Optimized authentication algorithm for privacy-preserving anonymous credentials using randomized aggregate signatures

Traceable Anonymous Credentials (TACs) are an important extension of Anonymous Credentials (ACs). TAC systems protect user privacy during credential verifications while also allowing for the de-anonymization of credentials in cases of misbehavior. Although TACs have been studied with several constructions based on number-theoretic assumptions, the formal security definitions of credential tracing and efficient constructions with post-quantum security remain absent. This work addresses both gaps by presenting the first formalization of TACs and the first post-quantum construction based on module lattices. We design a new trapdoor for a lattice-based commitment, which allows partial recovery of commitment randomness. We integrate our trapdoor commitment into the state-of-the-art lattice-based AC system by Jeudy et al. (Crypto 2023) to derive our efficient TAC system.

An anonymous credential (AC) system with partial disclosure allows users to prove possession of a credential issued by an issuer while selectively disclosing a subset of their attributes to a verifier in a privacy-preserving manner. In keyed-verification AC (KVAC) systems, the issuer and verifier share a secret key. Existing KVAC schemes rely on computationally expensive zero-knowledge proofs during credential presentation, with the presentation size growing linearly with the number of attributes. In this work, we propose two highly efficient KVAC constructions that eliminate the need for zero-knowledge proofs during the credential presentation and achieve constant-size presentations. Our first construction adapts the approach of Fuchsbauer, Hanser and Slamanig (JoC'19), which achieved constant-size credential presentation in a publicly verifiable setting using their proposed structure-preserving signatures on equivalence classes (SPS-EQ) and set commitment schemes, to the KVAC setting. We introduce structure-preserving message authentication codes on equivalence classes (SP-MAC-EQ) and designated-verifier set commitments (DVSC), resulting in a KVAC system with constant-size credentials (2 group elements) and presentations (5 group elements). To avoid the bilinear groups and pairing operations required by SP-MAC-EQ, our second construction uses a homomorphic MAC with a simplified DVSC. While this sacrifices constant-size credentials (n+2 group elements, where n is the number of attributes), it retains constant-size presentations (2 group elements) in a pairingless setting. We formally prove the security of both constructions and provide open-source implementation results demonstrating their practicality. We extensively benchmarked our KVAC protocols and, additionally, bechmarked the efficiency of our SP-MAC-EQ scheme against the original SPS-EQ scheme, showcasing significant performance improvements.

AsCred: An anonymous credential system based on batch partial blind signature and polymath

Anonymous credential (AC) systems are privacy-preserving authentication mech-anisms that allow users to prove that they have valid credentials anonymously. These systems provide a powerful tool for several practical applications, such as anonymous pay-ment systems in e-commerce, preserving robust privacy protection for users. Most existing AC systems are constructed using traditional number-theoretic approaches, making them insecure under quantum attacks. With four decades of research in anonymous credential systems, there is a need for a comprehensive review that identifies the design structures of AC systems, organizes the research trends, and highlights unaddressed gaps for the future development of AC, especially bringing AC to post-quantum cryptography. This work is a complete study describing AC systems, as well as their architecture, components, security, and performance. Additionally, real-world implementations of various applications are identified, analyzed, and compared according to the design structure. Lastly, the challenges hindering the shift toward the quantumly secure lattice-based AC designs are discussed.

This article proposes a novel method for managing usage counters within an anonymous credential system, addressing the limitation of traditional anonymous credentials in tracking repeated use. The method takes advantage of blockchain technology through Smart Contracts deployed on the Ethereum network to enforce a predetermined maximum number of uses for a given credential. Users retain control over increments by providing zero-knowledge proofs (ZKPs) demonstrating private key possession and agreement on the increment value. This approach prevents replay attacks and ensures transparency and security. A prototype implementation on a private Ethereum blockchain demonstrates the feasibility and efficiency of the proposed method, paving the way for its potential deployment in real-world applications requiring both anonymity and usage tracking.

