Anonymous Credential System Research Articles

Random oracle-based anonymous credential system for efficient attributes proof on smart devices

Attributes proof in anonymous credential systems is an effective way to balance security and privacy in user authentication; however, the linear complexity of attributes proof causes the existing anonymous credential systems far away from being practical, especially on resource-limited smart devices. For efficiency considerations, we present a novel pairing-based anonymous credential system which solves the linear complexity of attributes proof based on aggregate signature scheme. We propose two extended signature schemes, BLS+ and BGLS+, to be cryptographical building blocks for constructing anonymous credentials in the random oracle model. Identity-like information of message holder is encoded in a signature in order that the message holder can prove the possession of the input message along with the validity of a signature. We present issuance protocol for anonymous credentials embedding weak attributes which are referred to what cannot identify a user in a population. Users can prove any combination of attributes all at once by aggregating the corresponding individual credentials into one. The attributes proof protocols on AND and OR relation over multiple attributes are also given. The performance analysis shows that the aggregation-based anonymous credential system outperforms both the conventional Camenisch–Lysyanskaya pairing-based system and the accumulator-based system when prove AND and OR relation over multiple attributes, and the size of credential and public parameters are shorter as well.

Non-Interactive Anonymous Credential Based on Structure-Preserving Signature

ABSTRACTStructure-preserving signature, as a special kind of digital signature, provides a way to construct modular cryptographic protocols with reasonable efficiency while retaining conceptual simplicity. This feature makes it suitable to be applied in the construction of non-interactive anonymous credential systems, which allows the user to convince a verifier of the possession of a certificate issued by the trusted authority anonymously and efficiently without interaction. In this paper, we design a secure and efficient structure-preserving signature scheme (SPSIG), and combine the scheme with Groth–Sahai non-interactive zero-knowledge (GSNIZK) proof system to construct a non-interactive anonymous credential scheme. The SPSIG is based on q-ADH-SDH assumption and can resist existential forgery in the chosen message attack. The message, signature, and verification keys are group elements, which are fully compatible with the GSNIZK system. The SXDH assumption is employed to instantiate the certificate-proving process, which is considered to be the most efficient instantiation at the moment. We analyze the efficiency and formally prove the security in the standard model. The result shows that our scheme satisfies correctness, zero knowledge, and unforgeability, and achieves identity authentication in the way of anonymity. Besides, our scheme has stronger anonymity, traceability, and non-interaction, and has lower communication cost compared with the conventional schemes.

A New and Efficient Signature on Commitment Values

We present a new short signature scheme based on a variant of the Boneh-Boyen's short signatures schemes. Our short signature scheme is secure without requiring the random oracle model. We show how to prove a committed value embedded in our short signature. Using this primitive, we construct an efficient anonymous credential system.

Blactr: A Technique to Revoke the Misbehaving Users with TTP

Anonymous credential systems permit the users to authenticate themselves in a privacy- preserving way. An anonymous credential system is of major practical relevance because it is the best means of providing privacy for users. In this paper, we propose a technique known as Blacklistable Anonymous Credentials with Trust Reputation (BLACTR) for revoking misbehaving users with Trusted Third Party (TTP). The technique uses both Certifying Authority (CA) review as well as other user reviews in order to blacklist a user making use of the fuzzy and rule matched to check if the person is to be blacklisted or not. The proposed technique performed well when compared to BLAC and BLACR.

Efficient Proofs for CNF Formulas on Attributes in Pairing-Based Anonymous Credential System

To enhance user privacy, anonymous credential systems allow the user to convince a verifier of the possession of a certificate issued by the issuing authority anonymously. In the systems, the user can prove relations on his/her attributes embedded into the certificate. Previously, a pairing-based anonymous credential system with constant-size proofs in the number of attributes of the user was proposed. This system supports the proofs of the inner product relations on attributes, and thus can handle the complex logical relations on attributes as the CNF and DNF formulas. However this system suffers from the computational cost: The proof generation needs exponentiations depending on the number of the literals in OR relations. In this paper, we propose a pairing-based anonymous credential system with the constant-size proofs for CNF formulas and the more efficient proof generation. In the proposed system, the proof generation needs only multiplications depending on the number of literals, and thus it is more efficient than the previously proposed system. The key of our construction is to use an extended accumulator, by which we can verify that multiple attributes are included in multiple sets, all at once. This leads to the verification of CNF formulas on attributes. Since the accumulator is mainly calculated by multiplications, we achieve the better computational costs.

