Random oracle-based anonymous credential system for efficient attributes proof on smart devices
Attributes proof in anonymous credential systems is an effective way to balance security and privacy in user authentication; however, the linear complexity of attributes proof keeps the existing anonymous credential systems far from being practical, especially on resource-limited smart devices. For efficiency considerations, we present a novel pairing-based anonymous credential system which solves the linear complexity of attributes proof based on an aggregate signature scheme. We propose two extended signature schemes, BLS+ and BGLS+, to be cryptographic building blocks for constructing anonymous credentials in the random oracle model. Identity-like information of the message holder is encoded in a signature in order that the message holder can prove the possession of the input message along with the validity of a signature. We present an issuance protocol for anonymous credentials embedding weak attributes, which refer to what cannot identify a user in a population. Users can prove any combination of attributes all at once by aggregating the corresponding individual credentials into one. The attributes proof protocols on AND and OR relations over multiple attributes are also given. The performance analysis shows that the aggregation-based anonymous credential system outperforms both the conventional Camenisch–Lysyanskaya pairing-based system and the accumulator-based system when proving AND and OR relations over multiple attributes, and the credential and public parameters are shorter as well.
- Research Article
4
- 10.3390/cryptography9010008
- Jan 26, 2025
- Cryptography
Anonymous credential (AC) systems are privacy-preserving authentication mechanisms that allow users to prove that they have valid credentials anonymously. These systems provide a powerful tool for several practical applications, such as anonymous payment systems in e-commerce, preserving robust privacy protection for users. Most existing AC systems are constructed using traditional number-theoretic approaches, making them insecure under quantum attacks. With four decades of research in anonymous credential systems, there is a need for a comprehensive review that identifies the design structures of AC systems, organizes the research trends, and highlights unaddressed gaps for the future development of AC, especially bringing AC to post-quantum cryptography. This work is a complete study describing AC systems, as well as their architecture, components, security, and performance. Additionally, real-world implementations of various applications are identified, analyzed, and compared according to the design structure. Lastly, the challenges hindering the shift toward the quantumly secure lattice-based AC designs are discussed.
- Book Chapter
- 10.1007/0-387-33406-8_42
- Jan 1, 2006
In an anonymous (or private) credential system as put forth by Chaum in 1985, a user is known to different organizations by pseudonyms only. The system allows the user to obtain a credential from one organization and then later show such credentials to other organizations without the transactions being linkable. The area of privacy-enhancing cryptographic protocols and, in particular, anonymous credential systems has recently gained considerable momentum in research, and indeed many substantial contributions have been made in the last few years. At the same time, the interest in applying such systems in the real world has grown. Despite this, the area is still relatively young and there are still many open research challenges to overcome. In this talk, we will review the state of the art in anonymous credential systems. We will then discuss their applications including privacy-enhancing identity management (www.prime-project.eu.org) and anonymous attestation. Finally, we will discuss research directions and challenges.
- Book Chapter
19
- 10.1007/978-3-319-69453-5_20
- Jan 1, 2017
Until quite recently, anonymous credential systems were based on public key primitives. A new approach, that relies on algebraic Message Authentication Codes (MACs) in prime-order groups, has recently been introduced by Chase et al. at CCS 2014. They proposed two anonymous credential systems referred to as “Keyed-Verification Anonymous Credentials (KVAC)” as they require the verifier to know the issuer secret key. Unfortunately, both systems' presentation proof, for n unrevealed attributes, is of complexity O(n) in the number of group elements. In this paper, we propose a new KVAC system that provides multi-show unlinkability of credentials and is of complexity O(1) in the number of group elements while being almost as efficient as Microsoft’s U-Prove anonymous credentials system (which does not ensure multi-show unlinkability) and many times faster than IBM’s Idemix. Our credentials are constructed based on a new algebraic MAC scheme which is of independent interest. Through slight modifications on the verifier side, our KVAC system, which is proven secure in the random oracle model, can be easily turned into a public-key credentials system. By implementing it on a standard NFC SIM card, we show its efficiency and suitability for real-world use cases and constrained devices. In particular, a credential presentation, with 3 attributes, can be performed in only 88 ms.
