2024年7月15日月曜日

選択的開示に関するReview論文を読む(2)

こんにちは、富士榮です。

引き続き選択的開示に関する調査論文を読んでいきます。
Selective disclosure in digital credentials: A review

まさに選択的開示(笑)※拾い物です


本文に入っていきます。
最初のポイントは、「選択的情報開示の形態と種類、実現方法」についてです。

まず、選択的開示の方法として以下の3種類が挙げられています。
  1. アトミック・クレデンシャル
  2. 選択的開示署名
  3. ハッシュ値

アトミック・クレデンシャル

非常にシンプルな方法です。一つのクレデンシャルに一つのクレームのみを含むようにする手法です。
例えば、選択的開示可能なマイナンバーカードのクレデンシャルを作ろうと思ったら、名前・住所・生年月日・性別をそれぞれ別のクレデンシャルにしてしまって、必要に応じて提示するクレデンシャル自体を分ける、ということですね。

選択的開示署名

ネイティブに選択的開示をサポートしている署名形式を用いる手法です。CL署名とかBBS+なんかはこちらでしょうね。

ハッシュ値

全てのクレームを含むクレデンシャルを発行するものの値をハッシュ化する手法です。SD-JWTはこちらですね。論文中ではハッシュの方法論についても比較をしつつ解説していますので、こちらも参考になります。


他にもZKPについても語られており、ZKPとハッシュ値の組み合わせなど複合手法についても分析が行われています。


アトミック・クレデンシャルについては置いておくとして、選択的開示署名とハッシュ値の2点については方式が一覧化されています。

論文中に出てくる順番とは異なりますが、引用しておきます。

選択的開示署名の方式の概要

Table 5. Overview of signature-based methods.

ArticleAlgorithmComplexityPerformanceSuitabilityKey sizeaSignature sizea
[69]CL signatureHigh due to the use of interactive ZKP of signaturesRelatively slow due to the complex arithmeticSuitable for systems that require anonymity features256 bytesCan be in kilobytes
[67]ECDLREP functionModerate complexityEfficient due to the properties of elliptic curvesSuitable for systems where performance and compact signatures are required32 bytes64 bytes
[72]URS (SPS signatures)Moderate to high (depends on specific construction)Efficient in protocols that need to maintain structure of the message
(ZKP)
Used in advanced systems where preserving message is crucial32 bytesCan be in kilobytes
[68]Edwards curveLow in context of other elliptic curves due to the simpler formulasFaster calculation and better securityCommonly used in systems like EdDSA32 bytes64 bytes
[70]BLS signatureHigh due to the use of pairing based cryptographySignature generation is slower, verification can be fast and aggregation can be done effectivelyParticularly useful where aggregation of signatures is needed48 bytes96 bytes
[71]BBS+ signatureHigh due to the use of pairing based cryptographySimilar to BLS, but with more flexible signatures and message managementSuitable for multi-message systems96 bytes112 bytes
[74]Aggregate signatures with randomizable tagsHigh due to integration of randomizable tagsEfficient in scenarios where aggregation and randomization are needed simultaneouslySuitable for systems where reusability of signatures without linkability is needed32 bytesCan be in kilobytes
[79]Redactable signaturesHigh due to the modifying or redacting of signaturesTypically slower due to the additional data management requirements.Ideal for systems where document integrity is important, especially with authorized edits.32 bytesCan be in kilobytes
[77]Unlinkable redactable signature schemesVery high due to the combination of unlinkability with redactionMore complex and slowerIdeal for highly sensitive environments redaction2048 bitsCan be in kilobytes
[75]Tag-based aggregatable mercurial signaturesExtremely high with the combination of mercurial signatures and tag aggregationSlowerSuited for systems with complex workflows2048 bytes5056 bytes
a

Depends on the chosen primitive.


ハッシュ方式の概要

Table 4. Overview of hash-based methods.

ArticleAlgorithmComplexityPerformanceSuitabilityStatic/DynamicSize/Overhead
[54]
[55]
[61]
[57]
Hash commitmentsGenerally low because it involves one hashing operation per attribute
Depends on size of credential and on hashing function used
Fast processing and verificationStatic datasets where integrity is more important than confidentiality or structured proofs.Static dataSimple proofs
Large in size
All hashes or disclosed messages are sent
[56]Polynomial commitmentHigher than regular commitments Depends on selected polynomialsSlower due to the mathematical operations required for committing and verifying attributesIdeal for applications that require structured proof (ZKP systems)Static dataComplex proofs with higher computation costs
Disclosed data + calculated commitment are shared
[50]
[52]
HMAC (keyed-hash message authentication code)Low because it is similar to hash commitments
Requires key management
Efficient but slower than regular hash due to the key-based operationsUseful for authentication in insecure environments
Ensures data integrity and authenticity
Static dataSimple proofs Large in size
Added overhead due to key management
[62]Merkle treeBuilding O(n) Updates or proofs O(log n)Efficient for large datasets Allows partial verificationUseful for application where efficient, incremental updates and verifications are neededDynamic dataProof size grows slower than the dataset
𝑂(log𝑛)
[64]Merkle B-tree with ECHigher than standard Merkle tree due to multiple child nodes and added overhead of ECEC can increase tree construction and update time
Faster access for non-sequential data operations
Useful for systems where updates are frequent and there is a requirement for securityDynamic dataProof size grows slower than the dataset
𝑂(log𝑛)
[63]Merkle B-tree with encryptionSimilar to standard Merkle Tree with added overhead of encryption (complexity depends on algorithm)Encrypting can increase time for tree construction, update and verificationUseful for systems where enhanced privacy is neededDynamic dataProof size grows slower than the dataset
𝑂(log𝑛)



いやぁ、ものすごく参考になりますね。





0 件のコメント:

コメントを投稿