14B/ SNARK-based anonymous credentials
Wednesday 14B
Convener: Johannes Sedlmeir & Matthias Babel
Notes-taker(s): -
Tags for the session - technology discussed/ideas considered:
An implementation of anonymous credentials using generic ZKPs, in our case SNARKs. This gives a lot of flexibility, as it replaces the development of new, optimized “island” cryptography with generic tools and an “engineering” approach; however, this comes at the cost of significant performance challenges compared to CL/BBS+.
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
So far, there has not been a cryptographic review of the code.
The major limitation is performance: while prover time is currently ~1s on a MacBook with 12 cores, the CPU and memory requirements are likely too high for general-purpose smartphones and IoT devices. STARKs could help, but the larger proof size may be an obstacle.
The implementation covers private holder binding (potentially even using secure hardware for the binding key), private delegation (from the perspective of the holder), revocation, and range proofs for expiration.
New features that we implemented and that are probably difficult to achieve without generic ZKPs include, e.g., the “Leather Trousers” proof, which can be used to demonstrate that a pair of x and y coordinates is inside or outside a polygon defined by the verifier. It is also very easy to add further features that output a computation on the attributes, such as multiplying or adding different attributes.
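One way to express the polygon statement in a form an arithmetic circuit can evaluate: a fixed loop over the edges, no division, and comparison results combined as bits. This is an added example, not code from the Heimdall repository; it assumes integer coordinates, a simple polygon given as a vertex list and even-odd ray casting, and the names `insidePolygon`, `statementHolds` and the sample polygon are hypothetical.

```javascript
// Reference predicate for "point (x, y) is inside/outside the verifier's polygon".
// Assumption: in a circuit the point would be the holder's private input and the
// polygon a public input; here both are plain values so the logic can be checked.

const gt = (a, b) => (a > b ? 1n : 0n);    // stands in for a bounded-width comparator
const xor = (a, b) => a + b - 2n * a * b;  // XOR of two bits using only + and *

function insidePolygon(point, polygon) {
  const [px, py] = point.map(BigInt);
  const v = polygon.map(([x, y]) => [BigInt(x), BigInt(y)]);
  let parity = 0n;
  for (let i = 0; i < v.length; i++) {     // loop bound depends only on the polygon size
    const [xi, yi] = v[i];
    const [xj, yj] = v[(i + 1) % v.length];
    // Bit: the edge straddles the horizontal line through the point
    // (half-open rule, so a ray through a vertex is counted once).
    const straddles = xor(gt(yi, py), gt(yj, py));
    // Division-free side test: the sign of the cross product, read according to
    // the edge direction, says whether the crossing lies to the right of the point.
    const cross = (xj - xi) * (py - yi) - (px - xi) * (yj - yi);
    const up = gt(yj, yi);
    const right = up * gt(cross, 0n) + (1n - up) * gt(0n, cross);
    parity = xor(parity, straddles * right); // odd number of crossings means inside
  }
  return parity === 1n;
}

// The verifier fixes the polygon and which claim (inside or outside) must hold.
// Points exactly on the boundary are not handled specially in this sketch.
function statementHolds(point, polygon, expectInside) {
  return insidePolygon(point, polygon) === expectInside;
}

// Constructed sample: a concave outline with two "legs" and a gap between them.
const SAMPLE_POLYGON = [
  [0, 0], [3, 0], [3, 6], [5, 6], [5, 0], [8, 0], [8, 10], [0, 10],
];
```
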
The presentation slides and also the code will be made public by the end of July at https://github.com/MatthiasBabel/heimdall.
The implementation is based on SNARKs, using the libraries https://github.com/iden3/circom and https://github.com/iden3/snarkjs.