- Conference Article
7
- 10.1109/candarw51189.2020.00068
- Nov 1, 2020
For privacy-enhancing user authentication, the anonymous credential system was proposed. In the system, a user is issued a credential on attributes from an issuer, and the user can anonymously prove the ownership of the credential. As an extension, a delegatable anonymous credential (DAC) system was proposed. In the DAC system, the owner of a credential can hierarchically delegate it to another entity, who can also issue a credential to lower entities. Since intermediate issuers in the chained credentials can be hidden, the DAC system is considered applicable to a permissioned blockchain. Furthermore, to enable the revocation of credentials, a revocable DAC system was proposed. However, in the previously proposed revocable DAC system, an issuer, who manages the user group, has to issue the non-revocation credentials to all non-revoked users at every epoch, and thus the issuer can become a bottleneck and the communication cost is high. In this paper, we propose a revocable DAC system using an accumulator. In the proposed system, only a single accumulator and the credential on the accumulator are published at every epoch. Thus there is no bottleneck at the issuer and the communication cost is very low.
- Book Chapter
3
- 10.1007/978-3-642-25513-7_15
- Jan 1, 2011
Anonymous credential systems allow users to obtain a certified credential (a driving license, a student card, etc.) from one organization and then later prove possession of this certified credential to another party, while minimizing the information given to the latter. At CANS 2010, Guajardo, Mennink and Schoenmakers have introduced the concept of anonymous credential schemes with encrypted attributes, where the attributes to be certified are encrypted and unknown to the user and/or issuing organization. Their construction is secure in the random oracle model and based on blind signatures, which, unfortunately, restrict the credentials to be used only once (one-show) to remain unlinkable. In their paper, Guajardo et al. left as an open problem to construct multi-show credential schemes with encrypted attributes, or to show the impossibility of such a construction. We here provide a positive answer to this problem: our multi-show anonymous credential scheme with encrypted attributes relies on the non-interactive Groth-Sahai proof system and the recent work on commuting signatures from Fuchsbauer (Eurocrypt 2011) and is proven secure in the standard model.
- Book Chapter
7
- 10.1007/978-3-662-43936-4_4
- Jan 1, 2014
Proxy signatures enable an originator to delegate the signing rights for a restricted set of messages to a proxy. The proxy is then able to produce valid signatures only for messages from this delegated set on behalf of the originator. Recently, two variants of privacy-enhancing proxy signatures, namely blank signatures [25] and warrant-hiding proxy signatures [26], have been introduced. In this context, privacy-enhancing means that a verifier of a proxy signature does not learn anything about the delegated message set beyond the message being presented for verification. We observe that this principle bears similarities with functionality provided by anonymous credentials. Inspired by this observation, we examine black-box constructions of the two aforementioned proxy signatures from non-interactive anonymous credentials, i.e., anonymous credentials with a non-interactive showing protocol, and show that the so obtained proxy signatures are secure if the anonymous credential system is secure. Moreover, we present two concrete instantiations using well-known representatives of anonymous credentials, namely Camenisch-Lysyanskaya CL and Brands' credentials. While constructions of anonymous credentials from signature schemes with particular properties, such as CL signatures or structure-preserving signatures, as well as from special variants of signature schemes, such as group signatures, sanitizable and indexed aggregate signatures, are known, this is the first paper that provides constructions of special variants of signature schemes, i.e., privacy-enhancing proxy signatures, from anonymous credentials.