We propose a multi-show decentralized multi-authority attribute-based anonymous credential system (dACS). Referring to previous work, we give a new syntax and three security notions: unforgeability, anonymity and unlinkability. Especially, corruption of authorities is considered to reflect a real scenario. Then we give a generic construction of dACS. In our $$ \textsf{dACS} $$ , an attribute authority who issues a private secret key to an entity only has to sign the entity's identifier. Then, according to the principle of "commit-to-identifier", the entity generates a proof of knowing credentials. There are two building blocks: the structure-preserving signature scheme and the Groth-Sahai non-interactive proof system, both of which are in asymmetric bilinear groups. The principle is realized with a bundled language that is simultaneous pairing-product equations on the identifier. There, the bundled language works for preventing collusion attacks . Finally, we instantiate our generic $$ \textsf{dACS} $$ under the Symmetric External Diffie-Hellman (SXDH) assumption, compare the instantiated scheme with previous work, and evaluate the performance.

Camenisch–Lysyanskaya signature scheme with randomizability, namely CL signatures, at CRYPTO’04 has been well adopted for many privacy-preserving constructions, especially in the context of anonymous credential systems. Unfortunately, CL signatures suffer from linear size drawbacks. The signature size grows linearly based on the signing messages, which decreases the interest in practice, as each user may have multiple attributes (messages). Its standard EUF-CMA security was first proven under an interactive assumption. While the interactive assumption is not desirable in cryptography, Fuchsbauer et al. revisited its security at CRYPTO’18 by proving the scheme under the discrete logarithm (Dlog) assumption in the algebraic group model (AGM) that idealizes the adversary’s computation to be algebraic, yet the reduction loss is non-tight. In this work, we propose a new variant of CL signatures, namely CL+ signatures, that improves efficiency and security. The proposed CL+ signatures possess randomizability without the linear size drawback, such that signature size is a constant of three group elements. Besides, we prove the security of CL+ signatures can be tightly reduced to the DLog problem in AGM with only a loss factor of 3. Lastly, we show how CL+ signatures can also be instantiated to anonymous credential systems.

Anonymous credentials are cryptographic mechanisms enabling users to authenticate themselves with a fine-grained control on the information they leak in the process. They have been the topic of countless papers which have improved the performance of such mechanisms or proposed new schemes able to prove ever-more complex statements about the attributes certified by those credentials. However, although these papers have studied in depth the problem of the information leaked by the credential and/or the attributes, almost all of them have surprisingly overlooked the information one may infer from the knowledge of the credential issuer. In this paper we address this problem by showing how one can efficiently hide the actual issuer of a credential within a set of potential issuers. The novelty of our work is that we do not resort to zero-knowledge proofs but instead we show how one can tweak Pointcheval-Sanders signatures to achieve this issuer-hiding property in a compact way. This results in an efficient anonymous credential system that indeed provides a complete control of the information leaked in the authentication process. Our construction is moreover modular and can then fit a wide spectrum of applications, notably for Self-Sovereign Identity (SSI) systems.

Threshold anonymous credentials enable users to acquire credentials in a decentralized manner while upholding their privacy. However, distributed network environments, such as electronic voting systems and federated identity management systems, have pressing needs for enhancing security, reducing reliance on fixed-group issuers, and achieving scalability. These requirements expose the significant constraints of existing threshold anonymous credential systems, which struggle to support dynamic threshold settings. This struggle leads to the necessity of system rewinding whenever an issuer is included or excluded. Moreover, the communication and computation complexities involved in showing credentials exhibit a linear relationship with the number of credentials possessed by each user. In this paper, we present a novel dynamic threshold anonymous credential system, named DTACB, to tackle the aforementioned challenges. DTACB enables the dynamic adjustment of thresholds, allowing issuer adjustments without rewinding the system. DTACB additionally supports batch-showing of credentials and proof of credential quantity values while preserving the user’s credentials collection remains undisclosed. We conduct rigorous security analysis and validate our efficiency claims via implementing and benchmarking. In particular, DTACB effectively reduces the cost of batch-proof verification to 3.78 ms, independent of the user’s proof size.

