Coconut

Coconut builds upon pairing-based cryptography and zero-knowledge proofs. Its core mechanism involves:

• Blind Signatures: A signer can issue a credential on a user's private attributes without seeing them.
• Attribute-Based Credentials: A single credential can encode multiple attributes (e.g., age, citizenship).
• Zero-Knowledge Proofs: Users can prove they possess a valid credential and that specific attributes satisfy a policy (e.g., age > 21) without revealing the credential or other attributes.

A user can generate a selective disclosure proof for a verifier. This process involves:

• The user takes their Coconut credential, which is a cryptographic signature on hidden attributes.
• They create a zero-knowledge proof that convinces the verifier the credential is valid and that the disclosed attributes (e.g., a public key) are correct, while keeping all other attributes secret.
• The proof is unlinkable, meaning multiple proofs from the same credential cannot be linked together by the verifier.

To decentralize trust in the credential issuer, Coconut employs threshold cryptography.

• A distributed set of authorities (e.g., a decentralized network) holds shares of a master signing key.
• A user collects partial signatures from a threshold number of these authorities (e.g., 3 out of 5).
• The user then combines these partial signatures into a single, valid Coconut credential. No single authority learns the user's full private attributes or can issue a credential alone.

A primary use case is privacy-preserving transactions. For example, in a decentralized anonymous payment system:

1. A user obtains a credential attesting they have X coins in their account, without revealing the account itself.
2. To spend coins, they create a proof showing a valid credential for the required amount and generate a one-time public key for the transaction.
3. The blockchain verifies the proof, transfers funds, and cannot link the transaction to the user's original account or other transactions. This is analogous to zero-knowledge confidential transactions.

Coconut is part of a family of privacy technologies but has distinct characteristics:

• vs. zk-SNARKs (e.g., Zcash): Coconut is optimized for credential-based privacy and selective disclosure, while zk-SNARKs often prove the validity of entire state transitions.
• vs. Ring Signatures (e.g., Monero): Coconut provides attribute-based anonymity and policy proofs, whereas ring signatures provide sender ambiguity within a set.
• vs. Plain Digital Signatures: Standard signatures (ECDSA) are fully revealing; Coconut signatures are zero-knowledge.

The core privacy mechanism. Coconut uses zero-knowledge proofs to allow a user to prove a statement about their credentials (e.g., 'I am over 18') without revealing the credential itself. This prevents sensitive data from being linked across transactions or services.

• Selective Disclosure: Users reveal only the minimum information required.
• Unlinkability: Multiple proofs from the same credential cannot be correlated.

Credentials are issued by a decentralized threshold authority. A group of issuers holds secret key shares; a threshold number must collaborate to issue a valid credential. This removes reliance on a single, centralized issuer and prevents single points of failure or corruption.

• Threshold Cryptography: Requires a quorum (e.g., 3 out of 5) to issue.
• Trust Distribution: Trust is distributed across the issuing committee.

Coconut employs blind signature schemes. The issuer can sign a user's credential without seeing its contents, ensuring the issuer cannot learn the user's private attributes or later link the signed credential to the user. This is a fundamental building block for credential privacy.

• Issuer Blindness: The issuer signs a blinded message.
• User Unlinkability: The final unblinded signature is untraceable to the issuance session.

The system ensures credentials cannot be forged or altered. Cryptographic signatures bind the credential to the issuer's public key and the user's secret. Any tampering invalidates the proof.

• Cryptographic Binding: Attributes are cryptographically committed within the credential.
• Public Verifiability: Anyone can verify a credential's validity against the issuers' public keys without interacting with them.

Security depends on specific trust assumptions. Key considerations include:

• Issuer Committee Honesty: A malicious majority of issuers could collude to forge credentials.
• Cryptographic Security: Relies on the hardness of underlying problems like the Decisional Diffie-Hellman (DDH) assumption.
• Implementation Security: Bugs in smart contracts or client software could leak data.

A primary application is anonymizing blockchain transactions. A user can obtain a credential proving they have sufficient funds (from an issuer watching a public chain) and then spend it in a private zk-rollup or sidechain. The payment is valid but reveals no link to the original public address or transaction history.

• Asset Provenance: Prove an asset's origin without revealing the full path.
• Compliance: Demonstrate regulatory compliance (e.g., KYC) privately across multiple dApps.

Coconut's primary implementation is for privacy-preserving KYC/AML in decentralized finance. A trusted issuer (e.g., a regulator) can issue a credential attesting to a user's verified identity or jurisdiction. The user can then interact with DeFi protocols, proving they are compliant (e.g., "I am over 18" or "I am not from a sanctioned country") without revealing their specific identity or passport details. This bridges regulatory requirements with user privacy.

To decentralize trust in the issuer, Coconut employs a threshold signature scheme. A credential is issued not by a single entity, but by a decentralized committee of authorities. A user collects partial signatures from a threshold number of these authorities (e.g., 3 out of 5) to assemble a valid credential. This prevents any single authority from forging credentials or censoring users, enhancing the system's robustness and censorship resistance.

Chainscore Labs utilizes Coconut-like credential schemes as a core research area for on-chain reputation and sybil resistance. The research focuses on how privacy-preserving credentials can be used to:

• Create anonymous yet accountable user profiles.
• Enable sybil-resistant airdrops and governance.
• Build privacy-enhanced credit scoring without exposing personal financial data. This moves beyond simple KYC to a generalized framework for trusted, private attributes in web3.

Coconut differs from other credential systems like zk-SNARKs-based or SELFS protocols in its specific design choices:

• Selective Disclosure: Built-in support for revealing subsets of attributes.
• Blind Issuance: The issuer signs attributes without learning their values.
• Aggregation: Multiple credentials can be aggregated into a single proof.
• Threshold Trust: Native support for decentralized issuance committees. These features make it particularly suited for decentralized, multi-party trust scenarios.

A cryptographic method allowing one party (the prover) to prove to another (the verifier) that a statement is true without revealing any information beyond the validity of the statement itself. Coconut uses ZKPs to enable selective disclosure, where a user can prove they hold a valid credential with specific authorized attributes (e.g., age > 18) without revealing the credential's unique identifier or other private data.

A portable, user-controlled identifier that does not depend on a centralized registry, identity provider, or certificate authority. In Coconut's architecture, a DID is the foundational self-sovereign identity to which verifiable credentials are issued and bound. It allows users to prove control over their identity across different systems without correlation.

A form of digital signature where the message is blinded (obscured) before it is signed, so the signer cannot see the content. The signature can later be verified against the original, unblinded message. Coconut employs threshold blind signatures, where a decentralized set of authorities collaboratively sign a blinded credential request, enabling issuance without learning the credential's contents or the user's identity.

A tamper-evident digital credential whose authorship and integrity can be cryptographically verified. A Coconut credential is a type of VC. It is a set of one or more claims (e.g., KYC-verified, accredited-investor) made by an issuer, packaged with metadata and proofs, allowing the holder to present it to verifiers. The selective disclosure property is a key enhancement.

A cryptographic scheme where a secret (like a private signing key) is distributed among multiple parties. An action (like creating a signature) requires a threshold number of those parties to collaborate, preventing any single party from acting alone. Coconut uses a distributed key generation (DKG) protocol to create a master issuing key split among authorities, ensuring decentralization and fault tolerance for credential issuance.

A broader class of privacy-preserving credential systems where credentials contain multiple attributes, and users can selectively disclose subsets of them. Coconut is a specific, advanced implementation of ABCs. It distinguishes itself by combining threshold issuance, blind signatures, and zero-knowledge proofs to achieve decentralized trust, issuer privacy, and minimal disclosure in a single system.