Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers

We present Coconut, a novel selective disclosure credential scheme supporting distributed threshold issuance, public and private attributes, re-randomization, and multiple unlinkable selective attribute revelations. Coconut can be used by modern blockchains to ensure confidentiality, authenticity and availability even when a subset of the credential-issuing authorities is malicious or offline. We implement and evaluate a generic Coconut smart contract library for Chainspace and Ethereum, and present three applications related to anonymous payments, electronic petitions, and distribution of proxies for censorship resistance. Coconut uses short and computationally efficient credentials, and our evaluation shows that most Coconut cryptographic primitives take just a few milliseconds on average, with verification taking the longest time (10 milliseconds).