The anonymous credential has broad-ranging applications, for example for the pay-as-you-go strategy in the electronic subscription. However, the ‘plain vanilla’ pay-as-you-go strategy may not be suitable for non-regular users since the latter group is likely to require a tighter identity supervision mechanism. We also note that a key building block in the construction of an anonymous credential system is identity supervision. Since identity supervision is more than revocation, the approach to regulating user behavior needs to be both reasonable and practical. In a situation where the user is allowed to control their own identities, the latter approach could be more flexible compared to the revocation. There are existing works about the limitation on the k-times or epochs. However, due to the weaknesses of these single limitations, the combination of the customized k-times and epochs is necessary and remains to be done. In this paper, we present a permissioned redactable credentials scheme, which allows fine-grained supervision, user control, and user redaction. In our approach, we choose times and epochs as the regulation dimensions, which limits users invoke the credential show method for customized times in each epoch determined by the certificate authority. The users could also redact their credentials to realize selective disclosure. We then evaluate the proposed scheme’s performance and present a comparative summary to demonstrate potential utility.

In the paper we present novel anonymous credential schemes that provide controllable opening and linking capability. In a normal situation, signers are allowed to prove their possession of attributes of credentials anonymously and in a user-controllable way. The proof can demonstrate that certified claims hold with a desired privacy level, such as proving that age is within a certain value or a predefined range. However, in case of misbehaviors or for accountability, the identity of a signer can be revealed or signatures can be anonymously linked using opening and linking keys, respectively. The proposed scheme is designed to work for dynamic credential management allowing for the issuance of new credentials and proper revocation. To prove the security of the proposed anonymous credential scheme, we first define a security model to capture basic properties, anonymity, traceability, non-frameability, and controllable unlinkability. We then demonstrate that it satisfies all these properties under the standard assumption, i.e., q-strong Diffie-Hellman assumption in the random oracle model. Finally we provide a performance analysis of our scheme in terms of signature size and basic signing and verifying operations. Additionally, we present empirical results to show that the performance of our scheme is reasonably efficient. INDEX TERMS Privacy, anonymous credential, controllable unlinkability, dynamic membership, zeroknowledge proof.

Anonymous credential (AC) systems allow users, obtaining a credential on a set of attributes, to anonymously prove ownership of the credential and then to selectively disclose a subset of attributes without leaking any other attributes. Recently, a new type of AC, called keyed-verification anonymous credential (KVAC), has been proposed, which indicates that the credential issuer is also the verifier. Conceptually, the KVAC system is suitable for being used as employee cards, library access cards or eIDs (electronic ID cards). However, since the limited process power of smart cards, most of the existing KVAC systems are hard to be implemented on them. In addition, none of the existing KVAC systems provide traceability to obtain the user’s identity if anyone tries to misbehave with KVAC. In this paper, we present the first efficient and traceable KVAC system designated for smart cards. Our scheme provides the following security properties: unforgeability, anonymity, traceability and unlinkability. To demonstrate the efficiency and feasibility, we present an implementation of our scheme on standard Multos smart cards. The implementation results show that our scheme is efficient enough for practical use.

To enhance the user’s privacy in electronic ID, anonymous credential systems have been researched. In the anonymous credential system, a trusted issuing organization first issues a certificate certifying the user’s attributes to a user. Then, in addition to the possession of the certificate, the user can anonymously prove only the necessary attributes. Previously, an anonymous credential system was proposed, where CNF (Conjunctive Normal Form) formulas on attributes can be proved. The advantage is that the attribute proof in the authentication has the constant size for the number of attributes that the user owns and the size of the proved formula. Thus, various expressive logical relations on attributes can be efficiently verified. However, the previous system has a limitation: the proved CNF formulas cannot include any negation. Therefore, in this paper, we propose an anonymous credential system with constant-size attribute proofs such that the user can prove CNF formulas with negations. For the proposed system, we extend the previous accumulator for the limited CNF formulas to verify CNF formulas with negations.

As privacy-enhancing authentications without any TTP (Trusted Third Party), blacklistable anonymous credential systems with reputation have been proposed. However, the previous systems have the efficiency problem: The authentication data size is O ( L ) or O ( K ) , where L is the reputation list, and K is the size of a window indicating the most recent K authentications of the user. Therefore, the previous systems suffer from O ( L ) or O ( K ) -size data in each authentication. In addition, the authentication needs the computation of O ( L ) or O ( K ) exponentiations. In this paper, an efficient blacklistable anonymous credential system with reputation is proposed. In our system, the data size of the authentication is O ( 1 ) . Furthermore, although the computational costs in the authentication depend on some parameters, the parameter-related costs are only multiplications instead of exponentiations. Compared to the previously proposed blacklistable system FARB with the constant computational and communication costs, our system has the advantage that the clear/redeem protocol only has to be executed every interval instead of every session. For constructing our system, we newly introduce the concept of an accumulator for reputation, and propose an efficient construction.

