US-20260128860-A1 - ANONYMOUS AND UNLINKABLE AUTHENTICATION WITH MEMBERSHIP TEST VIA PRIVATE SET INTERSECTION CARDINALITY

Abstract

A computer-implemented method anonymously verifies credentials while performing a membership test in a privacy-preserving manner. The method includes: executing a first committed-input-and-key-shares distributed oblivious pseudorandom function (DOPRF) protocol to obtain a set of first pseudorandom function (PRF) results, each result corresponding to one of a plurality of elements in a checklist held by a list holder; executing a second committed-input-and-key-shares DOPRF protocol to obtain a second PRF result corresponding to an identity of a prover; and determining whether one of the elements in the checklist corresponds to the identity of the prover based upon the set of first PRF results and the second PRF result.

Inventors

• Christiane KUHN
• Giorgia Azzurra Marson
• Sebastien Andreina

Assignees

• NEC Laboratories Europe GmbH

Dates

Publication Date

20260507

Application Date

20230627

Claims (15)

1. 1 : A computer-implemented method for anonymous credential verification and privacy-preserving membership test, the method comprising: executing a first committed-input-and-key-shares distributed oblivious pseudorandom function (DOPRF) protocol to obtain a set of first pseudorandom function (PRF) results, each result corresponding to one of a plurality of elements in a checklist held by a list holder; executing a second committed-input-and-key-shares DOPRF protocol to obtain a second PRF result corresponding to an identity of a prover; and determining whether one of the elements in the checklist corresponds to the identity of the prover based upon the set of first PRF results and the second PRF result.
2. 2 : The method as claimed in claim 1 , wherein the first committed-input-and-key-shares DOPRF protocol is a shuffled committed-input-&-key-shares DOPRF protocol, and the set of first PRF results are shuffled as compared to an order of the elements in the checklist to provide a pseudorandom representation of the checklist.
3. 3 : The method of claim 1 , the method further comprising: receiving, from the prover, a first commitment to the identity of the prover, a first zero-knowledge proof (ZKP) binding the identity of the prover to verifiable anonymous credentials (VAC) of the prover; and at least one of a pseudonym of the identity or a corresponding credentials, the VAC comprising the identity, the pseudonym, and the credentials; and verifying that the first ZKP is valid; and verifying the credentials.
4. 4 : The method of claim 1 , wherein the inputs to the first committed-input-and-key-shares DOPRF protocol comprise: a first pseudorandom function (PRF) key share of the prover; a first commitment corresponding to a second PRF key share of the list holder; the second PRF key share of the list holder; a set of commitments corresponding to the elements in the checklist; a second commitment corresponding to the PRF key share of the prover; and the checklist, and wherein the set of first PRF results comprises values of a pseudorandom function evaluated on the plurality of elements of the checklist, using the first PRF key share and the second PRF key share.
5. 5 : The method of claim 1 , wherein the inputs to the second committed-input-and-key-shares DOPRF protocol comprise: a first pseudorandom function (PRF) key share of the prover, a first commitment corresponding to a second PRF key share of the list holder, the identity of the prover; the second PRF key share of the list holder, and a second commitment corresponding to the first PRF key share of the prover, and wherein the second PRF result comprises a value of the pseudorandom function evaluated on the identity of the prover, using the first PRF key share and the second PRF key share.
6. 6 : The method of claim 1 , wherein executing the second committed-input-and-key-shares DOPRF protocol further obtains a third commitment to the identity of the prover.
7. 7 : The method of claim 1 , the method further comprising, at a verifier, before executing the first committed-input-and-key-shares DOPRF protocol and the second committed-input-and-key-shares DOPRF protocol: receiving, from the list holder, a commitment to a first pseudorandom function (PRF) key share, commitments to the plurality of elements of the checklist, and a zero-knowledge proof (ZKP) that the checklist supplied for the first DOPRF protocol is consistent with the commitments to the plurality of elements of the checklist, and sending the commitment to the first PRF key share, the commitments to the plurality of elements of the checklist, and the ZKP to the prover; and receiving, from the prover, a commitment to a second PRF key share, and sending the commitment to the second PRF key share to the list holder, wherein the first PRF key share was selected uniformly at random by the list holder, and the second PRF key share was selected uniformly at random by the prover.
8. 8 : The method as claimed in claim 7 , the method further comprising, at the verifier, after executing the first committed-input-and-key-shares DOPRF protocol and the second committed-input-and-key-shares DOPRF protocol: receiving, from the prover, a second ZKP of a consistency between the first commitment to the identity of the prover and a second commitment to the identity of the prover from in the second committed-input-and-key-shares DOPRF protocol; and verifying the second ZKP.
9. 9 : The method of claim 8 , wherein the checklist is a whitelist, the method further comprising: upon determining that the identity of the prover belongs to one of the plurality of elements of the checklist and upon verifying that the second ZKP is valid, authenticating the prover.
10. 10 : The method of claim 8 , wherein the checklist is a blacklist, the method further comprising: upon determining that the identity of the prover does not correspond to any of the plurality of elements of the checklist and upon verifying that the second ZKP is valid, authenticating the prover.
11. 11 : The method as claimed in claim 7 , wherein the verifier executes the first committed-input-and-key-shares DOPRF protocol, executes the second committed-input-and-key-shares DOPRF protocol, and determines whether one of the elements in the checklist corresponds to the identity of the prover.
12. 12 : The method as claimed in claim 1 , wherein the verifier and the list holder coincide on a same computer.
13. 13 : The method as claimed in claim 1 , wherein determining whether one of the elements in the checklist corresponds to the identity of the prover comprises determining whether a value of a pseudorandom function evaluated on the identity of the prover matches with any values of the pseudorandom function evaluated on the plurality of elements of the checklist.
