Post on 18-Oct-2020
An Efficient Anonymous Credential System
Norio Akagi (Kyoto University)
Yoshifumi Manabe (Kyoto University, NTT Laboratories)
Tatsuaki Okamoto (Kyoto University, NTT Laboratories)
Anonymous CredentialCredential ?
Certificate for person’s qualification/attributeEg.) “Student of Kyoto U”, “Right to enter a room”
Student
Kyoto U
(Authority: Issuer)
Verifier
Credential
Request of issuing a credential of a studentIssuing a credential
Kyoto U student!
Problem of a system(1)-Unforgeability
Student
Kyoto U
(Authority: Issuer)
Verifier
Credential
Request of issuing a credentialIssuing a credential
CredentialKyoto U Student!
Kyoto U student!
Problem of a system(2)-Privacy
Student
Kyoto U
(Authority: Issuer)
Verifier
Credential
Request of issuing a credentialIssuing a credential
Kyoto U student!
Issuer and verifier collude to identify the name, address, etc. of
Desirable Properties of a system(1) -Unforgeability
Student
verifieraccept
Kyoto U
(Authority: Issuer)
Credential
Desirable Properties of a system(2) –Anonymity&Unlinkability
Student
Kyoto U
(Authority: Issuer)
Credential
Request of issuing a credentialIssuing a credential
Credential
Anonymous
UnlinkableAnonymous
Desirable Properties of a system(3) –Blacklist of Users
Revocation of Credentialscase1-Blacklistable
Verifier
Student !
reject
NG
Credential
Desirable Properties of a system(4) –Identity Revealing
Revocation of Credentialscase2-Revealing Identity of bad users
Verifier
StudentCredential !
Opener
Additional Security Property on the System with Revocation(1)
TraceabilityUser cannot produce a credential such that
Opener cannot identify the origin Opener believes it has identified the origin but is unable to produce a correct proof of its claim.
Verifier
UserCredential !
Opener
?
Dishonest
Additional Security Property on the System with Revocation(2)
Non-frameabilityOpener cannot create a proof, accepted by Verifier, that an honest user produced a certain valid proof of the credential unless the user really did produce the proof of the credential.
Verifier
User1
User2
Credential
User1
!
Opener
Dishonest
Dishonest
Related Researches
Jan Camenisch and Anna Lysyanskaya“Signature Schemes and Anonymous Credentials from Bilinear Maps” (CRYPTO2004)→discrete log based (under LRSW assumption)
Jan Camenisch and Anna Lysyanskaya“An efficient non-transferable anonymous multi-show credential system with optional anonymity revocation” (EUROCRYPTO2001)
→strong RSA based, identity revealing function
Oracle assumption
Related Researches
Patrick Tsang, Man Ho Au, Apu Kapadia, and Sean Smith
"Blacklistable anonymous credentials: Blocking misbehaving users without TTPs. "
(CCS2007)→revocation(Blacklistable) function
Our Results
We construct two anonymous credential systems(SDH assumption based).
Basic system- without revocation function- perfect-anonymity-and-unlinkability
System with Revocation- with two ways of revocation
(blacklistable, credential revealing)- computational-anonymity-and-unlinkability
Bilinear Groups
computedyefficientlbecan,,inactiongroup,,.51),(
,for),(),(mapbilineardegenerate-non
where,:.4)(with,tofrommisomorphis:.3
ofgenerator:,ofgenerator:.2.orderprimeofgroupscyclictwoareand.1
21
21
21
2121
1212
2211
21
T
abba
TT
GGGegge
GvGuvuevue
pGGGGGGeggGG
