Implementation and Evaluation of a Pairing-Based Anonymous Credential System with Constant-Size Proofs and Efficient Proof Generations
To enhance user privacy, anonymous credential systems allow the user to anonymously convince a verifier of the possession of a certificate issued by the issuing authority. In these systems, the user can prove logical relations on his/her attributes embedded into the certificate. Previously, we proposed a pairing-based system with constant-size proofs. In that system, the proof generation needs only multiplications depending on the size of the proved relations, and it is more efficient than other existing systems that need exponentiations, whose costs are much larger than multiplications. However, our efficient system had never been implemented, and thus its practicality had not been evaluated. In this study, we implemented the system and measured the processing times and data sizes while changing the parameters describing the size of the proved relation. The verification time is very fast and constant, and the proof size is also constant, from which we can confirm the practicality. However, the proof generation time increases as the parameters increase. Although we confirm the practicality in the case of small relations, we clarify the problems in the case of larger relations, which should be solved in our future work.
- Research Article
15
- 10.1587/transfun.e96.a.2422
- Jan 1, 2013
- IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
To enhance user privacy, anonymous credential systems allow the user to anonymously convince a verifier of the possession of a certificate issued by the issuing authority. In these systems, the user can prove relations on his/her attributes embedded into the certificate. Previously, a pairing-based anonymous credential system with proofs of constant size in the number of attributes of the user was proposed. This system supports proofs of inner product relations on attributes, and thus can handle complex logical relations on attributes such as CNF and DNF formulas. However, this system suffers from its computational cost: the proof generation needs exponentiations depending on the number of literals in OR relations. In this paper, we propose a pairing-based anonymous credential system with constant-size proofs for CNF formulas and more efficient proof generation. In the proposed system, the proof generation needs only multiplications depending on the number of literals, and thus it is more efficient than the previously proposed system. The key of our construction is to use an extended accumulator, by which we can verify that multiple attributes are included in multiple sets, all at once. This leads to the verification of CNF formulas on attributes. Since the accumulator is mainly calculated by multiplications, we achieve better computational costs.
- Book Chapter
- 10.1007/0-387-33406-8_42
- Jan 1, 2006
In an anonymous (or private) credential system as put forth by Chaum in 1985, a user is known to different organizations by pseudonyms only. The system allows the user to obtain a credential from one organization and later show such credentials to other organizations without these transactions being linkable. The area of privacy-enhancing cryptographic protocols and, in particular, anonymous credential systems has recently gained considerable momentum in research, and indeed many substantial contributions have been made in the last few years. At the same time, the interest in applying such systems in the real world has grown. Despite this, the area is still relatively young and there are still many open research challenges to overcome. In this talk, we will review the state of the art in anonymous credential systems. We will then discuss their applications, including privacy-enhancing identity management (www.prime-project.eu.org) and anonymous attestation. Finally, we will discuss research directions and challenges.
- Book Chapter
5
- 10.1007/978-3-319-22425-1_16
- Jan 1, 2015
An anonymous credential system allows a user to convince a service provider anonymously that he/she owns certified attributes. Previously, a system to prove AND and OR relations simultaneously by CNF formulas was proposed. To achieve a constant-size proof of the formula, this system adopts an accumulator that compresses multiple attributes into a single value. However, this system has a problem: the proof generation requires a large computational time in the case of many OR literals in the formula. One example formula consists of many birthdate attributes to prove age. This greatly increases the number of public parameters corresponding to attributes, which causes a large delay in the accumulator computation due to the multiplication of many parameters. In this paper, we propose an anonymous credential system with constant-size proofs for monotone formulas on attributes, in order to obtain more efficiency in the proof generation. A monotone formula is a logic formula that contains any combination of AND and OR relations. Our approach to proving the monotone formula is to extend the accumulator so that it is adapted to the tree expressing the monotone formula. Since the use of monotone formulas increases the expressive capability of the attribute proof, the number of public parameters multiplied in the accumulator is greatly decreased, which reduces the proof generation time.
