[Figure: Presentation of a Credential (IsOver21, 𝑑𝑝𝑘) together with a PoP (signed nonce verifiable with 𝑑𝑝𝑘)]
𝑑𝑠𝑘: device private key, 𝑑𝑝𝑘: device public key

[Figure: Presentation of a Credential (IsOver21, 𝑑𝑝𝑘) together with a PoP (signed nonce verifiable with 𝑑𝑝𝑘) and an Attestation: X.509 Certs for Key Attestation from the Attestation CA, stating “𝑑𝑝𝑘 is in a secure device”]

consist of many correlating factors:
  - Serial number
  - Validity period (exact datetime)
  - Subject public key
  - Signature value
  - Key identifiers
  - Extended attributes for attestation (e.g., Boot key hash)
- … But they do not support selective disclosure or range proofs
- Do not provide unlinkability

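The correlating factors listed above can be read straight out of a parsed certificate. The following is an added example, not code from the slides or from the Anastasia project; the helper names (`newDeviceKey`, `attest`, `sharedHandles`), the self-signed ES256 certificate, and the serials and dates are constructed for illustration, and it goes one step beyond the list by also re-certifying the same 𝑑𝑝𝑘.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panic on error keeps the demo short
	if err != nil {
		panic(err)
	}
	return v
}

// newDeviceKey generates a constructed ES256 device key pair (dsk, dpk).
func newDeviceKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// attest issues a constructed self-signed certificate over dpk (no vendor chain).
func attest(dsk *ecdsa.PrivateKey, serial int64, issued time.Time) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial),
		NotBefore: issued, NotAfter: issued.AddDate(10, 0, 0)}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, &dsk.PublicKey, dsk))))
}

// sharedHandles lists the cleartext fields on which two presented certificates agree.
func sharedHandles(a, b *x509.Certificate) (out []string) {
	eq := map[string]bool{
		"serial":    a.SerialNumber.Cmp(b.SerialNumber) == 0,
		"validity":  a.NotBefore.Equal(b.NotBefore) && a.NotAfter.Equal(b.NotAfter),
		"spki":      bytes.Equal(a.RawSubjectPublicKeyInfo, b.RawSubjectPublicKeyInfo),
		"signature": bytes.Equal(a.Signature, b.Signature),
	}
	for _, k := range []string{"serial", "validity", "spki", "signature"} {
		if eq[k] {
			out = append(out, k)
		}
	}
	return out
}

func main() {
	k, t := newDeviceKey(), time.Date(2025, 1, 2, 3, 4, 5, 0, time.UTC)
	fmt.Println(sharedHandles(attest(k, 1001, t), attest(k, 1002, t.AddDate(0, 1, 0))))
}
```

For the same 𝑑𝑝𝑘 re-certified with a new serial and date it prints `[spki]`: the subject public key alone still links the two presentations, while the same certificate shown twice matches on every field.
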
S&P 2016)
- Use zk-SNARKs (Pinocchio) to anonymize RSA-based X.509 certificates
- 👍 Tiny proofs (288 B) & fast verification (milliseconds) → verifier-friendly
- 👍 “Parse outside, re-serialize inside” design → efficient circuits
- 👍 Support proof of OCSP-stapling for revocation
- 😢 Huge parameters (GB-scale) & non-universal trusted setup
- 😢 Proof generation takes hundreds of seconds → not suitable for mobile devices

is proving performance. Since the resulting Cinderella pseudo-certificates can take up to 9 minutes to generate for complex policies on a computer, it is recommended that they are generated offline and refreshed typically on a daily basis. … Yet, progress in zk-SNARK proving performance - e.g. lookup table with PLONKish arithmetization, assembly provers for mobile platforms, and tolerance of "bigger" proofs (hundreds of kilobytes) would arguably make a re-implementation of Cinderella practical on mobile phones

that verifies a device key as genuine while keeping it unlinkable to the device’s real-world identity
- Built upon the Cinderella approach, enabling on-device execution on smartphones:
  - Uses UltraHonk (a PLONKish scheme) instead of Pinocchio to reduce prover computation cost
  - Prevents memory overflow by concatenating per-certificate proofs instead of generating a single chain-wide proof
  - Leverages zk-DSL Noir for circuit design, enabling developer-friendly circuit implementation and maintenance, and integrates with Mopro for seamless mobile deployment
- Performance: Generates a two-level chain proof (CA → EE; ES256) in about 30 seconds on an Android device (Google Pixel 9a)

Anastasia: Cinderella's Stepsister Turning X.509 Certificates into Pseudonymous Key Attestations

a system that transforms X.509 certificate chains into anonymous key attestations using ZKP, building upon Microsoft’s Cinderella
- In the prototype, a two-level chain proof (CA → EE; ES256) is generated in about 30 seconds on Google Pixel 9a

Future Works
- Additionally support ES384 and RSA4096 certificates
- Support privacy-preserving revocation applying ZK to CRL
- Add iOS support
- Provide formal security audit

Repository