Anonymous credentials: an illustrated primer (Part 2)
2 days ago
- #cryptography
- #anonymous-credentials
- #Privacy-Pass
- Anonymous credential systems involve an Issuer, Resources, and Users. Users verify their identity non-anonymously to the Issuer, then show credentials anonymously to Resources, which prevents linkage by any party.
- Key features include limiting how many times a credential can be shown, which prevents cloning attacks, and making credentials expressive enough to prove claims without leaking extra information.
- Privacy Pass is a widely deployed anonymous credential standard used by Cloudflare, Apple, Google, and others, offering simple single-use credentials based on blind signatures for bypassing CAPTCHAs and anti-abuse measures.
- The protocol involves credentials with fields like token type, metadata (MD), a unique serial number (SN), and a signature, where MD can bind a credential to specific applications such as websites or time periods.
- Privacy Pass supports two issuance protocols: publicly verifiable tokens using blind RSA signatures (requiring public keys) and privately verifiable tokens using oblivious MACs for faster performance (requiring secret key sharing for verification).
- Session-specific credentials are an alternative flow where the User obtains a credential after receiving a challenge from the Resource, binding the credential to a specific session and preventing future use.
- Potential downsides include reliance on Issuer availability for real-time issuance and timing correlation attacks if timestamps are compared, though these may be mitigated in large-scale deployments.
- Privacy Pass is standardized but limited in features beyond single-use credentials, prompting interest in more powerful solutions like zero-knowledge credentials for broader applications such as age verification.
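
The single-use, blind-signature flow summarized above can be traced end to end in a few lines. This is an added example, not code from the original post or from the Privacy Pass specification: it uses textbook blind RSA with a constructed toy key and no padding, hashes MD and SN together as a simplifying assumption, and all function and class names are hypothetical.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy Issuer key from two Mersenne primes; far too small for real use.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # Issuer's private exponent

def digest(md: bytes, sn: bytes) -> int:
    """Hash metadata (MD) and serial number (SN) into the value that gets signed."""
    h = hashlib.sha256(len(md).to_bytes(2, "big") + md + sn).digest()
    return int.from_bytes(h, "big") % N

def user_blind(md: bytes, sn: bytes):
    """User: hide the digest behind a random factor r before sending to the Issuer."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (digest(md, sn) * pow(r, E, N)) % N, r

def issuer_sign(blinded: int) -> int:
    """Issuer: signs after authenticating the User, but never sees MD or SN."""
    return pow(blinded, D, N)

def user_unblind(blind_sig: int, r: int) -> int:
    """User: strip r to obtain an ordinary signature on digest(md, sn)."""
    return (blind_sig * pow(r, -1, N)) % N

class Resource:
    """Verifies with the public key only and enforces single use via seen SNs."""
    def __init__(self, expected_md: bytes):
        self.expected_md, self.seen = expected_md, set()

    def redeem(self, md: bytes, sn: bytes, sig: int) -> str:
        if md != self.expected_md:
            return "wrong-metadata"   # credential bound to another site or period
        if pow(sig, E, N) != digest(md, sn):
            return "bad-signature"
        if sn in self.seen:
            return "double-spend"     # a cloned or replayed credential
        self.seen.add(sn)
        return "ok"

def issue(md: bytes):
    """Run one issuance; returns (sn, signature, blinded value the Issuer saw)."""
    sn = secrets.token_bytes(16)
    blinded, r = user_blind(md, sn)
    return sn, user_unblind(issuer_sign(blinded), r), blinded
```

The Issuer only ever handles the blinded value, so it cannot match a later redemption to the issuance, while the Resource's set of seen serial numbers is what makes each credential single-use.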