An Efficient Anonymous Credential System Norio Akagi (Kyoto University) Yoshifumi Manabe (Kyoto University, NTT Laboratories) Tatsuaki Okamoto (Kyoto University, NTT Laboratories)
An Efficient Anonymous Credential System
Norio Akagi (Kyoto University)
Yoshifumi Manabe (Kyoto University, NTT Laboratories)
Tatsuaki Okamoto (Kyoto University, NTT Laboratories)
Anonymous CredentialCredential ?
Certificate for person’s qualification/attributeEg.) “Student of Kyoto U”, “Right to enter a room”
Student
Kyoto U
(Authority: Issuer)
Verifier
Credential
Request of issuing a credential of a studentIssuing a credential
Kyoto U student!
Problem of a system(1)-Unforgeability
Student
Kyoto U
(Authority: Issuer)
Verifier
Credential
Request of issuing a credentialIssuing a credential
CredentialKyoto U Student!
Kyoto U student!
Problem of a system(2)-Privacy
Student
Kyoto U
(Authority: Issuer)
Verifier
Credential
Request of issuing a credentialIssuing a credential
Kyoto U student!
Issuer and verifier collude to identify the name, address, etc. of
Desirable Properties of a system(1) -Unforgeability
Student
verifieraccept
Kyoto U
(Authority: Issuer)
Credential
Desirable Properties of a system(2) –Anonymity&Unlinkability
Student
Kyoto U
(Authority: Issuer)
Credential
Request of issuing a credentialIssuing a credential
Credential
Anonymous
UnlinkableAnonymous
Desirable Properties of a system(3) –Blacklist of Users
Revocation of Credentialscase1-Blacklistable
Verifier
Student !
reject
NG
Credential
Desirable Properties of a system(4) –Identity Revealing
Revocation of Credentialscase2-Revealing Identity of bad users
Verifier
StudentCredential !
Opener
Additional Security Property on the System with Revocation(1)
TraceabilityUser cannot produce a credential such that
Opener cannot identify the origin Opener believes it has identified the origin but is unable to produce a correct proof of its claim.
Verifier
UserCredential !
Opener
?
Dishonest
Additional Security Property on the System with Revocation(2)
Non-frameabilityOpener cannot create a proof, accepted by Verifier, that an honest user produced a certain valid proof of the credential unless the user really did produce the proof of the credential.
Verifier
User1
User2
Credential
User1
!
Opener
Dishonest
Dishonest
Related Researches
Jan Camenisch and Anna Lysyanskaya“Signature Schemes and Anonymous Credentials from Bilinear Maps” (CRYPTO2004)→discrete log based (under LRSW assumption)
Jan Camenisch and Anna Lysyanskaya“An efficient non-transferable anonymous multi-show credential system with optional anonymity revocation” (EUROCRYPTO2001)
→strong RSA based, identity revealing function
Oracle assumption
Related Researches
Patrick Tsang, Man Ho Au, Apu Kapadia, and Sean Smith
"Blacklistable anonymous credentials: Blocking misbehaving users without TTPs. "
(CCS2007)→revocation(Blacklistable) function
Our Results
We construct two anonymous credential systems(SDH assumption based).
