Anonymous Credentials: Opportunities and Challenges

Anonymous credential (AC) systems are privacy-preserving authentication mech-anisms that allow users to prove that they have valid credentials anonymously. These systems provide a powerful tool for several practical applications, such as anonymous pay-ment systems in e-commerce, preserving robust privacy protection for users. Most existing AC systems are constructed using traditional number-theoretic approaches, making them insecure under quantum attacks. With four decades of research in anonymous credential systems, there is a need for a comprehensive review that identifies the design structures of AC systems, organizes the research trends, and highlights unaddressed gaps for the future development of AC, especially bringing AC to post-quantum cryptography. This work is a complete study describing AC systems, as well as their architecture, components, security, and performance. Additionally, real-world implementations of various applications are identified, analyzed, and compared according to the design structure. Lastly, the challenges hindering the shift toward the quantumly secure lattice-based AC designs are discussed.

For privacy-enhancing user authentication, anonymous credential system was proposed. In the system, a user is issued a credential on attributes from an issuer, and the user can anonymously prove the ownership of the credential. As the extension, a delegatable anonymous credential (DAC) system was proposed. In the DAC system, the owner of a credential can hierarchically delegate it to another entity, who can also issue a credential to lower entities. Since intermediate issuers in the chaining credentials can be hidden, the DAC system is considered to be applied to a permissioned blockchain. Furthermore, to enable the revocation of credentials, a revocable DAC system was proposed. However, in the previously proposed revocable DAC system, an issuer, who manages the user group, has to issue the non-revocation credentials to all non-revoked users at every epoch, and thus the issuer can be in a bottleneck and the communication cost is high. In this paper, we propose a revocable DAC system using an accumulator. In the proposed system, only a single accumulator and the credential on the accumulator are published at every epoch. Thus there is no bottleneck of the issuer and the communication cost is very low.

Anonymous credentials are widely used to certify properties of a credential owner or to support the owner to demand valuable services, while hiding the user’s identity at the same time. A credential system (a.k.a. pseudonym system) usually consists of multiple interactive procedures between users and organizations, including generating pseudonyms, issuing credentials and verifying credentials, which are required to meet various security properties. We propose a general symbolic model (based on the applied pi calculus) for anonymous credential systems and give formal definitions of a few important security properties, including pseudonym and credential unforgeability, credential safety, pseudonym untraceability. We specialize the general formalization and apply it to the verification of a concrete anonymous credential system proposed by Camenisch and Lysyanskaya. The analysis is done automatically with the tool ProVerif and several security properties have been verified.KeywordsSecurity ProtocolSecurity PropertyCredential SystemEvaluation ContextDirect Anonymous AttestationThese keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Attributes proof in anonymous credential systems is an effective way to balance security and privacy in user authentication; however, the linear complexity of attributes proof causes the existing anonymous credential systems far away from being practical, especially on resource-limited smart devices. For efficiency considerations, we present a novel pairing-based anonymous credential system which solves the linear complexity of attributes proof based on aggregate signature scheme. We propose two extended signature schemes, BLS+ and BGLS+, to be cryptographical building blocks for constructing anonymous credentials in the random oracle model. Identity-like information of message holder is encoded in a signature in order that the message holder can prove the possession of the input message along with the validity of a signature. We present issuance protocol for anonymous credentials embedding weak attributes which are referred to what cannot identify a user in a population. Users can prove any combination of attributes all at once by aggregating the corresponding individual credentials into one. The attributes proof protocols on AND and OR relation over multiple attributes are also given. The performance analysis shows that the aggregation-based anonymous credential system outperforms both the conventional Camenisch–Lysyanskaya pairing-based system and the accumulator-based system when prove AND and OR relation over multiple attributes, and the size of credential and public parameters are shorter as well.

An anonymous credential system enables individuals to selectively prove their attributes while all other knowledge remains hidden. We considered the applicability of such a system to large scale infrastructure systems and perceived that revocations are still a problem. Then we contrived a scenario to lessen the number of revocations by using more attributes. In this scenario, each individual needs to handle a huge number of attributes, which is not practical with conventional systems. In particular, each individual needs to prove small amounts of attributes among a huge number of attributes and the manager of the system needs to certify a huge number of attributes of individuals periodically. These processes consume extremely large resources. This paper proposes an anonymous credential system in which both a user's proving attributes set, which is included in a huge attribute set, and manager's certifying attributes are very efficient. Conclusion Our proposal enables an anonymous credential system to be deployed as a large scale infrastructure system.

