In anonymous credential systems, a user with an anonymous credential may prove select private information while protecting other parts of the user's identity. For example, a person may choose to disclose only having a valid driver's license without disclosing name, age, address, etc. (or vice versa).
In some cases, anonymous credentails may be delegated. With delegatable credentials, a chain of delegation may describe a number of users delegating authority in a particular direction.
Some applications of anonymous credential systems include direct anonymous attestation and anonymous electronic identity tokens. Some of these approaches have been captured in implementations including U-prove, Idemix, and java cards.
Anonymous credential systems may include revocation functionality. With revocation, credentials may be invalided. Revocation is useful with regard to many organizational matters, including disputes, compromise, mistakes, identity change, hacking and other insecurities.
Revocation is challenging in anonymous credential systems because it is difficult to anonymously prove that a credential is not revoked. In the case of delegatable credentials, chains of delegation may be difficult to trail because of anonymity protections. As such, revocation may be especially challenging for anonymous credential systems with delegatable credentials.
The following presents a simplified summary of the innovation in order to provide a basic understanding of some aspects described herein. This summary is not an extensive overview of the claimed subject matter. It is intended to neither identify key or critical elements of the claimed subject matter nor delineate the scope of the subject innovation. Its sole purpose is to present some concepts of the claimed subject matter in a simplified form as a prelude to the more detailed description that is presented later.
The subject innovation relates to a method and a system for revoking delegatable anonymous credentials. The method includes receiving a request to revoke an anonymous credential. A valid anonymous credential may be representative of an ability to prove non-membership in an accumulator for a first entity. The anonymous credential is delegated from the first entity to a second entity. The method also includes revoking the anonymous credential from the first entity in response to the request to revoke the anonymous credential. Additionally, the method includes revoking the anonymous credential from a second entity in response to the request to revoke the anonymous credential.
An exemplary system according to the subject innovation may be used for delegatable anonymous credentials. The exemplary system comprises a processing unit and a system memory that comprises code configured to direct the processing unit to receive a request to revoke an anonymous credential representative of an ability to prove non-membership in a universal, dynamic accumulator for a first entity.
The code may also be configured to direct the processing unit to revoke the anonymous credential from the first entity in response to the request to revoke the anonymous credential. In particular, the code may be configured to direct the processing unit to revoke the anonymous credential from a second entity in response to the request to revoke the anonymous credential
Another exemplary embodiment of the subject innovation provides one or more computer readable storage media that include code to direct the operation of a processing unit. In one exemplary embodiment, the code may direct the processing unit to receive a request to revoke an anonymous credential representative of an ability to prove non-membership in an accumulator for a first entity. The request is received from an anonymous credential system.
The code may also direct the processing unit to revoke the anonymous credential from the first entity in response to the request to revoke the anonymous credential. Additionally, the code may direct the processing unit to revoke the anonymous credential from a second entity in response to the request to revoke the anonymous credential.
The following description and the annexed drawings set forth in detail certain illustrative aspects of the claimed subject matter. These aspects are indicative, however, of a few of the various ways in which the principles of the innovation may be employed and the claimed subject matter is intended to include all such aspects and their equivalents. Other advantages and novel features of the claimed subject matter will become apparent from the following detailed description of the innovation when considered in conjunction with the drawings.
The claimed subject matter is described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the subject innovation. It may be evident, however, that the claimed subject matter may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate describing the subject innovation.
As utilized herein, terms “component,” “system,” “browser,” “search engine,” “client” and the like are intended to refer to a computer-related entity, either hardware, software (e.g., in execution), and/or firmware, or a combination thereof. For example, a component can be a process running on a processor, an object, an executable, a program, a function, a library, a subroutine, and/or a computer or a combination of software and hardware.
By way of illustration, both an application running on a server and the server can be a component. One or more components can reside within a process and a component can be localized on one computer and/or distributed between two or more computers. The term “processor” is generally understood to refer to a hardware component, such as a processing unit of a computer system.
Furthermore, the claimed subject matter may be implemented as a method, apparatus, or article of manufacture using standard programming and/or engineering techniques to produce software, firmware, hardware, or any combination thereof to control a computer to implement the disclosed subject matter. The term “article of manufacture” as used herein is intended to encompass a computer program accessible from any non-transitory computer-readable device, or media.
Non-transitory computer-readable storage media can include but are not limited to magnetic storage devices (e.g., hard disk, floppy disk, and magnetic strips, among others), optical disks (e.g., compact disk (CD), and digital versatile disk (DVD), among others), smart cards, and flash memory devices (e.g., card, stick, and key drive, among others). In contrast, computer-readable media generally (i.e., not necessarily storage media) may additionally include communication media such as transmission media for wireless signals and the like.
Of course, those skilled in the art will recognize many modifications may be made to this configuration without departing from the scope or spirit of the claimed subject matter. Moreover, the word “exemplary” is used herein to mean serving as an example, instance, or illustration. Any aspect or design described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other aspects or designs.
Proof systems are used in many cryptographic systems, such as signature, authentication, encryption, mix-net, and anonymous credential systems. In a proof system between a prover and a verifier, an honest prover with a witness can convince a verifier about the truth of a statement. However, an adversary cannot convince a verifier of a false statement.
One proof system, Groth and Sahai non-interactive proof system (GS proof system) provides several advantages. The GS proof systems are efficient and general, and do not use the random oracle assumption. The random oracle model assumes the existence of an oracle, returns a uniformly random response to queries, and outputs the same response for the same query. Additionally, GS proof systems can be randomized. For example, a new proof may be generated from an existing proof of the same statement without knowing the witness. Advantageously, as described below, GS proof systems are also homomorphic.
Proof systems are used to construct accumulators. An accumulator allows aggregation of a large set of elements into one constant-size accumulator value. A membership proof system may be used to prove that an element is in the accumulated value.
A non-membership proof system may be used to prove that an element is not accumulated. It can be used for revoking anonymous credentials.
For example, an accumulator may aggregate a large set of revoked credentials. The user whose credential has not been revoked may want to prove that the credential is not revoked by using the accumulator's non-membership proof system.
One embodiment provides an accumulator that is dynamic and universal. An accumulator may be dynamic if costs of certain operations do not depend on the number of elements aggregated. These operations may include adding elements, deleting elements, updating the accumulator value, and updating the proof systems' witnesses.
An accumulator is said to be universal if, in addition to the membership proof system, the accumulator includes a non-membership proof system. The non-membership proof system may prove that a given element is not accumulated in the accumulator value, e.g., the valid credential is not aggregated into the accumulator value.
Some applications of accumulators include space-efficient time stamping, ad-hoc anonymous authentication, ring signatures, ID-Based systems, and membership revocation for identity escrow, group signatures and anonymous credentials.
In one embodiment, homomorphic proofs may allow adding proofs and their statements to generate a new proof of the summed statement. A construction of such homomorphic proofs may be used in an accumulator scheme with delegatable non-membership (NM) proofs. This scheme may be used to extend a scheme with randomizable proofs and delegatable anonymous credentials. In this manner, an anonymous credential system with delegatable credentials may be created. This system may include revocation for the delegatable credentials.
As such, the accumulator's delegatable NM proofs may enable user A, without revealing user A's identity, to delegate to user B the ability to prove that A's credential has not been revoked. This ability may be supported even in scenarios where a blacklist of revoked credentials is dynamic.
Additionally, the delegation may be redelegatable, unlinkable, and verifiable. The security of the proposed schemes is provable.
An anonymous credential system is delegatable if credentials can be delegated from one user, the delegator, to another user, the delegatee. The delegatee may anonymously prove a credential which is delegated some levels away from the original delegator. Delegation is useful for efficiently managing many kinds of organizations. For example, many organizations include some authority who delegates tasks to a workforce so no one person is overburdened.
The system 100 may include an accumulator 102 and a blacklist authority 104. The accumulator 102 may implement the accumulator scheme with delegatable non-membership (NM) proofs.
The accumulator 102 may include an accumulator value 106 and proof systems 108. The blacklist authority 104 may use the accumulator 102 to create a blacklist and accumulate revoked identities of anonymous credentials. The accumulator value 106 is referred to herein as the blacklist because the accumulator 102 may aggregate the identities of revoked credentials in the accumulator value 106.
In the system 100, a user may prove that an identity is not accumulated in the blacklist. The user may also delegate this proof. Further, the delegatee may re-delegate or compute proofs based on the delegation.
The system 100 may be used with several anonymous credential systems with or without delegatability. In one embodiment, several anonymous credential systems, based on prime order, may be integrated with the system 100. In such embodiments, the anonymous credentials may or may not be delegatable.
The efficiencies of accumulators typically depend on the constant costs of their proofs. However, there is a tradeoff between the cost of computing and updating a witness. The cost of updating a witness is linear to the number of accumulated elements. As such, accumulators may be an inefficient choice in scenarios that involve numerous changes to the accumulator value, but only a few proofs. In some scenarios, the accumulator may be adjusted to improve performance. Some example improvement is described in greater detail with respect to Section 7.
