README.md
1# Anonymous Tokens (AT)
2
3The implementations follow the two IETF standards drafts:
4
5* [RSA Blind Signatures](https://datatracker.ietf.org/doc/draft-irtf-cfrg-rsa-blind-signatures/)
6* [RSA Blind Signatures with Public Metadata](https://datatracker.ietf.org/doc/draft-amjad-cfrg-partially-blind-rsa/)
7
8As the standardization process is in progress, we expect the code in this repo to change over time to conform to modifications in the IETF specifications.
9
10## Problem Statement
11
12Anonymous Tokens (AT) are a cryptographic protocol that enables propagating trust in a cryptographically secure manner while
13maintaining anonymity. At a high level, trust propagation occurs in a two step manner.
14
15* Trusted Setting (User and Signer): In the first stage, a specific user is in a trusted setting with a party that we denote the signer (also known as the issuer). Here, trust may have been established in a variety of ways (authentication, log-in, etc.). To denote that the user is trusted, the issuer may issue a token to the user.
16* Untrusted Setting (User and Verifier): In the second stage, suppose the user is now in an untrusted setting with another party that we denote the verifier. The user is now able to prove that they were trusted by the issuer through the use of the prior received token. By using a cryptographically secure verification process, the verifier can check that the user was once trusted by the issuer.
17
18At a high level, anonymous tokens provide the following privacy guarantees:
19
20* Unforgeability: Adversarial users are not able to fabricate tokens that will pass the verification step of the verifier. In particular, if a malicious user interacts with the signer `K` times, then the user cannot generate `K+1` tokens that successfully verify.
21* Unlinkability: Adversarial signers are unable to determine the interaction that created tokens. Suppose a signer has interacted with users `K` times then and receives one of the resulting signatures at random. Then, the signer cannot determine the interaction resulting in the
22challenge signature with probability better than random guess of `1/K`.
23
24## Dependencies
25
26The Private Set Membership library requires the following dependencies:
27
28* [Abseil](https://github.com/abseil/abseil-cpp) for C++ common libraries.
29
30* [Bazel](https://github.com/bazelbuild/bazel) for building the library.
31
32* [BoringSSL](https://github.com/google/boringssl) for underlying
33 cryptographic operations.
34
35* [Google Test](https://github.com/google/googletest) for unit testing the
36 library.
37
38* [Protocol Buffers](https://github.com/google/protobuf) for data
39 serialization.
40
41* [Tink](https://github.com/google/tink) for cryptographic libraries.
42
43## How to build
44
45In order to run this library, you need to install Bazel, if you don't have
46it already.
47[Follow the instructions for your platform on the Bazel website. Make sure you
48 are installing version 6.1.2.]
49(https://docs.bazel.build/versions/master/install.html)
50
51You also need to install Git, if you don't have it already.
52[Follow the instructions for your platform on the Git website.](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)
53
54Once you've installed Bazel and Git, open a Terminal and clone the repository into a local folder.
55
56Navigate into the `anonymous-tokens` folder you just created, and build the
57library and dependencies using Bazel. Note, the library must be built using C++17.
58
59```bash
60cd anonymous-tokens
61bazel build ... --cxxopt='-std=c++17'
62```
63
64You may also run all tests (recursively) using the following command:
65
66```bash
67bazel test ... --cxxopt='-std=c++17'
68```
69
70## Disclaimers
71
72This is not an officially supported Google product. The software is provided as-is without any guarantees or warranties, express or implied.