- Research Article
20
- 10.1109/jsyst.2020.2970427
- Feb 25, 2020
- IEEE Systems Journal
In an aggregate signature scheme, $n$ signatures on $n$ different messages from $n$ users can be combined into a single signature. By verifying the signature, the verifier believes that $n$ users did generate the $n$ corresponding signatures. In the recent decade, numerous certificateless aggregate signature (CLAS) schemes have been introduced. There are two issues with these schemes. First, it was in the random oracle model (ROM) that the security proofs of these schemes were given. ROM is an idealized model. A signature scheme is not necessarily secure in real life even if it has been proven to be safe in ROM. Second, the number of hash-to-point operations increases linearly with the number of signers in these schemes, so they are not suited for computation-constrained devices (such as mobile devices). In this article, a new certificateless signature scheme is constructed. Based on it, a new CLAS scheme is proposed. Under the hypothesis that it is hard to solve a computational Diffie–Hellman problem, the two schemes are proved to be secure in the standard model. The CLAS scheme needs only three pairing operations and does not need a hash-to-point operation; taking into account the computation cost, it is more efficient than previous CLAS schemes.
- Conference Article
35
- 10.1145/2484313.2484363
- May 8, 2013
Anonymous credential systems allow users to obtain certified credentials from organizations and use them later without being traced. For instance, a student will be able to prove, using his student card certified by the University, that he is a student living e.g. in Hangzhou without revealing other information given by the student card, such as his name or studies. Besides, sanitizable signatures enable a designated person, called the sanitizer, to modify some parts of a signed message in a controlled way, such that the message can still be verified w.r.t. the original signer. We propose in this paper to formalize the following new idea. A user gets from the organization a signed document certifying personal data (e.g. name, address, studies, etc.) and plays the role of the sanitizer. When showing his credential, he uses sanitization techniques to hide the information he does not want to reveal (e.g. name, studies or complete address), and shows the resulting document, which is still seen as a document certified by the organization. Unfortunately, existing sanitizable signatures cannot directly be used for this purpose. We thus seek generic conditions on them to be used as anonymous credentials. We also provide a concrete construction based on standard assumptions and secure in the random oracle model.
- Research Article
8
- 10.1080/19393555.2019.1685141
- Nov 2, 2019
- Information Security Journal: A Global Perspective
The most important contribution of modern cryptography is the invention of digital signatures. To deal with specific application scenarios, digital signature schemes have evolved into different variants. One such variant is the aggregate signature scheme, which allows aggregation of different signatures by different users on different messages, to achieve computational and communication efficiency. Such schemes are useful in the design of Wireless Sensor Networks, Mobile Ad-hoc Networks, and Vehicular Ad-hoc Networks, where storage, bandwidth, and computational complexity are major constraints. In order to improve the computational and communication efficiency along with security, in this paper, we propose a novel Certificateless Aggregate Signature (CLAS) scheme and extend it to achieve full aggregation. The proposed CLAS scheme uses bilinear pairings over elliptic curves and is proven secure in the Random Oracle Model under the assumption that the Computational Diffie–Hellman Problem is hard. The security of the proposed CLAS scheme is proven without using the forking lemma to achieve tight security. We compared our scheme with well-known existing schemes. Efficiency analysis shows that our scheme is much more efficient than existing schemes in terms of communication and computational costs.
- Book Chapter
1322
- 10.1007/3-540-44987-6_7
- Jan 1, 2001
A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance because it is the best means of providing privacy for users. In this paper we propose a practical anonymous credential system that is based on the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product and is considerably superior to existing ones: (1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization. (2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions. (3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other. Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing all-or-nothing sharing: a user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity. This is implemented by a new primitive, called circular encryption, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.