1. Introduction
In one embodiment, homomorphic proofs may be extended to include an operation which adds proofs, their statements, and their witnesses. The adding operation may generate a new valid proof of the sum statement and the sum witness. In the following sections, a construction for homomorphic proofs from GS proofs is presented and proven. GS proofs have a high level of generalization, which enables their application in a number of areas, including group signatures, ring signatures, mix-nets, oblivious transfer, and anonymous credentials. In one embodiment, the construction of homomorphic proofs uses a general form of GS proofs to broaden the range of possible applications.
Some applications for homomorphic proofs may include homomorphic signatures, homomorphic authentication, network coding, digital photography, and undeniable signatures. Homomorphic encryption and commitment schemes have been used in mix-nets, voting, anonymous credentials, and other multi-party computation systems.
Additionally, homomorphic non-interactive zero knowledge (NIZK) is used for homomorphic encryption, which allows computing any generic functions of encrypted data without decryption. Homomorphic NIZK may be applied in scenarios such as, cloud computing and searchable encryption. Homomorphic proofs may also be useful in these contexts.
Homomorphic proofs bring delegatability of proofs to another level. A proof's statement often consists of some commitments of variables (witnesses) and some conditions. A proof may be randomizable or malleable. As such, it is possible to generate a new proof and to randomize the statement's commitments without witness. However, the statement's conditions stay the same.
Homomorphic proofs allow generating a new proof for a new statement containing new conditions, without any witness. A user can delegate the user's proving capability to another user by revealing some homomorphic proofs. By linearly combining these proofs and their statements, the delegatee could generate several new proofs for several other statements with different conditions.
In one embodiment, homomorphic proofs may be used in blacklisting delegatable, anonymous credentials. Using delegatable NM proofs of accumulators, changing a blacklist may be treated like changing a statement's conditions. In one embodiment, delegating proofs is not restrained to retaining the same statements' conditions. Rather, proofs may be delegated where the statements' conditions are dynamic
Typically, the blacklisting of anonymous credentials involves the use of the accumulator 102. Identities of revoked credentials are accumulated in a blacklist, e.g., the accumulator value 106. A user proves that the user's credential is not revoked by using the accumulator's NM proof, whose cost is constant, to prove that the credential's identity is not accumulated.
In one embodiment, when a delegatable credential is revoked, all delegated descendants of the credential may also be revoked. Accordingly, the system 100 may ask users to anonymously prove that all ancestor credentials are not revoked, even when the blacklist changes.
Using the accumulator 102, user A, without revealing private information, may delegate the ability to prove user A's credentials is not blacklisted to user B. As such, proofs generated by A and B may be indistinguishable, even though the blacklist is dynamic. Additionally, the delegation may be unlinkable, i.e., it should be hard to tell if two such delegations come from the same delegator.
Further, user B may also be able to delegate the ability to prove that A's credential is not blacklisted to user C, such that the information C obtains from the redelegation is indistinguishable from the information obtained from user A's delegation. When receiving delegation information, one may be able to verify that such information is correctly built.
The system 100 is described in greater detail in the following sections. Section 2 describes proof systems 108. Section 3 discusses homomorphic proofs. In section 4, the accumulator 102 is described in greater detail. A model is described for the accumulator 102, which is extended to define security requirements for delegatable NM proofs. Section 5 describes a scheme for the accumulator 102 with delegatable non-membership proofs.
In section 6, revoking delegatable anonymous credentials is described. Security of the accumulator scheme and the delegatable anonymous credentials with revocation system is proven.
Section 7 describes an example implementation. Section 8 is an appendix that provides proofs to theorems discussed in the following sections.
The following discussion uses, as examples, constructions in the symmetric external Diffie Hellman (SXDH) or symmetric decisional linear (SDLIN) instantiations of GS proofs, as these constructions enable the use of efficient curves for pairings.
2. Proof Systems
The following discussion includes a number of references and equations. As such, some abbreviations and notation are used for clarity. Further, a brief list of definitions is provided. These are briefly described as follows.
The abbreviations used include PPT, CRS, Pr, NM, and ADNMP. PPT stands for probabilistic polynomial time. CRS stands for common reference string. Pr stands for probability. NM stands for non-membership. ADNMP stands for the accumulator 102 with delegatable non-membership proofs.
The notation, “←” represents random output. The notation, *:=\{O}, represents a group with identity O. Matm×n() is the set of matrices with size m×n of elements in . For a matrix Γ, Γ[i, j] represents the value at row i and column j. A vector {right arrow over (z)} of l elements can be seen as a matrix of l rows and 1 column For a vector or tuple z, the term, z[i], represents the ith element. Notations of algorithms may omit inputs, such as public parameters, when appropriate.
Definition: Bilinear Pairings. For example, let 1 and 2 be cyclic additive groups of order prime p generated by P1 and P2, respectively. Further, let T be a cyclic multiplicative group of order p. An efficiently computable bilinear pairing e:1×2→T satisfies: e(αP, bQ)=e(P, Q)αb, ∀P ∈ 1, Q ∈ 2, α, b ∈ p; and e(P1, P2) generates GT.
Definition: Symmetric eXternal Diffie Hellman (SXDH). For bilinear setup (p, , e, P1, P2) with prime p, eXternal Diffie-Hellman (XDH) assumes that the Decisional Diffie-Hellman (DDH) problem is computationally hard in one of 1 or 2. Symmetric XDH (SXDH) assumes that DDH is hard in both 1 and 2.
2.1 Non-Interactive Proof System
Let R be an efficiently computable relation of (Para, Sta, Wit) with setup parameters: Para, a statement, Sta, and a witness, Wit. A non-interactive proof system for R consists of 3 PPT algorithms: a Setup, a prover, Prove, and a verifier, Verify. A non-interactive proof system (Setup, Prove, Verify) is typically complete and sound.
Completeneness means that for every PPT adversary , Pr[Para←Setup(1k); (Sta, Wit)←(Para); Proof←Prove(Para, Sta, Wit): Verify(Para, Sta, Proof)=1 if (Para, Sta, W it) ∈ R] is overwhelming.
Soundness means that for every PPT adversary , Pr[Para←Setup(1k); (Sta, Proof)←(Para): Verify(Para, Sta, Proof)=0 if (Para, Sta, Wit) ∈ R, ∀Wit] is overwhelming
Zero-knowledge. A non-interactive proof system is Zero-Knowledge (ZK), if the proof does not reveal any information except proving that the statement is true. Witness Indistinguishability (WI) may prevent the verifier from determining which witness was used in the proof. A non-interactive proof system is composable ZK if there exists a PPT simulation algorithm outputting a trapdoor and parameters indistinguishable from Setup's output. Further, the non-interactive proof system is composable ZK if, under the simulated parameters, ZK holds even when the adversary knows the trapdoor. Composable ZK implies the standard ZK.
Randomizing Proofs and Commitments. A randomizable non-interactive proof system has another PPT algorithm, RandProof, that takes as input (Para, Sta, Proof) and outputs another valid proof, Proof′. The Proof′ may be indistinguishable from a proof produced by Prove.
A PPT commitment algorithm, Com, binds and hides a value, x, with a random opening, r. Informally, a commitment scheme is if there exists a PPT algorithm, ReCom, such that ReCom(Com(x, r), r′)=Com(x, r+r′). Sta and Proof may contain commitments of variables.
A non-interactive proof system is malleable if it is efficient to randomize the proof and its statement's commitments to get a new proof which is valid for the new statement. When possible, concatenation of two proofs is a proof that merges setup parameters and all commitments and proves the combination of conditions. From a proof, Proof, a projected proof is obtained by moving some commitments from the statement to Proof.
Partial Extractability. A non-interactive proof of knowledge (NIPK) system (Setup, Prove, Verify) is F-extractable for a bijection, F, if there is a PPT extractor (ExSet, ExWit) such that ExSet's output Para is distributed identically to Setup's output, and if, for every PPT adversary, , Pr[(Para, td)←ExSet(1k); (Sta, Proof)←(Para); Ext←ExWit(td, Sta, Proof): Verify(Para, Sta, Proof)=1 (Para, Sta, F−1 (Ext)) ∈ R] is negligible. Similar to approaches in P-signatures and non-interactive anonymous credentials, the notations, NIPK or NIZKPK (ZK for zero knowledge), are used for a statement consisting of commitments C1, . . . , Ck of witness' variables x1, . . . , xk and some
2.2 Groth-Sahai (GS) Proofs
Bilinear Map Modules. Given a finite commutative ring (R, +,·,0,1), an abelian group (A, +,0) is an -module if ∀r, s ∈ , ∀x, y ∈ A: (r+s)x=rx+sx r(x+y)=rx+ry r(sx)=(rs)x Λ 1x=x. Let A1, A2, AT be -modules with a bilinear map ƒ: A1×A2→AT. Let B1, B2, BT be R-modules with a bilinear map F: B1×B2→BT and efficiently computable maps l1: A1→B1, l2: A2→B2 and lT: AT→BT. Maps p1: B1→A1, p2: B2→A2 and pT: BT→AT may be challenging to compute and satisfy the commutative properties: F(l1(x), l2(y))=lT(ƒ(x, y)) and ƒ(p1(x),p2(y))=pT(F(x, y)). For {right arrow over (x)} ∈ A1n and {right arrow over (y)} ∈ A2n, denote {right arrow over (x)}·{right arrow over (y)}=Σi=1n ƒ(x[i],y[i]). For {right arrow over (c)} ∈ B1n and {right arrow over (d)} ∈ B2n, denote {right arrow over (c)}•{right arrow over (d)}=Σi=1n F(c[i],d[i]).