GgGgpGG
ψ
ψψ
≠
∈∈=
===→×
=
・
・
L
Our Basic Anonymous Credential System
Key Generation
User
R
R
Authority
Our Basic Anonymous Credential System
Credential Issuing
UserRequest to issue a credential on qualification m
sr ,
Authority
σ ← g1mu1v1
s( )1
x+r
Verification( ) ( )smr vuggegwe 222122 ,, =σ
m
Our Basic Anonymous Credential System
Showing Anonymous Credential
User VerifierShows a randomized credential and proves the correctness by WI three-move protocols
sr ,t ∈R Zp
* , θ ∈R Zp*
WI - Proof of knowledge of (θ ≠ 0,rθ)forα = w2θ g2
rθ ,and (t ≠ 0,st) for β = (g2
m)tu2tv2
st
σ ← g1mu1v1
s( )1
x+r
σ '←σtθ = g1
mu1v1s( )
tθ
x+r( ),
α← w2g2r( )θ ,
β ← g2mu2v2
s( )t . ( ) ( )βασ ,,' 1gee =
Security of Our Basic System
UnforgeabilitycomputationalSDH assumption
Anonymity and Unlinkabilityinformation-theoritical
Efficiency of Our Basic System
CL04 OursAssumption LRSW SDH
Size of pk 7 elements 5 elements
Size of sk 3 elements 1 element
Size of Cred 5 elements 3 elements
Size of Proof 4 elements 17 elements
Ops to Issue 5 exp 1 exp
Ops to Verify 8 pairings+2exp 2 pairings+2exp
Ops to Prove 8 pairings+7exp 2 pairings+15exp
Our Anonymous Credential System With Revocation
Key Generation
User AuthorityOpener
R
R
SK:PK:
SK:PK:
USK,UPK
Our Anonymous Credential System With Revocation
Credential Issuing
User Authority
Uq Siggm ,, 2
Signature on by using USK
Verifies by using USigUPKsr ,
σ ← g1m+qu1v1
s( )1
x+r
Verification( ) ( )sqmr vuggegwe 222122 ,, +=σ
writes
In database DB
( )Uq Siggmsr ,,,,, 2σ
g2q
Our Anonymous Credential System With Revocation
Showing Anonymous Credential
User
Verifier
t1, t2 ∈R Zp* ,
θ ∈R Zp* ,ρ ∈R Zp
* ,
f , ˆ f ∈R G1
sr ,( ) rxsqm vug ++←
1
111σ
( ) ( )βασ ,,' 1gee =
( ) ( ) ( )ρχ 2
?
2 ,,, gfebfege i
)≠
BL( )lbbb L,, 21=
22qg
σ '←σ ⋅ g1t1 + t2 = g1
m+qu1v1s( )x+r
⋅ g1t1 + t2 ,
α ← w2g2r( )θ ,
β ← g2m+qu2v2
s( )t ⋅α t1 + t2 ,
d1 ←ψ U( )t1 ,d2 ←ψ V( )t2 ,
χ ← f q) f ρ ,
f , ˆ f ,ρ
REJECT
Blacklistable
Our Anonymous Credential System With Revocation
Revealing Identity of a bad user
User
Verifier
Opener 'σ1d2dσ '←σ ⋅ g1
t1 + t2 = g1m+qu1v1
s( )x+r⋅ g1
t1 + t2 ,
α ← w2g2r( )θ ,
β ← g2m+qu2v2
s( )t ⋅α t1 + t2 ,
d1 ←ψ U( )t1 ,d2 ←ψ V( )t2
21
1
2
1
1
'
ξξ
σσdd
=
( )Uq Siggmsr ,,,, 2
from DB
( ) ( )βασ ,,' 1gee = checks by using USig UPK
Efficiency of Our System with Revocation
CL01 OursAssumption strong RSA, DDH SDH
Size of pk 10 elements (|N|) 8 elements (|p|)
Size of sk 7 elements (|N|) 5 element (|p|)
Size of Cred 3 elements (|N|) 3 elements (|p|)
Size of Proof 9 elements (|N|) 42 elements (|p|)
Size of Open 15 elements (|N|) 15 elements (|p|)
Ops to Prove 9 exp (N) 2exp, l+2 pairings (p)(l : Blacklisted users)
Ops to Issue 1 exp (N) 4 exp (p)
Ops to Verify 1 exp (N) 4 exp (p)
Ops to Reveal 14 exp (N) 12 exp, 2 pairing (p)
Security of Our System with Revocation
UnforgeabilitycomputationalSDH assumption
Anonymity and Unlinkabilitycomputational, except for the OpenerDDL assumption
Security of Our System with Revocation
TreaceabilitycomputationalSDH assumption
Non-frameabilitycomputationalSDH assumption
Conclusion
Two anonymous credential systemsThe Basic system
information-theoretically anonymous-and-unlinkable
The System with revocationBlacklistable, Identity Revealing
Proofs of SecurityComparison of Efficiency