Basic system- without revocation function- perfect-anonymity-and-unlinkability
System with Revocation- with two ways of revocation
(blacklistable, credential revealing)- computational-anonymity-and-unlinkability
Bilinear Groups
computedyefficientlbecan,,inactiongroup,,.51),(
,for),(),(mapbilineardegenerate-non
where,:.4)(with,tofrommisomorphis:.3
ofgenerator:,ofgenerator:.2.orderprimeofgroupscyclictwoareand.1
21
21
21
2121
1212
2211
21
T
abba
TT
GGGegge
GvGuvuevue
pGGGGGGeggGG
GgGgpGG
ψ
ψψ
≠
∈∈=
===→×
=
・
・
L
Our Basic Anonymous Credential System
Key Generation
User
R
R
Authority
Our Basic Anonymous Credential System
Credential Issuing
UserRequest to issue a credential on qualification m
sr ,
Authority
σ ← g1mu1v1
s( )1
x+r
Verification( ) ( )smr vuggegwe 222122 ,, =σ
m
Our Basic Anonymous Credential System
Showing Anonymous Credential
User VerifierShows a randomized credential and proves the correctness by WI three-move protocols
sr ,t ∈R Zp
* , θ ∈R Zp*
WI - Proof of knowledge of (θ ≠ 0,rθ)forα = w2θ g2
rθ ,and (t ≠ 0,st) for β = (g2
m)tu2tv2
st
σ ← g1mu1v1
s( )1
x+r
σ '←σtθ = g1
mu1v1s( )
tθ
x+r( ),
α← w2g2r( )θ ,
β ← g2mu2v2
s( )t . ( ) ( )βασ ,,' 1gee =
Security of Our Basic System
UnforgeabilitycomputationalSDH assumption
Anonymity and Unlinkabilityinformation-theoritical
Efficiency of Our Basic System
CL04 OursAssumption LRSW SDH
Size of pk 7 elements 5 elements
Size of sk 3 elements 1 element
Size of Cred 5 elements 3 elements
Size of Proof 4 elements 17 elements
Ops to Issue 5 exp 1 exp
Ops to Verify 8 pairings+2exp 2 pairings+2exp
Ops to Prove 8 pairings+7exp 2 pairings+15exp
Our Anonymous Credential System With Revocation
Key Generation
User AuthorityOpener
R
R
SK:PK:
SK:PK:
USK,UPK
Our Anonymous Credential System With Revocation
Credential Issuing
User Authority
Uq Siggm ,, 2
Signature on by using USK
Verifies by using USigUPKsr ,
σ ← g1m+qu1v1
s( )1
x+r
Verification( ) ( )sqmr vuggegwe 222122 ,, +=σ
writes
In database DB
( )Uq Siggmsr ,,,,, 2σ
g2q
Our Anonymous Credential System With Revocation
Showing Anonymous Credential
User
Verifier
t1, t2 ∈R Zp* ,
θ ∈R Zp* ,ρ ∈R Zp
* ,
f , ˆ f ∈R G1
sr ,( ) rxsqm vug ++←
1
111σ
( ) ( )βασ ,,' 1gee =
( ) ( ) ( )ρχ 2
?
2 ,,, gfebfege i
)≠
BL( )lbbb L,, 21=
22qg
σ '←σ ⋅ g1t1 + t2 = g1
m+qu1v1s( )x+r
⋅ g1t1 + t2 ,
α ← w2g2r( )θ ,
β ← g2m+qu2v2
s( )t ⋅α t1 + t2 ,
d1 ←ψ U( )t1 ,d2 ←ψ V( )t2 ,
χ ← f q) f ρ ,
f , ˆ f ,ρ
REJECT
Blacklistable
Our Anonymous Credential System With Revocation
Revealing Identity of a bad user
User
Verifier
Opener 'σ1d2dσ '←σ ⋅ g1
t1 + t2 = g1m+qu1v1
s( )x+r⋅ g1
t1 + t2 ,
α ← w2g2r( )θ ,
β ← g2m+qu2v2
s( )t ⋅α t1 + t2 ,
d1 ←ψ U( )t1 ,d2 ←ψ V( )t2
21
1
2
1
1
'
ξξ
σσdd
=
( )Uq Siggmsr ,,,, 2
from DB
( ) ( )βασ ,,' 1gee = checks by using USig UPK
Efficiency of Our System with Revocation
CL01 OursAssumption strong RSA, DDH SDH
Size of pk 10 elements (|N|) 8 elements (|p|)
Size of sk 7 elements (|N|) 5 element (|p|)
Size of Cred 3 elements (|N|) 3 elements (|p|)
Size of Proof 9 elements (|N|) 42 elements (|p|)
Size of Open 15 elements (|N|) 15 elements (|p|)
Ops to Prove 9 exp (N) 2exp, l+2 pairings (p)(l : Blacklisted users)
Ops to Issue 1 exp (N) 4 exp (p)
Ops to Verify 1 exp (N) 4 exp (p)
Ops to Reveal 14 exp (N) 12 exp, 2 pairing (p)
Security of Our System with Revocation
UnforgeabilitycomputationalSDH assumption
Anonymity and Unlinkabilitycomputational, except for the OpenerDDL assumption
Security of Our System with Revocation
TreaceabilitycomputationalSDH assumption
Non-frameabilitycomputationalSDH assumption
Conclusion
Two anonymous credential systemsThe Basic system
information-theoretically anonymous-and-unlinkable
The System with revocationBlacklistable, Identity Revealing
Proofs of SecurityComparison of Efficiency