Setup. GS parameters, Para, includes setup Gk and CRS σ·Gk:=(, {A1(i), A2(i), AT(i), ƒ(i)}i=1L) where A1(i), A2(i), AT(i) are -modules with map ƒ(i): A1(i)×A2(i)→AT(i). L is the number of equations in a statement to be proved. σ:=({B1(i), B2(i), BT(i), F(i), l1(i), p1(i), l2(i), p2(i), lT(i), pT(i), {right arrow over (u)}1(i), {right arrow over (u)}2(i), H1(i), . . . , Hηi(i)}i=1L) where B1(i), B2(i), BT(i), F(i), l1(i), p1(i), l2(i), p2(i), lT(i), pT(i) are described above. {right arrow over (u)}1(i) consists of {circumflex over (m)}(i) elements in B1(i) and {right arrow over (u)}2(i) consists of {circumflex over (n)}(i) elements in B2(i). They are commitment keys for A1(i) and A2(i) respectively, as discussed below.
Matrices H1(i), . . . , Hηi(i) ∈ Mat{circumflex over (m)}
Statement. A GS statement is a set of L equations. Each equation is over -modules A1, A2, AT with map ƒ: A1×A2→AT as follows:
Σj=1n ƒ(αj, yj)+Σi=1m ƒ(xi, bi)+Σi=1m Σj=1n γijƒ(xi, yj)=t,
where variables x1, . . . , xm ∈ A1 and y1, . . . , yn ∈ A2 and coeffficients α1, . . . , αm ∈ A1, b1, . . . , bn ∈ A2 and t ∈ AT. For any matrix Γ ∈ Matm×n(), there exists {right arrow over (x)}·Γ{right arrow over (y)}=ΓT{right arrow over (x)}·{right arrow over (y)} and {right arrow over (x)}•Γ{right arrow over (y)}=ΓT {right arrow over (x)}•{right arrow over (y)}. As such, each equation may be written as {right arrow over (α)}·{right arrow over (y)}+{right arrow over (x)}·{right arrow over (b)}+{right arrow over (x)}·Γ{right arrow over (y)}=t.
A GS statement can be viewed as a set {({right arrow over (α)}i, {right arrow over (b)}i, Γi, ti)}i=1L over the corresponding set of bilinear groups {A1(i), A2(i), AT(i)), ƒ(i)}i=1L satisfying equations {right arrow over (a)}i·{right arrow over (y)}i+{right arrow over (x)}i·{right arrow over (b)}i+{right arrow over (x)}i·Γ{right arrow over (y)}i=ti. The witness is the set of corresponding variables {{right arrow over (x)}i, {right arrow over (y)}i}i=1L.
Commitment. Given keys {right arrow over (u)}1 ∈ B1{circumflex over (m)} and {right arrow over (u)}2 ∈ B2{circumflex over (n)}, commitments of {right arrow over (x)} ∈ A1m and {right arrow over (y)} ∈ A2n are respectively computed as {right arrow over (c)}:=l1({right arrow over (x)})+R{right arrow over (u)}1 and {right arrow over (d)}:=l2({right arrow over (y)})+S{right arrow over (u)}2, where R←Matm×{circumflex over (m)}() and S←Matn×{circumflex over (n)}(). Further, {right arrow over (c)} ∈ B1m and {right arrow over (d)} ∈ B2n. The commitment keys could be one of two types: hiding and binding. Hiding keys satisfy l(A1) ⊂ ({right arrow over (u)}1) and l(A2) ⊂ ({right arrow over (u)}2). As such, the commitments are perfectly hiding. Binding keys satisfy p1({right arrow over (u)}1)={right arrow over (0)} and p2({right arrow over (u)}2)={right arrow over (0)}, and the maps l1 ° p1 and l2 ° p2 are non-trivial. If they are identity maps, then the commitments are perfectly binding.
Proof. For a statement consisting of several ({right arrow over (a)}, {right arrow over (b)}, Γ, t) and a witness of corresponding variables ({right arrow over (x)}, {right arrow over (y)}), the proof includes commitments ({right arrow over (c)}, {right arrow over (d)}) of the variables and corresponding pairs ({right arrow over (π)}, {right arrow over (ψ)}), computed as follows. Generate R←Matm×{circumflex over (m)}(), S←Matn×{circumflex over (n)}(), T←Mat{circumflex over (n)}×{circumflex over (m)}() and r1, . . . , rη←. Compute {right arrow over (c)}:=l1({right arrow over (x)})+R{right arrow over (u)}1; {right arrow over (d)}:=l2({right arrow over (y)})+S{right arrow over (u)}2; {right arrow over (π)}:=RT l2({right arrow over (b)})+RTΓl2({right arrow over (y)})+RT ΓS{right arrow over (u)}2−TT{right arrow over (u)}2+Σi=1η riHi{right arrow over (u)}2; and {right arrow over (ψ)}:=ST l1({right arrow over (α)})+ST ΓT l1({right arrow over (x)})+T{right arrow over (u)}1. Dimension of {right arrow over (b)}, {right arrow over (x)} and {right arrow over (c)} is m, dimension of {right arrow over (α)}, {right arrow over (y)} and {right arrow over (d)} is n, dimension of {right arrow over (π)} is {circumflex over (m)}, and dimension of {right arrow over (ψ)} is {circumflex over (n)}. To show that a variable of one equation is the same as another variable of the same or another equation, the same commitment is used for the variables. Verification for each equation's proof may be accomplished by ensuring that l1({right arrow over (α)})•{right arrow over (d)}+{right arrow over (c)}•l2({right arrow over (b)})+{right arrow over (c)}•Γ{right arrow over (d)}=lT(t)+{right arrow over (u)}1•{right arrow over (π)}+{right arrow over (ψ)}•{right arrow over (u)}2.
SXDH Instantiation. Bilinear pairing modules Zp, 1, 2 and T and map e are sufficient to specify all equations in a statement. Accordingly, Para includes setup Gk=(p, , e, P1, P2) and CRS σ=(B1, B2, BT, F, l1, p1, l2, p2, l1′, p1′, l2′, p2′, lT, PT, {right arrow over (u)}, {right arrow over (v)}) where B1=12, B2=22 and BT:=T4 with entry-wise group operations. 1, 2 and T could be viewed as Zp-modules with map e. Matrices H1, . . . , Hη are not needed. Vectors {right arrow over (u)} of u1, u2 ∈ B1 and {right arrow over (v)} of v1, v2 ∈ B2 are commitment keys for 1 and 2.
There are 4 types of equations in statements: pairing product, multi-scalar multiplication in 1, multi-scalar multiplication in 2, and quadratic equations. For pairing product, A1=1, A2=2, AT=T, ƒ(X, Y)=e(X, Y), and equations are ({right arrow over (A)}·{right arrow over (Y)})({right arrow over (X)}·{right arrow over (B)})({right arrow over (X)}·Γ{right arrow over (Y)})=tT. For multi-scalar multiplication in 1, A1=1, A2=Zp, AT=1, ƒ(X, y)=yX, and equations are {right arrow over (A)}·{right arrow over (y)}+{right arrow over (X)}·{right arrow over (b)}+{right arrow over (X)}·Γ{right arrow over (y)}=T1. For multi-scalar multiplication in 2, A1=Zp, A2=2, AT=2, ƒ(x, Y)=xY, and equations are {right arrow over (α)}·{right arrow over (Y)}+{right arrow over (x)}·{right arrow over (B)}+{right arrow over (x)}·Γ{right arrow over (Y)}=T2. For quadratic equations, A1=Zp, A2=Zp, AT=Zp, ƒ(x, y)=xy mod p and equations are {right arrow over (α)}·{right arrow over (y)}+{right arrow over (x)}·{right arrow over (b)}+{right arrow over (x)}·Γ{right arrow over (y)}=t.
A proof and its verification can then be done as specified in the general GS proofs. GS proofs are WI and, in some cases, ZK. In the SXDH and Decisional Linear (DLIN) instantiations, for statements consisting of only multi-scalar multiplication and quadratic equations, GS proofs are composable ZK.
3. Homomorphic Proofs
3.1 Formalization
As stated previously, an abelian group satisfies five conditions: Closure, Associativity, Commutativity, Identity Element, and Inverse Element.
