In identity management within zero-trust security frameworks, the "never trust, always verify" paradigm is critical. This approach, a departure from traditional IT security models, assumes no inherent trust in users, devices, or networks, regardless of their location or origin. It emphasizes continuous verification and authentication, fundamentally changing the way access and credentials are managed.
In this context, signature schemes play a central role in credential issuance. Traditional methods that rely on a single issuing instance are incompatible with the zero-trust philosophy. To align with this approach, threshold signature schemes become indispensable. These schemes distribute the responsibility of credential issuance across multiple parties (or isolated systems within a domain), thereby eliminating single points of failure in the process.
The prominent BBS+ signature scheme stands out in this distributed approach. On the one hand, it offers compatibility with various zero-knowledge proof schemes, and on the other hand, it allows credential holders to selectively disclose certain attributes, thereby strengthening both privacy and security in line with zero-trust principles. However, when adapting schemes like BBS+ to a threshold setting, a key challenge arises: the issuance process becomes highly interactive, requiring continuous communication between all issuers during signing. This interaction creates bottlenecks for systems that need to issue large numbers of credentials and introduces potential security risks by providing additional attack vectors.
To overcome these challenges, recent advances in the form of so-called "Pseudorandom Correlation Generators" offer an interesting approach. By facilitating a pre-processing phase, this new cryptographic primitive enables non-interactive credential issuance with schemes such as BBS+, eliminating the need for per-credential communication between issuers. This development dramatically reduces communication overhead while ensuring complete isolation between issuing instances.
This talk will provide a high-level overview of these advances and their implications for credential issuance in zero-trust environments, highlighting how they can potentially improve the security and efficiency of digital identity management systems.