The zk-SAM procedure consists of a signature proof of knowledge combined with a pairing-based accumulator membership proof. It allows the prover to demonstrate knowledge of a value \(n\) that is contained in an unrevealed but signed accumulator. This serves as the basis for a scalable, anonymous credential revocation system.
The signature is a short group signature based on BBS+. It covers selectively-revealed associated messages in addition to the accumulator value, and is verifiable against the issuer's public signing key in combination with a public accumulation key.
The pairing-based accumulator design follows Ngu05[1]. In brief, a witness for a member value \(n\) in an accumulator \(V\) is defined by \(W = V(n + z)^{-1}\) where \(z\) is the private revocation key of the issuer.
See Non-Revocation Token for implementation details.
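The witness relation \(W = V(n + z)^{-1}\) can be exercised in a toy model. The following is an added example, not code from this specification or its implementation. It assumes group elements are represented by their scalars modulo a stand-in prime, that revoking \(n'\) sets \(V' = V(n' + z)^{-1}\), and it derives the holder-side update \(W' = (W - V')(n' - n)^{-1}\) from that; these go beyond what the page states, and all function names are hypothetical.

```python
# Toy model (assumption): a group element x*P is represented by its scalar x
# modulo a prime Q, so "V(n + z)^{-1}" becomes v * (n + z)^-1 mod Q. This shows
# the algebra only; real deployments use pairing-friendly curve points.
import secrets

Q = 2**127 - 1  # constructed stand-in for the prime group order


def inv(x):
    return pow(x % Q, -1, Q)  # raises ValueError when x == 0 mod Q


def issue_witness(v, n, z):
    """Issuer side: W = V(n + z)^{-1}; needs the private revocation key z."""
    return v * inv(n + z) % Q


def witness_valid(v, w, n, z):
    """Defining relation W(n + z) = V, checked here with z because the toy
    model has no pairing; a real verifier would not hold z."""
    return w * (n + z) % Q == v % Q


def revoke(v, n_revoked, z):
    """Assumed removal rule: V' = V(n_revoked + z)^{-1}."""
    return v * inv(n_revoked + z) % Q


def update_witness(w, v_new, n, n_revoked):
    """Holder side, no z needed: W' = (W - V')(n_revoked - n)^{-1}.
    Undefined when n == n_revoked, which locks the revoked member out."""
    return (w - v_new) * inv(n_revoked - n) % Q


def demo():
    z = secrets.randbelow(Q - 1000) + 1  # issuer's private revocation key
    v = secrets.randbelow(Q - 1) + 1     # current accumulator value
    alice, bob = 101, 202                # constructed member values
    w_alice, w_bob = issue_witness(v, alice, z), issue_witness(v, bob, z)
    v2 = revoke(v, bob, z)               # issuer revokes bob
    w_alice2 = update_witness(w_alice, v2, alice, bob)
    try:
        update_witness(w_bob, v2, bob, bob)
        bob_updated = True
    except ValueError:                   # (bob - bob) has no inverse
        bob_updated = False
    return (witness_valid(v, w_alice, alice, z),
            witness_valid(v2, w_alice2, alice, z),
            witness_valid(v2, w_bob, bob, z), bob_updated)
```

`demo()` returns `(True, True, False, False)`: the remaining member's updated witness verifies against the new accumulator, while the revoked member's old witness fails and cannot be updated.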
Notation:
Inputs:
Procedure:
Inputs:
Procedure:
Inputs:
Procedure:
Inputs:
Procedure:
Inputs:
Procedure:
In addition to verifying the Fiat-Shamir challenge value.
Inputs:
Procedure:
Explanation:
The prover demonstrates (adapted from CDL16[4] 4.5):
\[\displaylines{\pi \in SPK\lbrace(e,\{m_i\}_{i \notin \mathcal{D}},n,r_2):\\
\bar{A} - E = W'n - A'e \land\\
P_1 + \sum_{i \in \mathcal{D}}H_{i}m_{i} = (E - \bar{W})r_2 - \sum_{i \notin \mathcal{D}}H_{i}m_i\rbrace}\]
[1] Lan Nguyen. Accumulators from Bilinear Pairings and Applications. In CT-RSA 2005: Topics in Cryptology.
[2] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch. RFC 8017: PKCS #1: RSA Cryptography Specifications Version 2.2. November 2016.
[3] Hashing to Elliptic Curves. draft-irtf-cfrg-hash-to-curve-11.
[4] Jan Camenisch, Manu Drijvers, and Anja Lehmann. Anonymous Attestation Using the Strong Diffie Hellman Assumption Revisited. Last revised Jan 2017.