Michele Orrù
joint work with Ben Kreuter, Tancrède Lepoint, Mariana Raykova
Anonymous tokens are lightweight, single-use anonymous credentials.
… we focus on secret-key tokens with a private metadata bit.
[Diagram: parties \(\mathcal{U}\), \(\mathcal{I}\), \(\mathcal{W}\), with labels [Tor User], [CloudFlare], [CDN]. Messages: request, challenge, solution?, request, response, response / no.]
Privacy Pass: Bypassing Internet Challenges Anonymously. [PETS'18]
Website protection.
CAPTCHA, CAPTCHA, CAPTCHA
Art credits: Marie Gutbub. [source]
[Diagram: parties \(\mathcal{U}\), \(\mathcal{I}\), \(\mathcal{W}\), with labels [Tor User], [CloudFlare], [CDN]. Messages: challenge, solution?, challenge, request, response, response + tokens / no, request.]
[Diagram: parties \(\mathcal{U}\), \(\mathcal{I}\), \(\mathcal{W}\), with labels [Tor User], [CloudFlare], [CDN]. Messages: request, token; request; response; response / no.]
Micro payments.
Challenge bypass on the Ristretto group. [Github]
Fraud prevention.
Fighting fraud using partially blind signatures. [Facebook Engineering Blog]
Deprecating 3rd party cookies.
Building a more private web: A path towards making third party cookies obsolete. [Chromium Blog]
[Diagram: issuer \(\mathcal{I}\) and adversary \(\mathcal{A}\). Messages: token?, ✗, token?, \(\dots\); request, \(\sigma^{(b)}\); the bit \(b\).]
Issuance protocol: \(\sigma \gets \langle \mathcal{U}(\mathsf{pp}, t), \mathcal{I}(\mathsf{sk}, b)\rangle\)
Redemption algorithm: \(\{0, 1,\perp\}\gets \mathcal{V}(\mathsf{sk}, t, \sigma)\)
[Diagram: adversary \(\mathcal{A}\) and users \(\mathcal{U}_1, \mathcal{U}_2, \dots, \mathcal{U}_n\); tokens \((t_i, \sigma_i)\); index \(i\).]
[Diagram: issuer \(\mathcal{I}\) and adversary \(\mathcal{A}\); sessions \((1), \dots, (\ell)\); tokens \((t_i, \sigma_i)_{i=1}^{\ell+1}\).]
\(\mathcal{I} (\mathsf{sk}, b\!=\!0) ~{\stackrel{\tiny\textsf{ind.}}{\equiv}}~ \mathcal{I} (\mathsf{sk}, b\!=\!1)\)
fetch('https://iacr.org/.well-known/trust-token', {
  trustToken: {
    type: 'token-request',
    issuer: 'ens.fr'
  }
});
[Example derived from the original proposal.]
fetch('https://eprint.iacr.org/2020/072.pdf', {
  trustToken: {
    type: 'raw-token-redemption',
    issuer: 'ens.fr'
  }
});
1. Introduction
In some situations, it may only be necessary to check that a client
has been previously authorized by a service; without learning any
other information. Such lightweight authorization mechanisms can be
useful in quickly assessing the reputation of a client in latency-
sensitive communication.
[Draft version 00.]
\(\Gamma := (p, \mathbb{G}, G)\), \(X = xG\)
\(\mathcal{U}\): \(r \gets \mathbb{Z}_p^*\); \(T' := r^{-1}\mathsf{H}(t)\)
\(\mathcal{U} \to \mathcal{I}\): \(T'\)
\(\mathcal{I}\): \(W' := x T'\); \(\pi := \mathsf{zkp}\left\{ x\begin{bmatrix}G\\T'\end{bmatrix} = \begin{bmatrix}X\\ W'\end{bmatrix}\right\} \)
\(\mathcal{I} \to \mathcal{U}\): \(W'\), \(\pi\)
\(\mathcal{U}\): check \(\pi\); \(W := r W'\)
\(\cdots\) redemption \(\cdots\)
\(\mathcal{U} \to \mathcal{I}\): \(t, W\)
\(\Gamma := (p, \mathbb{G}, G)\), \(X_b = x_bG,~~ b \in \{0, 1\}\)
\(\mathcal{U}\): \(r \gets \mathbb{Z}_p^*\); \(T' := r^{-1}\mathsf{H}(t)\)
\(\mathcal{U} \to \mathcal{I}\): \(T'\)
\(\mathcal{I}\): \(W' := x_b T'\); \(\pi := \mathsf{zkp}\left\{ x_b\begin{bmatrix}G\\T'\end{bmatrix} = \begin{bmatrix}X_b\\ W'\end{bmatrix}\right\} \)
\(\mathcal{I} \to \mathcal{U}\): \(W'\), \(\pi\)
\(\mathcal{U}\): check \(\pi\); \(W := r W'\)
\(\cdots\) redemption \(\cdots\)
\(\mathcal{U} \to \mathcal{I}\): \(t, W\)
\(\Gamma := (p, \mathbb{G}, G)\), \(X_b = x_bG,~~ b \in \{0, 1\}\)
\(\mathcal{U}\): \(r, s \gets \mathbb{Z}_p^*\); \(T' := r^{-1}\mathsf{H}(t)\); \(S' := s^{-1}\mathsf{H}(t)\)
\(\mathcal{U} \to \mathcal{I}\): \(T'\), \(S'\)
\(\mathcal{I}\): \(W' := x_0 T'\); \(V' := x_1 S'\)
\(\mathcal{I} \to \mathcal{U}\): \(W'\), \(V'\)
\(\mathcal{U}\): \(r W' \stackrel{?}{=} s V'\)
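\(\Gamma := (p, \mathbb{G}, G, H)\), \(X = xG +yH\)
\(\mathcal{U}\): \(r \gets \mathbb{Z}_p^*\); \(T' := r^{-1}\mathsf{H}(t)\)
\(\mathcal{U} \to \mathcal{I}\): \(T'\)
\(\mathcal{I}\): \(s \gets \{0, 1\}^\lambda;~ S' := \mathsf{H}(T', s)\); \(W' := x T' + yS'\); \(\pi := \mathsf{zkp}\left\{x\begin{bmatrix}G\\T'\end{bmatrix} + y\begin{bmatrix}H\\S'\end{bmatrix} = \begin{bmatrix}X\\ W'\end{bmatrix}\right\} \)
\(\mathcal{I} \to \mathcal{U}\): \(s, W'\), \(\pi\)
\(\mathcal{U}\): check \(\pi\); \(W := r W'\); \(S := r \mathsf{H}(T', s)\)
\(\cdots\) redemption \(\cdots\)
\(\mathcal{U} \to \mathcal{I}\): \(t, S, W\)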
\(r \gets \mathbb{Z}_p^*\)
\(T' := r^{-1}\mathsf{H}(t)\)
\(\Gamma := (p, \mathbb{G}, G, H)\), \(X_b = x_bG +y_bH,~~ b \in \{0, 1\}\)
\(\mathcal{U}\): \(r \gets \mathbb{Z}_p^*\); \(T' := r^{-1}\mathsf{H}(t)\)
\(\mathcal{U} \to \mathcal{I}\): \(T'\)
\(\mathcal{I}\): \(s \gets \{0, 1\}^\lambda;~ S' := \mathsf{H}(T', s)\); \(W' := x_b T' + y_bS'\); \(\pi := \mathsf{zkp}\left\{x_b\begin{bmatrix}G\\T'\end{bmatrix} + y_b\begin{bmatrix}H\\S'\end{bmatrix} = \begin{bmatrix}X_b\\ W'\end{bmatrix}\right\} \)
\(\mathcal{I} \to \mathcal{U}\): \(s, W'\), \(\pi\)
\(\mathcal{U}\): check \(\pi\); \(W := r W'\); \(S := r \mathsf{H}(T', s)\)
\(\cdots\) redemption \(\cdots\)
\(\mathcal{U} \to \mathcal{I}\): \(t, S, W\)
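An added Python sketch (not from the talk or its Rust implementation) of the issuance and redemption flow with a private metadata bit shown above, including the redemption check that recovers \(b\), which follows from \(W = rW' = x_b\mathsf{H}(t) + y_bS\). Assumptions: secp256k1 stands in for Ristretto, the hash-to-curve is a toy, the proof \(\pi\) is omitted, and all function names are hypothetical.

```python
import hashlib, itertools, secrets
# Assumption: secp256k1 (prime order N, cofactor 1) stands in for Ristretto.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def add(A, B):  # affine addition on y^2 = x^3 + 7; None is the identity
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    m = num * pow(den % P, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def mul(k, A):  # double-and-add scalar multiplication (not constant time)
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def H(*parts):  # toy try-and-increment hash to the curve (not constant time)
    for ctr in itertools.count():
        d = hashlib.sha256(repr((parts, ctr)).encode()).digest()
        x = int.from_bytes(d, "big") % P
        y = pow(x**3 + 7, (P + 1) // 4, P)
        if (y * y - x**3 - 7) % P == 0:
            return (x, y)

def keygen():  # sk = [(x_0, y_0), (x_1, y_1)], one key pair per metadata bit
    return [tuple(secrets.randbelow(N - 1) + 1 for _ in "xy") for _ in range(2)]

def blind(t):  # user: T' := r^{-1} H(t)
    r = secrets.randbelow(N - 1) + 1
    return r, mul(pow(r, -1, N), H(t))

def issue(sk, b, Tp):  # issuer: S' := H(T', s), W' := x_b T' + y_b S'
    s, (x, y) = secrets.token_bytes(16), sk[b]
    return s, add(mul(x, Tp), mul(y, H(Tp, s)))

def unblind(r, Tp, s, Wp):  # user: S := r H(T', s), W := r W'
    return mul(r, H(Tp, s)), mul(r, Wp)

def redeem(sk, t, S, W):  # issuer: recover b, or None (standing for ⊥)
    hits = [b for b, (x, y) in enumerate(sk) if W == add(mul(x, H(t)), mul(y, S))]
    return hits[0] if len(hits) == 1 else None
```

The user never sees which key pair was used: without \(\pi\) it only holds \((t, S, W)\), and the bit is read back by the holder of \(\mathsf{sk}\) at redemption.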
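\(\Gamma := (p, \mathbb{G}, G)\), \(X = xG\)
\(\mathcal{U}\): \(r, \rho \gets \mathbb{Z}_p^*\); \(T' := r(\mathsf{H}(t) - \rho G)\)
\(\mathcal{U} \to \mathcal{I}\): \(T'\)
\(\mathcal{I}\): \(W' := x T'\)
\(\mathcal{I} \to \mathcal{U}\): \(W'\)
\(\mathcal{U}\): \(W := r^{-1} W' + \rho X\)
\(\cdots\) redemption \(\cdots\)
\(\mathcal{U} \to \mathcal{I}\): \(t, W\)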
#[test]
fn it_works() {
    let mut csrng = rand::rngs::OsRng;
    // generate a keypair
    let keypair = KeyPair::generate(&mut csrng);
    // get the public parameters
    let pp = PublicParams::from(&keypair);
    // client's first message (the blinded token)
    let blinded_token = pp.generate_token(&mut csrng);
    // server's response (the signed token) with hidden metadata bit 0
    let signed_token = keypair.sign(&mut csrng, &blinded_token.to_bytes(), 0);
    // client's unblinding (the final token)
    let token = blinded_token.unblind(signed_token);
    assert!(token.is_ok());
    // verification of the token
    assert!(keypair.verify(&token.unwrap()).is_ok());
}
In Rust, using curve25519-dalek::Ristretto.
Check out [benchmarks report] for fancy stats.