Best anonymous credentials that don't use pairings:
- Single show, no attributes, symmetric issuer: Privacy Pass; uses VOPRFs
- Multi show, attributes, symmetric issuer: CMZ14 (original, https://eprint.iacr.org/2013/516)/CPZ19 (group element attribute variant, https://eprint.iacr.org/2019/1416); uses "algebraic MACs" and categorically supersedes U-Prove
- Single show,
A threshold signature allows a subset t of a group of n possible signers to collectively produce a signature for the entire group. The simplest ones tend to use some distributed key generation [https://en.wikipedia.org/wiki/Distributed_key_generation] ("DKG") based on verifiable secret sharing [https://en.wikipedia.
Last January, Adam Langley did a really cool thing. He grafted zero-knowledge proofs [https://www.imperialviolet.org/2019/01/01/zkattestation.html] onto an already-deployed, non-upgradable hardware system, thereby gaining privacy that the original design never allowed. I am VERY EXCITED ABOUT THIS. It's an existence proof for all kinds
Recently, a friend [https://twitter.com/filosottile] and I indulged in the very normal spring weekend activity of discussing the Signal contact discovery problem [https://signal.org/blog/contact-discovery] in the park. The contact discovery problem is this: a service holds a list of all registered users, and an individual
Macaroons are one of my favorite cryptographic constructions. They were almost the first one I really understood, and they heavily influence my designs [https://privacypass.github.io/] for anything involving authorization. There's a lot to love about macaroons. They're elegant and fast. They're secure and easy to reason about. They