1# Anonymous Tokens (AT) 2 3The implementations follow the two IETF standards drafts: 4 5* [RSA Blind Signatures](https://datatracker.ietf.org/doc/draft-irtf-cfrg-rsa-blind-signatures/) 6* [RSA Blind Signatures with Public Metadata](https://datatracker.ietf.org/doc/draft-amjad-cfrg-partially-blind-rsa/) 7 8As the standardization process is in progress, we expect the code in this repo to change over time to conform to modifications in the IETF specifications. 9 10## Problem Statement 11 12Anonymous Tokens (AT) are a cryptographic protocol that enables propagating trust in a cryptographically secure manner while 13maintaining anonymity. At a high level, trust propagation occurs in a two step manner. 14 15* Trusted Setting (User and Signer): In the first stage, a specific user is in a trusted setting with a party that we denote the signer (also known as the issuer). Here, trust may have been established in a variety of ways (authentication, log-in, etc.). To denote that the user is trusted, the issuer may issue a token to the user. 16* Untrusted Setting (User and Verifier): In the second stage, suppose the user is now in an untrusted setting with another party that we denote the verifier. The user is now able to prove that they were trusted by the issuer through the use of the prior received token. By using a cryptographically secure verification process, the verifier can check that the user was once trusted by the issuer. 17 18At a high level, anonymous tokens provide the following privacy guarantees: 19 20* Unforgeability: Adversarial users are not able to fabricate tokens that will pass the verification step of the verifier. In particular, if a malicious user interacts with the signer `K` times, then the user cannot generate `K+1` tokens that successfully verify. 21* Unlinkability: Adversarial signers are unable to determine the interaction that created tokens. Suppose a signer has interacted with users `K` times then and receives one of the resulting signatures at random. Then, the signer cannot determine the interaction resulting in the 22challenge signature with probability better than random guess of `1/K`. 23 24## Dependencies 25 26The Private Set Membership library requires the following dependencies: 27 28* [Abseil](https://github.com/abseil/abseil-cpp) for C++ common libraries. 29 30* [Bazel](https://github.com/bazelbuild/bazel) for building the library. 31 32* [BoringSSL](https://github.com/google/boringssl) for underlying 33 cryptographic operations. 34 35* [Google Test](https://github.com/google/googletest) for unit testing the 36 library. 37 38* [Protocol Buffers](https://github.com/google/protobuf) for data 39 serialization. 40 41* [Tink](https://github.com/google/tink) for cryptographic libraries. 42 43## How to build 44 45In order to run this library, you need to install Bazel, if you don't have 46it already. 47[Follow the instructions for your platform on the Bazel website. Make sure you 48 are installing version 6.1.2.] 49(https://docs.bazel.build/versions/master/install.html) 50 51You also need to install Git, if you don't have it already. 52[Follow the instructions for your platform on the Git website.](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) 53 54Once you've installed Bazel and Git, open a Terminal and clone the repository into a local folder. 55 56Navigate into the `anonymous-tokens` folder you just created, and build the 57library and dependencies using Bazel. Note, the library must be built using C++17. 58 59```bash 60cd anonymous-tokens 61bazel build ... --cxxopt='-std=c++17' 62``` 63 64You may also run all tests (recursively) using the following command: 65 66```bash 67bazel test ... --cxxopt='-std=c++17' 68``` 69 70## Disclaimers 71 72This is not an officially supported Google product. The software is provided as-is without any guarantees or warranties, express or implied.