
Digital identities, the electronic credentials embedded in phone wallets, workplace logins, and other apps, are becoming ubiquitous. While they offer unprecedented convenience, they also create new privacy risks, particularly around tracking and surveillance.
One of these risks is linkability, the ability to associate multiple uses of a credential with a specific person. Currently, when people use their mobile driver’s license or log into various apps, hidden identifiers can link these separate activities together, building detailed profiles of user behavior.
To address this, we’ve released Crescent, a cryptographic library that adds unlinkability to widely used identity formats, protecting privacy. These include JSON Web Tokens (the authentication standard behind many app logins) and mobile driver’s licenses. Crescent also works without requiring the organizations that issue these credentials to update their systems.
The protection goes beyond existing privacy features. Some digital identity systems already offer selective disclosure, allowing users to share only specific pieces of information in each interaction.
But even with selective disclosure, credentials can still be linked through serial numbers, cryptographic signatures, or embedded identifiers. Crescent’s unlinkability feature is designed to prevent anything in the credential, beyond what a user explicitly chooses to reveal, from being used to connect their separate digital interactions.
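An added illustration of the linkability described above, not part of the original post or of Crescent’s code: a toy salted-hash selective-disclosure credential, presented twice with different claims revealed. The function names, the `contoso.example` issuer and the HMAC standing in for the issuer’s signature are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets

ISSUER_KEY = b"constructed-demo-key"  # assumption: stand-in for the issuer's signing key

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue(claims: dict) -> dict:
    """Sign salted digests of the claims; the holder keeps the salted disclosures."""
    disclosures = {name: b64(json.dumps([secrets.token_hex(16), name, value]).encode())
                   for name, value in claims.items()}
    digests = sorted(b64(hashlib.sha256(d.encode()).digest())
                     for d in disclosures.values())
    signed = b64(json.dumps({"iss": "contoso.example", "_sd": digests}).encode())
    # HMAC stands in for the issuer's public-key signature to keep the demo stdlib-only.
    sig = b64(hmac.new(ISSUER_KEY, signed.encode(), hashlib.sha256).digest())
    return {"signed": signed, "sig": sig, "disclosures": disclosures}

def present(cred: dict, reveal: list) -> dict:
    """Reveal only the chosen claims; the signed part and signature go out unchanged."""
    return {"signed": cred["signed"], "sig": cred["sig"],
            "disclosed": [cred["disclosures"][name] for name in reveal]}

def disclosed_claims(presentation: dict) -> dict:
    """What a verifier actually learns from the disclosures it was sent."""
    claims = {}
    for d in presentation["disclosed"]:
        _salt, name, value = json.loads(base64.urlsafe_b64decode(d + "=" * (-len(d) % 4)))
        claims[name] = value
    return claims

def linkable_fields(p1: dict, p2: dict) -> list:
    """Byte-identical parts of two presentations: each one is a correlation handle."""
    return [field for field in ("signed", "sig") if p1[field] == p2[field]]

def demo() -> dict:
    # Constructed sample credential; all values are made up for this example.
    cred = issue({"employer": "Contoso", "zip": "98052", "name": "Sample User"})
    at_clinic = present(cred, ["employer"])   # employment check
    at_forum = present(cred, ["zip"])         # unrelated later use
    return {"clinic_sees": disclosed_claims(at_clinic),
            "forum_sees": disclosed_claims(at_forum),
            "linkable": linkable_fields(at_clinic, at_forum)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two presentations disclose different claims yet carry the same signed digest list and signature, so any two verifiers comparing records can tie them to one credential.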

Two paths to unlinkability
To understand how Crescent works, it helps to examine the two main approaches researchers have developed for adding unlinkability to identity systems:
- Specialized cryptographic signature schemes. These schemes can provide unlinkability but require extensive changes to existing infrastructure. New algorithms must be standardized, implemented, and integrated into software and hardware platforms. For example, the BBS signature scheme is currently being standardized by the Internet Engineering Task Force (IETF), but even after completion, adoption may be slow.
- Zero-knowledge proofs with existing credentials. This approach, used by Crescent, allows users to prove specific facts about their credentials without revealing the underlying data that could enable tracking. For example, someone could prove they hold a valid driver’s license and live in a particular ZIP code without exposing any other personal information or identifiers that could link this interaction to future ones.
Zero-knowledge proofs have become more practical since they were first developed 40 years ago, but they are not as efficient as the cryptographic algorithms used in today’s credentials. Crescent addresses this computational challenge through preprocessing, performing the most complex calculations once in advance so that later proof generation is quick and efficient for mobile devices.
Beyond unlinkability, Crescent supports selective disclosure, allowing users to prove specific facts without revealing unnecessary details. For example, it can confirm that a credential is valid and unexpired without disclosing the exact expiration date, which might otherwise serve as a unique identifier. These privacy protections work even when credentials are stored in a phone’s secure hardware, which keeps them tied to the device and prevents unauthorized access.
Behind the cryptographic curtain
At its core, Crescent uses a sophisticated form of cryptographic proof called a zero-knowledge SNARK (Zero-Knowledge Succinct Noninteractive Argument of Knowledge). This method allows one party to prove possession of information or credentials without revealing the underlying data itself.
Crescent specifically uses the Groth16 proof system, one of the first practical implementations of this technology. What makes Groth16 particularly useful is that its proofs are small in size, quick to verify, and can be shared in a single step without back-and-forth communication between the user and verifier.
The system works by first establishing shared cryptographic parameters based on a credential template. Multiple organizations issuing similar credentials, such as different state motor vehicle departments issuing mobile driver’s licenses, can use the same parameters as long as they follow compatible data formats and security standards.
The mathematical rules that define what each proof will verify are written using specialized programming tools that convert them into a Rank-1 Constraint System (R1CS), a mathematical framework that describes exactly what needs to be proven about a credential.
To make the system fast enough for real-world use, Crescent splits proof generation into two distinct stages:
- Prepare stage. This step runs once and generates cryptographic values that can be stored on the user’s device for repeated use.
- Show stage. When a user needs to present their credential, this quicker step takes the stored values and randomizes them to prevent any connection to earlier presentations. It also creates a compact cryptographic summary that reveals only the specific information needed for that particular interaction.
Figures 2 and 3 illustrate this credential-proving workflow and the division between the prepare and show steps.


A sample application
To demonstrate how Crescent works, we created a sample application covering two real-world scenarios: verifying employment and proving age for online access. The application includes sample code for setting up fictional issuers and verifiers as Rust servers, along with a browser-extension wallet for the user. The step numbers correspond to the steps in Figure 4.
Setup
- A Crescent service pre-generates the zero-knowledge parameters for creating and verifying proofs from JSON Web Tokens and mobile driver’s licenses.
- The user obtains a mobile driver’s license from their Department of Motor Vehicles.
- The user obtains a proof-of-employment JSON Web Token from their employer, Contoso.
- These credentials and their private keys are stored in the Crescent wallet.
Scenarios
- Employment verification: The user presents their JSON Web Token to Fabrikam, an online health clinic, to prove they are employed at Contoso and eligible for workplace benefits. Fabrikam learns that the user works at Contoso but not the user’s identity, while Contoso remains unaware of the interaction.
- Age verification: The user presents their mobile driver’s license to a social network, proving they are over 18. The proof confirms eligibility without revealing their age or identity.
Across both scenarios, Crescent ensures that credential presentations remain unlinkable, preventing any party from connecting them to the user.
For simplicity, the sample defines its own issuance and presentation protocol, but it could be integrated into higher-level identity frameworks such as OpenID/OAuth, Verifiable Credentials, or the mobile driver’s license ecosystem.

To learn more about the project, visit the Crescent project GitHub page, or check out our recent presentations given at the Real World Crypto 2025 and North Sec 2025 conferences.