Definition. Let (Setup, Prove, Verify) be a proof system for a relation R and Para←Setup(1k). Consider a subset Π of all (Sta, Wit, Proof) such that (Para, Sta, Wit) ∈ R and Verify(Para, Sta, Proof)=1, and an operation +Π: Π×Π→Π. Π is said to be a set of homomorphic proofs if (Π, +Π) satisfies Closure, Associativity and Commutativity. For an IΠ:=(Sta0, Wit0, Proof0) ∈ Π, Π is said to be a set of strongly homomorphic proofs if (Π, +Π, IΠ) forms an abelian group where IΠ is the identity element.
If +Π((Sta1, Wit1, Proof1), (Sta2, Wit2, Proof2))(Sta, Wit, Proof), the following notations apply: (Sta, Wit, Proof)←(Sta1, Wit1, Proof1)+Π(Sta2, Wit2, Proof2), Sta←Sta1+ΠSta2, Wit←Wit1+ΠWit2, and Proof←Proof1+ΠProof2. Further, the multiplicative notation n(Sta, Wit, Proof) may be used for the addition of n times of (Sta, Wit, Proof). As such, the notation, Σi αi(Stai, Witi, Proofi), may be used to represent linear combination of statements, witnesses and proofs. These homomorphic properties are particularly useful for randomizable proofs. One can randomize a proof computed from the homomorphic operation to get another proof which is indistinguishable from a proof generated by Prove.
3.2 GS Homomorphic Proofs
Consider a GS proof system (Setup, Prove, Verify) of L equations. Each map l1: A1→B1 satisfies l1(x1+x2)=l1(x1)+l1(x2), ∀x1, x2 ∈ A1, and similarly for l2.
The identity may be defined IGS=(Sta0, Wit0, Proof0). Sta0 consists of L GS equations ({right arrow over (α)}0, {right arrow over (b)}0, Γ0, t0), Wit0 consists of L corresponding GS variables ({right arrow over (x)}0, {right arrow over (y)}0), Proof0 consists of L corresponding GS proofs ({right arrow over (c)}0, {right arrow over (d)}0, {right arrow over (π)}0, {right arrow over (ψ)}0), and there are L tuples of corresponding maps (l1, l2). They satisfy:
A set ΠGS of tuples (Sta, Wit, Proof) may be defined from the identity IGS. Sta consists of L GS equations ({right arrow over (α)}, {right arrow over (b)}, Γ, t) (corresponding to Sta0's ({right arrow over (α)}0, {right arrow over (b)}0, Γ0, t0) with m, n, M, N); Wit consists of L corresponding GS variables ({right arrow over (x)}, {right arrow over (y)}); Proof consists of L corresponding GS proofs ({right arrow over (c)}, {right arrow over (d)}, {right arrow over (π)}, {right arrow over (ψ)}); satisfying:
Operation may be defined as +GS: ΠGS×ΠGS→ΠGS. For i ∈ {1,2} and (Stai, Witi, Proofi) ∈ ΠGS, Sta1 consists of L GS equations ({right arrow over (α)}i, {right arrow over (b)}i, Γi, ti) corresponding to Sta0's ({right arrow over (α)}0, {right arrow over (b)}0, Γ0, t0). Witi consists of L corresponding GS variables ({right arrow over (x)}i, {right arrow over (y)}i), and Proofi consists of L corresponding GS proofs ({right arrow over (c)}i, {right arrow over (d)}i, {right arrow over (π)}i, {right arrow over (ψ)}i).
Compute (Sta, Wit, Proof)←(Sta1, Wit1, Proof1)+GS(Sta2, Wit2, Proof2) of corresponding ({right arrow over (α)}, {right arrow over (b)}, Γ, t), ({right arrow over (x)}, {right arrow over (y)}) and ({right arrow over (c)}, {right arrow over (d)}, {right arrow over (π)}, {right arrow over (ψ)}) as follows.
Theorem 3.1 In the definitions above, ΠGS is a set of strongly homomorphic proofs with operation +GS and the identity element IGS. A proof of theorem 3.1 is described in greater detail with respect to section 8.
4. Accumulator
4.1 Model
A universal accumulator consists of the following PPT algorithms.
An accumulator is dynamic if there exist the following 3 PPT algorithms, whose costs should not depend on AcSet's size, for adding or removing an accumulated element Ele. UpdateVal, whose input includes Para, Ele, the current accumulator value AcVal and Aux, updates the accumulator value. UpdateMemWit, whose input includes Para, Ele, the current witness Wit and AcVal, updates membership witnesses. For universal accumulators, UpdateNMWit, whose input includes Para, Ele, the current witness Wit and AcVal, updates NM witnesses.
Security of accumulators is implied by completeness and soundness of the 2 proof systems. Membership proofs are not described herein. As such, a universal accumulator is referred to herein as (Setup, ProveNM, VerifyNM, CompNMWit, Accu).
4.2 Delegatable NM Proofs for Accumulators
Delegating ability to prove statements is to allow someone else to prove the statements on one's behalf without revealing the witness, even if the statements' conditions are changing over time. For privacy reasons, adversaries could not distinguish different delegations coming from different users. Moreover, the delegatee could verify a delegation and unlinkably redelegate the proving ability further to other users.
Therefore, delegating an accumulator's non-membership proofs should meet 4 conditions: delegatability, unlinkability, redelegatability, and verifiability. Delegatability means that an element Ele's owner may delegate her ability to prove that Ele is not accumulated without simply revealing Ele. Even if the set of accumulated elements changes overtime, the delegatee does not contact the delegator again to generate the proof. Instead, the owner of the proof gives the delegatee a key De generated from Ele. The proof generated from De by CompProof is indistinguishable from a proof generated by ProveNM.
Unlinkability means that a delegatee should not be able to distinguish whether or not 2 delegating keys originating from the same element. Unlinkability implies that it is computationally hard to compute an element from the element's delegating keys.
Redelegatability means that the delegatee may redelegate De as De′ to other users, so that the distributions of De and De′ are indistinguishable. Verifiability means that one should be able to validate that a delegating key De is correctly built.
Definition: A universal accumulator (Setup, ProveNM, VerifyNM, CompNMWit, Accu) provides delegatable non-membership proofs if there exist PPT algorithms: delegating Dele, redelegating Rede, validating Vali, and computing proof CompProof. These algorithms may satisfy:
However, given an element Ele′, the delegatee can accumulate Ele′ and try to prove that Ele is not accumulated using De. If the delegatee cannot prove that, then Ele≡Ele′. So for any ADNMP, given an element Ele and a delegating key De, one can tell if De is generated by Ele. Due to this restriction, in the accumulator's applications, Ele should be a secret that only its owner or a trusted authority knows.
5. An ADNMP Scheme
In one embodiment, a dynamic universal ADNMP may have its Setup, Accu and UpdateVal generalized from dynamic universal accumulators for Strong Diffie Hellman (SDH) groups.
Setup: GS instantiations may be used where GS proofs for this accumulator are composable ZK. As the corresponding GS proofs may be limited to multi-scalar or quadratic equations, either the SXDH or SDLIN instantiations may be used, as explained in section 2. For clarity, the following discussion merely uses SXDH as an example.
Parameters (p, , e, P1, P2) and CRS σ may be generated with perfectly binding keys for the SXDH instantiation of GS proofs as described in section 2. Auxiliary information Aux=δ←p* may also be generated. For the proof, generate A←1 and τ:=l2′, (δ).
For efficient accumulating without Aux, a tuple ζ=(P1, δP1, . . . , δq+1 P1) is needed, where q ∈ p*. The domain for elements to be accumulated is =p* \{−δ}. Accordingly, the parameters may be described as Para=(p, , e, P1, P2, A, σ, ζ, τ).
Accu: On input AcSet={α1, . . . , αQ} ⊂ , compute m=Q/q. If Aux=δ is available, the output AcVal is a set of m component accumulator values {Vj}j=1m computed as Vj=Πi=(j−1)q+1; i<Q (δ+αi)δP1. If Aux is not available, AcVal is efficiently computable from ζ and AcSet.
UpdateVal: In case α′ ∈ is being accumulated; from 1 to m, find the first Vj which hasn't accumulated q elements and update Vj′=(δ+α′)Vj; if such Vj could not be found, add Vm+1=(δ30 α′)δP1. In case α′ is removed from AcVal, find Vj which contains α′ and update Vj′=1/(δ+α′)Vj.
Remarks. Typically, q of ζ is the upper bound on the number of elements to be accumulated in accumulators, i.e., m=1. In one embodiment, the upper bound may be relaxed by the above generalization which allows this ADNMP to work whether or not q is less than the number of accumulated elements. It also allows q to be set up smaller.