Until quite recently, anonymous credentials systems were based on public key primitives. A new approach, that relies on algebraic Message Authentication Codes (MACs) in prime-order groups, has recently been introduced by Chase et al. at CCS 2014. They proposed two anonymous credentials systems referred to as “Keyed-Verification Anonymous Credentials (KVAC)” as they require the verifier to know the issuer secret key. Unfortunately, both systems presentation proof, for n unrevealed attributes, is of complexity O(n) in the number of group elements. In this paper, we propose a new KVAC system that provides multi-show unlinkability of credentials and is of complexity O(1) in the number of group elements while being almost as efficient as Microsoft’s U-Prove anonymous credentials system (which does not ensure multi-show unlinkability) and many times faster than IBM’s Idemix. Our credentials are constructed based on a new algebraic MAC scheme which is of independent interest. Through slight modifications on the verifier side, our KVAC system, which is proven secure in the random oracle model, can be easily turned into a public-key credentials system. By implementing it on a standard NFC SIM card, we show its efficiency and suitability for real-world use cases and constrained devices. In particular, a credential presentation, with 3 attributes, can be performed in only 88 ms.

Web applications dealing with personal data in a privacy-friendly way have the need for anonymous credential systems. While there are already protocols describing anonymous credential systems and libraries, implementing the protocols, application using the libraries are rare. Without applications supporting anonymous credentials, companies will not start building a credential infrastructure and vice versa. This paper presents an easy way to issue and use anonymous credentials for web applications. By reducing the initial cost for both parties, the barrier of “starting first” can be lowered.

Anonymous credentials provide a powerful tool for making assertions about identity while maintaining privacy. However, a limitation of today's anonymous credential systems is the need for a trusted credential issuer — which is both a single point of failure and a target for compromise. Furthermore, the need for such a trusted issuer can make it challenging to deploy credential systems in practice, particularly in the ad hoc network setting (e.g., anonymous peer-to-peer networks) where no single party can be trusted with this responsibility. In this work we propose a novel anonymous credential scheme that eliminates the need for a trusted credential issuer. Our approach builds on recent results in the area of electronic cash that, given a public append-only ledger, do not need a trusted credential issuer. Furthermore, given a distributed public ledger, as in, e.g., Bitcoin, our system requires no credential issuer at all and hence is decentralized. Using such a public ledger and standard cryptographic primitives, we propose and provide a proof of security for a basic anonymous credential system that allows users to make flexible identity assertions with strong privacy guarantees without relying on trusted parties. Finally, we discuss a number of practical applications for our techniques, including resource management in ad hoc networks and prevention of Sybil attacks. We implement our scheme and measure its efficiency.

Anonymous credentials are an important privacy-enhancing technique that allows users to convince a service provider of their legitimacy for service accesses in an anonymous manner. Among others, a fundamental feature of anonymous credentials is unlinkability, that is, multiple showings of the same credential should not be linked by the service providers, the issuing organization, or the coalition of the two. Recently, Persiano et. al. proposed an interesting anonymous credential system, which was claimed to be unlinkable. In this paper, we prove that their unlinkability claim is false. In particular, we show that the issuing organization can easily relate two showings of the same credential, point out the flaw in their original security proof and present a fix to avoid our attack.

An anonymous credential system allows a user to convince a service provider anonymously that he/she owns certified attributes. Previously, we proposed an anonymous credential system to prove user's attributes to satisfy a monotone formula, i.e., A logic relation with any combination of AND/OR relations. However, this system has a restriction that the user can prove the monotone formula when only one attribute is true for any OR relation. Recently, we proposed the improved system to overcome the restriction, by adopting Linear Homonorphic (LH) signature scheme to generate a certificate that contains the minimum attribute set as required in the verification. However, the improved system has never been implemented, and thus the practicality is not evaluated. In this paper, we implement the system using a fast pairing library, and measure the processing times and data sizes, when changing the number of user's attributes and the size of the proved relation.

