Non-transferable anonymous credentials
First Claim
1. A method for accepting from a user an assertion of at least one anonymous credential (AC) granted to a party having a master secret;
- said master secret comprising a private key, s, of a public/private key encryption pair and said public key, EU, generated by a commitment algorithm, C, performed on private key, s, and denoted C(s), said assertion repeated at least once, said method comprising the steps;
receiving said assertion from said user;
for said received assertion and each repeated instance, thereof;
receiving from said user an initiation of a multi-party protocol in which a prover provides a proof of knowledge of said master secret;
verifying said proof;
wherein said proof is a zero knowledge proof of knowledge;
accepting said at least one AC only if said verifying step is successful, wherein requiring successful completion of said proof for said received assertion and each repeated instance, thereof before accepting said at least one AC prevents transferring said at least one AC without also transferring said master secret, andsaid at least one AC granted by an organization Oi based on receiving a request for each of said at least one AC, (Oi;
;
xi) from a party, authenticating an identity of said party, generating a message, mi=<
C(s), (Oi;
;
xi)>
, generating a signed message σ
i=Soi(mi) wherein Soi is a public signing key of said Oi, and sending σ
i to said party.
2 Assignments
0 Petitions
Accused Products
Abstract
An anonymous credential system which requires a user who is asserting a credential to have knowledge of the master key of the user who was originally granted that credential. In order for a user to transfer the ability to assert any one of their credentials to another user, they must also transfer their master key to that same user. The master key, however, provides such unlimited rights to its holder that a user is strongly motivated not to share their master key with anyone else. In this manner, anonymous credentials become non-transferrable because a user cannot transfer a credential without transferring their entire electronic identity.
33 Citations
20 Claims
-
1. A method for accepting from a user an assertion of at least one anonymous credential (AC) granted to a party having a master secret;
- said master secret comprising a private key, s, of a public/private key encryption pair and said public key, EU, generated by a commitment algorithm, C, performed on private key, s, and denoted C(s), said assertion repeated at least once, said method comprising the steps;
receiving said assertion from said user; for said received assertion and each repeated instance, thereof;
receiving from said user an initiation of a multi-party protocol in which a prover provides a proof of knowledge of said master secret;verifying said proof; wherein said proof is a zero knowledge proof of knowledge; accepting said at least one AC only if said verifying step is successful, wherein requiring successful completion of said proof for said received assertion and each repeated instance, thereof before accepting said at least one AC prevents transferring said at least one AC without also transferring said master secret, and said at least one AC granted by an organization Oi based on receiving a request for each of said at least one AC, (Oi;
;
xi) from a party, authenticating an identity of said party, generating a message, mi=<
C(s), (Oi;
;
xi)>
, generating a signed message σ
i=Soi(mi) wherein Soi is a public signing key of said Oi, and sending σ
i to said party. - View Dependent Claims (2, 3, 4, 5, 6)
- said master secret comprising a private key, s, of a public/private key encryption pair and said public key, EU, generated by a commitment algorithm, C, performed on private key, s, and denoted C(s), said assertion repeated at least once, said method comprising the steps;
-
7. A method of processing at least one anonymous credential (AC) granted to a party having a master secret, DU, comprising the steps:
-
receiving from a user an assertion of said at least one AC; receiving from said user an encryption key E″
;sending a random number, R, to said user; receiving A=E″
(DU⊕
R) from said user;receiving from said user an initiation of an interactive zero knowledge proof of knowledge of said master secret; verifying said proof of knowledge; accepting said at least one AC only if said verifying step is successful, and wherein requiring successful completion of said proof of knowledge before accepting said at least one AC prevents transferring said at least one AC without also transferring said master secret, and including E″
, R and A to provide a non-transferrable session. - View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
-
-
19. A method for accepting from a user an assertion of at least one anonymous credential (AC) granted to a party having a master secret, said master secret comprising a private key, s, of a public/private encryption pair and said public key, EU, generated by a commitment algorithm, C, performed on private key, s, and denoted C(s), said assertion repeated at least once, wherein each of said at least one AC is granted by an organization, Oi, in accordance with a method comprising the steps:
-
receiving said assertion from said user; for said received assertion and each repeated instance, thereof;
receiving from said user an initiation of a multi-party protocol in which a prover provides a proof of knowledge of said master secret;verifying said proof; wherein said proof is a zero knowledge proof of knowledge; accepting said at least one AC only if said verifying step is successful, wherein requiring successful completion of said proof for said received assertion and each repeated instance thereof, before accepting said at least one AC, prevents transferring said at least one AC without also transferring said master secret, and said at least one AC granted by an organization Oi being based on receiving a request from a party for said each of said at least one AC, (Oi;
;
xi), receiving a random number, r, from said party, and sending to said party a message, Soi(Oi;
;
xi, r), wherein Soi is a private signing key of Oi, and wherein Soi(Oi;
;
xi, r) allows linking of a plurality of assertions of (Oi;
;
xi), said linking performed by a doorkeeper receiving said plurality of assertions.
-
-
20. A method for accepting from a user an assertion of at least one anonymous credential (AC) granted to a party having a master secret, said method comprising:
-
receiving said assertion from said user; for said received assertion and each repeated instance, thereof;
receiving from said user an initiation of a multi-party protocol in which a prover provides a proof of knowledge of said master secret;verifying said proof, said verifying said proof comprises said user revealing a discrete logarithm modulo a large prime, q, of a first value, v, relative to a second value, u, said verifying step further comprising; receiving from said user a pair (u, v) such that t∈
Zq and v=ut;choosing a first random value c∈
Zq, and a second random value, s∈
Zq;computing a commitment, ao=ucvs; sending ao to said user; receiving from said user a first value, a, such that r is a random value, r∈
Zq, and a=gr;sending (c, s) to said user; receiving from said user a second value, b=cx+r(mod q), wherein x is said master secret; receiving from said user said random exponent t; comparing a first equality, gb=hca, and a second equality, ut=v; determining verifying said proof is successful if both said first equality and said second equality are true, and wherein p is a large prime number, p−
1 has a large prime factor q, g is a generator of a multiplicative group of order q in Zp*, and h=gs for some random element s∈
zq chosen by the user,accepting said at least one AC only if said verifying step is successful, wherein requiring successful completion of said proof for said received assertion and each repeated instance thereof, before accepting said at least one AC, prevents transferring said at least one AC without also transferring said master secret.
-
Specification