5.1 NM Proof
It may be proven that an element y2 ∈ is not in any component accumulator value Vj of AcVal {Vj}j=1m. Suppose Vj accumulates {α1, . . . , αk} where k≦q, denote Poly(δ):=Πi=1k (δ30 αi)δ, then Vj=Poly(δ)P1. Let yj3 be the remainder of polynomial division Poly(δ) mod (δ+y2) in Zp, and Xj1 be scalar product of the quotient and P1. Similar to universal, dynamic accumulators for DDH groups, constructing non-membership proofs may be based on the fact that y2 is not a member of {α1, . . . , αk} if and only if yj3≠0. The following equation incorporates δ, y2, yj3 and Xj1: (δ30 y2)Xj1+yj3P1=Vj. Proving this equation by itself does not guarantee that yj3 is the remainder of the polynomial division above. Also proven are the knowledge of (yj3P2, yj3A) and the following Extended Strong DH (ESDH) assumption. The following assumption is a variation of the Hidden Strong DH (HSDH) assumption. However, it is not clear which assumption is stronger. It is in the extended uber-assumption family and can be proved in generic groups, similar to HSDH.
Definition. q-ESDH: Let (p, , e, P1, P2) be bilinear parameters, A←1* and δ←p*. Given P1, δP1, . . . , δq+1P1, A, P2, δP2, it is computationally hard to output
where y3≠0.
If one could prove the knowledge of (yj3P2, yj3A) satisfying (δ+y2)Xj1+yj3P1=V and y2 is accumulated in V but yj3≠0, then the assumption may be broken. To prove the knowledge of (yj3P2, yj3A), then equation Xj3−yj3A=0. To verify yj3≠0, equation Tj=yj3Xj2 and the verifier checks Tj≠0. Following is a description of the non-membership proof and its security.
CompNMWit takes in y2, and for each component accumulator value Vj of AcVal {Vj }j=1m, computes remainder yj3 of Poly(δ) mod (δ+y2) in Zp which is efficiently computable from {α1, . . . , αk} and y2. It then computes Xj1=(Poly(δ)−yj3)/(δ+y2)P1, which is efficiently computable from {αl, . . . , αk}, y2 and ζ. The witness includes y2 and {(Xj1, Xj3=yj3A, yj3)}j=1m. UpdateNMWit is for one Vj at a time and similar to universal, dynamic accumulators for DDH groups. However, UpdateNMWit includes the extra task of updating Xj3=yj3A.
ProveNM generates Xj2←1* and outputs Tj=yj3Xj2 for each Vj and a GS proof for the following equations of variables: y1=δ, y2, {(Xj1, Xj3, Xj2, yj3)}j=1m and j=1m ((y1+y2)Xj1+yj3P1=Vj Xj3−yj3A=0 yj3Xj2=Tj).
Note that the prover does not need to know y1. From τ, it is efficient to generate a commitment of δ and the proof.
VerifyNM verifies the proof generated by ProveNM and checks that Tj≠0, ∀j. VerifyNM accepts if both of them pass, otherwise they are rejected.
Theorem 5.1 The proof system proves that an element is not accumulated. Its soundness depends on the ESDH assumption. Its composable ZK depends on the assumption underlying the GS instantiation (SXDH or SDLIN). A proof sketch of theorem 5.1 is described in section 8.
5.2 NM Proofs are Strongly Homomorphic
For the same constant A, the same variables δ, y2 and Xj2 and the same commitments, the set of non-membership proofs has the form of strongly homomorphic GS proofs constructed in section 3. Accordingly, delegatable non-membership proofs may be constructed from homomorphic proofs. Specifically, the delegatable non-membership proofs may be constructed by ‘adding’ 2 homomorphic proofs of 2 sets of equations (with the same commitments for δ, y2 and Xj2).
More specifically, j=1m ((δ+y2)Xj1(1)+yj3(1)P1=Vj(1) Xj3(1)−yj3(1)A=0 yj3(1)Xj2=Tj(1)) and j=1m ((δ+y2)Xj1(2)+yj3(2)P1=Vj(2) Xj3(2)−yj3(2)A=0 yj3(2)Xj2=Tj(2)) may form a proof of equations j=1m ((δ+y2)Xj1+yj3P1=Vj Xj3−yj3A=0 yj3Xj2=Tj), where Xj1=Xj1(1)+Xj1(2), Xj3=Xj3(1)+Xj3(2), yj3=Yj3(1)+yj3(2), Vj=Vj(1)+Vj(2) and Tj=Tj(1)+Tj(2).
5.3 Delegating NM Proof
Following is a description of constructing the accumulator's delegatable non-membership proof. A component accumulator value V=Πi=1k (δ+αi)δP1 of {α1, . . . , αk} can be written as V=Σi=0k biδk+1−iP1 where b0=1 and bi=Σ1≦j
Homomorphic proofs can be constructed for each (δ+y2)X1(i)+y3(i)P1=δiP1 X3(i)−y3(i) A=0 y3(i)X2=T(i) where i ∈ {1, . . . , k+1}. Using the same linear combination of δP1, . . . , δk+1P1 for V, these proofs can linearly combined to get a proof for (δ+y2)X1+y3P1=V X3−y3A=0 y3X2=T, where X1=Σi=0k biX1(k+1−i), X3=Σi=0k biX3(k+1−i), y3=Σi=0k biy3(k+1−i) and T=Σi=0k biT(k+1−i).
Following is a description of the algorithms for delegating non-membership proofs and the security theorem. It should be noted that UpdateProof may be used in place of CompProof when possible for efficiency.
Dele(Para, Ele). For each i ∈ {1, . . . , q+1}, compute remainder y3(i) of δi mod (δ+y2) in Zp, and X1(i)=(δi−y3(i))/(δ+y2)P1, which are efficiently computable from y2 and ζ. In fact, y3(i)=(−1)iy2i and X1(i+1)=Σj=0i (−1)jy2jδi−jP1=δiP1−y2X1(i) (so the cost of computing all X1(i), i ∈ {1, . . . , q+1} is about q scalar products). Generate X2←1*, the delegation key De includes {T(i)=y3(i)X2}i=1q+1 and a GS proof of equations i=1q+1 ((δ+y2)X1(i)+y3(i)P1=δiP1 X3(i)−y3(i) A=0 y3(i)X2=T(i)).
Rede(Para, De). For each i ∈ {1, . . . , q+1}, extract proof Proofi of y3(i)X2=T(i) in De. In each Proofi, for the same y3(i) and its commitment, Proofi is of homomorphic form. As such, generate r←Zp* and compute Proofi′=rProofi which is a proof of y3(i)X2′=T′(i), where X2′=rX2 and T′(i)=rT(i). It should be noted that commitments of y3(i) stay the same. For every i ∈ {1, . . . , q+1}, replace T(i) by T′(i) and Proofi by Proofi′ in De to get a new GS proof, which is then randomized to get the output De′.
Vali(Para, De). A simple option is to verify the GS proof De. An alternative way is to use batch verification: Divide De into proofs NMProofi of (δ+y2)X1(i)+y3(i)P1=δiP1 X3(i)−y3(i) A =0 y3(i)X2=T(i) for i ∈ {1, . . . , q+1}. Generate q+1 random numbers to linearly combine NMProofis and their statements and verify the combined proof and statement.
CompProof(Para, De, AcSet, AcVal). Divide De into proofs NMProofi as in Vali.
For each component accumulator value V of {α1, . . . , αk}, compute bi for i ∈ {0, . . . , k} as above. NMProofis belong to a set of homomorphic proofs, so compute NMProof=Σi=0k biNMProofk+1−i, which is a proof of (δ+y2)X1+y3P1=V X3−y3A=0 y3X2=T where X1, X3, y3, T and V are as explained above.
Extract proof SubProof of y3X2=T in NMProof. For the same y3 and its commitment, SubProof is of homomorphic form. Accordingly, generate r←Zp* and compute SubProof′=rSubProof which is a proof of y3X2′=T′, where X2′=rX2 and T′=rT. Note that y3's commitment stays the same. Replace T by T′ and SubProof by SubProof in NMProof to get a new proof NMProof′.
Concatenate those NMProof′ of all V in AcVal and output a randomization of the concatenation.
UpdateProof(Para, De, AcSet, AcVal, Proof, Opens). Proof is the proof to be updated and Opens contains openings for randomizing commitments of y1=δ and y2 from De to Proof. If there is a change in accumulated elements of a component value V, NMProof′ may be computed for the updated V as in CompProof. Randomize NMProof′ so that its commitments of y1 and y2 are the same as those in Proof and put it in Proof in place of its old part. Output a randomization of the result.
To prove that this construction provides an ADNMP, the following Decisional Strong Diffie Hellman (DSDH) assumption may be used. This assumption is not in the uber-assumption family, but can be proved in generic groups similarly to the PowerDDH assumption. A proof sketch of theorem 5.2 is described in section 8.
Definition. q-DSDH: Let (p, , e, P1, P2) be bilinear parameters, B0, B1←1*, x0, x1←p* and b←{0,1}. Given B0, x0, B0, . . . , x0qB0, B1, xbB1, . . . ,xbqB1, no PPT algorithm could output b′=b with a probability non-negligibly better than a random guess.