- Conference Article
2
- 10.1109/candar.2014.35
- Dec 1, 2014
An anonymous credential system allows a user to convince a service provider anonymously that he/she owns certified attributes. Previously, we proposed an anonymous credential system to prove that a user's attributes satisfy a monotone formula, i.e., a logic relation with any combination of AND/OR relations. However, this system has a restriction: the user can prove the monotone formula only when exactly one attribute is true for any OR relation. Recently, we proposed an improved system to overcome the restriction by adopting a Linearly Homomorphic (LH) signature scheme to generate a certificate that contains the minimum attribute set required in the verification. However, the improved system had never been implemented, and thus its practicality had not been evaluated. In this paper, we implement the system using a fast pairing library, and measure the processing times and data sizes while changing the number of the user's attributes and the size of the proved relation.
- Book Chapter
25
- 10.1007/978-3-642-37682-5_35
- Jan 1, 2013
To enhance user privacy, anonymous credential systems allow the user to anonymously convince a verifier of the possession of a certificate issued by the issuing authority. In these systems, the user can prove relations on his/her attributes embedded into the certificate. Previously, a pairing-based anonymous credential system with proofs of constant size in the number of attributes of the user was proposed. This system supports proofs of inner product relations on attributes, and thus can handle complex logical relations on attributes such as CNF and DNF formulas. However, this system suffers from its computational cost: the proof generation needs exponentiations depending on the number of literals in OR relations. In this paper, we propose a pairing-based anonymous credential system with constant-size proofs for CNF formulas and more efficient proof generation. In the proposed system, the proof generation needs only multiplications depending on the number of literals, and thus it is more efficient than the previously proposed system. The key of our construction is to use an extended accumulator, by which we can verify that multiple attributes are included in multiple sets, all at once. This leads to the verification of CNF formulas on attributes. Since the accumulator is mainly calculated by multiplications, we achieve better computational costs.
- Research Article
3
- 10.3390/cryptography9010008
- Jan 26, 2025
- Cryptography
Anonymous credential (AC) systems are privacy-preserving authentication mechanisms that allow users to prove that they have valid credentials anonymously. These systems provide a powerful tool for several practical applications, such as anonymous payment systems in e-commerce, preserving robust privacy protection for users. Most existing AC systems are constructed using traditional number-theoretic approaches, making them insecure under quantum attacks. With four decades of research in anonymous credential systems, there is a need for a comprehensive review that identifies the design structures of AC systems, organizes the research trends, and highlights unaddressed gaps for the future development of AC, especially bringing AC to post-quantum cryptography. This work is a complete study describing AC systems, as well as their architecture, components, security, and performance. Additionally, real-world implementations of various applications are identified, analyzed, and compared according to the design structure. Lastly, the challenges hindering the shift toward quantum-secure lattice-based AC designs are discussed.
- Research Article
- 10.1587/transfun.e102.a.1968
- Dec 1, 2019
- IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
In conventional ID-based user authentication, privacy issues may occur, since users' behavior histories are collected in Service Providers (SPs). Although anonymous authentications such as group signatures have been proposed, these schemes rely on a Trusted Third Party (TTP) capable of tracing misbehaving users. Thus, the privacy is not high, because the TTP acting as tracing authority can always trace users. Therefore, an anonymous credential system using a blacklist without a TTP tracing authority has been proposed, where blacklisted anonymous users can be blocked. Recently, an RSA-based blacklistable anonymous credential system with an efficiency improvement has been proposed. However, this system still has an efficiency problem: the data size in the authentication is O(K0), where K0 is the maximum number of sessions that the user can conduct. Furthermore, the O(K0)-size data costs the user O(K0) exponentiations. In this paper, a blacklistable anonymous credential system using a pairing-based accumulator is proposed. In the proposed system, the data size in the authentication is constant in the parameters. Although the user's computational cost depends on the parameters, the dependent cost is O(δBL · K) multiplications, instead of exponentiations, where δBL is the number of sessions added to the blacklist after the last authentication of the user, and K is the number of past sessions of the user. The demerit of the proposed system is the O(n)-size public key, where n corresponds to the total number of all sessions of all users in the system. However, the user only has to download the public key once.
