
Bank of Canada researchers claim breakthrough in credentialisation

System’s creators use a Merkle tree to create “secret-free and quantum-safe” method


Researchers with the Bank of Canada say they have created a system for substantiating credentials that is anonymous and immune to quantum computer hacking.

“In this work, we construct the first secret-free and quantum-safe credential mechanism,” authors Raza Ali Kazmi and Cyrus Minwalla say. A “secret-free” approach means an organisation would not have to safeguard a set of numbers known as a key to verify individuals.

Kazmi is a cryptographer with the Bank of Canada, while Minwalla is a security lead and researcher in its fintech research department.

Quantum computing poses risks to once-secure systems, Kazmi and Minwalla note. “Given the advent of quantum computing, credential mechanisms need to be hardened against quantum computing attacks that threaten to break classical cryptographic [practices],” they warn.

The scientists based their system on a “Merkle tree”, also called a hash tree – a structure of nodes used to encrypt and verify data. Their method uses “a simple, quantum-safe, zero-knowledge argument of knowledge of membership in the Merkle tree”.

They say other methods of quantum-safe credentialing require organisations to safeguard a key, creating a vulnerability in the system.

Those systems “possess a common security assumption: namely, that the organisation must safeguard its secret key at all times”, say the researchers. “Compromising the secret key could result in an attacker issuing legitimate credentials. Moreover, it may be difficult for the organisation to detect forged credentials, and the system may be rapidly flooded by such credentials before mitigation steps are taken.”

“A secret key is not required to issue credentials,” the authors say. “Rather, security relies on the organisation’s ability to maintain the integrity of a data structure – namely, the Merkle tree – and the quantum hardness of the underlying additively homomorphic hash function.”
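As an added illustration (not code from the paper or the Bank of Canada), the sketch below shows only the secret-free part of the idea: verification needs nothing but a published Merkle root, so what must be protected is the tree's integrity rather than a key. It assumes that issuing a credential means adding a leaf, uses SHA-256 in place of the paper's additively homomorphic hash, and reveals the credential to the verifier, so it is neither zero-knowledge nor anonymous; all names and sample credentials are constructed.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Domain-separate leaves, inner nodes and padding so one cannot pass for another.
def leaf_hash(cred: bytes) -> bytes:
    return h(b"\x00" + cred)

def node_hash(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)

EMPTY = h(b"\x02")  # padding leaf, not a valid credential hash

def build_levels(creds):
    """Return every tree level, leaves first; the last level holds the root."""
    level = [leaf_hash(c) for c in creds]
    size = 1
    while size < len(level):
        size *= 2
    level += [EMPTY] * (size - len(level))  # pad to a power of two
    levels = [level]
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1])
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def prove(levels, index):
    """Sibling hashes from leaf to root, each flagged if it sits on the left."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        index //= 2
    return path

def verify(root, cred, path):
    """Recompute the root from the credential and path; no secret is involved."""
    acc = leaf_hash(cred)
    for sibling, sibling_is_left in path:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return acc == root

# Constructed sample credentials (hypothetical values).
SAMPLE = [b"cred-alice", b"cred-bob", b"cred-carol"]

if __name__ == "__main__":
    levels = build_levels(SAMPLE)
    root = levels[-1][0]  # the only value a verifier has to trust
    print(verify(root, SAMPLE[1], prove(levels, 1)))   # issued credential
    print(verify(root, b"forged", prove(levels, 1)))   # never issued
```

A verifier that pins the published root rejects a leaf added to a tampered copy of the tree, because the recomputed root no longer matches; a verifier that accepts the tampered root would accept it, which is why the tree's integrity carries the security.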

The researchers sought to create a system that seamlessly grants access to authorised personnel. “An anonymous credential mechanism is a set of protocols that allows users to obtain credentials from an organisation,” they say. Users can then “demonstrate ownership of these credentials without compromising users’ privacy”.

Their system has implications for digital currencies, fintech, and payment clearing and settlement systems, they say.