14. 14 : A computer system comprising one or more hardware processors which, alone or in combination, are configured to provide for execution of the following steps: executing a first committed-input-and-key-shares distributed oblivious pseudorandom function (DOPRF) protocol to obtain a set of first pseudorandom function (PRF) results, each result corresponding to one of a plurality of elements in a checklist held by a list holder; executing a second committed-input-and-key-shares DOPRF protocol to obtain a second PRF result corresponding to an identity of a prover; and determining whether one of the elements in the checklist corresponds to the identity of the prover based upon the set of first PRF results and the second PRF result.
15. 15 : A tangible, non-transitory computer-readable medium having instructions thereon which, upon being executed by one or more hardware processors, alone or in combination, provide for execution of the following steps: executing a first committed-input-and-key-shares distributed oblivious pseudorandom function (DOPRF) protocol to obtain a set of first pseudorandom function (PRF) results, each result corresponding to one of a plurality of elements in a checklist held by a list holder; executing a second committed-input-and-key-shares DOPRF protocol to obtain a second PRF result corresponding to an identity of a prover; and determining whether one of the elements in the checklist corresponds to the identity of the prover based upon the set of first PRF results and the second PRF result.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS This application is a U.S. National Phase application under 35 U.S.C. § 371 of International Application No. PCT/IB2023/056617, filed on Jun. 27, 2023, and claims benefit to U.S. Patent Application No. 63/455,276, filed on Mar. 29, 2023, the entire disclosure of which is hereby incorporated by reference herein. The International Application was published in English on Oct. 3, 2024 as WO 2024/201126 A1 under PCT Article 21(2). FIELD Embodiments of the present disclosure relate to a method, system and computer-readable medium for anonymous and unlinkable authentication with membership test via private set intersection (PSI) cardinality. BACKGROUND A self-sovereign identity (SSI) system enables individuals to have full control of their own identities and credentials. Verifiable anonymous credentials (VAC) provide a powerful tool to realize the SSI vision. In a VAC system, a user can obtain credentials from a credential issuer, and can later use these credentials to authenticate to verifiers anonymously. The authentication process is performed peer-to-peer between end-users and verifiers, without the need of involving the credential issuer. Additionally, users remain anonymous to verifiers and are unlinkable across interactions. The present inventors have recognized that, while VACs have the potential of combining the goals of authentication and privacy in practically relevant use cases, most existing solutions are limited to basic authentication scenarios between users and verifiers. SUMMARY An aspect of the present disclosure provides a computer-implemented method for anonymous credential verification and privacy-preserving membership test. The method includes: executing a first committed-input-and-key-shares distributed oblivious pseudorandom function (DOPRF) protocol to obtain a set of first pseudorandom function (PRF) results, each result corresponding to one of a plurality of elements in a checklist held by a list holder; executing a second committed-input-and-key-shares DOPRF protocol to obtain a second PRF result corresponding to an identity of a prover; and determining whether one of the elements in the checklist corresponds to the identity of the prover based upon the set of first PRF results and the second PRF result. BRIEF DESCRIPTION OF THE DRAWINGS Embodiments of the present disclosure will be described in even greater detail below based on the exemplary figures. The present invention is not limited to the exemplary embodiments. All features described and/or illustrated herein can be used alone or combined in different combinations in embodiments of the present invention. The features and advantages of various embodiments of the present invention will become apparent by reading the following detailed description with reference to the attached drawings which illustrate the following: FIG. 1 illustrates a system and method of anonymous credential verification and privacy-preserving membership testing according to an embodiment of the present disclosure; FIG. 2 illustrates a system and method of anonymous credential verification and privacy-preserving membership testing for a three-party case according to an embodiment of the present disclosure; FIG. 3 illustrates a system and method of anonymous credential verification and privacy-preserving membership testing for a two-party case according to an embodiment of the present disclosure; and FIG. 4 illustrates a processing system configured according to an embodiment of the present disclosure. DETAILED DESCRIPTION An aspect of the present disclosure provides a method that performs a privacy preserving blacklist or whitelist matching in a self-sovereign identity-based (SSI-based) digital identity system. The matching can be made on any attributes of a users' anonymous credentials. A system configured to perform the method and a computer-readable medium configured to store instructions for executing the method are also provided according to aspects of the present disclosure. As discussed above, most existing VAC solutions are limited to basic authentication scenarios between users and verifiers. Currently, in the state of the art known to the present inventors, only a single solution is available to enable a private membership test for a VAC holder with respect to a private checklist held by a third party: Kohlweiss et al, “Privacy-preserving blueprints”, Advances in Cryptology (Eurocrypt) 2023, Lecture Notes in Computer Science, vol. 14005, pp. 594-625, 2023, available online at: <<eprint.iacr.org/2022/1536.>> (hereinafter “Kohlweiss”) (the entire contents of which are hereby incorporated by reference herein). Kohlweiss relies on a homomorphic enough cryptosystem to encode the list elements in the coefficients of a polynomial. Instead, implementations according to the present disclosure uses a PRF-based representation of the list elements computed obliviously by means of a DOPRF protocol. As a consequence, if the u