Keywords: Privacy protection; credential system; pseudonym system; e-cash; blind signatures; circular encryption; key-oblivious encryption
- Research Article
2
- 10.32604/cmc.2022.030270
- Jan 1, 2022
- Computers, Materials & Continua
This paper proposes the first code-based quantum immune sequential aggregate signature (SAS) scheme and proves the security of the proposed scheme in the random oracle model. Aggregate signature (AS) schemes and sequential aggregate signature schemes allow a group of potential signers to sign different messages respectively, and all the signatures of those users on those messages can be aggregated into a single signature such that the size of the aggregate signature is much smaller than the total size of all individual signatures. Because of the aggregation of many signatures into a single short signature, AS and SAS schemes can reduce bandwidth and save storage; moreover, when a SAS is verified, not only the validity but also the order in which each signer signed can be verified. AS and SAS schemes can be applied to traffic control, banking transactions and military applications. Most of the existing AS and SAS schemes are based either on pairing or Rivest–Shamir–Adleman (RSA), and hence, can be broken by Shor’s quantum algorithm for the Integer Factoring Problem (IFP) and Discrete Logarithm Problem (DLP). There are no quantum algorithms to solve syndrome decoding problems. Hence, code-based cryptography is seen as one of the promising candidates for post-quantum cryptography. This paper shows how to construct quantum immune sequential aggregate signatures based on coding theory. Specifically, we construct our scheme with the first code-based signature scheme proposed by Courtois, Finiasz and Sendrier (CFS). Compared to the CFS signature scheme without aggregation, the proposed sequential aggregate signature scheme can save about 90% storage when the number of signers is asymptotically large.
- Research Article
- 10.1007/s44443-025-00276-z
- Jan 28, 2026
- Journal of King Saud University Computer and Information Sciences
Optimized authentication algorithm for privacy-preserving anonymous credentials using randomized aggregate signatures
- Conference Article
- 10.1109/icic.2009.176
- Jan 1, 2009
An aggregate signature scheme is a digital signature scheme that supports aggregation: Given n ordinary signatures on n distinct messages from n distinct ordinary signers, it is possible to aggregate all these signatures into a single short signature. An aggregate proxy signature scheme permits compressing multiple proxy signatures into a single short signature. However, since the previous aggregate signature schemes cannot simultaneously aggregate ordinary signatures and proxy signatures, these schemes are referred to as mono-aggregation schemes. A new aggregate scheme is proposed, called the hybrid aggregate signature scheme, which supports condensing ordinary signatures and proxy signatures simultaneously into a single short signature.
- Book Chapter
- 10.1007/978-3-642-14282-6_19
- Jan 1, 2010
Web applications dealing with personal data in a privacy-friendly way have the need for anonymous credential systems. While there are already protocols describing anonymous credential systems and libraries implementing the protocols, applications using the libraries are rare. Without applications supporting anonymous credentials, companies will not start building a credential infrastructure and vice versa. This paper presents an easy way to issue and use anonymous credentials for web applications. By reducing the initial cost for both parties, the barrier of “starting first” can be lowered.
- Book Chapter
6
- 10.1007/978-3-031-22912-1_11
- Jan 1, 2022
Recent works to improve privacy in permissioned blockchains like Hyperledger Fabric rely on Idemix, the only anonymous credential system that has been integrated to date. The current Idemix implementation in Hyperledger Fabric (v2.4) only supports a fixed set of attributes; it does not support revocation features, nor does it support anonymous endorsement of transactions (in Fabric, transactions need to be approved by a subset of peers before consensus). A prototype Idemix extension by Bogatov et al. (CANS, 2021) was proposed to include revocation, auditability, and to gain privacy for users. In this work, we explore how to gain efficiency, functionality, and further privacy, departing from recent works on anonymous credentials based on Structure-Preserving Signatures on Equivalence Classes. As a result, we extend previous works to build a new anonymous credential scheme called Protego. We also present a variant of it (Protego Duo) based on a different approach to hiding the identity of an issuer during showings. We also discuss how both can be integrated into Hyperledger Fabric and provide a prototype implementation. Finally, our results show that Protego and Protego Duo are at least twice as fast as state-of-the-art approaches based on Idemix.
Keywords: Anonymous credentials; Auditability; Hyperledger Fabric; Mercurial signatures; Permissioned blockchains