Efficient Proofs for CNF Formulas on Attributes in Pairing-Based Anonymous Credential System

Abstract

To enhance user privacy, anonymous credential systems allow the user to anonymously convince a verifier of the possession of a certificate issued by the issuing authority. In these systems, the user can prove relations on his/her attributes embedded into the certificate. Previously, a pairing-based anonymous credential system with proofs of constant size in the number of the user's attributes was proposed. This system supports proofs of inner product relations on attributes, and thus can handle complex logical relations on attributes such as CNF and DNF formulas. However, this system suffers from its computational cost: the proof generation needs exponentiations depending on the number of literals in OR relations. In this paper, we propose a pairing-based anonymous credential system with constant-size proofs for CNF formulas and more efficient proof generation. In the proposed system, the proof generation needs only multiplications depending on the number of literals, and thus it is more efficient than the previously proposed system. The key of our construction is to use an extended accumulator, by which we can verify that multiple attributes are included in multiple sets, all at once. This leads to the verification of CNF formulas on attributes. Since the accumulator is mainly calculated by multiplications, we achieve better computational costs.

Similar Papers
  • Book Chapter
  • Cite count: 25
  • 10.1007/978-3-642-37682-5_35
Efficient Proofs for CNF Formulas on Attributes in Pairing-Based Anonymous Credential System
  • Jan 1, 2013
  • Nasima Begum + 2 more


  • Book Chapter
  • Cite count: 5
  • 10.1007/978-3-319-22425-1_16
Anonymous Credential System with Efficient Proofs for Monotone Formulas on Attributes
  • Jan 1, 2015
  • Shahidatul Sadiah + 2 more

An anonymous credential system allows a user to convince a service provider anonymously that he/she owns certified attributes. Previously, a system to prove AND and OR relations simultaneously by CNF formulas was proposed. To achieve a constant-size proof of the formula, this system adopts an accumulator that compresses multiple attributes into a single value. However, this system has a problem: the proof generation requires a large computational time in case of lots of OR literals in the formula. One of the example formulas consists of lots of birthdate attributes to prove age. This greatly increases the public parameters correspondent to attributes, which causes a large delay in the accumulator computation due to multiplications of lots of parameters. In this paper, we propose an anonymous credential system with constant-size proofs for monotone formulas on attributes, in order to obtain more efficiency in the proof generation. The monotone formula is a logic formula that contains any combination of AND and OR relations. Our approach to prove the monotone formula is that the accumulator is extended to be adapted to the tree expressing the monotone formula. Since the use of monotone formulas increases the expression capability of the attribute proof, the number of public parameters multiplied in the accumulator is greatly decreased, which impacts the reduction of the proof generation time.

Keywords: Anonymous Credential System; Monotone Formula; Constant-size Proofs; birthDate Property; Proof Generation Time

  • Conference Article
  • 10.1109/iceeict.2015.7307538
An efficiency improvement in an anonymous credential system for CNF formulas on attributes with constant-size proofs
  • May 1, 2015
  • Nasima Begum + 2 more

An anonymous credential system allows a user to convince a service provider anonymously that he/she owns certified attributes. Previously, we proposed a pairing-based anonymous credential system with constant size of proofs, where the combinations of logical AND and OR relations on user attributes can be proved as CNF formulas. However, this system has a problem of requiring large online computation time during authentication, which depends on the number of AND relations in the proved formula. In this paper, we propose an efficiency improvement of the computational overhead based on online/offline precomputation technique. In our improvement, all exponentiations that can be used for the accumulator and witness computations are executed in advance in the precomputation algorithm. Thus, exponentiations in the online accumulator and witness computations are excluded, and only multiplications are needed. We implemented the system using a fast pairing library, and measured the processing times, while changing the size of the proved CNF formula. The experimental result shows that the computational costs of the proof generation in the case of using lots of AND relations are greatly reduced than the previous system. Hence, it is practical for mobile users.

