This repository contains an implementation of a novel delegatable anonymous credentials (DAC) scheme presented in the paper Practical Delegatable Anonymous Credentials From Equivalence Class Signatures (PETS 2023), showcasing its performance and practicality.
The proposed DAC scheme provides anonymity for delegations, supports attributes, and is efficiently constructed using a new primitive called Structure-Preserving Signatures on Equivalence Classes on Updatable Commitments (SPSEQ-UC). This approach enables the owners of credentials to delegate them to other users, modeling hierarchies as encountered in public-key infrastructures (PKIs) while providing strong privacy guarantees for authentication and access control.
The implementation includes optimizations such as cross-set commitment aggregation, Schnorr-style discrete-logarithm zero-knowledge proofs, and Damgard's technique for obtaining malicious-verifier interactive zero-knowledge proofs of knowledge. These allow for selective and efficient showings in the DAC without using costly zero-knowledge proofs (i.e., proving knowledge of the signature and hidden attributes).
This implementation has not been audited and is not ready for production use. The library is provided for research purposes only.
The following system requirements must be met in order to run the code:
- Linux operating system
- x86_64 architecture
Note that the software has only been tested on Linux/x86_64 and may not work on other platforms.
The library is built on top of petlib and bplib. To install the development dependencies, run the following commands inside the cloned repository:
- Install Nix with the required experimental features from Determinate Systems:
    curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
- Run:
    nix develop
  This will activate the development environment with the required dependencies.
To run the tests in a precisely defined Python environment using Nix:
    nix develop -c pytest -s -v tests/
The source code is in core and is written in Python. Below, we describe each module:
- set_commit.py: This module implements set commitments. It takes a set of messages in string format as input and outputs a set commitment and opening information. Users can create a witness to open any subset of the messages, and a verifier can use the witness to confirm that the subset is indeed a subset of the original message set.
    SetCommitment
  Additionally, the module implements a cross-set commitment. This enables the aggregation of witnesses across multiple commitments into a single witness and enables batch verification, which further improves the efficiency of the implementation.
    CrossSetCommitment(SetCommitment)
- spseq_uc.py: This module implements the SPSEQ-UC signature scheme as the EQC_Sign class. The scheme is a special signature scheme that can sign vectors of set commitments, which can be extended by additional set commitments. The signatures generated by the scheme also include a user's public key, which can be switched. The module also offers the ability to randomize the set commitment and to randomize and adapt the signature to it. This enables the creation of signatures and set commitments that are unlinkable and improves the privacy guarantees of the overall system.
- util.py: This module provides all the common requirements for other schemes. It contains a collection of utility functions that are used across multiple modules in the system.
- zkp.py: This module provides a collection of Schnorr-style zero-knowledge proof (ZKP) implementations. These include:
  - Schnorr (interactive) proof of the statement ZK(x ; h = g^x).
      ZKP_Schnorr
  - Schnorr proof (non-interactive, using the Fiat-Shamir heuristic) of the statement ZK(x, m_1, ..., m_n; h = g^x and h_1^m_1...h_n^m_n) and a generalized version.
      ZKP_Schnorr_FS
  - Damgard's technique, which extends an interactive proof to obtain malicious-verifier interactive zero-knowledge proofs of knowledge.
      Damgard_Transfor(ZKP_Schnorr)
- dac.py: This module provides the DAC class. It requires the above modules and has the following methods:
  - setup(self): Generates the public parameters of the DAC scheme, including those for signing, set commitments and zero-knowledge proofs. It also creates objects of the underlying schemes.
  - user_keygen(self, pp_dac): Generates a key pair for a user.
  - nym_gen(self, pp_dac, usk, upk): Generates a new pseudonym and auxiliary information.
  - issue_cred(self, pp_dac, attr_vector, sk, nym_u, k_prime, proof_nym_u): Issues a root credential to a user.
  - proof_cred(self, pp_dac, nym_R, aux_R, cred_R, Attr, D): Generates a proof of a credential for a given pseudonym and selective disclosure D.
  - verify_proof(self, pp_dac, proof, D): Verifies the proof of a credential.
  - delegator(self, pp_dac, cred_u, A_l, l, sk_u, proof_nym) and delegatee(self, pp_dac, cred, A_l, sk_R, nym_R): Create a delegatable credential from user U to a user R.
An easy way to see how to use the library is to look at the tests.
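The Schnorr statement ZK(x ; h = g^x) listed for zkp.py, in its interactive and Fiat-Shamir forms, sketched as an added example that is not the repository's code or API. The toy group and all function names (keygen, in_group, announce, respond, check, fs_challenge, prove_fs, verify_fs) are assumptions made for illustration; the hash covers the group, the statement and a context string so a proof cannot be reused for another statement or session.

```python
import hashlib
import secrets

# Toy group, constructed for this example: p = 2q + 1 with p, q prime, and
# g = 4 generating the subgroup of order q. Far too small for real use.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1               # witness x in [1, q-1]
    return x, pow(G, x, P)                         # public statement h = g^x

def in_group(v):
    return 0 < v < P and pow(v, Q, P) == 1         # element of the order-q subgroup

# Interactive sigma protocol: announce -> challenge -> respond -> check
def announce():
    r = secrets.randbelow(Q)                       # fresh nonce, never reused
    return r, pow(G, r, P)                         # prover keeps r, sends t = g^r

def respond(x, r, c):
    return (r + c * x) % Q                         # s = r + c*x mod q

def check(h, t, c, s):
    if not (in_group(h) and in_group(t) and 0 <= s < Q):
        return False                               # reject malformed values
    return pow(G, s, P) == (t * pow(h, c, P)) % P  # accept iff g^s == t * h^c

# Fiat-Shamir: the verifier's random challenge is replaced by a hash that
# covers the group, the statement h, the announcement t and a context string.
def fs_challenge(h, t, context):
    data = "|".join(str(v) for v in (P, Q, G, h, t)).encode() + b"|" + context
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_fs(x, h, context=b""):
    r, t = announce()
    return t, respond(x, r, fs_challenge(h, t, context))

def verify_fs(h, proof, context=b""):
    t, s = proof
    return check(h, t, fs_challenge(h, t, context), s)

if __name__ == "__main__":
    x, h = keygen()
    t, s = prove_fs(x, h, b"demo-session")
    print("valid proof accepted:", verify_fs(h, (t, s), b"demo-session"))
    print("tampered proof accepted:", verify_fs(h, (t, (s + 1) % Q), b"demo-session"))
```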
I want to express my sincere thanks to Martin Schwaighofer for his support and assistance in using nix manager to build the library.
If you use our code, please cite our paper:
@misc{cryptoeprint:2022/680,
author = {Omid Mir and Daniel Slamanig and Balthazar Bauer and René Mayrhofer},
title = {Practical Delegatable Anonymous Credentials From Equivalence Class Signatures},
howpublished = {Cryptology ePrint Archive, Paper 2022/680},
year = {2022},
note = {\url{https://eprint.iacr.org/2022/680}},
url = {https://eprint.iacr.org/2022/680}
}