stclarke explains how Crescent, a cryptographic library from Microsoft Research, provides privacy-preserving features for digital identity systems, preventing tracking and protecting user data with advanced cryptography.

Crescent: Bringing Privacy to Digital Identity Systems

Digital identities are now commonplace—embedded in our phones, workplace logins, and apps—offering convenience but raising concerns about privacy, particularly linkability and surveillance. When users present credentials such as mobile driver’s licenses or log into apps, these interactions can be tracked and linked, building detailed profiles over time.

Introducing Crescent

Crescent is a cryptographic library developed by Microsoft Research to address these concerns by providing unlinkability for popular digital identity formats, including JSON Web Tokens and mobile driver’s licenses. Crescent’s privacy features go beyond existing systems:

Unlinkability: Prevents credentials from being linked across uses by removing or randomizing hidden identifiers.
Selective Disclosure: Users can prove specific facts (e.g., age eligibility) without revealing unnecessary or identifying information.
No Issuer Migration Required: Crescent works with current credential infrastructure, so issuers do not need to update their systems.

Two Paths to Unlinkability

The article explores two approaches for privacy in identity systems:

Specialized cryptographic signatures (e.g., BBS signatures): Require significant upgrades to infrastructure.
Zero-knowledge proofs with existing credentials: Crescent follows this route, letting users prove statements about credentials (e.g., employment, age) without revealing underlying data, leveraging advances in zero-knowledge proof efficiency and preprocessing.

Architecture and Cryptography

Crescent is based on zero-knowledge SNARKs, specifically the Groth16 proof system, which is compact, efficient, and noninteractive.

Proof Preparation: Intensive computations are done once and stored securely on users’ devices.
Proof Presentation: Uses randomization to prevent linkage of separate uses, enabling fast credential presentation even on mobile devices.
Security: Credentials and keys remain private and can be integrated with secure hardware.

Figures in the original article illustrate the stages of proof preparation, credential presentation, and the overall system architecture.

Sample Application

A reference implementation includes:

Employment Verification: Proving workplace status with a JSON Web Token (without exposing user identity).
Age Verification: Confirming age eligibility using a mobile driver’s license (without revealing actual age or identity).
Technical Stack: Sample code is provided using Rust servers for issuers/verifiers and a browser extension wallet.

Integration

Crescent protocols can be incorporated into higher-level identity frameworks like OpenID/OAuth or mobile driver’s license ecosystems. More information is available on the Crescent GitHub repository and in recent presentations at industry conferences.

Resources

This post appeared first on “Microsoft News”. Read the entire article here