International Association
for Cryptologic Research

The eIDAS 2.0 regulation aims to develop interoperable digital identities for European citizens, and it has recently become law. One of its requirements is that credentials be unlinkable. Anonymous credentials (AC) allow holders to prove statements about their identity in a way that does not require to reveal their identity and does not enable linking different usages of the same credential. As a result, they are likely to become the technology that provides digital identity for Europeans. Any digital credential system, including anonymous credentials, needs to be secured against identity theft and fraud. In this work, we introduce the notion of a multi-holder anonymous credential scheme that allows issuing shares of credentials to different authentication factors (or "holders"). To present the credential, the user's authentication factors jointly run a threshold presentation protocol. Our definition of security requires that the scheme provide unforgeability: the adversary cannot succeed in presenting a credential with identity attributes that do not correspond to an identity for which the adversary controls at least t shares; this is true even if the adversary can obtain credentials of its choice and cause concurrent executions of the presentation protocol. Further, our definition requires that the presentation protocol provide security with identifiable abort. Finally, presentations generated by all honest holders must be unlinkable and must not reveal the user's secret identity attributes even to an adversary that controls some of the user's authentication factors. We design and prove the (concurrent) security of a multi-holder version of the BBS anonymous credential scheme. In our construction, each holder is issued a secret share of a BBS credential. Using these shares, the holders jointly compute a credential presentation that is identical to (and therefore compatible with) the traditional, single-holder variant (due to Tessaro and Zhu, Eurocrypt'23) of a BBS credential presentation.

Since the publication of the initial 2018 paper, the DKLs protocols [Doerner et al., IEEE S&P 2018 and 2019] have been deployed to secure cryptocurrency assets at considerable scale. In this time, much has changed in our understanding of industry needs, perspectives on protocol design, as well as the theory underlying our protocols. There is not at present an academic venue to announce such changes to the broader community as they do not constitute technical novelty, but they are important to communicate nonetheless. Until this point, we have communicated updates of this nature privately to developers on an ad-hoc basis. While this has been effective in supporting---and learning from---the developers with whom we have interacted directly, a more systematic approach is required for a dialogue with the broader community. We have therefore synthesized the information that is relevant to developers who wish to deploy and maintain our protocols today, and made the necessary resources available on a dedicated website. In this talk, we will give a summary of the resources that developers can expect to find on our site. Highlights include 1. Conservative Design Principles: We discuss standard vs non-standard functionalities for ECDSA, and what it takes to realize them. In response to criticism of our non-standard ideal functionality in our two-party paper, we provide a three-round version of our signing protocol that realizes the standard F_ECDSA functionality, along with recommendations for modes of operation. We additionally discuss the marginal cost of achieving UC security; in particular the efficiency of signing remains the same even with this improved security guarantee, due to an approach that avoids the use of zero-knowledge proofs. 2. Security of primitives: We make important recommendations for the instantiation of underlying primitives including Oblivious Transfer, and Secure Multiplication. Such recommendations include crucial non-obvious implementation details such as enforcing sequentiality of statistical checks on shared state, and random oracle tagging, as well as higher level advice in choice of protocols for building blocks. 3. Efficiency: We compare and contrast the efficiency profiles of homomorphic encryption based approaches to ECDSA, and OT based ones such as ours. Through benchmarks on diverse hardware and points of comparison in broadly relatable terms, we make the case that OT based threshold ECDSA achieves the best tradeoffs in many scenarios. Additionally, we present optimizations to our protocol that provide noticeable improvements in bandwidth. 4. Modes of operation: We discuss how to achieve proactive security---an industry best practice today---when using our protocols. Additionally, we discuss non-interactive signing in the preprocessing model, which is a mode of operation that has received much interest in the industry recently. 5. We discuss our experiences in helping several companies that have implemented, tested internally, and ultimately deployed our protocol to their users.

We present a new multiparty protocol for the distributed generation of biprime RSA moduli, with security against any subset of maliciously colluding parties assuming oblivious transfer and the hardness of factoring. Our protocol is highly modular, and its uppermost layer can be viewed as a template that generalizes the structure of prior works and leads to a simpler security proof. We introduce a combined sampling-and-sieving technique that eliminates both the inherent leakage in the approach of Frederiksen et al. (Crypto’18) and the dependence upon additively homomorphic encryption in the approach of Hazay et al. (JCrypt’19). We combine this technique with an efficient, privacy-free check to detect malicious behavior retroactively when a sampled candidate is not a biprime and thereby overcome covert rejection-sampling attacks and achieve both asymptotic and concrete efficiency improvements over the previous state of the art.

We present a new multiparty protocol for the distributed generation of biprime RSA moduli, with security against any subset of maliciously colluding parties assuming oblivious transfer and the hardness of factoring. Our protocol is highly modular, and its uppermost layer can be viewed as a template that generalizes the structure of prior works and leads to a simpler security proof. We introduce a combined sampling-and-sieving technique that eliminates both the inherent leakage in the approach of Frederiksen et al. (Crypto'18), and the dependence upon additively homomorphic encryption in the approach of Hazay et al. (JCrypt'19). We combine this technique with an efficient, privacy-free check to detect malicious behavior retroactively when a sampled candidate is not a biprime, and thereby overcome covert rejection-sampling attacks and achieve both asymptotic and concrete efficiency improvements over the previous state of the art.

At CRYPTO 2018, Cascudo et al. introduced Reverse Multiplication Friendly Embeddings (RMFEs). These are a mechanism to compute $\delta$ parallel evaluations of the same arithmetic circuit over a field $\mathbb{F}_q$ at the cost of a single evaluation of that circuit in $\mathbb{F}_{q^d}$, where $\delta < d$. Due to this inequality, RMFEs are a useful tool when protocols require to work over $\mathbb{F}_{q^d}$ but one is only interested in computing over $\mathbb{F}_q$. In this work we introduce Circuit Amortization Friendly Encodings (CAFEs), which generalize RMFEs while having concrete efficiency in mind. For a Galois Ring $R = GR(2^k,d)$, CAFEs allow to compute certain circuits over $\mathbb{Z}_{2^k}}$ at the cost of a single secure multiplication in $R$. We present three CAFE instantiations, which we apply to the protocol for MPC over $\mathbb{Z}_{2^k}}$ via Galois Rings by Abspoel et al. (TCC 2019). Our protocols allow for efficient switching between the different CAFEs, as well as between computation over $GR(2^k,d)$ and $\mathbb{F}_{2^{d}}$ in a way that preserves the CAFE in both rings. This adaptability leads to efficiency gains for e.g. Machine Learning applications, which can be represented as highly parallel circuits over $\mathbb{Z}_{2^k}}$ followed by bit-wise operations. From an implementation of our techniques, we estimate that an SVM can be evaluated on 250 images in parallel up to $\times 7$ as efficient using our techniques, compared to using the protocols from Abspoel et al. (TCC 2019).