Theorem 5.2 The accumulator provides delegatable non-membership proofs, based on ESDH, DSDH and the assumption underlying the GS instantiation (SXDH or SDLIN).
6. Revoking Delegatable Anonymous Credentials
6.1 Model
This is a model of delegatable anonymous credential with revocation systems. For each credential proof, a user uses a new nym which is indistinguishable from the user's other nyms. Another type of nyms may be used for revocation, referred to herein as r-nyms to distinguish between the 2 types. When an r-nym is revoked, its owner can no longer prove credentials. Participants include users and the blacklist authority 104 owning a blacklist, BL, which is initially empty. The PPT algorithms are:
The differences between the model for delegatable anonymous credentials with revocation and the model for delegatable anonymous credentials without revocation are the introductions of the blacklist authority 104 with SkBA and BL; r-nyms; delegation information DeInf; Revoke; and 2 CredProof's conditions (ii) and (iii).
Generally speaking, delegability does not implicate anonymity. Nor is the reverse true, such as in this case. Suppose user I delegates to user U the ability to prove that I is not revoked in BL (U knows I by NymI). Then, in any construction, given an r-nym Rn, U and the blacklist authority 104 can collude to tell if Rn belongs to NymI or not by blacklisting Rn and checking if U can still prove that I is not revoked. As such, it may be useful for a user to keeps the r-nym secret. Otherwise, the user may not know that such delegation could compromise the user's anonymity when issuing. It is still the user's right to delegate (or not) that proving ability (by issuing DeInf or not).
Advantageously, even in worst cases, a collision of the blacklist authority 104 and the delegatee may only learn if an r-nym belongs to a delegator from IssueObtain. Other privacy properties such as anonymity of CredProof, Nym and the delegatee, may still be maintained.
This limitation will be reflected in the Anonymity definition and is related to the restriction on ADNMP mentioned in section 4.2. When a BL is implemented by using ADNMP to accumulate revoked Rns, given an Rn′ and an ADNMP delegating key De, a user can collude with the blacklist authority 104 to tell if De is generated by Rn′.
Exposing r-nyms. Typical methods for the blacklist authority 104 may be used to obtain r-nyms to revoke. There could be an authority that may force any user to reveal the user's r-nym to BA, and prove the user's ownership by using CredProve and showing openings of his r-nym's commitment.
For example, users may give deposits to the authority when entering the system. If a user does not follow the enforcement, the deposit may be forfeited. If such an enforcement is difficult, another method adopted from group signatures is an Opening Authority who can open any disputed CredProof to find its generator's r-nym. Another option includes a Nym Authority that controls users' r-nyms and makes requests to the blacklist authority 104 to revoke r-nyms.
6.2 Security
According to an embodiment, the security includes three conditions which are extended from the security definition of delegatable anonymous credentials: correctness, anonymity, and unforgeability.
Correctness: Suppose all participants are honest. A user gets valid credentials from issuers. If the user is not revoked, the user may generate a credential proof that is typically accepted by a verifier, whether or not the user's credential chain is partially revoked. If the user's whole credential chain is partially revoked, the user may generate a credential proof, which is usually accepted.
Anonymity means that an adversary, who could collude with some participants in the system, can not gain any information about honest participants. The adversary's interaction with honest parties is indistinguishable from interaction with simulators, including SimSetup, SimProve, SimObtain and SimIssue. Additions to the security definition for delegatable anonymous credentials include Nym and DeInf. Nym reveals no information about its r-nym. New entities' r-nyms, blacklist and delegation information could be generated as part of challenges by the adversary to simulators. For scenarios when DeInf is included, when interacting with SimIssue, r-nyms on the chain of issuer's credentials are randomly generated and not revealed to the adversary. As discussed above, a user and the blacklist authority 104 can tell if a given r-nym belongs to one of the delegators on the user's chain.
Unforgeability: It means that an adversary, who could interact with the system in many ways, could not forge a valid credential proof for a challenge Nym of an r-nym and a secret key, which are in one of rogue conditions. Unforgeability also assumes complete binding of Nyms, so that one r-nym and one key could be extracted from a Nym. The adversary's interaction with the system is modelled by an Oracle that may perform several tasks based on the adversary's request.
The additions to the unforgeability definition for delegatable anonymous credentials include the following. The Oracle maintains a list of honest parties, which may or may not include BA. Apart from the condition that there is no chain of honest users who delegate the challenge Nym, another rogue condition is that the challenge r-nym is blacklisted by an honest BA. If a credential proof is used to prove that all users on its chain are not revoked, another rogue condition is that a user on the challenge Nym's credential chain is blacklisted by an honest BA.
6.3 A Scheme
Overview. Intuitions of the BCCKLS delegatable anonymous credential scheme are described, along with how ADNMP extends this scheme to provide revocation.
BCCKLS uses an F-Unforgeable certification secure authentication scheme AU of PPT algorithms AtSetup, AuthKg, Authen, VerifyAuth. AtSetup(1k) returns public parameters ParaAt, AuthKg(ParaAt) generates a key Sk, Authen(ParaAt, Sk, {right arrow over (m)}) produces an authenticator Auth authenticating a vector of messages {right arrow over (m)}, and VerifyAuth(ParaAt, Sk, {right arrow over (m)}, Auth) accepts if and only if Auth validly authenticates {right arrow over (m)} under Sk. The scheme could be F-Unforgeable for a function F, which means (F({right arrow over (m)}), Auth) is unforgeable without obtaining an authenticator on {right arrow over (m)}; or certification secure, which means no PPT adversary, even after obtaining an authenticator by the challenge secret key, can forge another authenticator. Additionally, BCCKLS uses a protocol (AuthPro) for a user to obtain from an issuer an NIZKPK of an authenticator on {right arrow over (m)} without revealing anything about {right arrow over (m)}.
An user U could generate a secret key Sk←AuthKg(ParaAt), and many nyms Nym=Com(Sk, Open) by choosing different values Open. Supposing U has a level L+1 credential from O, let (SkO=SkO, Sk1, . . . , SkL, SkL+1=Sk) be the keys such that Ski's owner delegated the credential to Ski+1, and let H: {0,1}*→Zp be a collision resistant hash function. ri=H(NymO, atributes, i) is computed for a set of attributes for that level's credential. U generates a proof of her delegated credential as CredProof←NIZKPK[SkOinNymO,Sk in Nym] {(F(SkO), F(Sk1), . . . ,F(SkL), F(Sk),auth1, . . . ,authL+1):
VerifyAuth(SkO, (Sk1,r1), auth1) VerifyAuth(Sk1, (Sk2, r2),auth2) . . .
VerifyAuth(SkL−1, (SkL, rL),authL) VerifyAuth(SkL, (Sk, rL+1),authL+1)}.
ADNMP may extend BCCKLS to provide revocation. Using ADNMP, BA's blacklist, BL, includes an accumulated set of revoked Rns and its accumulator value. Beside a secret key Sk, user U has a secret r-nym Rn in the accumulator's domain, and generates nyms Nym=(Com(Sk, OpenSk), Com(Rn, OpenRn)). ADNMP allows delegation and redelegation of a proof that an Rn is not accumulated in a blacklist Rn ∈ BL. U generates a proof of the delegated credential and validity of the credential's chain as:
Description. The building blocks consist of: (i) Those from BCCKLS, including AU; AuthPro; H; and a malleable NIPK credential proof system (CredPS) of PKSetup, PKProve, PKVerify, RandProof, with commitment Corn; (ii) An accumulator with a randomizable delegatable non-membership proof system (NMPS) of AcSetup, ProveNM, VerifyNM, CompNMWit, Accu, Dele, Rede, Vali, CompProof, with commitment ComNM; and (iii) A randomizable proof system (EQPS), whose setup consists of PKSetup and AcSetup, to prove that 2 given commitments by Corn and ComNM commit to the same value.
Assume a delegating key De contains a commitment of its element Ele. CompProof and Rede generate Ele's commitment in their outputs by randomizing the commitment in De. Elements of the accumulator domain and the authenticator's keyspace can be committed by Corn.
The BCCKLS building blocks could be instantiated as in delegatable anonymous credentials. An ADNMP instantiation is presented in section 4. Additionally, an equality proof system(EQPS) instantiation with composable ZK can be constructed from p-signatures and noninteractive anonymous credentials. They all share the same bilinear pairing parameters, so elements of the accumulator domain and the authenticator's keyspace are in p and committable by Com. The concatenation of instantiated CredPS, NMPS and EQPS forms a GS proof system and thereby is randomizable, partially extractable, and composable ZK. The following algorithm inputs are the same as in the model and omitted.
Theorem 6.1 If the authentication scheme is F-unforgeable and certification-secure; a concatenation of CredPS, NMPS and EQPS is randomizable, partially extractable, and composable ZK; and H is collision resistant, then this construction is a secure revocable delegatable anonymous credential system. A proof sketch of theorem 6 is described in section 8.