- Conference Article
1075
- 10.1109/sp.2018.00020
- May 1, 2018
We propose Bulletproofs, a new non-interactive zero-knowledge proof protocol with very short proofs and without a trusted setup; the proof size is only logarithmic in the witness size. Bulletproofs are especially well suited for efficient range proofs on committed values: they enable proving that a committed value is in a range using only 2 log_2(n)+9 group and field elements, where n is the bit length of the range. Proof generation and verification times are linear in n. Bulletproofs greatly improve on the linear (in n) sized range proofs in existing proposals for confidential transactions in Bitcoin and other cryptocurrencies. Moreover, Bulletproofs support aggregation of range proofs, so that a party can prove that m commitments lie in a given range by providing only an additional O(log(m)) group elements over the length of a single proof. To aggregate proofs from multiple parties, we enable the parties to generate a single proof without revealing their inputs to each other via a simple multi-party computation (MPC) protocol for constructing Bulletproofs. This MPC protocol uses either a constant number of rounds and linear communication, or a logarithmic number of rounds and logarithmic communication. We show that verification time, while asymptotically linear, is very efficient in practice. The marginal cost of batch verifying 32 aggregated range proofs is less than the cost of verifying 32 ECDSA signatures. Bulletproofs build on the techniques of Bootle et al. (EUROCRYPT 2016). Beyond range proofs, Bulletproofs provide short zero-knowledge proofs for general arithmetic circuits while relying only on the discrete logarithm assumption and without requiring a trusted setup. We discuss many applications that would benefit from Bulletproofs, primarily in the area of cryptocurrencies. The efficiency of Bulletproofs is particularly well suited for the distributed and trustless nature of blockchains. The full version of this article is available on ePrint.
- Conference Article
- 10.1109/iceeict.2015.7307538
- May 1, 2015
An anonymous credential system allows a user to convince a service provider anonymously that he/she owns certified attributes. Previously, we proposed a pairing-based anonymous credential system with constant-size proofs, where combinations of logical AND and OR relations on user attributes can be proved as CNF formulas. However, this system has the problem of requiring a large online computation time during authentication, which depends on the number of AND relations in the proved formula. In this paper, we propose an efficiency improvement of the computational overhead based on an online/offline precomputation technique. In our improvement, all exponentiations that can be used for the accumulator and witness computations are executed in advance in the precomputation algorithm. Thus, exponentiations in the online accumulator and witness computations are eliminated, and only multiplications are needed. We implemented the system using a fast pairing library, and measured the processing times while changing the size of the proved CNF formula. The experimental results show that the computational costs of the proof generation in the case of many AND relations are greatly reduced compared with the previous system. Hence, it is practical for mobile users.
- Research Article
2
- 10.2478/cait-2025-0001
- Mar 1, 2025
- Cybernetics and Information Technologies
Privacy is one of the major security concerns. A zero-knowledge proof enables the transmission of data from the sender to the receiver without disclosing the actual content of the data. The proposed work uses the ZK-STARK (Zero-Knowledge Scalable Transparent ARgument of Knowledge) algorithm for transaction privacy in the organic jaggery supply chain. The paper emphasizes a detailed mathematical model, involving two key participants: the prover (food processor) and the verifier (distributor). The prover calculates the polynomial for the problem and its composition polynomial, and provides its Merkle proof to the verifier. The verifier conducts queries to confirm and validate the accuracy of the information. The proof is validated using the Fast Reed-Solomon Interactive Oracle Proofs protocol. Performance is measured as proof generation and verification time, proof size, and throughput. Future plans involve increasing the domain size of this algorithm, varying the polynomial interpolation, and evaluating its performance measures by integrating it into a blockchain.
- Book Chapter
10
- 10.1007/978-3-642-10433-6_14
- Jan 1, 2009
Anonymous credentials are widely used to certify properties of a credential owner or to support the owner in demanding valuable services, while hiding the user's identity at the same time. A credential system (a.k.a. pseudonym system) usually consists of multiple interactive procedures between users and organizations, including generating pseudonyms, issuing credentials and verifying credentials, which are required to meet various security properties. We propose a general symbolic model (based on the applied pi calculus) for anonymous credential systems and give formal definitions of a few important security properties, including pseudonym and credential unforgeability, credential safety, and pseudonym untraceability. We specialize the general formalization and apply it to the verification of a concrete anonymous credential system proposed by Camenisch and Lysyanskaya. The analysis is done automatically with the tool ProVerif, and several security properties have been verified.
