Seminario: "Multi-holder BBS anonymous credentials " - Andrea Flamini
Seminario della serie "Seminari CrypTO", in collaborazione con Telsy SpA, centro di competenza in crittografia e cybersecurity del Gruppo TIM che opera nel perimetro di TIM Enterprise
"Multi-holder BBS anonymous credentials"
(work in progress with Eysa Lee and Anna Lysyanskaya)
Andrea Flamini
Università di Trento
Giovedì 11 Luglio 2024 - ore 11:30
Aula Buzano - Dipartimento di Scienze Matematiche
Politecnico di Torino
Abstract: Anonymous credentials (AC) are digital credentials that are issued to holders allowing them to prove statements about their identity in a privacy preserving way. More specifically, the holders can present the same AC multiple times to verifiers while keeping the presentations unlinkable/anonymous.
The unlinkability of presentation increases the level of privacy of the holder, however, as a side effect, it makes it impossible for a holder to track the use of a stolen credential. Therefore it is even more crucial that the ACs are securely stored. An approach to increase the security of storage, is to store the credential in multiple devices so that even if some of the devices are corrupt, the adversary can not steal the credential and use it.
In our work we define the concept of “multi-holder anonymous credential scheme” that allows the issuance of shards of credentials to different holders that can present such credentials executing a threshold presentation protocol, while keeping their shards of credential private. We define the security properties of multi-holder AC schemes, namely the unforgability and unlinkability of presentation, and also the identifible abort in the presentation protocol execution.
Finally we design a multi-holder AC scheme which is compatible with the BBS AC scheme described by Tessaro and Zhu at EuroCrypt 2023, meaning that 1) the issuance of a multi-holder BBS credential is performed by computing a secret sharing of a BBS credential, and that 2) the presentation of the multi-holder BBS credential has the same structure of a presentation of a BBS credential. We prove the scheme concurrently secure according to our security notions.
