ) ) h h H c m m + x x + + m m y h x my y ) signature: ( ) & secret key: ( ( ( x y ) ) ) ( ( h ) x y h h , , h h x , , y σ σ σ , , � 31
Coconut Credentials Scheme • Communication protocol user authority verifier i i i À Ã Õ Œ œ – — � ( Λ , φ ) repeat times t À Ã Õ Œ œ – — � ( ˜ σ i ) À Ã Õ Œ œ – — � ( Θ , φ � ) � 32
Coconut Smart Contract Library • General purpose library contract info contract info À Ã Õ Œ œ – — � À Ã Õ Œ œ – — � create attributes attributes À Ã Õ Œ œ – — � À Ã Õ Œ œ – — � request credentials À Ã Õ Œ œ – — � issue credentials À Ã Õ Œ œ – — � authorities credentials À Ã Õ Œ œ – — � verify Ledger � 33
Applications • Privacy-preserving petitions proof of identity À Ã Õ Œ œ – — � happens citizen authorities credentials À Ã Õ Œ œ – — � only once À Ã Õ Œ œ – — � sign petition happens every create petition petition À Ã Õ Œ œ – — � vote campaign creator Ledger � 34
Performance • What is out there? The Coconut Smart contract library cryptographic library Python & Timing & benchmark Everything is released as open source software Applications https://github.com/asonnino/coconut Coin tumbler E-Petition (CRD proxy distribution ) � 35
Performance • What is out there? The Coconut Smart contract library cryptographic library Python & Timing & benchmark Everything is released as open source software Applications https://github.com/asonnino/coconut Coin tumbler E-Petition (CRD proxy distribution ) � 36
Performance • What is out there? The Coconut Smart contract library cryptographic library Python & Timing & benchmark Everything is released as open source software Applications https://github.com/asonnino/coconut Coin tumbler E-Petition (CRD proxy distribution ) � 37
Performance • What is out there? The Coconut Smart contract library cryptographic library Python & Timing & benchmark Everything is released as open source software Applications https://github.com/asonnino/coconut Coin tumbler E-Petition (CRD proxy distribution ) � 38
Performance • What is out there? The Coconut Smart contract library cryptographic library Python & Timing & benchmark Everything is released as open source software Applications https://github.com/asonnino/coconut Coin tumbler E-Petition (CRD proxy distribution ) � 39
Performance • How fast is Coconut? σ 2 [ms] √ Operation µ [ms] PrepareBlindSign 2.633 ± 0.003 sign BlindSign 3.356 ± 0.002 Unblind ± 0.002 0.445 AggCred ± 0.000 0.454 ProveCred 1.544 ± 0.001 verify VerifyCred ± 0.002 10.497 signing is fast, verifying takes 10ms � 40
Performance • What is the size of the credentials? 2 Group Elements No matter how many attributes… No matter how many authorities… � 41
Performance • How does Coconut scale? Number of authorities: n , Signature size: 132 bytes Transaction complexity size [B] Signature on public attribute: O ( n ) request credential 32 O ( n ) À issue credential 132 O ( 1 ) Ã verify credential 162 Signature on private attribute: O ( n ) issue request credential 516 O ( n ) À issue credential 132 O ( 1 ) Ã verify credential 355 verify Signing scales linearly, verifying is constant time � 42
Performance • Did you evaluate it in the real world? server client pick 10 locations across the world � 43
Performance • Did you evaluate it in the real world? 600 Public attribute Private attribute 500 400 Client Latency [ms] 300 200 100 0 1 2 3 4 5 6 7 8 9 10 Threshold parameter client latency VS number of authorities � 44
Performance • Did you evaluate it in the real world? Tokyo & Sidney 600 Public attribute Private attribute 500 400 Client Latency [ms] 300 200 100 Europe (close to client) 0 1 2 3 4 5 6 7 8 9 10 Threshold parameter client latency VS number of authorities � 45
Recommend
More recommend