17. No need to give away the SSN to the
Relying Party!
18. Let the Identity Manager store only a
COMMITMENT of the SSN
We use the Pedersen commitment
19. Pedersen Commitment
c=gxhr
●G : Finite cyclic group of large prime order p so that the
Computational Diffie-Hellman (CDH) problem is hard in G
● A generator g ∊ G
● x, r ∊ {0, 1, ... , p-1} = Fp
20. The user obtains a signed identity attribute value
from an identity provider
Sets up the commitment with the identity manager
23. Schnorr protocol
1. U randomly chooses y, s ∊ F*p , and sends V the
element d = gyhs ∊ G
2. V picks a random value e ∊ F*p , and sends e as a
challenge to U.
3. U sends u = y + ex, v = s + er, both in Fp, to V.
u v e
4. V accepts the proof if and only if g h = d c in G.
34. Request Security Token Response
<wst:RequestSecurityTokenResponse>
...
<vi:SupportedStrongClaimValues>
<vi:ClaimValue Uri="http://veryidx...strongclaims/xyz">
<vi:Commitment>77666876989=</vi:Commitment>
<vi:R>329839797987493827983=</vi:R>
</vi:ClaimValue>
</vi:SupportedStrongClaimValues>
</wst:RequestSecurityTokenResponse>
Used by the identity selector to retrieve the
new commitment and random values
35. Identity Manager : WSO2 Identity Server (IS)
Identity Selector : Higgins
Relying Party : WSO2 IS Java RP
ZKPK implementation : VeryIDX