
Digital identities, the digital credentials embedded in phone wallets, workplace logins, and other apps, have become ubiquitous. While they offer unprecedented convenience, they also create new privacy risks, particularly around tracking and surveillance.
One of these risks is linkability, the ability to associate multiple uses of a credential with a specific person. Currently, when people use their mobile driver's license or log into various apps, hidden identifiers can link these separate activities together, building detailed profiles of user behavior.
To address this, we have released Crescent, a cryptographic library that adds unlinkability to widely used identity formats, protecting privacy. These include JSON Web Tokens (the authentication standard behind many app logins) and mobile driver's licenses. Crescent also works without requiring the organizations that issue these credentials to update their systems.
The protection goes beyond existing privacy features. Some digital identity systems already offer selective disclosure, allowing users to share only specific pieces of information in each interaction.
But even with selective disclosure, credentials can still be linked through serial numbers, cryptographic signatures, or embedded identifiers. Crescent's unlinkability feature is designed to prevent anything in the credential, beyond what a user explicitly chooses to reveal, from being used to connect their separate digital interactions.
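
The linkability that survives selective disclosure, as an added example (not code from Crescent or from the original post): a simplified salted-digest credential, loosely modeled on SD-JWT, is shown to two verifiers with different claims revealed, and their logs still join on the signature, the jti and the digest list. HMAC stands in for the issuer's real signature, and the issuer name, claim names and helper functions are constructed for illustration.

```python
import base64, hashlib, hmac, json, os

ISSUER_KEY = os.urandom(32)  # constructed demo key; HMAC stands in for the issuer's signature

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> str:
    return b64(hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest())

def digest(disclosure: str) -> str:
    return b64(hashlib.sha256(disclosure.encode()).digest())

def issue(claims: dict) -> tuple:
    """Issuer: sign salted digests of the claims so each can be disclosed separately."""
    disclosures = {k: b64(json.dumps([b64(os.urandom(16)), k, v]).encode())
                   for k, v in claims.items()}
    payload = {"iss": "contoso.example", "jti": b64(os.urandom(8)),
               "_sd": sorted(digest(d) for d in disclosures.values())}
    body = b64(b'{"alg":"HS256","typ":"JWT"}') + "." + b64(json.dumps(payload).encode())
    return body + "." + sign(body), disclosures

def present(token: str, disclosures: dict, reveal: list) -> str:
    """Holder: send the signed token plus only the chosen disclosures."""
    return "~".join([token] + [disclosures[k] for k in reveal])

def verifier_view(presentation: str) -> dict:
    """Verifier: validate, then record revealed claims and every stable token value."""
    token, *shown = presentation.split("~")
    body, sig = token.rsplit(".", 1)
    if not hmac.compare_digest(sign(body), sig):
        raise ValueError("bad signature")
    payload = json.loads(unb64(body.split(".")[1]))
    revealed = {}
    for d in shown:
        if digest(d) not in payload["_sd"]:
            raise ValueError("disclosure not covered by signature")
        _salt, name, value = json.loads(unb64(d))
        revealed[name] = value
    handles = {"signature": sig, "jti": payload["jti"], "sd_digests": tuple(payload["_sd"])}
    return {"revealed": revealed, "handles": handles}

def linking_handles(a: dict, b: dict) -> list:
    """Fields that are byte-identical in two verifiers' logs, i.e. usable to join them."""
    return [k for k in a["handles"] if a["handles"][k] == b["handles"][k]]
```

Calling linking_handles on two views of the same token returns all three field names even when the revealed claims differ; views of two separately issued tokens share none.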

Two paths to unlinkability
To understand how Crescent works, it helps to examine the two main approaches researchers have developed for adding unlinkability to identity systems:
- Specialized cryptographic signature schemes. These schemes can provide unlinkability but require extensive changes to existing infrastructure. New algorithms must be standardized, implemented, and integrated into software and hardware platforms. For example, the BBS signature scheme is currently being standardized by the Internet Engineering Task Force (IETF), but even after completion, adoption may be slow.
- Zero-knowledge proofs with existing credentials. This approach, used by Crescent, allows users to prove specific facts about their credentials without revealing the underlying data that could enable tracking. For example, someone could prove they hold a valid driver's license and live in a particular ZIP code without exposing any other personal information or identifiers that could link this interaction to future ones.
Zero-knowledge proofs have become more practical since they were first developed 40 years ago, but they are not as efficient as the cryptographic algorithms used in today's credentials. Crescent addresses this computational challenge through preprocessing, performing the most complex calculations once in advance so that later proof generation is quick and efficient for mobile devices.
Beyond unlinkability, Crescent supports selective disclosure, allowing users to prove specific facts without revealing unnecessary details. For example, it can confirm that a credential is valid and unexpired without disclosing the exact expiration date, which might otherwise serve as a unique identifier. These privacy protections work even when credentials are stored in a phone's secure hardware, which keeps them tied to the device and prevents unauthorized access.
Behind the cryptographic curtain
At its core, Crescent uses a sophisticated form of cryptographic proof called a zero-knowledge SNARK (Zero-Knowledge Succinct Noninteractive Argument of Knowledge). This method allows one party to prove possession of information or credentials without revealing the underlying data itself.
Crescent specifically uses the Groth16 proof system, one of the first practical implementations of this technology. What makes Groth16 particularly useful is that its proofs are small in size, quick to verify, and can be shared in a single step without back-and-forth communication between the user and verifier.
The system works by first establishing shared cryptographic parameters based on a credential template. Multiple organizations issuing similar credentials, such as different state motor vehicle departments issuing mobile driver's licenses, can use the same parameters as long as they follow compatible data formats and security standards.
The mathematical rules that define what each proof will verify are written using specialized programming tools that convert them into a Rank-1 Constraint System (R1CS), a mathematical framework that describes exactly what needs to be proven about a credential.
To make the system fast enough for real-world use, Crescent splits proof generation into two distinct stages:
- Prepare stage. This step runs once and generates cryptographic values that can be stored on the user's device for repeated use.
- Show stage. When a user needs to present their credential, this quicker step takes the stored values and randomizes them to prevent any connection to earlier presentations. It also creates a compact cryptographic summary that reveals only the specific information needed for that particular interaction.
Figures 2 and 3 illustrate this credential-proving workflow and the division between the prepare and show steps.


A sample application
To demonstrate how Crescent works, we created a sample application covering two real-world scenarios: verifying employment and proving age for online access. The application includes sample code for setting up fictional issuers and verifiers as Rust servers, along with a browser-extension wallet for the user. The step numbers correspond to the steps in Figure 4.
Setup
- A Crescent service pre-generates the zero-knowledge parameters for creating and verifying proofs from JSON Web Tokens and mobile driver's licenses.
- The user obtains a mobile driver's license from their Department of Motor Vehicles.
- The user obtains a proof-of-employment JSON Web Token from their employer, Contoso.
- These credentials and their private keys are stored in the Crescent wallet.
Scenarios
- Employment verification: The user presents their JSON Web Token to Fabrikam, an online health clinic, to prove they are employed at Contoso and eligible for workplace benefits. Fabrikam learns that the user works at Contoso but not the user's identity, while Contoso remains unaware of the interaction.
- Age verification: The user presents their mobile driver's license to a social network, proving they are over 18. The proof confirms eligibility without revealing their age or identity.
Across both scenarios, Crescent ensures that credential presentations remain unlinkable, preventing any party from connecting them to the user.
For simplicity, the sample defines its own issuance and presentation protocol, but it could be integrated into higher-level identity frameworks such as OpenID/OAuth, Verifiable Credentials, or the mobile driver's license ecosystem.

To learn more about the project, visit the Crescent project GitHub page, or check out our recent presentations given at the Real World Crypto 2025 and NorthSec 2025 conferences.