Using Distributed User Interfaces in Collaborative, Secure, and Privacy-Preserving Software Environments

In complex, ad hoc constituted situations, people with different intentions, experiences, and expertise need or want to cooperate to cope with the domain-specific challenges they face. These situations can occur in both a professional and a leisure-life context. Cooperative systems providing enhanced interaction facilities in the user interface (e.g., direct manipulation techniques) could substantially support cooperation especially for geographically distributed cooperating participants. In many cases, sensitive information has to be shared in a common workspace requiring different handling procedures according to the different types of participants involved in these ad hoc processes. This article proposes the use of a common, multilaterally secure distributed user interface to support collaboration for distributed groups of process participants. The system combines a collaborative multipointer system with an anonymous credential security system to provide users with an easy way to share and access information securely, ensuring the privacy of sensitive information communicated in the course of ad hoc processes. Various scenarios representing contrary use cases from three different projects are introduced to derive typical requirements and to show the generality of the proposed system and its core components.

Introducing proxy zero‐knowledge proof and utilization in anonymous credential systems

ABSTRACTIn pseudonym systems, users by means of pseudonyms anonymously interact with organizations to obtain credentials. The credential scheme constructed by Lysyanskaya and Camenisch is among the most complete credential systems, in which “all‐or‐nothing” sharing scheme is used to prevent users sharing their credentials. If a user cannot directly show a credential issued by an organization, she or he has to give her or his own secret key to someone else as a proxy; afterward, the proxy can show the credential on behalf of the user. Thus, according to the all‐or‐nothing property of the system, having the user's secret key, the proxy can use all credentials of the user for itself. To solve this problem, in this paper, we present proxy zero‐knowledge proof and utilize it in Lysyanskaya and Camenisch anonymous credential system. In our proposed system, instead of giving the secret key to the proxy, the user generates a proxy key based on the desired credential particularly for the proxy. Therefore, the proxy neither is the owner of the user's credential nor uses his or her other credentials. Copyright © 2012 John Wiley & Sons, Ltd.

Guest Editorial: Computing and Combinatorics

“Computing and Combinatorics” is an interesting and fundamental research area, which involves several fields, ranging from algorithms, theory of computation, and computational complexity to combinatorics related to computing. This issue consists of six papers, which are briefly discussed as follows. The “Shorthand Universal Cycles for Permutations” paper investigates SP-cycles with maximum and minimum ’weight’. The authors show that periodic min-weight SP-cycles correspond to spanning trees of the (n− 1) permutohedron and provides two constructions by using ’half-hunts’ from bell-ringing and the cool-lex order. In “Zero-Knowledge Argument for Simultaneous Discrete Logarithms,” the authors present an EQDL (the equality of two discrete logarithms) protocol in the ROM (random oracle model) which saves approximately 40 % of the computational cost and approximately 33 % of the prover’s outgoing message size. This improvement benefits a variety of interesting cryptosystems, ranging from signatures and anonymous credential systems, to verifiable secret sharing and threshold cryptosystems. The issue also includes the study of computational complexity. Namely, the paper “Tile-Packing Tomography is NP-hard” shows that for a fixed tile, it is NP-hard to reconstruct its tilings from their projections for all types of tiles. The #NC1 upper bound for the problem of counting accepting paths in any fixed visibly pushdown automaton is considered in “Counting paths in VPA is complete for #NC1”. The paper also shows that the difference between #BWBP and #NC1 is captured exactly by the addition of a visible stack to a nondeterministic finite-state automaton. Due to the NP-hardness of the problems, approximation algorithms are needed to provide a near-optimal solution. In “Exact and Approximation Algorithms for Geometric and General Capacitated Set Cover Problems”, the first known polynomial-

Efficient Attributes for Anonymous Credentials

We extend the Camenisch-Lysyanskaya anonymous credential system such that selective disclosure of attributes becomes highly efficient. The resulting system significantly improves upon existing approaches, which suffer from a linear number of modular exponentiations in the total number of attributes. This limitation makes them unfit for many practical applications, such as electronic identity cards. Our novel approach can incorporate a large number of binary and finite-set attributes without significant performance impact. It compresses all such attributes into a single attribute base and, thus, boosts the efficiency of all proofs of possession. The core idea is to encode discrete binary and finite-set values as prime numbers. We then use the divisibility property for efficient proofs of their presence or absence. In addition, we contribute efficient methods for conjunctions and disjunctions. The system builds on the strong RSA assumption. We demonstrate the aptness of our method in realistic application scenarios, notably electronic identity cards, and show its advantages for small devices, such as smartcards and cell phones.

Anonymous Credential with Attributes Certification after Registration

An anonymous credential system enables individuals to selectively prove their attributes while all other knowledge remains hidden. We considered the applicability of such a system to large scale infrastructure systems and perceived that revocations are still a problem. Then we contrived a scenario to lessen the number of revocations by using more attributes. In this scenario, each individual needs to handle a huge number of attributes, which is not practical with conventional systems. In particular, each individual needs to prove small amounts of attributes among a huge number of attributes and the manager of the system needs to certify a huge number of attributes of individuals periodically. These processes consume extremely large resources. This paper proposes an anonymous credential system in which both a user's proving attributes set, which is included in a huge attribute set, and manager's certifying attributes are very efficient. Conclusion Our proposal enables an anonymous credential system to be deployed as a large scale infrastructure system.