In conventional ID-based user authentications, privacy issues may occur, since users’ behavior histories are collected in Service Providers (SPs). Although anonymous authentications such as group signatures have been proposed, these schemes rely on a Trusted Third Party (TTP) capable of tracing misbehaving users. Thus, the privacy is not high, because the TTP of tracing authority can always trace users. Therefore, the anonymous credential system using a blacklist without the TTP of tracing authority has been proposed, where blacklisted anonymous users can be blocked. Recently, an RSA-based blacklistable anonymous credential system with efficiency improvement has been proposed. However, this system still has an efficiency problem: The data size in the authentication is O(K0), where K0 is the maximum number of sessions in which the user can conduct. Furthermore, the O(K0)-size data causes the user the computational cost of O(K0) exponentiations. In this paper, a blacklistable anonymous credential system using a pairing-based accumulator is proposed. In the proposed system, the data size in the authentication is constant for parameters. Although the user’s computational cost depends on parameters, the dependent cost is O(δBL · K) multiplications, instead of exponentiations, where δBL is the number of sessions added to the blacklist after the last authentication of the user, and K is the number of past sessions of the user. The demerit of the proposed system is O(n)-size public key, where n corresponds to the total number of all sessions of all users in the system. But, the user only has to download the public key once.

Regular (non-private) mining can be applied to manage and utilize accumulated transaction data. For example, the accumulated relative service time per user per month can be calculated given individual transaction from which the user compliance with a service agreement can be determined and possibly billing can be processed. Nevertheless, due to user concerns, cryptographic research developed transactions based on unlinkable anonymous credentials. Given the nature of anonymous credentials the ease of managing accumulated (e.g., per user) is lost. To restore the possibility of management and accumulation of it seems that a suitable form of preserving mining is needed. Indeed, preserving mining methods have been suggested for various protocols and interactions where individual can be contributed in an encrypted form, but not within the context of anonymous credentials. Given our motivation we suggest a new notion of performing privacy preserving mining within the context of anonymous cryptographic credential systems, so as to protect both the of individually contributed and the identity of their sources while revealing only what is needed. To instantiate our approach we focus on a primitive we call data mining group signatures (DMGS), where it is possible for a set of authorities to employ distributed quorum control for conducting preserving mining operations on a batch of transactions while preserving maximum possible anonymity. We define and model the new primitive and its security goals, we then present a construction and finally show its and security properties. Along the way we build a methodology that safely combines multi-server protocols as sub-procedures in a more general setting.

Optimized authentication algorithm for privacy-preserving anonymous credentials using randomized aggregate signatures

To enhance the user’s privacy in electronic ID, anonymous credential systems have been researched. In the anonymous credential system, a trusted issuing organization first issues a certificate certifying the user’s attributes to a user. Then, in addition to the possession of the certificate, the user can anonymously prove only the necessary attributes. Previously, an anonymous credential system was proposed, where CNF (Conjunctive Normal Form) formulas on attributes can be proved. The advantage is that the attribute proof in the authentication has the constant size for the number of attributes that the user owns and the size of the proved formula. Thus, various expressive logical relations on attributes can be efficiently verified. However, the previous system has a limitation: the proved CNF formulas cannot include any negation. Therefore, in this paper, we propose an anonymous credential system with constant-size attribute proofs such that the user can prove CNF formulas with negations. For the proposed system, we extend the previous accumulator for the limited CNF formulas to verify CNF formulas with negations.

To enhance the user’s privacy in electronic ID, anonymous credential systems have been researched. In the anonymous credential system, a trusted issuing organization first issues a certificate certifying the user’s attributes to a user. Then, in addition to the possession of the certificate, the user can anonymously prove only the necessary attributes. Previously, an anonymous credential system was proposed, where CNF (Conjunctive Normal Form) formulas on attributes can be proved. The advantage is that the attribute proof in the authentication has the constant size for the number of attributes that the user owns and the size of the proved formula. Thus, various expressive logical relations on attributes can be efficiently verified. However, the previous system has a limitation: the proved CNF formulas cannot include any negation. Therefore, in this paper, we propose an anonymous credential system with constant-size attribute proofs such that the user can prove CNF formulas with negations. For the proposed system, we extend the previous accumulator for the limited CNF formulas to verify CNF formulas with negations.