In conventional ID-based user authentications, privacy issues may occur, since users’ behavior histories are collected in Service Providers (SPs). Although anonymous authentications such as group signatures have been proposed, these schemes rely on a Trusted Third Party (TTP) capable of tracing misbehaving users. Thus, the privacy is not high, because the TTP of tracing authority can always trace users. Therefore, the anonymous credential system using a blacklist without the TTP of tracing authority has been proposed, where blacklisted anonymous users can be blocked. Recently, an RSA-based blacklistable anonymous credential system with efficiency improvement has been proposed. However, this system still has an efficiency problem: The data size in the authentication is O(K0), where K0 is the maximum number of sessions in which the user can conduct. Furthermore, the O(K0)-size data causes the user the computational cost of O(K0) exponentiations. In this paper, a blacklistable anonymous credential system using a pairing-based accumulator is proposed. In the proposed system, the data size in the authentication is constant for parameters. Although the user’s computational cost depends on parameters, the dependent cost is O(δBL · K) multiplications, instead of exponentiations, where δBL is the number of sessions added to the blacklist after the last authentication of the user, and K is the number of past sessions of the user. The demerit of the proposed system is O(n)-size public key, where n corresponds to the total number of all sessions of all users in the system. But, the user only has to download the public key once.

Decentralized blacklistable anonymous credentials with reputation

This article describes how after the concept of anonymous credential systems was introduced in 1985, a number of similar systems have been proposed. However, these systems use zero-knowledge protocols to authenticate users, resulting in inefficient authentication during the stage of proving credential possession. To overcome this drawback, this article presents a signature scheme that uses partially blind signatures and chameleon hash functions such that both the prover and verifier achieve efficient authentication. In addition to providing a computational cost comparison table showing that the proposed signature scheme achieves a more efficient credential possession proving compared to other schemes, concrete security proofs are provided under a random oracle model to demonstrate that the proposed scheme satisfies the properties of anonymous credentials.

Structure-preserving signatures (SPS) are a powerful building block for cryptographic protocols. We introduce SPS on equivalence classes (SPS-EQ), which allow joint randomization of messages and signatures. Messages are projective equivalence classes defined on group-element vectors, so multiplying a vector by a scalar yields a different representative of the same class. Our scheme lets one adapt a signature for one representative to a signature for another representative without knowledge of any secret. Moreover, given a signature, an adapted signature for a different representative is indistinguishable from a fresh signature on a random message. We propose a definitional framework for SPS-EQ and an efficient construction in Type-3 bilinear groups, which we prove secure against generic forgers. We also introduce set-commitment schemes that let one open subsets of the committed set. From this and SPS-EQ, we then build an efficient multi-show attribute-based anonymous credential system for an arbitrary number of attributes. Our ABC system avoids costly zero-knowledge proofs and only requires a short interactive proof to thwart replay attacks. It is the first credential system whose bandwidth required for credential showing is independent of the number of its attributes, i.e., constant-size. We propose strengthened game-based security definitions for ABC and prove our scheme anonymous against malicious organizations in the standard model; finally, we discuss a concurrently secure variant in the CRS model.

The pervasive nature of the Internet of Things (IoT) entails additional threats that compromise the security and privacy of IoT devices and, eventually, the users. This issue is aggravated in constrained IoT devices equipped with minimal hardware resources. Current security and privacy implementations need to be redesigned and implemented maintaining its level of assurance, aiming for this family of devices. To cope with this issue, this paper proposes the first novel attempt to leverage anonymous credential systems (ACSs) to preserve the privacy of autonomous IoT constrained devices. Concretely, we have designed a solution to integrate IBM's identity mixer into constrained IoT ecosystems, endowing the IoT with ACSs' privacypreserving capabilities. The solution has been designed, implemented, and evaluated, proving its feasibility.