  • Conference Article
  • Cite count: 1
  • 10.1109/icnc.2012.48
Implementation and Evaluation of an Pairing-Based Anonymous Credential System with Constant-Size Proofs and Efficient Proof Generations
  • Dec 1, 2012
  • Nasima Begum + 2 more

To enhance user privacy, anonymous credential systems allow the user to convince a verifier of the possession of a certificate issued by the issuing authority anonymously. In the systems, the user can prove logical relations on his/her attributes embedded into the certificate. Previously, we proposed a pairing-based system with constant-size proofs. In the system, the proof generation needs only multiplications depending on the size of the proved relations, and it is more efficient than other existing system that needs the exponentiations whose costs are much larger than multiplications. However, our efficient system has never been implemented, and thus the practicality is not evaluated. In this study, we implemented the system, and measured the processing times and data size, when changing the parameters describing the size of the proved relation. The verification time is very fast and constant, and the proof size is also constant, from which we can confirm the practicality. However, the proof generation time increases, when the parameters increase. Although we confirm the practicality in case of small relations, we clarify the problems in case of larger relations, which should be solved in our future works.

  • Book Chapter
  • 10.1007/0-387-33406-8_42
Anonymous Credentials: Opportunities and Challenges
  • Jan 1, 2006
  • Jan Camenisch

In an anonymous (or private) credential system as put forth by Chaum in 1985, a user is known to different organizations by pseudonyms only. The system allows the user to obtain a credential from one organization and then later show such credentials to other organizations without the transactions being linkable. The area of privacy enhancing cryptography protocols and, in particular, anonymous credential systems have recently gained considerable momentum in research and indeed many substantial contributions have been made in the last few years. At the same time, the interest in applying such systems in the real world has grown. Despite this, the area is still relatively young and there are still many open research challenges to overcome. In this talk, we will review the state of the art in anonymous credential systems. We will then discuss their applications including privacy enhancing identity management (www.prime-project.eu.org) and anonymous attestation. Finally, we will discuss research directions and challenges.

  • Research Article
  • 10.1587/transfun.e102.a.1968
An Efficient Blacklistable Anonymous Credentials without TTP of Tracing Authority Using Pairing-Based Accumulator
  • Dec 1, 2019
  • IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
  • Yuu Aikou + 2 more

In conventional ID-based user authentications, privacy issues may occur, since users’ behavior histories are collected in Service Providers (SPs). Although anonymous authentications such as group signatures have been proposed, these schemes rely on a Trusted Third Party (TTP) capable of tracing misbehaving users. Thus, the privacy is not high, because the TTP of tracing authority can always trace users. Therefore, the anonymous credential system using a blacklist without the TTP of tracing authority has been proposed, where blacklisted anonymous users can be blocked. Recently, an RSA-based blacklistable anonymous credential system with efficiency improvement has been proposed. However, this system still has an efficiency problem: The data size in the authentication is O(K0), where K0 is the maximum number of sessions in which the user can conduct. Furthermore, the O(K0)-size data causes the user the computational cost of O(K0) exponentiations. In this paper, a blacklistable anonymous credential system using a pairing-based accumulator is proposed. In the proposed system, the data size in the authentication is constant for parameters. Although the user’s computational cost depends on parameters, the dependent cost is O(δBL · K) multiplications, instead of exponentiations, where δBL is the number of sessions added to the blacklist after the last authentication of the user, and K is the number of past sessions of the user. The demerit of the proposed system is O(n)-size public key, where n corresponds to the total number of all sessions of all users in the system. But, the user only has to download the public key once.

  • Research Article
  • 10.1016/s0304-3975(97)00020-0
Learning orthogonal F-Horn formulas
  • Oct 1, 1997
  • Theoretical Computer Science
  • Eiji Takimoto + 3 more

  • Research Article
  • Cite count: 7
  • 10.1007/s00500-015-1704-7
Random oracle-based anonymous credential system for efficient attributes proof on smart devices
  • May 22, 2015
  • Soft Computing
  • Nan Guo + 2 more

