dbosk / crocus

Securely and privately verifiable protests

NIZK anonymous credentials for protester and witness identifiers #27

Closed dbosk closed 6 years ago

dbosk commented 6 years ago

To designate the event: each protest has a cause, this cause can be documented in some type of manifesto. Simply run this manifesto through a hash function to get a unique ID.

To ensure one-proof-per-person we can use a technique from Camenisch (How to Win the Clone Wars, CCS 2006):

To get "receipt freeness" (forward secrecy?) we must delete $k$ after the protest (see #23).

We can simply give $y$ to someone, but an interactive zero-knowledge proof of knowledge of $k$ will solve that (e.g. for Jane to trust she is talking to the right person).

dbosk commented 6 years ago

A protester $i$ is identified by $pid_i = PRF_{k_i}(id)$ and the NIZK proof of $pid_i = PRF_{k_i}(id) \land sign(k_i)$. The protester can authenticate using an interactive ZK proof of knowledge of $k_i$.

dbosk commented 6 years ago

Camenisch's paper requires interactive zero-knowledge proofs. We need a non-interactive one. Should be possible, e.g. "P-signatures and Noninteractive Anonymous Credentials" is probably a good start.

dbosk commented 6 years ago

We currently use the Fiat-Shamir heuristic to achieve the NIZK version of a proof.
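
The Fiat-Shamir step mentioned in this thread, as an added example that is not part of the issue or of the crocus code base: a Schnorr-style proof of knowledge of $k$ for $pid = h^k$, where the event ID is the hash of the manifesto and the verifier's challenge is replaced by a hash of the transcript. Assumptions: the PRF is instantiated as $H(id)^k$ in the RFC 2409 Oakley Group 1 subgroup (768 bits, demo size only) rather than the PRF used by Camenisch et al., the $sign(k)$ conjunct is left out, and all function names are hypothetical.

```python
import hashlib, secrets

# RFC 2409 Oakley Group 1 safe prime, P = 2Q + 1 (768 bits: demo size only).
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2  # prime order of the subgroup of squares

def event_base(manifesto: bytes):
    """Event ID = hash of the manifesto; also hash it to a subgroup element h."""
    event_id = hashlib.sha256(manifesto).digest()
    x = int.from_bytes(hashlib.shake_256(event_id).digest(128), "big") % P
    return event_id, pow(x, 2, P)  # squaring lands in the order-Q subgroup

def challenge(event_id: bytes, h: int, pid: int, t: int) -> int:
    """Fiat-Shamir: the interactive challenge becomes a hash of the transcript."""
    data = event_id + b"".join(v.to_bytes(96, "big") for v in (h, pid, t))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(k: int, manifesto: bytes):
    """Return pid = h^k (assumed PRF) and a NIZK proof of knowledge of k."""
    event_id, h = event_base(manifesto)
    pid = pow(h, k, P)
    r = secrets.randbelow(Q)          # fresh nonce; reusing it would leak k
    t = pow(h, r, P)                  # commitment
    s = (r + challenge(event_id, h, pid, t) * k) % Q
    return pid, (t, s)

def verify(pid: int, proof, manifesto: bytes) -> bool:
    """Check h^s == t * pid^c with c recomputed from the transcript."""
    t, s = proof
    event_id, h = event_base(manifesto)
    if not (1 < pid < P and 0 < t < P and 0 <= s < Q):
        return False
    if pow(pid, Q, P) != 1:           # pid must lie in the order-Q subgroup
        return False
    c = challenge(event_id, h, pid, t)
    return pow(h, s, P) == t * pow(pid, c, P) % P
```

With the same $k$ and the same manifesto the identifier repeats, so a second proof from the same key is detectable; a different manifesto gives a different base $h$ and therefore a different identifier.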