6.4 A Method
The method begins at block 202, where a request is received to revoke an anonymous credential. The anonymous credential may be delegated from a first entity to a second entity.
At block 204, the blacklist authority 104 may revoke the anonymous credential from the first entity. The revocation may occur in response to the request to revoke.
At block 206, the blacklist authority 104 may revoke the anonymous credential from the second entity. The revocation for the second entity may also occur in response to the request to revoke.
7. Example Implementation
The system 100 may be implemented in two program libraries of various languages. The first library may implement the scheme for the accumulator 102 in the SXDH instantiation described in section 5. The first libray may also be used to develop the accumulator's applications. Further, application program interfaces may be provided for the algorithms described herein, e.g., AcSetup, ProveNM, VerifyNM, CompNMWit, Accu, Dele, Rede, Vali and CompProof.
The second library may depend on the first library to perform the revoking of anonymous credentials described above.
Typically, prime-order universal accumulators use a random oracle (RO) for non-interactive proofs. The random oracle's its prover uses 3 pairings. In contrast, the accumulator 102 does not use a random oracle. Further, the accumulator's prover does no pairing. In one embodiment, with q=500, using 256-bit BN pairing curves, on a regular 2.4 GHz Intel 2 Core with 4 GB RAM, ProveNM takes 0.14 s and Dele takes 69.38 s.
In some embodiments, the system 100 may include a central entity that knows Aux, and can adjust the value of q at any time. Based on the work loads on the accumulator's operations and the number of accumulated elements, the value of q may be determined based on a desired efficiency improvement.
This improvement may be used in the following scenario. Assume in an application, the number of accumulated elements is around a constant Q over time, allowing for elements to be added or removed. Let m=[Q/q], the computation unit be a scalar product, and the approximate costs of the accumulator's operations be as follows (generalized for both SXDH and SDLIN instantiations): Accu-m; UpdateVal-1; CompNMWit-(mq≈Q); UpdateWitness-2; ProveNM-α1m; VerifyNM-α2m; Dele-β1q; Rede-β2q; Vali-β3q; CompProof-(β4mq+α3m); UpdateProof-(β4+α3m); where αi and βi are constants. For simplicity and analysis of a common user, less commonly used operations, operations performed by a central entity, and operations whose cost does not change when q changes are not described.
Suppose over a period of approximately a year, the average numbers of runs of operations per user are as follows: ProveNM-α1; VerifyNM-α2; Dele-b1; Rede-b2; Vali-b3; CompProof-α3; UpdateProof-c; where αi, bi and c are constants. The total cost per user per period is
As such, a minimum of S(q) happens when
8. Appendix: Proofs
Proof of theorem 3.1. To prove that (ΠGS, +GS, IGS) satisfies the 5 conditions of an abelian group, it is given that the following conditions: associativity, commutativity, identity element, and inverse element may be easily validated. As such, the proof of closure is described.
It is given that (Sta, Wit, Proof)←(Sta1, Wit1, Proof1)+GS (Sta2, Wit2, Proof2) (as in the description) satisfies the conditions for an element in ΠGS as follows. ∀i ∈ M: x[i]=x1[i]=x0[i] and c[i]=c1[i]=c0[i]. ∀j ∈
{right arrow over (π)}i:=RiTl2({right arrow over (b)}i)+RiTΓil2({right arrow over (y)}i)+RiTΓiSi{right arrow over (u)}2−TiT{right arrow over (u)}2+Σj=1ηrj(i)Hj{right arrow over (u)}2, and
EQUATION 2
{right arrow over (ψ)}i:=SiTl1({right arrow over (α)}i)+SiTl1({right arrow over (x)}i)+Ti{right arrow over (u)}1
EQUATION 3
Without losing generality, for i∈{ 1,2), it is true that
which shows how commitment {right arrow over (d)} is generated from {right arrow over (y)} and S for the proof. Further, for i ∈ {1,2}:
where {circumflex over (Γ)}i consists of Γ[j, k] with j ∈ M and k ∈ N, {hacek over (Γ)} consists of Γ[j, k] with j ∈ M and k ∈
Multiplying matrices and regrouping with EQUATIONS 4 and 6 yields:
Replacing {right arrow over (b)} and R from EQUATION 4 and {right arrow over (y)} and S from EQUATION 5, then {right arrow over (π)}=RTl2({right arrow over (b)})+RTΓl2({right arrow over (y)})+RTΓS{right arrow over (u)}2−TT{right arrow over (u)}2+Σj=1η rjHj{right arrow over (u)}2. Similarly, {right arrow over (ψ)}:=STl1({right arrow over (α)})+STΓTl 1({right arrow over (x)})+T{right arrow over (u)}1. As such, {right arrow over (c)}, {right arrow over (d)}, {right arrow over (π)}, and {right arrow over (ψ)} are generated according to the formula for a GS proof of ({right arrow over (α)}, {right arrow over (b)}, Γ, t) and ({right arrow over (x)},{right arrow over (y)}). Therefore, Proof is a valid proof of Sta and Wit. Accordingly, theorem 3.1 holds.
Proof sketch of theorem 5.1. The correctness and composable ZK of theorem 5.1 comes from the GS proof, the GS proof's instantiations, and the fact that y2 ∈ AcSet and Xj2≠0 means Tj≠O. Further, a setup and a proof may be simulated that are respectively computationally indistinguishable from a real setup and a real proof generated from the simulated setup.
Soudness may be proven as follows. Suppose an adversary could forge a proof that VerifyNM accepts for equations j=1m ((y1+y2)Xj1+yj3P1=Vj Xj3−yj3A=0 yj3Xj2=Tj) where Tj≠0 but y2 is accumulated in one of Vjs with non-negligible probability. The proof may be used to break ESDH.
Given the assumption challenge (p, , e, P1, δP1, . . . ,δq+1P1, A , P2, δP2), simulate random CRS σ with extracting trapdoor for GS proofs in either the SXDH or SDLIN instantiations. Accordingly, from a commitment in 2 of y ∈ Zp and a commitment of X ∈ 1, yP2 and X may be respectively extracted. With the trapdoor, compute τ:=l2′,(δ), thereby providing all parameters for a simulated accumulator.
The forged proof contains commitments of Xj1,Xj3,Xj2 and of y1=δ,y2,yj3 in 2. As such, Xj1,Xj3,Xj2 and y2P2,yj3P2 could be extracted, and know yj3≠0. As y2 is in AcSet, then y2 could be found. Suppose y2 is accumulated in Vl which accumulates {α1, . . . , αk}. As Xl3=yl3A, Xl1, y2 and (yl3P2,yl3A) could be extracted. Therefore, (y1+y2)Xl1+yl3P1=Πi=1k (y1+αi)y1P1 and y2 ∈ {α1, . . . , αk}. Accordingly,
Proof sketch of theorem 5.2. To prove delegatability, consider CompProofs output is a randomized proof of equations j=1m ((y1+y2)Xj1+yj3P1=Vj Xj3−yj3A=0 yj3Xj2=Tj) which are the same as equations for the proof outputted by ProveNM. Due to GS proofs′ randomizability, the outputs have the same distribution, indicating Delegatability.
For proving redelegatability, consider the same y2. The output T′(i), i ∈ {1, . . . ,k+1} of Rede has the same distribution as the output T(i), i ∈ {1, . . . ,k+1} of Dele. For the same T(i), i ∈ {1, . . . ,k+1}, Rede's output is a randomization of a proof that Dele could produce, so their outputs have the same distribution. Therefore, Dele and Rede output the same distribution that leads to redelegatability. Verifiability comes from ESDH and the completeness and soundness of GS proofs, as De is a GS proof.
If an adversary can break the accumulator's unlinkability, it may be proven that either q-DSDH or GS's underlying assumption (SXDH or SDLIN) can be broken. Consider 2 cases. If the adversary can distinguish between a GS proof De and its simulated proof both in a simulated setup with non-negligible probability, then the underlying assumption may be broken. If not, then q-DSDH can be broken as follows.
Suppose the q-DSDH Challenge
Proof sketch of theorem 6.1. The scheme's correctness comes from correctness of its component authentication scheme and the concatenation of CredPS, NMPS and EQPS, and delegatability and redelegatability of the accumulator 102. The unforgeability proof is based on F-unforgeability and certification-security of the authentication scheme, and partial extractability and soundness of the concatenation.
The anonymity proof is also similar to the one for randomizable proofs and delegatable anonymous credentials. One difference is to create SimIssue indistinguishable from Issue with input DeInf. SimSetup includes AtSetup and the simulation setup SimConSetup for the concatenation. It is true that the accumulator's four delegation properties still hold under parameters generated by SimConSetup. Otherwise, an adversary breaking one of the properties could distinguish SimConSetup and the concatenation setup ConSetup. It is also true that a concatenation of just CredPS and EQPS is also composable ZK using simulation SimConSetup. SimIssue first generates a list of delegating keys for L random r-nyms. Based on the accumulator's unlinkability and redelegatability, the adversary can not distinguish this list from the list in DeInfu generated by Issue, as r-nyms of input DeInf to Issue are also randomly generated and not revealed to the adversary. SimIssue then simulates the concatenation of CredPS and EQPS with r-nyms commitments in the delegating keys and merge it with the delegating keys to output. This output is indistinguishable from the output (CredU,DeInfU) generated by Issue.
