Open-Source Hardware For Embedded Security

Geoffrey Ottoy, Bart Preneel, et al. | EDN Network | February 4, 2013

Imagine you're queuing to enter a major event. The ticket you bought online is stored on your smartphone. As you hold your phone over the designated reader, an NFC connection is set up, your ticket is validated and the gates open to let you in. And the good thing is that it all happened anonymously.

In this kind of application, your anonymity can be guaranteed by recently developed anonymous credential protocols such as Idemix (IBM) or U-Prove (Microsoft). These protocols rely on Zero-Knowledge Proofs of Knowledge (ZKPK): you prove that you know a certain attribute without revealing its value. The attribute is bound to a public value, a so-called commitment, and the commitment is all the verifier ever sees.

Figure 1 gives a simplified overview of such a ZKPK, in this case the Schnorr protocol. Here, y = g^x mod m is the commitment to x. Under the strong RSA assumption, recovering x from y is computationally infeasible, even if g and m are known. If we look at the protocol, we see that x never leaves the prover: every message is either independent of x or has x masked by a fresh random value. The verifier learns only that the prover knows the x behind the commitment y. We can also see that the protocol consists mainly of communication and modular arithmetic, and this is where our research comes to the fore...
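The exchange sketched in Figure 1, written out as a small Python illustration (added here; it is not code from the article or from Idemix/U-Prove). It keeps the article's symbols g, m, x, y and adds the subgroup order q, a safe-prime group generator, and the function names as assumptions of its own; the 256-bit modulus is chosen so the example runs in well under a second and is far too small for real use, where a 2048-bit (or larger) modulus or an elliptic-curve group would be used. Besides the honest run, it shows the two properties the text relies on: a transcript can be simulated without x (so a transcript reveals nothing about x), and two answers for the same first message reveal x (so the prover's random value must never be reused).

```python
"""Schnorr proof of knowledge of x in y = g^x mod m, as in Figure 1.
Added illustration, not code from the article. The group setup (safe prime
m = 2q + 1, generator g of the order-q subgroup) is an assumption made so the
example runs stand-alone; 256-bit m is for speed only and is NOT a secure size."""
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with random bases (error below 4^-rounds)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        v = pow(a, d, n)
        if v in (1, n - 1):
            continue
        for _ in range(s - 1):
            v = pow(v, 2, n)
            if v == n - 1:
                break
        else:
            return False
    return True


def generate_group(bits: int = 256):
    """Return (m, q, g): safe prime m = 2q + 1 and a generator g of the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, exact bit length
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            m = 2 * q + 1
            break
    while True:
        h = secrets.randbelow(m - 3) + 2
        g = pow(h, 2, m)                # squaring maps h into the order-q subgroup
        if g != 1:
            return m, q, g


def respond(q: int, x: int, r: int, c: int) -> int:
    """Prover's third message: s = r + c*x mod q. x is masked by the one-time nonce r."""
    return (r + c * x) % q


def run_protocol(m: int, q: int, g: int, x: int):
    """One honest interactive run. Returns (y, (t, c, s)); only y, t, c, s cross the wire."""
    y = pow(g, x, m)                    # commitment to x, held by the verifier
    r = secrets.randbelow(q - 1) + 1    # prover: fresh nonce, never reused
    t = pow(g, r, m)                    # prover -> verifier: commitment to the nonce
    c = secrets.randbelow(q)            # verifier -> prover: random challenge
    s = respond(q, x, r, c)             # prover -> verifier: response
    return y, (t, c, s)


def verify(m: int, q: int, g: int, y: int, t: int, c: int, s: int) -> bool:
    """Verifier's check: g^s == t * y^c (mod m), after validating the wire values."""
    if not (0 < t < m and 0 < y < m and 0 <= c < q and 0 <= s < q):
        return False
    if pow(t, q, m) != 1 or pow(y, q, m) != 1:    # reject elements outside the subgroup
        return False
    return pow(g, s, m) == (t * pow(y, c, m)) % m


def simulate(m: int, q: int, g: int, y: int):
    """Honest-verifier zero-knowledge: an accepting transcript built WITHOUT x, by picking
    c and s first and solving t = g^s * y^(-c). It is distributed like a real transcript,
    which is why seeing (t, c, s) tells the verifier nothing about x."""
    c = secrets.randbelow(q)
    s = secrets.randbelow(q)
    t = (pow(g, s, m) * pow(y, (q - c) % q, m)) % m   # y^(q-c) == y^(-c) since y has order q
    return t, c, s


def extract(q: int, c1: int, s1: int, c2: int, s2: int) -> int:
    """Special soundness: two responses to different challenges for the SAME t reveal
    x = (s1 - s2) / (c1 - c2) mod q. This is also the nonce-reuse failure mode:
    a prover that reuses r across two runs leaks its secret."""
    if (c1 - c2) % q == 0:
        raise ValueError("challenges must differ")
    return ((s1 - s2) * pow((c1 - c2) % q, -1, q)) % q


if __name__ == "__main__":
    m, q, g = generate_group()
    x = secrets.randbelow(q - 1) + 1
    y, (t, c, s) = run_protocol(m, q, g, x)
    print("honest run accepted:", verify(m, q, g, y, t, c, s))
    print("simulated transcript accepted:", verify(m, q, g, y, *simulate(m, q, g, y)))
    r = secrets.randbelow(q - 1) + 1          # a nonce reused by a careless prover
    s1, s2 = respond(q, x, r, 5), respond(q, x, r, 7)
    print("x recovered from nonce reuse:", extract(q, 5, s1, 7, s2) == x)
```

The simulator is the practical reading of "x remains hidden": anyone holding only y can produce transcripts that verify, so a transcript is no evidence about x. The extractor is the practical reading of "the verifier only learns that y is a correct commitment": an answer to two challenges pins down x, which is exactly why an embedded implementation must draw a fresh r from a good random source for every run.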