Attributes proof in anonymous credential systems is an effective way to balance security and privacy in user authentication; however, the linear complexity of attributes proof causes the existing anonymous credential systems far away from being practical, especially on resource-limited smart devices. For efficiency considerations, we present a novel pairing-based anonymous credential system which solves the linear complexity of attributes proof based on aggregate signature scheme. We propose two extended signature schemes, BLS+ and BGLS+, to be cryptographical building blocks for constructing anonymous credentials in the random oracle model. Identity-like information of message holder is encoded in a signature in order that the message holder can prove the possession of the input message along with the validity of a signature. We present issuance protocol for anonymous credentials embedding weak attributes which are referred to what cannot identify a user in a population. Users can prove any combination of attributes all at once by aggregating the corresponding individual credentials into one. The attributes proof protocols on AND and OR relation over multiple attributes are also given. The performance analysis shows that the aggregation-based anonymous credential system outperforms both the conventional Camenisch–Lysyanskaya pairing-based system and the accumulator-based system when prove AND and OR relation over multiple attributes, and the size of credential and public parameters are shorter as well.

  • Conference Article
  • Cite count: 2
  • 10.1109/candar.2014.35
Implementation of Anonymous Credential System with Efficient Proofs for Monotone Formulas on Attributes Excluding Restriction
  • Dec 1, 2014
  • Shahidatul Sadiah + 2 more

An anonymous credential system allows a user to convince a service provider anonymously that he/she owns certified attributes. Previously, we proposed an anonymous credential system to prove user's attributes to satisfy a monotone formula, i.e., a logic relation with any combination of AND/OR relations. However, this system has a restriction that the user can prove the monotone formula when only one attribute is true for any OR relation. Recently, we proposed the improved system to overcome the restriction, by adopting Linear Homomorphic (LH) signature scheme to generate a certificate that contains the minimum attribute set as required in the verification. However, the improved system has never been implemented, and thus the practicality is not evaluated. In this paper, we implement the system using a fast pairing library, and measure the processing times and data sizes, when changing the number of user's attributes and the size of the proved relation.

  • Research Article
  • Cite count: 3
  • 10.3390/cryptography9010008
On Advances of Anonymous Credentials—From Traditional to Post-Quantum
  • Jan 26, 2025
  • Cryptography
  • Madusha Chathurangi + 2 more

Anonymous credential (AC) systems are privacy-preserving authentication mechanisms that allow users to prove that they have valid credentials anonymously. These systems provide a powerful tool for several practical applications, such as anonymous payment systems in e-commerce, preserving robust privacy protection for users. Most existing AC systems are constructed using traditional number-theoretic approaches, making them insecure under quantum attacks. With four decades of research in anonymous credential systems, there is a need for a comprehensive review that identifies the design structures of AC systems, organizes the research trends, and highlights unaddressed gaps for the future development of AC, especially bringing AC to post-quantum cryptography. This work is a complete study describing AC systems, as well as their architecture, components, security, and performance. Additionally, real-world implementations of various applications are identified, analyzed, and compared according to the design structure. Lastly, the challenges hindering the shift toward the quantumly secure lattice-based AC designs are discussed.

  • Conference Article
  • Cite count: 7
  • 10.1109/candarw51189.2020.00068
An Accumulator-Based Revocation in Delegatable Anonymous Credentials
  • Nov 1, 2020
  • Nasima Begum + 1 more

For privacy-enhancing user authentication, anonymous credential system was proposed. In the system, a user is issued a credential on attributes from an issuer, and the user can anonymously prove the ownership of the credential. As the extension, a delegatable anonymous credential (DAC) system was proposed. In the DAC system, the owner of a credential can hierarchically delegate it to another entity, who can also issue a credential to lower entities. Since intermediate issuers in the chaining credentials can be hidden, the DAC system is considered to be applied to a permissioned blockchain. Furthermore, to enable the revocation of credentials, a revocable DAC system was proposed. However, in the previously proposed revocable DAC system, an issuer, who manages the user group, has to issue the non-revocation credentials to all non-revoked users at every epoch, and thus the issuer can be in a bottleneck and the communication cost is high. In this paper, we propose a revocable DAC system using an accumulator. In the proposed system, only a single accumulator and the credential on the accumulator are published at every epoch. Thus there is no bottleneck of the issuer and the communication cost is very low.