The networking environment 300 includes one or more client(s) 310. The client(s) 310 can be hardware and/or software (e.g., threads, processes, computing devices). As an example, the client(s) 310 may be computers providing access, for users of a web browser, to servers over a communication framework 340, such as the Internet.
The system 300 also includes one or more server(s) 320. The server(s) 320 can be hardware and/or software (e.g., threads, processes, computing devices). The server(s) 320 may include web servers, or other servers that support delegatable anonymous credentials.
The server(s) may be accessed by the client(s) 310. The servers 320 can house threads to delegate and revoke anonymous credentials.
One possible communication between a client 310 and a server 320 can be in the form of a data packet adapted to be transmitted between two or more computer processes. The system 300 includes a communication framework 340 that can be employed to facilitate communications between the client(s) 310 and the server(s) 320.
The client(s) 310 are operably connected to one or more client data store(s) 350 that can be employed to store information local to the client(s) 310. The client data store(s) 350 may be located in the client(s) 310, or remotely, such as in a cloud server. Similarly, the server(s) 320 are operably connected to one or more server data store(s) 330 that can be employed to store information local to the servers 320.
With reference to
The system bus 418 couples system components including, but not limited to, the system memory 416 to the processing unit 414. The processing unit 414 can be any of various available processors. Dual microprocessors and other multiprocessor architectures also can be employed as the processing unit 414.
The system bus 418 can be any of several types of bus structure(s) including the memory bus or memory controller, a peripheral bus or external bus, and/or a local bus using any variety of available bus architectures known to those of ordinary skill in the art. The system memory 416 is non-transitory computer-readable media that includes volatile memory 420 and nonvolatile memory 422.
The basic input/output system (BIOS), containing the basic routines to transfer information between elements within the computer 412, such as during start-up, is stored in nonvolatile memory 422. By way of illustration, and not limitation, nonvolatile memory 422 can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory.
Volatile memory 420 includes random access memory (RAM), which acts as external cache memory. By way of illustration and not limitation, RAM is available in many forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), SynchLink™ DRAM (SLDRAM), Rambus® direct RAM (RDRAM), direct Rambus® dynamic RAM (DRDRAM), and Rambus® dynamic RAM (RDRAM).
The computer 412 also includes other non-transitory computer-readable media, such as removable/non-removable, volatile/non-volatile computer storage media.
In addition, disk storage 424 can include storage media separately or in combination with other storage media including, but not limited to, an optical disk drive such as a compact disk ROM device (CD-ROM), CD recordable drive (CD-R Drive), CD rewritable drive (CD-RW Drive) or a digital versatile disk ROM drive (DVD-ROM). To facilitate connection of the disk storage devices 424 to the system bus 418, a removable or non-removable interface is typically used such as interface 426.
It is to be appreciated that
System applications 430 take advantage of the management of resources by operating system 428 through program modules 432 and program data 434 stored either in system memory 416 or on disk storage 424. It is to be appreciated that the claimed subject matter can be implemented with various operating systems or combinations of operating systems.
A user enters commands or information into the computer 412 through input device(s) 436. Input devices 436 include, but are not limited to, a pointing device (such as a mouse, trackball, stylus, or the like), a keyboard, a microphone, a joystick, a satellite dish, a scanner, a TV tuner card, a digital camera, a digital video camera, a web camera, and/or the like. The input devices 436 connect to the processing unit 414 through the system bus 418 via interface port(s) 438. Interface port(s) 438 include, for example, a serial port, a parallel port, a game port, and a universal serial bus (USB).
Output device(s) 440 use some of the same type of ports as input device(s) 436. Thus, for example, a USB port may be used to provide input to the computer 412, and to output information from computer 412 to an output device 440.
Output adapter 442 is provided to illustrate that there are some output devices 440 like monitors, speakers, and printers, among other output devices 440, which are accessible via adapters. The output adapters 442 include, by way of illustration and not limitation, video and sound cards that provide a means of connection between the output device 440 and the system bus 418. It can be noted that other devices and/or systems of devices provide both input and output capabilities such as remote computer(s) 444.
The computer 412 can be a server hosting a universal, dynamic accumulator in a networked environment using logical connections to one or more remote computers, such as remote computer(s) 444. The remote computer(s) 444 may be client systems configured with web browsers, PC applications, mobile phone applications, and the like, to allow users to delegate and revoke anonymous credentials, as discussed herein. For example, remote computer 444 may include a client used to request delegation and revocation of anonymous credentials.
The remote computer(s) 444 can be a personal computer, a server, a router, a network PC, a workstation, a microprocessor based appliance, a mobile phone, a peer device or other common network node and the like, and typically includes many or all of the elements described relative to the computer 412.
For purposes of brevity, only a memory storage device 446 is illustrated with remote computer(s) 444. Remote computer(s) 444 is logically connected to the computer 412 through a network interface 448 and then physically connected via a communication connection 450.
Network interface 448 encompasses wire and/or wireless communication networks such as local-area networks (LAN) and wide-area networks (WAN). LAN technologies include Fiber Distributed Data Interface (FDDI), Copper Distributed Data Interface (CDDI), Ethernet, Token Ring and the like. WAN technologies include, but are not limited to, point-to-point links, circuit switching networks like Integrated Services Digital Networks (ISDN) and variations thereon, packet switching networks, and Digital Subscriber Lines (DSL).
Communication connection(s) 450 refers to the hardware/software employed to connect the network interface 448 to the bus 418. While communication connection 450 is shown for illustrative clarity inside computer 412, it can also be external to the computer 412. The hardware/software for connection to the network interface 448 may include, for exemplary purposes only, internal and external technologies such as, mobile phone switches, modems including regular telephone grade modems, cable modems and DSL modems, ISDN adapters, and Ethernet cards.
An exemplary embodiment of the computer 412 may comprise a server hosting a website. Anonymous credentials may be used to control access to the website. The server may be configured to delegate and revoke the anonymous credentials.
An exemplary processing unit 414 for the server may be a computing cluster comprising Intel® Xeon CPUs. The disk storage 424 may comprise an enterprise data storage system, for example, holding thousands of impressions.
Exemplary embodiments of the subject innovation may display an icon on the remote computer(s) 444 that is clickable to request asynchronous searches. Asynchronous search results may be requested from human or crowd-sourcing resources. Results may be made available via a non-intrusive icon on the remote computer(s) 444.
What has been described above includes examples of the subject innovation. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the claimed subject matter, but one of ordinary skill in the art may recognize that many further combinations and permutations of the subject innovation are possible. Accordingly, the claimed subject matter is intended to embrace all such alterations, modifications, and variations that fall within the spirit and scope of the appended claims
In particular and in regard to the various functions performed by the above described components, devices, circuits, systems and the like, the terms (including a reference to a “means”) used to describe such components are intended to correspond, unless otherwise indicated, to any component which performs the specified function of the described component (e.g., a functional equivalent), even though not structurally equivalent to the disclosed structure, which performs the function in the herein illustrated exemplary aspects of the claimed subject matter. In this regard, it will also be recognized that the innovation includes a system as well as a computer-readable storage media having computer-executable instructions for performing the acts and/or events of the various methods of the claimed subject matter.
There are multiple ways of implementing the subject innovation, e.g., an appropriate API, tool kit, driver code, operating system, control, standalone or downloadable software object, etc., which enables applications and services to use the techniques described herein. The claimed subject matter contemplates the use from the standpoint of an API (or other software object), as well as from a software or hardware object that operates according to the techniques set forth herein. Thus, various implementations of the subject innovation described herein may have aspects that are wholly in hardware, partly in hardware and partly in software, as well as in software.
The aforementioned systems have been described with respect to interaction between several components. It can be appreciated that such systems and components can include those components or specified sub-components, some of the specified components or sub-components, and/or additional components, and according to various permutations and combinations of the foregoing. Sub-components can also be implemented as components communicatively coupled to other components rather than included within parent components (hierarchical).
Additionally, it can be noted that one or more components may be combined into a single component providing aggregate functionality or divided into several separate sub-components, and any one or more middle layers, such as a management layer, may be provided to communicatively couple to such sub-components in order to provide integrated functionality. Any components described herein may also interact with one or more other components not specifically described herein but generally known by those of skill in the art.
In addition, while a particular feature of the subject innovation may have been disclosed with respect to only one of several implementations, such feature may be combined with one or more other features of the other implementations as may be desired and advantageous for any given or particular application. Furthermore, to the extent that the terms “includes,” “including,” “has,” “contains,” variants thereof, and other similar words are used in either the detailed description or the claims, these terms are intended to be inclusive in a manner similar to the term “comprising” as an open transition word without precluding any additional or other elements.