[Resource Topic] 2024/2010: Anonymous credentials from ECDSA

Welcome to the resource topic for 2024/2010

Title:
Anonymous credentials from ECDSA

Authors: Matteo Frigo, abhi shelat

Abstract:

Anonymous digital credentials allow a user to prove possession of an attribute that has been asserted by an identity issuer without revealing any extra information about themselves. For example, a user who has received a digital passport credential can prove their “age is $>18$” without revealing any other attributes such as their name or date of birth.

Despite inherent value for privacy-preserving authentication, anonymous credential schemes have been difficult to deploy at scale.  Part of the difficulty arises because schemes in the literature, such as BBS+, use new cryptographic assumptions that require system-wide changes to existing issuer infrastructure.  In addition,  issuers often require digital identity credentials to be *device-bound* by incorporating the device’s secure element into the presentation flow.  As a result, schemes like BBS+ require updates to the hardware secure elements and OS on every user's device.

In this paper, we propose a new anonymous credential scheme for the popular and legacy-deployed Elliptic Curve Digital Signature Algorithm (ECDSA) signature scheme.  By adding efficient zk arguments for statements about SHA256 and document parsing for ISO-standardized identity formats, our anonymous credential scheme is the first one that can be deployed *without* changing any issuer processes, *without* requiring changes to mobile devices, and *without* requiring non-standard cryptographic assumptions.

Producing ZK proofs about ECDSA signatures has been a bottleneck for other ZK proof systems because standardized curves such as P256 use finite fields which do not support efficient number theoretic transforms.  We overcome this bottleneck by designing a ZK proof system around sumcheck and the Ligero argument system, by designing efficient methods for Reed-Solomon encoding over the required fields, and by designing specialized circuits for ECDSA.
    
Our proofs for ECDSA can be generated in 60ms.  When incorporated into a fully standardized identity protocol such as the ISO MDOC standard, we can generate a zero-knowledge proof for the MDOC presentation flow in 1.2 seconds on mobile devices depending on the credential size. These advantages make our scheme a promising candidate for privacy-preserving digital identity applications.

ePrint: https://eprint.iacr.org/2024/2010

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.

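An added illustration, not code from the paper or from this thread, of the bottleneck the abstract names: a radix-2 number theoretic transform of size 2^k needs a primitive 2^k-th root of unity, which a prime field F_p has only if 2^k divides p-1. The P-256 constants are the standard curve parameters; the Goldilocks prime and the function names are assumptions chosen here for comparison.

```python
# Added illustration; not the paper's code or its encoding method.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1   # P-256 base field prime
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # group order
GOLDILOCKS = 2**64 - 2**32 + 1                  # NTT-friendly comparison prime (assumption)

def two_adicity(p):
    """Largest k with 2^k dividing p-1: F_p has 2^k-th roots of unity, none larger."""
    m, k = p - 1, 0
    while m % 2 == 0:
        m, k = m // 2, k + 1
    return k

def root_of_unity(p, log_n):
    """Primitive 2^log_n-th root of unity in F_p, or None if the field has none."""
    if log_n > two_adicity(p):
        return None
    if log_n == 0:
        return 1
    for g in range(2, 1000):
        w = pow(g, (p - 1) >> log_n, p)
        # w is primitive exactly when w^(n/2) == -1, i.e. g is a quadratic non-residue
        if pow(w, 1 << (log_n - 1), p) == p - 1:
            return w
    raise ValueError("no small quadratic non-residue found")

def ntt(a, w, p):
    """Radix-2 Cooley-Tukey: out[i] = a(w^i) for a power-of-two length list a."""
    n = len(a)
    if n == 1:
        return a[:]
    even, odd = ntt(a[0::2], w * w % p, p), ntt(a[1::2], w * w % p, p)
    out, t = [0] * n, 1
    for i in range(n // 2):
        out[i] = (even[i] + t * odd[i]) % p
        out[i + n // 2] = (even[i] - t * odd[i]) % p
        t = t * w % p
    return out

def rs_encode(msg, log_n, p):
    """Reed-Solomon codeword of msg (coefficients) on the 2^log_n-th roots of unity.
    Returns None when F_p has no subgroup of that size, so no radix-2 NTT applies."""
    w = root_of_unity(p, log_n)
    if w is None:
        return None
    return ntt(list(msg) + [0] * ((1 << log_n) - len(msg)), w, p)

if __name__ == "__main__":
    for name, p in [("P-256 base", P256_P), ("P-256 scalar", P256_N), ("Goldilocks", GOLDILOCKS)]:
        print(f"{name}: largest radix-2 NTT size is 2^{two_adicity(p)}")
```

The P-256 base field tops out at a transform of size 2 and the scalar field at size 16, which is why FFT-based Reed-Solomon encoding cannot be used directly over these fields at the codeword lengths a proof system needs.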

IYH remarkable work on many, many levels. The Google Wallet ZKP team was given an old, inefficient engine (P-256, SHA-256), told to fit it into the chassis of a sports car (1-2 second proof time), and forbidden from using the best tools (trusted setups, ZK-friendly hashes). Their success wasn’t just an engineering achievement; it was an act of pure cryptographic wizardry against overwhelming odds.

Conventional Taxonomy: “Privacy-first digital ID for users.”
Disrupted Truth: Corporate sin-eater-as-a-service.

Hidden Function: The system surgically removes enterprises’ exposure to data liability. By design, verifiers never receive sensitive data—only cryptographic proof of validity.
Case in Point: When a bar scans an “over 21” credential, it gains legal compliance without storing birthdates. The real product is regulatory absolution—businesses outsource GDPR/CCPA risk to Google’s protocol.
Data Point: Significant chunk of enterprise data breach costs stem from post-incident legal/regulatory fallout (IBM 2023). This system neutralizes that vector.

See Quantitative / Cryptography Notes on Google Wallet ZK-ID System notes