
This is a follow-up to this answer. The context & vocabulary used is that of a decentralized identity system.

Let $I$ be the issuer of a credential, $H$ the holder and $V$ the verifier. In this setting, $I$ signs a credential $C$ with their private key, and hands it over to $H$ for storage, who may then present it to $V$ to prove their identity.

One flaw remains in this system: if such were the intentions of $V$, nothing prevents them from giving the signed data contained in $C$ to a third party, who could then verify & attest that the credential is authentic even though $H$ didn't give the credential themselves.

How could this be avoided?


Note: regarding the link between this question and the answer cited above, I'm not sure if the question I asked about deniable authentication was formulated well enough: I wasn't interested in making the ZKP unreadable to third parties (I fear this is impossible if Bob / $V$ is part of the conspiracy), but my goal was to make the whole credential (passport, in that case) no longer provably authentic.

deb

2 Answers

The solution is rather simple; instead of letting $H$ give the general credential $C$ to $V$, the following steps could be taken:

  1. $H$ sends $C$ to $I$, along with $V$'s public key.
  2. $I$ checks that they signed the credential themselves, takes the content, and signs it again with a ring signature made from $V$'s public key and $I$'s own private key. The resulting credential may be called $C_V$. It is sent back to $H$.
  3. $H$ sends $C_V$ to $V$ as a proof of identity.

At this point, $V$ can trust the received credential, as the potential signers are $\{I, V\}$, and $V$ knows they didn't sign it. When $V$ tries to leak the data, they have no way of proving the data authentic.

deb

Use a zero-knowledge proof that the signature exists rather than sending a signature directly.

The holder and verifier execute the protocol and this convinces the verifier that the signature exists without revealing it.

For signatures based on discrete-log problems (Schnorr signatures, Ed25519, ECDSA) this transformation is easy to do. If the verifier has a known public key, the holder can do this in a single message.

Other signature algorithms also allow existence ZKPs but may require arithmetic circuit proofs.

Richard Thiessen