
Let us say that we have 3 entities: an Issuer I, a user/prover P and a verifier V.

  1. V trusts I but does not trust u
  2. u wants to show that he respects some kind of property (e.g. being over 18yo) to V without revealing his whole birth date
  3. V possesses the data that u needs to convince V, e.g. using a ZK-proof, but V would not trust such a proof because u could easily use a fake date

How would you design a protocol such that V is assured that the claim u makes is legitimate (that is, that claim was issued by I)?

A first idea would be to use both a public-key signature (so, V sends u a signature of its date, so that even if u decides to use a fake date, they cannot provide a correct signature for that) and a ZK-proof so that u provides only the strictly required information to V. V would then check that the ZK-proof is correct and that the private input fed into the ZK-circuit is signed by I.

Some clarifications after Geoffroy's comment:

  1. the user u should be aware of what information V wants to know, so we can't just let V and I communicate, cutting out the user
  2. the user has one or more statements issued and signed by I and wants to convince V of a claim about a statement (e.g. u wants to prove that he is 18yo, given a birth certificate/ID/passport signed by I) without revealing the entire statement.

Thanks in advance

1 Answer


What you want looks very similar to anonymous credentials. Constructions usually go as follows: the issuer will sign the attribute of P (e.g. "P is 18yo"), usually using a blind issuance protocol. Then, P can send to V a commitment to his attribute, together with a ZK proof that he holds a signature on the committed value. In your specific setting where there is a unique verifier, there exist dedicated solutions using algebraic MACs, see here.

Geoffroy Couteau
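The flow sketched in the question (I signs the data, u proves something about it in zero knowledge, V checks both) and the structure described in the answer (issuer signs, prover sends a commitment plus a proof, verifier checks) are illustrated below in an added example that is not part of the thread and not any library's code. It implements a simplified, selective-disclosure credential on secp256k1: I signs a Pedersen commitment to the user's attributes; P reveals one attribute (here an issuer-asserted "over 18" flag, as in the answer's "P is 18yo") and gives a Fiat-Shamir sigma proof that the disclosed value opens the signed commitment together with the hidden attributes; V checks I's signature and the proof. The attribute schema, the names and years, and the dictionary layout are constructed for the example. Two simplifications relative to the anonymous credentials of the answer are assumed: there is no blind issuance (I sees the attributes, which the question allows), and the commitment and signature are shown to V in the clear, so two presentations of the same credential are linkable.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants); points are (x, y) tuples, None = infinity.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if x1 == x2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):
    """Double-and-add scalar multiplication (demo only: not constant-time)."""
    R, k = None, k % N
    while k:
        if k & 1:
            R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def msm(pairs):
    """Multi-scalar multiplication: sum of k_i * P_i."""
    R = None
    for k, Pt in pairs:
        R = ec_add(R, ec_mul(k, Pt))
    return R

def hash_to_point(label):
    """Generator with unknown discrete log, by try-and-increment (uses P = 3 mod 4)."""
    for ctr in range(2**32):
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (x**3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def hash_int(*parts):
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % N

ATTRS = ["name", "birth_year", "over_18"]  # constructed attribute schema for the example
GENS = [hash_to_point(b"attr:" + a.encode()) for a in ATTRS]
H = hash_to_point(b"blinding")

def commit(values, r):
    """Pedersen vector commitment C = r*H + sum_j v_j*G_j (hiding and binding)."""
    return msm([(r, H)] + list(zip(values, GENS)))

# Issuer I: Schnorr signature on the commitment, after checking the attributes out of band.
def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)

def sign(x, msg):
    k = secrets.randbelow(N - 1) + 1
    R = ec_mul(k, G)
    return R, (k + hash_int(enc(R), msg) * x) % N

def verify_sig(Y, msg, sig):
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(hash_int(enc(R), msg), Y))

def issue(x, values):
    r = secrets.randbelow(N)
    C = commit(values, r)
    return {"values": values, "r": r, "C": C, "sig": sign(x, enc(C))}

# Prover P: reveal attribute idx and prove knowledge of the other attributes and r such that
# C - claimed*G_idx = sum_{j != idx} v_j*G_j + r*H (Fiat-Shamir sigma protocol).
# An honest P passes claimed = v_idx; a cheating P who passes anything else cannot satisfy the relation.
def present(cred, idx, claimed):
    hidden = [j for j in range(len(ATTRS)) if j != idx]
    t = {j: secrets.randbelow(N) for j in hidden}
    t_r = secrets.randbelow(N)
    T = msm([(t_r, H)] + [(t[j], GENS[j]) for j in hidden])
    c = hash_int(enc(cred["C"]), bytes([idx]), str(claimed).encode(), enc(T))
    z = {j: (t[j] + c * cred["values"][j]) % N for j in hidden}
    return {"C": cred["C"], "sig": cred["sig"], "idx": idx, "value": claimed,
            "T": T, "z": z, "z_r": (t_r + c * cred["r"]) % N}

# Verifier V: I's signature binds C to attributes I vouched for; the proof ties the disclosed value to C.
def verify_presentation(Y, pres):
    C, idx, v = pres["C"], pres["idx"], pres["value"]
    if not verify_sig(Y, enc(C), pres["sig"]):
        return False
    c = hash_int(enc(C), bytes([idx]), str(v).encode(), enc(pres["T"]))
    D = ec_add(C, ec_mul(-v, GENS[idx]))  # D = C - v*G_idx (ec_mul reduces -v mod N)
    lhs = msm([(pres["z_r"], H)] + [(zj, GENS[j]) for j, zj in pres["z"].items()])
    return lhs == ec_add(pres["T"], ec_mul(c, D))

def demo():
    x, Y = keygen()                      # issuer keypair
    name = hash_int(b"alice")            # constructed attribute values
    adult = issue(x, [name, 1990, 1])
    minor = issue(x, [name, 2015, 0])
    honest = verify_presentation(Y, present(adult, 2, 1))
    forged = verify_presentation(Y, present(minor, 2, 1))  # minor claims over_18 = 1
    return honest, forged

if __name__ == "__main__":
    print(demo())
```

V learns the commitment C, I's signature on it and the one disclosed attribute; the hidden name and birth year stay hidden because the commitment is perfectly hiding and the sigma proof is zero knowledge, while a prover who holds a commitment to over_18 = 0 cannot pass the relation check for claimed = 1 without breaking the binding of the commitment. The answer's full anonymous-credential constructions go further on exactly the two simplifications assumed here: the signature is obtained blindly and is itself proven in zero knowledge rather than shown, which removes the linkability of C across presentations.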