A Pairing-Based Anonymous Credential System with Efficient Attribute Proofs

A Pairing-Based Anonymous Credential System with Efficient Attribute Proofs

A Pairing-Based Anonymous Credential System with Efficient Attribute Proofs

A Pairing-Based Anonymous Credential System with Efficient Attribute Proofs

Zero-Knowledge Argument for Simultaneous Discrete Logarithms

In Crypto 1992, Chaum and Pedersen introduced a protocol (CP protocol for short) for proving the equality of two discrete logarithms (EQDL) with unconditional soundness, which is widely used nowadays and plays a central role in DL-based cryptography. Somewhat surprisingly, the CP protocol has never been improved for nearly two decades since its advent. We note that the CP protocol is usually used as a non-interactive proof by using the Fiat-Shamir heuristic, which inevitably relies on the random oracle model (ROM) and assumes that the adversary is computationally bounded. In this paper, we present an EQDL protocol in the ROM which saves approximately 40% of the computational cost and approximately 33% of the prover’s outgoing message size when instantiated with the same security parameter. The catch is that our security guarantee only holds for computationally bounded adversaries. Our idea can be naturally extended for simultaneously showing the equality of n discrete logarithms with O(1)-size commitment, in contrast to the n-element adaption of the CP protocol which requires O(n)-size. This improvement benefits a variety of interesting cryptosystems, ranging from signatures and anonymous credential systems, to verifiable secret sharing and threshold cryptosystems. As an example, we present a signature scheme that only takes one (offline) exponentiation to sign, without utilizing pairing, relying on the standard decisional Diffie-Hellman assumption.

BLAC

Several credential systems have been proposed in which users can authenticate to service providers anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a Trusted Third Party (TTP). The ability of the TTP to revoke a user’s privacy at any time, however, is too strong a punishment for misbehavior. To limit the scope of deanonymization, some systems have been proposed in which users can be deanonymized only if they authenticate “too many times,” such as “double spending” with electronic cash. While useful in some applications, such techniques cannot be generalized to more subjective definitions of misbehavior, for example, using such schemes it is not possible to block anonymous users who “deface too many Web pages” on a Web site. We present BLAC, the first anonymous credential system in which service providers can revoke the credentials of misbehaving users without relying on a TTP . Since revoked users remain anonymous, misbehaviors can be judged subjectively without users fearing arbitrary deanonymization by a TTP . Additionally, our construction supports a d-strikes-out revocation policy, whereby users who have been subjectively judged to have repeatedly misbehaved at least d times are revoked from the system. Thus, for the first time, it is indeed possible to block anonymous users who have “defaced too many Web pages” using our scheme.

Vulnerabilities in Anonymous Credential Systems

We show the following:(i)In existing anonymous credential revocation systems, the revocation authority can link the transactions of any user in a subset T of users in O(log|T|) fake failed sessions.(ii)A concern about the DLREP-I anonymous credentials system described in [Stefan Brands: Rethinking public key infrastructure and Digital Certificates; The MIT Press, Cambridge Massachusetts, London England. ISBN 0-262-02491-8] and [Stefan Brands: A Technical Overview of Digital Credentials; February 2002 (was a white paper in credentica.com)].

Witness Hiding Proofs and Applications

<p>Witness hiding is a basic requirement for most cryptology protocols. The concept was proposed by Feige and Shamir several years ago. This thesis concentrates on witness hiding protocols and its applications.</p><p>The possibility to divert a witness hiding protocol parallelly had been an open problem for some time. The parallel divertibility is not only of theoretical significance but also a crucial point for the security of some applications, for example, electronic cash, digital signatures, etc. It is proved, in this thesis, that with limited computational power, it is impossible to divert a witness hiding protocol parallelly to two independent verifiers with large probability.</p><p>The thesis explores the applications of witness hiding protocols in anonymous credentials, election schemes, and group signatures. In an anonymous credential system, one user may have many pseudonyms. The credentials issued on one of a user's pseudonyms can be transferred to other pseudonyms by the user without revealing the links between pseudonyms. Election, as a practical model, is formally defined. Two election schemes are proposed and discussed. Especially the voting scheme is parallelized with electronic cash system so that some new tool can be introduced. Group signature is a kind of digital signature for a group of people such that only members of the group can sign messages on behalf of the group and without revealing which member has signed. But the signer can be identified by either an authority or a certain number of group members who hold some kind of auxiliary information. The new group signature schemes, based on witness hiding proofs, have several advantages, compared with the original scheme proposed by Chaum and Heijst. The most important improvement is that the signers can be identified by a majority of group members, which had been a open problem in the literature. In this thesis, some theoretical results about bounds of secret keys and auxiliary information have been proved.</p>