- Conference Article
1
- 10.1109/eurospw51379.2020.00057
- Sep 1, 2020
Revelio (CVCBT 2019) is a proof of reserves protocol for MimbleWimble-based cryptocurrencies which provides privacy to a cryptocurrency exchange by hiding the exchange-owned outputs in a larger anonymity set of unspent outputs. A drawback of Revelio is that the proof size scales linearly in the size of the anonymity set. To alleviate this, we design RevelioBP, a Bulletproofs-based proof of reserves protocol with proof sizes which scale logarithmically in the size of the anonymity set. This improvement allows us to use the set of all UTXOs as the anonymity set, resulting in better privacy for the exchange. On the downside, the higher proof generation and verification time of RevelioBP than that of Revelio might affect practical deployment of RevelioBP. Through implementation of RevelioBP, we quantitatively analyse trade-offs in design of MimbleWimble proofs of reserves in terms of scalability and performance. We conclude that unless proof size is a concern for exchanges, Revelio is a marginally better choice for proof of reserves. On the other hand, if an exchange is willing to pay in terms of proof generation time, RevelioBP offers proof sizes significantly smaller than Revelio.
- Conference Article
7
- 10.1109/candarw51189.2020.00068
- Nov 1, 2020
For privacy-enhancing user authentication, the anonymous credential system was proposed. In this system, a user is issued a credential on attributes by an issuer, and the user can anonymously prove ownership of the credential. As an extension, the delegatable anonymous credential (DAC) system was proposed. In the DAC system, the owner of a credential can hierarchically delegate it to another entity, who can in turn issue a credential to lower entities. Since intermediate issuers in the chain of credentials can be hidden, the DAC system is considered applicable to permissioned blockchains. Furthermore, to enable the revocation of credentials, a revocable DAC system was proposed. However, in the previously proposed revocable DAC system, the issuer who manages the user group has to issue non-revocation credentials to all non-revoked users at every epoch, and thus the issuer can become a bottleneck and the communication cost is high. In this paper, we propose a revocable DAC system using an accumulator. In the proposed system, only a single accumulator and the credential on the accumulator are published at every epoch. Thus there is no bottleneck at the issuer, and the communication cost is very low.
- Research Article
4
- 10.1587/transfun.e95.a.125
- Jan 1, 2012
- IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
An anonymous credential system enables individuals to selectively prove their attributes while all other knowledge remains hidden. We considered the applicability of such a system to large-scale infrastructure systems and perceived that revocations are still a problem. We then contrived a scenario to lessen the number of revocations by using more attributes. In this scenario, each individual needs to handle a huge number of attributes, which is not practical with conventional systems. In particular, each individual needs to prove a small number of attributes among a huge number of attributes, and the manager of the system needs to certify a huge number of attributes of individuals periodically. These processes consume extremely large resources. This paper proposes an anonymous credential system in which both a user's proving of an attribute set included in a huge attribute set and the manager's certifying of attributes are very efficient. Our proposal enables an anonymous credential system to be deployed as a large-scale infrastructure system.
- Conference Article
2
- 10.1109/hpcc.2010.41
- Sep 1, 2010
Data integrity is critical for many applications. With huge amounts of data shared on cloud computing platforms, e.g. Amazon S3, GFS, Apache Hadoop etc., the risk of damage is increasing at the same time. Equivocation is a powerful tool that malicious nodes can use to poison the states of honest nodes and escape punishment. Accountability, which makes the system's actions verifiable, has become a first-class citizen in distributed system design. Tamper-evident logging is a useful utility for constructing accountable systems, and is used in different self-certifying systems. In this paper, we present Index Tree, a utility for constructing tamper-evident logs. Index Tree supports efficient proof generation and verification, and its proof size is much smaller, which makes proofs convenient to exchange among distributed nodes. Experiments show that Index Tree has advantages in proof size, proof generation and verification compared with AASL.