  • Research Article
  • Cite count: 4
  • 10.1587/transfun.e95.a.125
Anonymous Credential with Attributes Certification after Registration
  • Jan 1, 2012
  • IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
  • Isamu Teranishi + 1 more

An anonymous credential system enables individuals to selectively prove their attributes while all other knowledge remains hidden. We considered the applicability of such a system to large scale infrastructure systems and perceived that revocations are still a problem. Then we contrived a scenario to lessen the number of revocations by using more attributes. In this scenario, each individual needs to handle a huge number of attributes, which is not practical with conventional systems. In particular, each individual needs to prove small amounts of attributes among a huge number of attributes and the manager of the system needs to certify a huge number of attributes of individuals periodically. These processes consume extremely large resources. This paper proposes an anonymous credential system in which both a user's proving attributes set, which is included in a huge attribute set, and manager's certifying attributes are very efficient. Conclusion: Our proposal enables an anonymous credential system to be deployed as a large scale infrastructure system.

  • Book Chapter
  • Cite count: 10
  • 10.1007/978-3-642-10433-6_14
Verifying Anonymous Credential Systems in Applied Pi Calculus
  • Jan 1, 2009
  • Xiangxi Li + 2 more

Anonymous credentials are widely used to certify properties of a credential owner or to support the owner to demand valuable services, while hiding the user’s identity at the same time. A credential system (a.k.a. pseudonym system) usually consists of multiple interactive procedures between users and organizations, including generating pseudonyms, issuing credentials and verifying credentials, which are required to meet various security properties. We propose a general symbolic model (based on the applied pi calculus) for anonymous credential systems and give formal definitions of a few important security properties, including pseudonym and credential unforgeability, credential safety, pseudonym untraceability. We specialize the general formalization and apply it to the verification of a concrete anonymous credential system proposed by Camenisch and Lysyanskaya. The analysis is done automatically with the tool ProVerif and several security properties have been verified.

Keywords: Security Protocol; Security Property; Credential System; Evaluation Context; Direct Anonymous Attestation

  • Conference Article
  • 10.1109/icce-tw.2015.7216952
Reduction of authentication time in an anonymous credential system with proofs for monotone formulas on attributes
  • Jun 1, 2015
  • Nasima Begum + 2 more

An anonymous credential system allows a user to convince a service provider anonymously that he/she owns certified attributes. Previously, an anonymous credential system was proposed to prove user's attributes to satisfy a monotone formula, i.e., a logic relation with any combination of AND/OR relations. However, this system has a problem of requiring large authentication time which depends on the number of attributes in the proved formula. In this paper, we propose methods to accelerate the authentication time by reducing the exponentiation costs for the calculations of accumulator and the witness which are used in the system. We implemented the accelerated system using a fast pairing library, and measured the authentication times, while changing the size of the proved relation.

  • Conference Article
  • Cite count: 214
  • 10.1145/103418.103420
When won't membership queries help?
  • Jan 1, 1991
  • Dana Angluin + 1 more

We investigate cryptographic limitations on the power of membership queries to help with concept learning. We extend the notion of prediction-preserving reductions to prediction with membership queries. We exhibit a number of reductions and show several prediction problems to be complete for different complexity classes. We show that assuming the intractability of (1) quadratic residues modulo a composite, (2) inverting RSA encryption, or (3) factoring Blum integers, there is no polynomial time prediction algorithm with membership queries for Boolean formulas, constant depth threshold circuits, 3 ?-Boolean formulas, finite unions or intersections of DFAs, 2-way DFAs, NFAs, or CFGs. Also, we show that if there exist one-way functions that cannot be inverted by polynomial-sized circuits, then CNF or DNF formulas and convex polytopes intersected with the Boolean hypercube are either polynomial time predictable without membership queries, or they are not polynomial time predictable even with membership queries; so, in effect, membership queries will not help with predicting CNF or DNF formulas.
