Revoking delegatable anonymous credentials

Information

  • Patent Grant
  • 8839381
  • Patent Number
    8,839,381
  • Date Filed
    Tuesday, December 7, 2010
  • Date Issued
    Tuesday, September 16, 2014
Abstract
The claimed subject matter provides a method for revoking delegatable anonymous credentials. The method includes receiving a request to revoke an anonymous credential. The anonymous credential may be representative of an ability to prove non-membership in an accumulator for a first entity. The method also includes revoking the anonymous credential from the first entity in response to the request to revoke the anonymous credential. Additionally, the method includes revoking the anonymous credential from a second entity in response to the request to revoke the anonymous credential. The first entity delegates the anonymous credential to the second entity.
Description
BACKGROUND

In anonymous credential systems, a user with an anonymous credential may prove select private information while protecting other parts of the user's identity. For example, a person may choose to disclose only having a valid driver's license without disclosing name, age, address, etc. (or vice versa).


In some cases, anonymous credentials may be delegated. With delegatable credentials, a chain of delegation may describe a number of users delegating authority in a particular direction.


Some applications of anonymous credential systems include direct anonymous attestation and anonymous electronic identity tokens. Some of these approaches have been captured in implementations including U-Prove, Idemix, and Java Cards.


Anonymous credential systems may include revocation functionality. With revocation, credentials may be invalidated. Revocation is useful with regard to many organizational matters, including disputes, compromise, mistakes, identity change, hacking and other insecurities.


Revocation is challenging in anonymous credential systems because it is difficult to anonymously prove that a credential is not revoked. In the case of delegatable credentials, chains of delegation may be difficult to trail because of anonymity protections. As such, revocation may be especially challenging for anonymous credential systems with delegatable credentials.


SUMMARY

The following presents a simplified summary of the innovation in order to provide a basic understanding of some aspects described herein. This summary is not an extensive overview of the claimed subject matter. It is intended to neither identify key or critical elements of the claimed subject matter nor delineate the scope of the subject innovation. Its sole purpose is to present some concepts of the claimed subject matter in a simplified form as a prelude to the more detailed description that is presented later.


The subject innovation relates to a method and a system for revoking delegatable anonymous credentials. The method includes receiving a request to revoke an anonymous credential. A valid anonymous credential may be representative of an ability to prove non-membership in an accumulator for a first entity. The anonymous credential is delegated from the first entity to a second entity. The method also includes revoking the anonymous credential from the first entity in response to the request to revoke the anonymous credential. Additionally, the method includes revoking the anonymous credential from a second entity in response to the request to revoke the anonymous credential.


An exemplary system according to the subject innovation may be used for delegatable anonymous credentials. The exemplary system comprises a processing unit and a system memory that comprises code configured to direct the processing unit to receive a request to revoke an anonymous credential representative of an ability to prove non-membership in a universal, dynamic accumulator for a first entity.


The code may also be configured to direct the processing unit to revoke the anonymous credential from the first entity in response to the request to revoke the anonymous credential. In particular, the code may be configured to direct the processing unit to revoke the anonymous credential from a second entity in response to the request to revoke the anonymous credential.


Another exemplary embodiment of the subject innovation provides one or more computer readable storage media that include code to direct the operation of a processing unit. In one exemplary embodiment, the code may direct the processing unit to receive a request to revoke an anonymous credential representative of an ability to prove non-membership in an accumulator for a first entity. The request is received from an anonymous credential system.


The code may also direct the processing unit to revoke the anonymous credential from the first entity in response to the request to revoke the anonymous credential. Additionally, the code may direct the processing unit to revoke the anonymous credential from a second entity in response to the request to revoke the anonymous credential.


The following description and the annexed drawings set forth in detail certain illustrative aspects of the claimed subject matter. These aspects are indicative, however, of a few of the various ways in which the principles of the innovation may be employed and the claimed subject matter is intended to include all such aspects and their equivalents. Other advantages and novel features of the claimed subject matter will become apparent from the following detailed description of the innovation when considered in conjunction with the drawings.





BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 is a block diagram of a system for revocation of anonymous credentials in accordance with the claimed subject matter;



FIG. 2 is a process flow diagram of a method for revoking delegatable anonymous credentials in accordance with the claimed subject matter;



FIG. 3 is a block diagram of an exemplary networking environment wherein aspects of the claimed subject matter can be employed; and



FIG. 4 is a block diagram of an exemplary operating environment for implementing various aspects of the claimed subject matter.





DETAILED DESCRIPTION

The claimed subject matter is described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the subject innovation. It may be evident, however, that the claimed subject matter may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate describing the subject innovation.


As utilized herein, terms “component,” “system,” “browser,” “search engine,” “client” and the like are intended to refer to a computer-related entity, either hardware, software (e.g., in execution), and/or firmware, or a combination thereof. For example, a component can be a process running on a processor, an object, an executable, a program, a function, a library, a subroutine, and/or a computer or a combination of software and hardware.


By way of illustration, both an application running on a server and the server can be a component. One or more components can reside within a process and a component can be localized on one computer and/or distributed between two or more computers. The term “processor” is generally understood to refer to a hardware component, such as a processing unit of a computer system.


Furthermore, the claimed subject matter may be implemented as a method, apparatus, or article of manufacture using standard programming and/or engineering techniques to produce software, firmware, hardware, or any combination thereof to control a computer to implement the disclosed subject matter. The term “article of manufacture” as used herein is intended to encompass a computer program accessible from any non-transitory computer-readable device, or media.


Computer-readable storage media can include but are not limited to magnetic storage devices (e.g., hard disk, floppy disk, and magnetic strips, among others), optical disks (e.g., compact disk (CD), and digital versatile disk (DVD), among others), smart cards, and flash memory devices (e.g., card, stick, and key drive, among others). In contrast, computer-readable media generally (i.e., not storage media) may additionally include communication media such as transmission media for wireless signals and the like.


Of course, those skilled in the art will recognize many modifications may be made to this configuration without departing from the scope or spirit of the claimed subject matter. Moreover, the word “exemplary” is used herein to mean serving as an example, instance, or illustration. Any aspect or design described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other aspects or designs.


Proof systems are used in many cryptographic systems, such as signature, authentication, encryption, mix-net, and anonymous credential systems. In a proof system between a prover and a verifier, an honest prover with a witness can convince a verifier about the truth of a statement. However, an adversary cannot convince a verifier of a false statement.


One proof system, the Groth and Sahai non-interactive proof system (GS proof system), provides several advantages. GS proof systems are efficient and general, and do not use the random oracle assumption. The random oracle model assumes the existence of an oracle that returns a uniformly random response to each query and outputs the same response for the same query. Additionally, GS proof systems can be randomized. For example, a new proof may be generated from an existing proof of the same statement without knowing the witness. Advantageously, as described below, GS proof systems are also homomorphic.


Proof systems are used to construct accumulators. An accumulator allows aggregation of a large set of elements into one constant-size accumulator value. A membership proof system may be used to prove that an element is in the accumulated value.


A non-membership proof system may be used to prove that an element is not accumulated. It can be used for revoking anonymous credentials.


For example, an accumulator may aggregate a large set of revoked credentials. The user whose credential has not been revoked may want to prove that the credential is not revoked by using the accumulator's non-membership proof system.


One embodiment provides an accumulator that is dynamic and universal. An accumulator may be dynamic if costs of certain operations do not depend on the number of elements aggregated. These operations may include adding elements, deleting elements, updating the accumulator value, and updating the proof systems' witnesses.


An accumulator is said to be universal if, in addition to the membership proof system, the accumulator includes a non-membership proof system. The non-membership proof system may prove that a given element is not accumulated in the accumulator value, e.g., the valid credential is not aggregated into the accumulator value.
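As an added illustration (not part of the patent text, and not the patent's construction), the following Python example uses an RSA-style universal accumulator, a different technique from the pairing-based scheme described in later sections, to show the blacklist mechanics discussed above: a constant-size accumulator value, a non-membership witness for an unrevoked credential, and the witness update a holder must perform when the blacklist changes. The toy modulus, the base, the prime credential identities and all function names are assumptions made for the example; it provides no anonymity or delegation.

```python
"""Blacklist as a universal accumulator with non-membership witnesses.

Technique shown: an RSA-style universal accumulator, swapped in for the
pairing-based construction. All parameters below are constructed toy values.
"""
from math import gcd, prod

# Constructed toy modulus from two small safe primes (1019 = 2*509 + 1 and
# 1187 = 2*593 + 1). Far too small for real use; chosen so the demo is fast.
N = 1019 * 1187
G = 4  # a square modulo N, used as the accumulator base


def accumulate(revoked_ids):
    """Blacklist value for a list of revoked (prime) credential ids."""
    return pow(G, prod(revoked_ids), N)


def add_revoked(acc, new_id):
    """Blacklist authority revokes one more id; the value stays constant-size."""
    return pow(acc, new_id, N)


def nm_witness(cred_id, revoked_ids):
    """Non-membership witness (a, d) with acc^a == d^cred_id * G (mod N).

    Exists only if cred_id is coprime to the product of revoked ids,
    i.e. only if the credential is not on the blacklist.
    """
    u = prod(revoked_ids)
    if gcd(cred_id, u) != 1:
        raise ValueError("credential id is on the blacklist")
    a = pow(u, -1, cred_id)                 # a*u = 1 (mod cred_id)
    d = pow(G, (a * u - 1) // cred_id, N)   # division is exact
    return a, d


def verify_nm(acc, cred_id, witness):
    """Verifier's check that cred_id is not accumulated in acc."""
    a, d = witness
    return pow(acc, a, N) == (pow(d, cred_id, N) * G) % N


def update_witness(old_acc, cred_id, witness, new_id):
    """Holder refreshes a witness after new_id joins the blacklist, using
    only the previous accumulator value and the newly revoked id."""
    if new_id == cred_id:
        raise ValueError("credential was just revoked; no witness exists")
    a, d = witness
    a_new = (a * pow(new_id, -1, cred_id)) % cred_id
    r = (a_new * new_id - a) // cred_id     # exact; may be negative
    d_new = (d * pow(old_acc, r, N)) % N    # negative r uses a modular inverse
    return a_new, d_new


def demo():
    """Returns (valid before change, stale witness valid, updated valid)."""
    revoked = [101, 103]       # constructed sample blacklist
    holder = 107               # constructed unrevoked credential id
    acc = accumulate(revoked)
    wit = nm_witness(holder, revoked)
    ok_before = verify_nm(acc, holder, wit)

    acc2 = add_revoked(acc, 109)            # blacklist changes
    stale_ok = verify_nm(acc2, holder, wit)  # old witness no longer verifies
    wit2 = update_witness(acc, holder, wit, 109)
    ok_after = verify_nm(acc2, holder, wit2)
    return ok_before, stale_ok, ok_after


if __name__ == "__main__":
    print(demo())
```

Each blacklist change forces every unrevoked holder to run one witness update, which is the cost trade-off the description raises for accumulators whose value changes often.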


Some applications of accumulators include space-efficient time stamping, ad-hoc anonymous authentication, ring signatures, ID-Based systems, and membership revocation for identity escrow, group signatures and anonymous credentials.


In one embodiment, homomorphic proofs may allow adding proofs and their statements to generate a new proof of the summed statement. A construction of such homomorphic proofs may be used in an accumulator scheme with delegatable non-membership (NM) proofs. This scheme may be used to extend a scheme with randomizable proofs and delegatable anonymous credentials. In this manner, an anonymous credential system with delegatable credentials may be created. This system may include revocation for the delegatable credentials.


As such, the accumulator's delegatable NM proofs may enable user A, without revealing user A's identity, to delegate to user B the ability to prove that A's credential has not been revoked. This ability may be supported even in scenarios where a blacklist of revoked credentials is dynamic.


Additionally, the delegation may be redelegatable, unlinkable, and verifiable. The security of the proposed schemes is provable.



FIG. 1 is a block diagram of a system 100 for revocation of anonymous credentials in accordance with the claimed subject matter. The system 100 may provide revocation for several anonymous credential systems, which may be delegatable or not.


An anonymous credential system is delegatable if credentials can be delegated from one user, the delegator, to another user, the delegatee. The delegatee may anonymously prove a credential which is delegated some levels away from the original delegator. Delegation is useful for efficiently managing many kinds of organizations. For example, many organizations include some authority who delegates tasks to a workforce so no one person is overburdened.


The system 100 may include an accumulator 102 and a blacklist authority 104. The accumulator 102 may implement the accumulator scheme with delegatable non-membership (NM) proofs.


The accumulator 102 may include an accumulator value 106 and proof systems 108. The blacklist authority 104 may use the accumulator 102 to create a blacklist and accumulate revoked identities of anonymous credentials. The accumulator value 106 is referred to herein as the blacklist because the accumulator 102 may aggregate the identities of revoked credentials in the accumulator value 106.


In the system 100, a user may prove that an identity is not accumulated in the blacklist. The user may also delegate this proof. Further, the delegatee may re-delegate or compute proofs based on the delegation.


The system 100 may be used with several anonymous credential systems with or without delegatability. In one embodiment, several anonymous credential systems, based on prime order, may be integrated with the system 100. In such embodiments, the anonymous credentials may or may not be delegatable.


The efficiencies of accumulators typically depend on the constant costs of their proofs. However, there is a tradeoff between the cost of computing and updating a witness. The cost of updating a witness is linear in the number of accumulated elements. As such, accumulators may be an inefficient choice in scenarios that involve numerous changes to the accumulator value, but only a few proofs. In some scenarios, the accumulator may be adjusted to improve performance. An example improvement is described in greater detail with respect to Section 7.


1. Introduction


In one embodiment, homomorphic proofs may be extended to include an operation which adds proofs, their statements, and their witnesses. The adding operation may generate a new valid proof of the sum statement and the sum witness. In the following sections, a construction for homomorphic proofs from GS proofs is presented and proven. GS proofs have a high level of generalization, which enables their application in a number of areas, including group signatures, ring signatures, mix-nets, oblivious transfer, and anonymous credentials. In one embodiment, the construction of homomorphic proofs uses a general form of GS proofs to broaden the range of possible applications.


Some applications for homomorphic proofs may include homomorphic signatures, homomorphic authentication, network coding, digital photography, and undeniable signatures. Homomorphic encryption and commitment schemes have been used in mix-nets, voting, anonymous credentials, and other multi-party computation systems.


Additionally, homomorphic non-interactive zero knowledge (NIZK) is used for homomorphic encryption, which allows computing any generic functions of encrypted data without decryption. Homomorphic NIZK may be applied in scenarios such as cloud computing and searchable encryption. Homomorphic proofs may also be useful in these contexts.


Homomorphic proofs bring delegatability of proofs to another level. A proof's statement often consists of some commitments of variables (witnesses) and some conditions. A proof may be randomizable or malleable. As such, it is possible to generate a new proof and to randomize the statement's commitments without witness. However, the statement's conditions stay the same.


Homomorphic proofs allow generating a new proof for a new statement containing new conditions, without any witness. A user can delegate the user's proving capability to another user by revealing some homomorphic proofs. By linearly combining these proofs and their statements, the delegatee could generate several new proofs for several other statements with different conditions.


In one embodiment, homomorphic proofs may be used in blacklisting delegatable, anonymous credentials. Using delegatable NM proofs of accumulators, changing a blacklist may be treated like changing a statement's conditions. In one embodiment, delegating proofs is not restrained to retaining the same statements' conditions. Rather, proofs may be delegated where the statements' conditions are dynamic.


Typically, the blacklisting of anonymous credentials involves the use of the accumulator 102. Identities of revoked credentials are accumulated in a blacklist, e.g., the accumulator value 106. A user proves that the user's credential is not revoked by using the accumulator's NM proof, whose cost is constant, to prove that the credential's identity is not accumulated.


In one embodiment, when a delegatable credential is revoked, all delegated descendants of the credential may also be revoked. Accordingly, the system 100 may ask users to anonymously prove that all ancestor credentials are not revoked, even when the blacklist changes.


Using the accumulator 102, user A, without revealing private information, may delegate the ability to prove user A's credential is not blacklisted to user B. As such, proofs generated by A and B may be indistinguishable, even though the blacklist is dynamic. Additionally, the delegation may be unlinkable, i.e., it should be hard to tell if two such delegations come from the same delegator.


Further, user B may also be able to delegate the ability to prove that A's credential is not blacklisted to user C, such that the information C obtains from the redelegation is indistinguishable from the information obtained from user A's delegation. When receiving delegation information, one may be able to verify that such information is correctly built.


The system 100 is described in greater detail in the following sections. Section 2 describes proof systems 108. Section 3 discusses homomorphic proofs. In section 4, the accumulator 102 is described in greater detail. A model is described for the accumulator 102, which is extended to define security requirements for delegatable NM proofs. Section 5 describes a scheme for the accumulator 102 with delegatable non-membership proofs.


In section 6, revoking delegatable anonymous credentials is described. Security of the accumulator scheme and the delegatable anonymous credentials with revocation system is proven.


Section 7 describes an example implementation. Section 8 is an appendix that provides proofs to theorems discussed in the following sections.


The following discussion uses, as examples, constructions in the symmetric external Diffie Hellman (SXDH) or symmetric decisional linear (SDLIN) instantiations of GS proofs, as these constructions enable the use of efficient curves for pairings.


2. Proof Systems


The following discussion includes a number of references and equations. As such, some abbreviations and notation are used for clarity. Further, a brief list of definitions is provided. These are briefly described as follows.


The abbreviations used include PPT, CRS, Pr, NM, and ADNMP. PPT stands for probabilistic polynomial time. CRS stands for common reference string. Pr stands for probability. NM stands for non-membership. ADNMP stands for the accumulator 102 with delegatable non-membership proofs.


The notation “←” represents random output. The notation $\mathbb{G}^* := \mathbb{G} \setminus \{O\}$ represents a group $\mathbb{G}$ with identity $O$. $\mathrm{Mat}_{m \times n}(\mathcal{R})$ is the set of matrices with size $m \times n$ of elements in $\mathcal{R}$. For a matrix $\Gamma$, $\Gamma[i, j]$ represents the value at row $i$ and column $j$. A vector $\vec{z}$ of $l$ elements can be seen as a matrix of $l$ rows and 1 column. For a vector or tuple $z$, the term $z[i]$ represents the $i$th element. Notations of algorithms may omit inputs, such as public parameters, when appropriate.


Definition: Bilinear Pairings. For example, let $\mathbb{G}_1$ and $\mathbb{G}_2$ be cyclic additive groups of prime order $p$ generated by $P_1$ and $P_2$, respectively. Further, let $\mathbb{G}_T$ be a cyclic multiplicative group of order $p$. An efficiently computable bilinear pairing $e: \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ satisfies: $e(aP, bQ) = e(P, Q)^{ab}$, $\forall P \in \mathbb{G}_1$, $Q \in \mathbb{G}_2$, $a, b \in \mathbb{Z}_p$; and $e(P_1, P_2)$ generates $\mathbb{G}_T$.


Definition: Symmetric eXternal Diffie Hellman (SXDH). For bilinear setup (p, custom character, e, P1, P2) with prime p, eXternal Diffie-Hellman (XDH) assumes that the Decisional Diffie-Hellman (DDH) problem is computationally hard in one of $\mathbb{G}_1$ or $\mathbb{G}_2$. Symmetric XDH (SXDH) assumes that DDH is hard in both $\mathbb{G}_1$ and $\mathbb{G}_2$.


2.1 Non-Interactive Proof System


Let R be an efficiently computable relation of (Para, Sta, Wit) with setup parameters: Para, a statement, Sta, and a witness, Wit. A non-interactive proof system for R consists of 3 PPT algorithms: a Setup, a prover, Prove, and a verifier, Verify. A non-interactive proof system (Setup, Prove, Verify) is typically complete and sound.


Completeness means that for every PPT adversary custom character, Pr[Para←Setup($1^k$); (Sta, Wit)←custom character(Para); Proof←Prove(Para, Sta, Wit): Verify(Para, Sta, Proof)=1 if (Para, Sta, Wit) ∈ R] is overwhelming.


Soundness means that for every PPT adversary custom character, Pr[Para←Setup($1^k$); (Sta, Proof)←custom character(Para): Verify(Para, Sta, Proof)=0 if (Para, Sta, Wit) ∉ R, ∀Wit] is overwhelming.


Zero-knowledge. A non-interactive proof system is Zero-Knowledge (ZK), if the proof does not reveal any information except proving that the statement is true. Witness Indistinguishability (WI) may prevent the verifier from determining which witness was used in the proof. A non-interactive proof system is composable ZK if there exists a PPT simulation algorithm outputting a trapdoor and parameters indistinguishable from Setup's output. Further, the non-interactive proof system is composable ZK if, under the simulated parameters, ZK holds even when the adversary knows the trapdoor. Composable ZK implies the standard ZK.


Randomizing Proofs and Commitments. A randomizable non-interactive proof system has another PPT algorithm, RandProof, that takes as input (Para, Sta, Proof) and outputs another valid proof, Proof′. The Proof′ may be indistinguishable from a proof produced by Prove.


A PPT commitment algorithm, Com, binds and hides a value, x, with a random opening, r. Informally, a commitment scheme is randomizable if there exists a PPT algorithm, ReCom, such that ReCom(Com(x, r), r′)=Com(x, r+r′). Sta and Proof may contain commitments of variables.


A non-interactive proof system is malleable if it is efficient to randomize the proof and its statement's commitments to get a new proof which is valid for the new statement. When possible, concatenation of two proofs is a proof that merges setup parameters and all commitments and proves the combination of conditions. From a proof, Proof, a projected proof is obtained by moving some commitments from the statement to Proof.


Partial Extractability. A non-interactive proof of knowledge (NIPK) system (Setup, Prove, Verify) is F-extractable for a bijection, F, if there is a PPT extractor (ExSet, ExWit) such that ExSet's output Para is distributed identically to Setup's output, and if, for every PPT adversary, custom character, Pr[(Para, td)←ExSet($1^k$); (Sta, Proof)←custom character(Para); Ext←ExWit(td, Sta, Proof): Verify(Para, Sta, Proof)=1 ∧ (Para, Sta, $F^{-1}$(Ext)) ∉ R] is negligible. Similar to approaches in P-signatures and non-interactive anonymous credentials, the notations, NIPK or NIZKPK (ZK for zero knowledge), are used for a statement consisting of commitments $C_1, \ldots, C_k$ of witness' variables $x_1, \ldots, x_k$ and some Condition:

  • Proof←NIPK[$x_1$ in $C_1$, . . . , $x_k$ in $C_k$]{F(Para, Wit): Condition(Para, Wit)}.


2.2 Groth-Sahai (GS) Proofs


Bilinear Map Modules. Given a finite commutative ring $(\mathcal{R}, +, \cdot, 0, 1)$, an abelian group $(A, +, 0)$ is an $\mathcal{R}$-module if $\forall r, s \in \mathcal{R}$, $\forall x, y \in A$: $(r+s)x = rx + sx \wedge r(x+y) = rx + ry \wedge r(sx) = (rs)x \wedge 1x = x$. Let $A_1, A_2, A_T$ be $\mathcal{R}$-modules with a bilinear map $f: A_1 \times A_2 \to A_T$. Let $B_1, B_2, B_T$ be $\mathcal{R}$-modules with a bilinear map $F: B_1 \times B_2 \to B_T$ and efficiently computable maps $l_1: A_1 \to B_1$, $l_2: A_2 \to B_2$ and $l_T: A_T \to B_T$. Maps $p_1: B_1 \to A_1$, $p_2: B_2 \to A_2$ and $p_T: B_T \to A_T$ may be challenging to compute and satisfy the commutative properties: $F(l_1(x), l_2(y)) = l_T(f(x, y))$ and $f(p_1(x), p_2(y)) = p_T(F(x, y))$. For $\vec{x} \in A_1^n$ and $\vec{y} \in A_2^n$, denote $\vec{x} \cdot \vec{y} = \sum_{i=1}^{n} f(x[i], y[i])$. For $\vec{c} \in B_1^n$ and $\vec{d} \in B_2^n$, denote $\vec{c} \bullet \vec{d} = \sum_{i=1}^{n} F(c[i], d[i])$.


Setup. GS parameters, Para, includes setup $Gk$ and CRS $\sigma$. $Gk := (\mathcal{R}, \{A_1^{(i)}, A_2^{(i)}, A_T^{(i)}, f^{(i)}\}_{i=1}^{L})$ where $A_1^{(i)}, A_2^{(i)}, A_T^{(i)}$ are $\mathcal{R}$-modules with map $f^{(i)}: A_1^{(i)} \times A_2^{(i)} \to A_T^{(i)}$. $L$ is the number of equations in a statement to be proved. $\sigma := (\{B_1^{(i)}, B_2^{(i)}, B_T^{(i)}, F^{(i)}, l_1^{(i)}, p_1^{(i)}, l_2^{(i)}, p_2^{(i)}, l_T^{(i)}, p_T^{(i)}, \vec{u}_1^{(i)}, \vec{u}_2^{(i)}, H_1^{(i)}, \ldots, H_{\eta_i}^{(i)}\}_{i=1}^{L})$ where $B_1^{(i)}, B_2^{(i)}, B_T^{(i)}, F^{(i)}, l_1^{(i)}, p_1^{(i)}, l_2^{(i)}, p_2^{(i)}, l_T^{(i)}, p_T^{(i)}$ are described above. $\vec{u}_1^{(i)}$ consists of $\hat{m}^{(i)}$ elements in $B_1^{(i)}$ and $\vec{u}_2^{(i)}$ consists of $\hat{n}^{(i)}$ elements in $B_2^{(i)}$. They are commitment keys for $A_1^{(i)}$ and $A_2^{(i)}$ respectively, as discussed below.


Matrices $H_1^{(i)}, \ldots, H_{\eta_i}^{(i)} \in \mathrm{Mat}_{\hat{m}^{(i)} \times \hat{n}^{(i)}}(\mathcal{R})$ generate all matrices $H^{(i)}$ satisfying $\vec{u}_1^{(i)} \bullet H^{(i)} \vec{u}_2^{(i)} = 0$. In some scenarios, $A_k^{(i)} \equiv A_l^{(j)}$ for some $k, l \in \{1, 2\}$ and $i, j \in \{1, \ldots, L\}$. In such a scenario, the following limitation applies: $(B_k^{(i)}, l_k^{(i)}, p_k^{(i)}, \vec{u}_k^{(i)}) \equiv (B_l^{(j)}, l_l^{(j)}, p_l^{(j)}, \vec{u}_l^{(j)})$.


Statement. A GS statement is a set of L equations. Each equation is over custom character-modules A1, A2, AT with map ƒ: A1×A2→AT as follows:


$$\sum_{j=1}^{n} f(a_j, y_j) + \sum_{i=1}^{m} f(x_i, b_i) + \sum_{i=1}^{m} \sum_{j=1}^{n} \gamma_{ij} f(x_i, y_j) = t,$$


where variables $x_1, \ldots, x_m \in A_1$ and $y_1, \ldots, y_n \in A_2$ and coefficients $a_1, \ldots, a_n \in A_1$, $b_1, \ldots, b_m \in A_2$ and $t \in A_T$. For any matrix $\Gamma \in \mathrm{Mat}_{m \times n}(\mathcal{R})$, it holds that $\vec{x} \cdot \Gamma \vec{y} = \Gamma^{T} \vec{x} \cdot \vec{y}$ and $\vec{x} \bullet \Gamma \vec{y} = \Gamma^{T} \vec{x} \bullet \vec{y}$. As such, each equation may be written as $\vec{a} \cdot \vec{y} + \vec{x} \cdot \vec{b} + \vec{x} \cdot \Gamma \vec{y} = t$.


A GS statement can be viewed as a set $\{(\vec{a}_i, \vec{b}_i, \Gamma_i, t_i)\}_{i=1}^{L}$ over the corresponding set of bilinear groups $\{A_1^{(i)}, A_2^{(i)}, A_T^{(i)}, f^{(i)}\}_{i=1}^{L}$ satisfying equations $\vec{a}_i \cdot \vec{y}_i + \vec{x}_i \cdot \vec{b}_i + \vec{x}_i \cdot \Gamma_i \vec{y}_i = t_i$. The witness is the set of corresponding variables $\{\vec{x}_i, \vec{y}_i\}_{i=1}^{L}$.


Commitment. Given keys $\vec{u}_1 \in B_1^{\hat{m}}$ and $\vec{u}_2 \in B_2^{\hat{n}}$, commitments of $\vec{x} \in A_1^{m}$ and $\vec{y} \in A_2^{n}$ are respectively computed as $\vec{c} := l_1(\vec{x}) + R\vec{u}_1$ and $\vec{d} := l_2(\vec{y}) + S\vec{u}_2$, where $R \leftarrow \mathrm{Mat}_{m \times \hat{m}}(\mathcal{R})$ and $S \leftarrow \mathrm{Mat}_{n \times \hat{n}}(\mathcal{R})$. Further, $\vec{c} \in B_1^{m}$ and $\vec{d} \in B_2^{n}$. The commitment keys could be one of two types: hiding and binding. Hiding keys satisfy $l(A_1)$ $(\vec{u}_1)$ and $l(A_2)$ $(\vec{u}_2)$. As such, the commitments are perfectly hiding. Binding keys satisfy $p_1(\vec{u}_1) = \vec{0}$ and $p_2(\vec{u}_2) = \vec{0}$, and the maps $l_1 \circ p_1$ and $l_2 \circ p_2$ are non-trivial. If they are identity maps, then the commitments are perfectly binding.


Proof. For a statement consisting of several $(\vec{a}, \vec{b}, \Gamma, t)$ and a witness of corresponding variables $(\vec{x}, \vec{y})$, the proof includes commitments $(\vec{c}, \vec{d})$ of the variables and corresponding pairs $(\vec{\pi}, \vec{\psi})$, computed as follows. Generate $R \leftarrow \mathrm{Mat}_{m \times \hat{m}}(\mathcal{R})$, $S \leftarrow \mathrm{Mat}_{n \times \hat{n}}(\mathcal{R})$, $T \leftarrow \mathrm{Mat}_{\hat{n} \times \hat{m}}(\mathcal{R})$ and $r_1, \ldots, r_\eta$ custom character. Compute $\vec{c} := l_1(\vec{x}) + R\vec{u}_1$; $\vec{d} := l_2(\vec{y}) + S\vec{u}_2$; $\vec{\pi} := R^{T} l_2(\vec{b}) + R^{T} \Gamma l_2(\vec{y}) + R^{T} \Gamma S \vec{u}_2 - T^{T} \vec{u}_2 + \sum_{i=1}^{\eta} r_i H_i \vec{u}_2$; and $\vec{\psi} := S^{T} l_1(\vec{a}) + S^{T} \Gamma^{T} l_1(\vec{x}) + T\vec{u}_1$. Dimension of $\vec{b}$, $\vec{x}$ and $\vec{c}$ is $m$, dimension of $\vec{a}$, $\vec{y}$ and $\vec{d}$ is $n$, dimension of $\vec{\pi}$ is $\hat{m}$, and dimension of $\vec{\psi}$ is $\hat{n}$. To show that a variable of one equation is the same as another variable of the same or another equation, the same commitment is used for the variables. Verification for each equation's proof may be accomplished by ensuring that $l_1(\vec{a}) \bullet \vec{d} + \vec{c} \bullet l_2(\vec{b}) + \vec{c} \bullet \Gamma \vec{d} = l_T(t) + \vec{u}_1 \bullet \vec{\pi} + \vec{\psi} \bullet \vec{u}_2$.


SXDH Instantiation. Bilinear pairing modules $\mathbb{Z}_p$, $\mathbb{G}_1$, $\mathbb{G}_2$ and $\mathbb{G}_T$ and map $e$ are sufficient to specify all equations in a statement. Accordingly, Para includes setup Gk=(p, custom character, e, P1, P2) and CRS $\sigma = (B_1, B_2, B_T, F, l_1, p_1, l_2, p_2, l_1', p_1', l_2', p_2', l_T, p_T, \vec{u}, \vec{v})$ where $B_1 = \mathbb{G}_1^2$, $B_2 = \mathbb{G}_2^2$ and $B_T := \mathbb{G}_T^4$ with entry-wise group operations. $\mathbb{G}_1$, $\mathbb{G}_2$ and $\mathbb{G}_T$ could be viewed as $\mathbb{Z}_p$-modules with map $e$. Matrices $H_1, \ldots, H_\eta$ are not needed. Vectors $\vec{u}$ of $u_1, u_2 \in B_1$ and $\vec{v}$ of $v_1, v_2 \in B_2$ are commitment keys for $\mathbb{G}_1$ and $\mathbb{G}_2$.


There are 4 types of equations in statements: pairing product, multi-scalar multiplication in $\mathbb{G}_1$, multi-scalar multiplication in $\mathbb{G}_2$, and quadratic equations. For pairing product, $A_1 = \mathbb{G}_1$, $A_2 = \mathbb{G}_2$, $A_T = \mathbb{G}_T$, $f(X, Y) = e(X, Y)$, and equations are $(\vec{A} \cdot \vec{Y})(\vec{X} \cdot \vec{B})(\vec{X} \cdot \Gamma \vec{Y}) = t_T$. For multi-scalar multiplication in $\mathbb{G}_1$, $A_1 = \mathbb{G}_1$, $A_2 = \mathbb{Z}_p$, $A_T = \mathbb{G}_1$, $f(X, y) = yX$, and equations are $\vec{A} \cdot \vec{y} + \vec{X} \cdot \vec{b} + \vec{X} \cdot \Gamma \vec{y} = T_1$. For multi-scalar multiplication in $\mathbb{G}_2$, $A_1 = \mathbb{Z}_p$, $A_2 = \mathbb{G}_2$, $A_T = \mathbb{G}_2$, $f(x, Y) = xY$, and equations are $\vec{a} \cdot \vec{Y} + \vec{x} \cdot \vec{B} + \vec{x} \cdot \Gamma \vec{Y} = T_2$. For quadratic equations, $A_1 = \mathbb{Z}_p$, $A_2 = \mathbb{Z}_p$, $A_T = \mathbb{Z}_p$, $f(x, y) = xy \bmod p$ and equations are $\vec{a} \cdot \vec{y} + \vec{x} \cdot \vec{b} + \vec{x} \cdot \Gamma \vec{y} = t$.


A proof and its verification can then be done as specified in the general GS proofs. GS proofs are WI and, in some cases, ZK. In the SXDH and Decisional Linear (DLIN) instantiations, for statements consisting of only multi-scalar multiplication and quadratic equations, GS proofs are composable ZK.


3. Homomorphic Proofs


3.1 Formalization


As stated previously, an abelian group satisfies five conditions: Closure, Associativity, Commutativity, Identity Element, and Inverse Element.


Definition. Let (Setup, Prove, Verify) be a proof system for a relation R and Para←Setup(1k). Consider a subset Π of all (Sta, Wit, Proof) such that (Para, Sta, Wit) ∈ R and Verify(Para, Sta, Proof)=1, and an operation +Π: Π×Π→Π. Π is said to be a set of homomorphic proofs if (Π, +Π) satisfies Closure, Associativity and Commutativity. For an IΠ:=(Sta0, Wit0, Proof0) ∈ Π, Π is said to be a set of strongly homomorphic proofs if (Π, +Π, IΠ) forms an abelian group where IΠ is the identity element.


If +Π((Sta1, Wit1, Proof1), (Sta2, Wit2, Proof2))custom character(Sta, Wit, Proof), the following notations apply: (Sta, Wit, Proof)←(Sta1, Wit1, Proof1)+Π(Sta2, Wit2, Proof2), Sta←Sta1+ΠSta2, Wit←Wit1+ΠWit2, and Proof←Proof1+ΠProof2. Further, the multiplicative notation n(Sta, Wit, Proof) may be used for the addition of n times of (Sta, Wit, Proof). As such, the notation, Σi αi(Stai, Witi, Proofi), may be used to represent linear combination of statements, witnesses and proofs. These homomorphic properties are particularly useful for randomizable proofs. One can randomize a proof computed from the homomorphic operation to get another proof which is indistinguishable from a proof generated by Prove.


3.2 GS Homomorphic Proofs


Consider a GS proof system (Setup, Prove, Verify) of L equations. Each map l1: A1→B1 satisfies l1(x1+x2)=l1(x1)+l1(x2), ∀x1, x2 ∈ A1, and similarly for l2.


The identity may be defined IGS=(Sta0, Wit0, Proof0). Sta0 consists of L GS equations $(\vec{\alpha}_0, \vec{b}_0, \Gamma_0, t_0)$, Wit0 consists of L corresponding GS variables $(\vec{x}_0, \vec{y}_0)$, Proof0 consists of L corresponding GS proofs $(\vec{c}_0, \vec{d}_0, \vec{\pi}_0, \vec{\psi}_0)$, and there are L tuples of corresponding maps (l1, l2). They satisfy:

  • Let m be the dimension of $\vec{b}_0$, $\vec{x}_0$ and $\vec{c}_0$. There exists a set M {1, . . . , m} such that ∀i ∈ M, b0[i]=0; ∀j ∈ M, x0[j]=0 and c0[j]=l1(0), where M:={1, . . . , m}\M.
  • Let n be the dimension of $\vec{\alpha}_0$, $\vec{y}_0$ and $\vec{d}_0$. There exists a set N {1, . . . , n} such that ∀i ∈ N, α0[i]=0; ∀j ∈ N, y0[j]=0 and d0[j]=l2(0), where N:={1, . . . , n}\N.
  • Both (∀i ∈ M, ∀j ∈ N) and (∀i ∈ M, ∀j ∈ N): Γ0[i, j]=0.
  • t0=0, $\vec{\pi}_0=0$, and $\vec{\psi}_0=0$.


A set ΠGS of tuples (Sta, Wit, Proof) may be defined from the identity IGS. Sta consists of L GS equations $(\vec{\alpha}, \vec{b}, \Gamma, t)$ (corresponding to Sta0's $(\vec{\alpha}_0, \vec{b}_0, \Gamma_0, t_0)$ with m, n, M, N); Wit consists of L corresponding GS variables $(\vec{x}, \vec{y})$; Proof consists of L corresponding GS proofs $(\vec{c}, \vec{d}, \vec{\pi}, \vec{\psi})$; satisfying:

  • ∀i ∈ M, x[i]=x0[i] and c[i]=c0[i]. ∀j ∈ M, b[j]=b0[j].
  • ∀i ∈ N, y[i]=y0[i] and d[i]=d0[i]. ∀j ∈ N, α[j]=α0[j].
  • If (i ∈ M) V (j ∈ N), then Γ[i, j]=Γ0[i, j]. That means ∀i ∈ M, ∀j ∈ N: Γ[i, j]=0.


Operation may be defined as +GS: ΠGS×ΠGS→ΠGS. For i ∈ {1,2} and (Stai, Witi, Proofi) ∈ ΠGS, Stai consists of L GS equations $(\vec{\alpha}_i, \vec{b}_i, \Gamma_i, t_i)$ corresponding to Sta0's $(\vec{\alpha}_0, \vec{b}_0, \Gamma_0, t_0)$. Witi consists of L corresponding GS variables $(\vec{x}_i, \vec{y}_i)$, and Proofi consists of L corresponding GS proofs $(\vec{c}_i, \vec{d}_i, \vec{\pi}_i, \vec{\psi}_i)$.


Compute (Sta, Wit, Proof)←(Sta1, Wit1, Proof1)+GS(Sta2, Wit2, Proof2) of corresponding $(\vec{\alpha}, \vec{b}, \Gamma, t)$, $(\vec{x}, \vec{y})$ and $(\vec{c}, \vec{d}, \vec{\pi}, \vec{\psi})$ as follows.

  • ∀i ∈ M: x[i]:=x1[i]; c[i]:=c1[i]; b[i]:=b1[i]+b2[i]. ∀j ∈ M: b[j]:=b1[j]; x[j]:=x1[j]+x2[j]; c[j]:=c1[j]+c2[j].
  • ∀i ∈ N: y[i]:=y1[i]; d[i]:=d1[i]; α[i]:=α1[i]+α2[i]. ∀j ∈ N: α[j]:=α1[j]; y[j]:=y1[j]+y2[j]; d[j]:=d1[j]+d2[j].
  • If (i ∈ M) V (j ∈ N), then Γ[i, j]:=Γ1[i, j]. Otherwise, Γ[i, j]:=Γ1[i, j]+Γ2[i, j].
  • t=t1+t2, $\vec{\pi}=\vec{\pi}_1+\vec{\pi}_2$, and $\vec{\psi}=\vec{\psi}_1+\vec{\psi}_2$.


Theorem 3.1 In the definitions above, ΠGS is a set of strongly homomorphic proofs with operation +GS and the identity element IGS. A proof of theorem 3.1 is described in greater detail with respect to section 8.


4. Accumulator


4.1 Model


A universal accumulator consists of the following PPT algorithms.

  • Setup takes in $1^l$ and outputs (Para, Aux), where Para is setup parameters containing a domain DomPara of elements to be accumulated and Aux is some auxiliary information.
  • Accu takes in Para and a set of elements AcSet and returns an accumulator value AcVal. In some cases, Accu may also take in Aux to compute AcVal more efficiently. Taking the input as a set, where order makes no difference, rather than as a sequence implies a quasi-commutativity property.
  • A proof system (Setup, ProveMem, VerifyMem) proves that an element Ele is accumulated in AcVal. Note that AcSet is not an input. There is a PPT algorithm, CompMemWit, to compute a membership witness for this proof from Para, Ele, AcSet and AcVal.
  • A non-membership proof system (Setup, ProveNM, VerifyNM) proves that an element Ele is not accumulated in AcVal. Note that AcSet is not an input. There is a PPT algorithm CompNMWit to compute an NM witness for this proof from Para, Ele, AcSet and AcVal.


An accumulator is dynamic if there exist the following 3 PPT algorithms, whose costs should not depend on AcSet's size, for adding or removing an accumulated element Ele. UpdateVal, whose input includes Para, Ele, the current accumulator value AcVal and Aux, updates the accumulator value. UpdateMemWit, whose input includes Para, Ele, the current witness Wit and AcVal, updates membership witnesses. For universal accumulators, UpdateNMWit, whose input includes Para, Ele, the current witness Wit and AcVal, updates NM witnesses.


Security of accumulators is implied by completeness and soundness of the 2 proof systems. Membership proofs are not described herein. As such, a universal accumulator is referred to herein as (Setup, ProveNM, VerifyNM, CompNMWit, Accu).


4.2 Delegatable NM Proofs for Accumulators


Delegating ability to prove statements is to allow someone else to prove the statements on one's behalf without revealing the witness, even if the statements' conditions are changing over time. For privacy reasons, adversaries could not distinguish different delegations coming from different users. Moreover, the delegatee could verify a delegation and unlinkably redelegate the proving ability further to other users.


Therefore, delegating an accumulator's non-membership proofs should meet 4 conditions: delegatability, unlinkability, redelegatability, and verifiability. Delegatability means that an element Ele's owner may delegate her ability to prove that Ele is not accumulated without simply revealing Ele. Even if the set of accumulated elements changes over time, the delegatee does not contact the delegator again to generate the proof. Instead, the owner of the proof gives the delegatee a key De generated from Ele. The proof generated from De by CompProof is indistinguishable from a proof generated by ProveNM.


Unlinkability means that a delegatee should not be able to distinguish whether or not 2 delegating keys originate from the same element. Unlinkability implies that it is computationally hard to compute an element from the element's delegating keys.


Redelegatability means that the delegatee may redelegate De as De′ to other users, so that the distributions of De and De′ are indistinguishable. Verifiability means that one should be able to validate that a delegating key De is correctly built.


Definition: A universal accumulator (Setup, ProveNM, VerifyNM, CompNMWit, Accu) provides delegatable non-membership proofs if there exist PPT algorithms: delegating Dele, redelegating Rede, validating Vali, and computing proof CompProof. These algorithms may satisfy:

  • Delegatability: For every PPT algorithm (custom character1, custom character2), |Pr[(Para, Aux)←Setup(1k); (Ele, AcSet, state)←custom character1 (Para); AcVal←Accu(Para, AcSet); Wit←CompNMWit(Para, Ele, AcSet, AcVal); Proof0←ProveNM(Para, AcVal, Wit); De←Dele(Para, Ele); Proof1←CompProof(Para, De, AcSet, AcVal); b←{0,1}; b′←custom character2(state, AcVal, Wit, De, Proofb): (Ele ∉AcSet) custom character b=b′]−½| is negligible.
  • Unlinkability: For every PPT algorithm custom character, |Pr[(Para, Aux)←Setup(1k); (Ele0,Ele1)←DomPara; De←Dele (Para, Ele0); b←{0,1}; Deb←Dele(Para, Eleb); b′←custom character(Para, De, Deb): b=b′]−½| is negligible.
  • Redelegatability: For every PPT algorithms (custom character1, custom character2), |Pr[(Para, Aux)←Setup(1k); (Ele, state)←custom character1(Para); De←Dele(Para, Ele); De0←Dele(Para, Ele); De1←Rede (Para, De); b←{0,1}; b′←custom character2(state, De, Deb):b=b′]−½| is negligible.
  • Verifiability: For every PPT algorithm custom character, |Pr[(Para, Aux)←Setup(1k); Ele←custom character(Para); De←Dele(Para, Ele): Vali(Para, De)=1ifEle ∈ DomPara]−1| and |Pr[(Para, Aux)←Setup(1k); De′←custom character(Para): Vali(Para, De′)=0ifDe′ ∉{De|De←Dele(Para, Ele′); Ele′ ∈ DomPara}]−1| are negligible.


However, given an element Ele′, the delegatee can accumulate Ele′ and try to prove that Ele is not accumulated using De. If the delegatee cannot prove that, then Ele≡Ele′. So for any ADNMP, given an element Ele and a delegating key De, one can tell if De is generated by Ele. Due to this restriction, in the accumulator's applications, Ele should be a secret that only its owner or a trusted authority knows.


5. An ADNMP Scheme


In one embodiment, a dynamic universal ADNMP may have its Setup, Accu and UpdateVal generalized from dynamic universal accumulators for Strong Diffie Hellman (SDH) groups.


Setup: GS instantiations may be used where GS proofs for this accumulator are composable ZK. As the corresponding GS proofs may be limited to multi-scalar or quadratic equations, either the SXDH or SDLIN instantiations may be used, as explained in section 2. For clarity, the following discussion merely uses SXDH as an example.


Parameters $(p, \mathbb{G}, e, P_1, P_2)$ and CRS $\sigma$ may be generated with perfectly binding keys for the SXDH instantiation of GS proofs as described in section 2. Auxiliary information $Aux=\delta\leftarrow\mathbb{Z}_p^*$ may also be generated. For the proof, generate $A\leftarrow\mathbb{G}_1$ and $\tau:=l_2'(\delta)$.


For efficient accumulating without Aux, a tuple ζ=(P1, δP1, . . . , δq+1 P1) is needed, where q ∈ custom characterp*. The domain for elements to be accumulated is custom character=custom characterp* \{−δ}. Accordingly, the parameters may be described as Para=(p, custom character, e, P1, P2, A, σ, ζ, τ).


Accu: On input AcSet={α1, . . . , αQ} ⊂ custom character, compute m=Q/q. If Aux=δ is available, the output AcVal is a set of m component accumulator values $\{V_j\}_{j=1}^{m}$ computed as $V_j=\prod_{i=(j-1)q+1;\, i<Q}(\delta+\alpha_i)\,\delta P_1$. If Aux is not available, AcVal is efficiently computable from ζ and AcSet.


UpdateVal: In case α′ ∈ custom character is being accumulated; from 1 to m, find the first Vj which hasn't accumulated q elements and update Vj′=(δ+α′)Vj; if such Vj could not be found, add Vm+1=(δ+α′)δP1. In case α′ is removed from AcVal, find Vj which contains α′ and update Vj′=1/(δ+α′)Vj.


Remarks. Typically, q of ζ is the upper bound on the number of elements to be accumulated in accumulators, i.e., m=1. In one embodiment, the upper bound may be relaxed by the above generalization which allows this ADNMP to work whether or not q is less than the number of accumulated elements. It also allows q to be set up smaller.


5.1 NM Proof


It may be proven that an element y2 custom character is not in any component accumulator value Vj of AcVal {Vj}j=1m. Suppose Vj accumulates {α1, . . . , αk} where k≦q, denote Poly(δ):=Πi=1k (δ+αi)δ, then Vj=Poly(δ)P1. Let yj3 be the remainder of polynomial division Poly(δ) mod (δ+y2) in Zp, and Xj1 be scalar product of the quotient and P1. Similar to universal, dynamic accumulators for DDH groups, constructing non-membership proofs may be based on the fact that y2 is not a member of {α1, . . . , αk} if and only if yj3≠0. The following equation incorporates δ, y2, yj3 and Xj1: (δ+y2)Xj1+yj3P1=Vj. Proving this equation by itself does not guarantee that yj3 is the remainder of the polynomial division above. Also proven are the knowledge of (yj3P2, yj3A) and the following Extended Strong DH (ESDH) assumption. The following assumption is a variation of the Hidden Strong DH (HSDH) assumption. However, it is not clear which assumption is stronger. It is in the extended uber-assumption family and can be proved in generic groups, similar to HSDH.


Definition. q-ESDH: Let $(p, \mathbb{G}, e, P_1, P_2)$ be bilinear parameters, $A\leftarrow\mathbb{G}_1^*$ and $\delta\leftarrow\mathbb{Z}_p^*$. Given $P_1, \delta P_1, \ldots, \delta^{q+1}P_1, A, P_2, \delta P_2$, it is computationally hard to output

$$\left(\frac{y_3}{\delta+y_2}P_1,\; y_2,\; y_3P_2,\; y_3A\right)$$

where $y_3\neq 0$.


If one could prove the knowledge of (yj3P2, yj3A) satisfying (δ+y2)Xj1+yj3P1=V and y2 is accumulated in V but yj3≠0, then the assumption may be broken. To prove the knowledge of (yj3P2, yj3A), the proof includes the equation Xj3−yj3A=0. To verify yj3≠0, the proof includes the equation Tj=yj3Xj2 and the verifier checks Tj≠0. Following is a description of the non-membership proof and its security.


CompNMWit takes in y2, and for each component accumulator value Vj of AcVal {Vj}j=1m, computes remainder yj3 of Poly(δ) mod (δ+y2) in Zp which is efficiently computable from {α1, . . . , αk} and y2. It then computes Xj1=(Poly(δ)−yj3)/(δ+y2)P1, which is efficiently computable from {α1, . . . , αk}, y2 and ζ. The witness includes y2 and {(Xj1, Xj3=yj3A, yj3)}j=1m. UpdateNMWit is for one Vj at a time and similar to universal, dynamic accumulators for DDH groups. However, UpdateNMWit includes the extra task of updating Xj3=yj3A.


ProveNM generates $X_{j2}\leftarrow\mathbb{G}_1^*$ and outputs $T_j=y_{j3}X_{j2}$ for each $V_j$ and a GS proof for the following equations of variables $y_1=\delta$, $y_2$ and $\{(X_{j1}, X_{j3}, X_{j2}, y_{j3})\}_{j=1}^{m}$: $\bigwedge_{j=1}^{m}\big((y_1+y_2)X_{j1}+y_{j3}P_1=V_j \wedge X_{j3}-y_{j3}A=0 \wedge y_{j3}X_{j2}=T_j\big)$.


Note that the prover does not need to know y1. From τ, it is efficient to generate a commitment of δ and the proof.


VerifyNM verifies the proof generated by ProveNM and checks that Tj≠0, ∀j. VerifyNM accepts if both checks pass; otherwise it rejects.


Theorem 5.1 The proof system proves that an element is not accumulated. Its soundness depends on the ESDH assumption. Its composable ZK depends on the assumption underlying the GS instantiation (SXDH or SDLIN). A proof sketch of theorem 5.1 is described in section 8.


5.2 NM Proofs are Strongly Homomorphic


For the same constant A, the same variables δ, y2 and Xj2 and the same commitments, the set of non-membership proofs has the form of strongly homomorphic GS proofs constructed in section 3. Accordingly, delegatable non-membership proofs may be constructed from homomorphic proofs. Specifically, the delegatable non-membership proofs may be constructed by ‘adding’ 2 homomorphic proofs of 2 sets of equations (with the same commitments for δ, y2 and Xj2).


More specifically, $\bigwedge_{j=1}^{m}\big((\delta+y_2)X_{j1}^{(1)}+y_{j3}^{(1)}P_1=V_j^{(1)} \wedge X_{j3}^{(1)}-y_{j3}^{(1)}A=0 \wedge y_{j3}^{(1)}X_{j2}=T_j^{(1)}\big)$ and $\bigwedge_{j=1}^{m}\big((\delta+y_2)X_{j1}^{(2)}+y_{j3}^{(2)}P_1=V_j^{(2)} \wedge X_{j3}^{(2)}-y_{j3}^{(2)}A=0 \wedge y_{j3}^{(2)}X_{j2}=T_j^{(2)}\big)$ may form a proof of equations $\bigwedge_{j=1}^{m}\big((\delta+y_2)X_{j1}+y_{j3}P_1=V_j \wedge X_{j3}-y_{j3}A=0 \wedge y_{j3}X_{j2}=T_j\big)$, where $X_{j1}=X_{j1}^{(1)}+X_{j1}^{(2)}$, $X_{j3}=X_{j3}^{(1)}+X_{j3}^{(2)}$, $y_{j3}=y_{j3}^{(1)}+y_{j3}^{(2)}$, $V_j=V_j^{(1)}+V_j^{(2)}$ and $T_j=T_j^{(1)}+T_j^{(2)}$.


5.3 Delegating NM Proof


Following is a description of constructing the accumulator's delegatable non-membership proof. A component accumulator value $V=\prod_{i=1}^{k}(\delta+\alpha_i)\,\delta P_1$ of $\{\alpha_1, \ldots, \alpha_k\}$ can be written as $V=\sum_{i=0}^{k}b_i\,\delta^{k+1-i}P_1$ where $b_0=1$ and $b_i=\sum_{1\le j_1<j_2<\cdots<j_i\le k}\prod_{l=1}^{i}\alpha_{j_l}$. Accordingly, V can be written as a linear combination of $\delta P_1, \ldots, \delta^{k+1}P_1$ in ζ.


Homomorphic proofs can be constructed for each $(\delta+y_2)X_1^{(i)}+y_3^{(i)}P_1=\delta^{i}P_1 \wedge X_3^{(i)}-y_3^{(i)}A=0 \wedge y_3^{(i)}X_2=T^{(i)}$ where $i\in\{1, \ldots, k+1\}$. Using the same linear combination of $\delta P_1, \ldots, \delta^{k+1}P_1$ for V, these proofs can be linearly combined to get a proof for $(\delta+y_2)X_1+y_3P_1=V \wedge X_3-y_3A=0 \wedge y_3X_2=T$, where $X_1=\sum_{i=0}^{k}b_iX_1^{(k+1-i)}$, $X_3=\sum_{i=0}^{k}b_iX_3^{(k+1-i)}$, $y_3=\sum_{i=0}^{k}b_iy_3^{(k+1-i)}$ and $T=\sum_{i=0}^{k}b_iT^{(k+1-i)}$.


Following is a description of the algorithms for delegating non-membership proofs and the security theorem. It should be noted that UpdateProof may be used in place of CompProof when possible for efficiency.


Dele(Para, Ele). For each $i\in\{1, \ldots, q+1\}$, compute remainder $y_3^{(i)}$ of $\delta^{i} \bmod (\delta+y_2)$ in $Z_p$, and $X_1^{(i)}=\frac{\delta^{i}-y_3^{(i)}}{\delta+y_2}P_1$, which are efficiently computable from $y_2$ and ζ. In fact, $y_3^{(i)}=(-1)^{i}y_2^{i}$ and $X_1^{(i+1)}=\sum_{j=0}^{i}(-1)^{j}y_2^{j}\delta^{i-j}P_1=\delta^{i}P_1-y_2X_1^{(i)}$ (so the cost of computing all $X_1^{(i)}$, $i\in\{1, \ldots, q+1\}$ is about q scalar products). Generate $X_2\leftarrow\mathbb{G}_1^*$; the delegation key De includes $\{T^{(i)}=y_3^{(i)}X_2\}_{i=1}^{q+1}$ and a GS proof of equations $\bigwedge_{i=1}^{q+1}\big((\delta+y_2)X_1^{(i)}+y_3^{(i)}P_1=\delta^{i}P_1 \wedge X_3^{(i)}-y_3^{(i)}A=0 \wedge y_3^{(i)}X_2=T^{(i)}\big)$.


Rede(Para, De). For each i ∈ {1, . . . , q+1}, extract proof Proofi of y3(i)X2=T(i) in De. In each Proofi, for the same y3(i) and its commitment, Proofi is of homomorphic form. As such, generate r←Zp* and compute Proofi′=rProofi which is a proof of y3(i)X2′=T′(i), where X2′=rX2 and T′(i)=rT(i). It should be noted that commitments of y3(i) stay the same. For every i ∈ {1, . . . , q+1}, replace T(i) by T′(i) and Proofi by Proofi′ in De to get a new GS proof, which is then randomized to get the output De′.


Vali(Para, De). A simple option is to verify the GS proof De. An alternative way is to use batch verification: Divide De into proofs NMProofi of $(\delta+y_2)X_1^{(i)}+y_3^{(i)}P_1=\delta^{i}P_1 \wedge X_3^{(i)}-y_3^{(i)}A=0 \wedge y_3^{(i)}X_2=T^{(i)}$ for $i\in\{1, \ldots, q+1\}$. Generate q+1 random numbers to linearly combine the proofs NMProofi and their statements and verify the combined proof and statement.


CompProof(Para, De, AcSet, AcVal). Divide De into proofs NMProofi as in Vali.


For each component accumulator value V of {α1, . . . , αk}, compute bi for i ∈ {0, . . . , k} as above. The proofs NMProofi belong to a set of homomorphic proofs, so compute $NMProof=\sum_{i=0}^{k}b_i\,NMProof_{k+1-i}$, which is a proof of $(\delta+y_2)X_1+y_3P_1=V \wedge X_3-y_3A=0 \wedge y_3X_2=T$ where X1, X3, y3, T and V are as explained above.


Extract proof SubProof of y3X2=T in NMProof. For the same y3 and its commitment, SubProof is of homomorphic form. Accordingly, generate r←Zp* and compute SubProof′=rSubProof which is a proof of y3X2′=T′, where X2′=rX2 and T′=rT. Note that y3's commitment stays the same. Replace T by T′ and SubProof by SubProof′ in NMProof to get a new proof NMProof′.


Concatenate those NMProof′ of all V in AcVal and output a randomization of the concatenation.


UpdateProof(Para, De, AcSet, AcVal, Proof, Opens). Proof is the proof to be updated and Opens contains openings for randomizing commitments of y1=δ and y2 from De to Proof. If there is a change in accumulated elements of a component value V, NMProof′ may be computed for the updated V as in CompProof. Randomize NMProof′ so that its commitments of y1 and y2 are the same as those in Proof and put it in Proof in place of its old part. Output a randomization of the result.


To prove that this construction provides an ADNMP, the following Decisional Strong Diffie Hellman (DSDH) assumption may be used. This assumption is not in the uber-assumption family, but can be proved in generic groups similarly to the PowerDDH assumption. A proof sketch of theorem 5.2 is described in section 8.


Definition. q-DSDH: Let $(p, \mathbb{G}, e, P_1, P_2)$ be bilinear parameters, $B_0, B_1\leftarrow\mathbb{G}_1^*$, $x_0, x_1\leftarrow\mathbb{Z}_p^*$ and $b\leftarrow\{0,1\}$. Given $B_0, x_0B_0, \ldots, x_0^{q}B_0, B_1, x_bB_1, \ldots, x_b^{q}B_1$, no PPT algorithm could output $b'=b$ with a probability non-negligibly better than a random guess.


Theorem 5.2 The accumulator provides delegatable non-membership proofs, based on ESDH, DSDH and the assumption underlying the GS instantiation (SXDH or SDLIN).


6. Revoking Delegatable Anonymous Credentials


6.1 Model


This is a model of delegatable anonymous credential with revocation systems. For each credential proof, a user uses a new nym which is indistinguishable from the user's other nyms. Another type of nyms may be used for revocation, referred to herein as r-nyms to distinguish between the 2 types. When an r-nym is revoked, its owner can no longer prove credentials. Participants include users and the blacklist authority 104 owning a blacklist, BL, which is initially empty. The PPT algorithms are:

  • Setup(1k) outputs trusted public parameters ParaDC, BA's secret key SkBA, and an initially empty blacklist BL.
  • KeyGen(ParaDC) outputs a secret key Sk and a secret r-nym Rn for a user.
  • NymGen(ParaDC, Sk, Rn) outputs a new nym Nym with an auxiliary key Aux(Nym).
  • A user O becomes a root credential issuer by publishing a nym NymO and a proof that her r-nym RnO is not revoked, which O has to update when BL changes.
  • Issue(ParaDC, NymO, SkI, RnI, NymI, Aux(NymI), Cred, DeInf, NymU, L) ↔ Obtain(ParaDC, NymO, SkU, RnU, NymU, Aux(NymU), NymI, L) lets user I issue a level L+1 credential to user U. SkI, RnI, NymI and Cred are the secret key, r-nym, nym and level L credential rooted at NymO of issuer I. SkU, RnU and NymU are the secret key, r-nym and nym of user U. I gets no output and U gets a credential CredU. DeInf is optional. When it is included, U also gets delegation information DeInfU to later prove that r-nyms of all delegators in her chain are not revoked. If L=0 then Cred is omitted and DeInf=1 (optional).
  • Revoke(ParaDC,SkBA,Rn,BL) updates BL so that a revoked user Rn cannot prove credentials or delegate.
  • CredProve(ParaDC, NymO, Cred, DeInf, Sk, Rn, Nym, Aux(Nym), BL, L) takes a level L credential Cred, Sk, Rn and optionally DeInf to output CredProof, which proves that: (i) a credential level L is issued to Nym's owner. (ii) Nym's Rn is not revoked. (iii)(optional, when DeInf is included) all r-nyms on the credential's chain are not revoked.
  • CredVerify(ParaDC, NymO, CredProof, Nym, BL, L) verifies if CredProof is a valid proof of the above statements.


The differences between the model for delegatable anonymous credentials with revocation and the model for delegatable anonymous credentials without revocation are the introductions of the blacklist authority 104 with SkBA and BL; r-nyms; delegation information DeInf; Revoke; and 2 CredProof's conditions (ii) and (iii).


Generally speaking, delegability does not implicate anonymity. Nor is the reverse true, such as in this case. Suppose user I delegates to user U the ability to prove that I is not revoked in BL (U knows I by NymI). Then, in any construction, given an r-nym Rn, U and the blacklist authority 104 can collude to tell if Rn belongs to NymI or not by blacklisting Rn and checking if U can still prove that I is not revoked. As such, it may be useful for a user to keep the r-nym secret. Otherwise, the user may not know that such delegation could compromise the user's anonymity when issuing. It is still the user's right to delegate (or not) that proving ability (by issuing DeInf or not).


Advantageously, even in worst cases, a collusion of the blacklist authority 104 and the delegatee may only learn if an r-nym belongs to a delegator from Issue↔Obtain. Other privacy properties, such as anonymity of CredProof, Nym and the delegatee, may still be maintained.


This limitation will be reflected in the Anonymity definition and is related to the restriction on ADNMP mentioned in section 4.2. When a BL is implemented by using ADNMP to accumulate revoked Rns, given an Rn′ and an ADNMP delegating key De, a user can collude with the blacklist authority 104 to tell if De is generated by Rn′.


Exposing r-nyms. Typical methods for the blacklist authority 104 may be used to obtain r-nyms to revoke. There could be an authority that may force any user to reveal the user's r-nym to BA, and prove the user's ownership by using CredProve and showing openings of his r-nym's commitment.


For example, users may give deposits to the authority when entering the system. If a user does not follow the enforcement, the deposit may be forfeited. If such an enforcement is difficult, another method adopted from group signatures is an Opening Authority who can open any disputed CredProof to find its generator's r-nym. Another option includes a Nym Authority that controls users' r-nyms and makes requests to the blacklist authority 104 to revoke r-nyms.


6.2 Security


According to an embodiment, the security includes three conditions which are extended from the security definition of delegatable anonymous credentials: correctness, anonymity, and unforgeability.


Correctness: Suppose all participants are honest. A user gets valid credentials from issuers. If the user is not revoked, the user may generate a credential proof that is typically accepted by a verifier, whether or not the user's credential chain is partially revoked. If the user's whole credential chain is partially revoked, the user may generate a credential proof, which is usually accepted.


Anonymity means that an adversary, who could collude with some participants in the system, can not gain any information about honest participants. The adversary's interaction with honest parties is indistinguishable from interaction with simulators, including SimSetup, SimProve, SimObtain and SimIssue. Additions to the security definition for delegatable anonymous credentials include Nym and DeInf. Nym reveals no information about its r-nym. New entities' r-nyms, blacklist and delegation information could be generated as part of challenges by the adversary to simulators. For scenarios when DeInf is included, when interacting with SimIssue, r-nyms on the chain of issuer's credentials are randomly generated and not revealed to the adversary. As discussed above, a user and the blacklist authority 104 can tell if a given r-nym belongs to one of the delegators on the user's chain.


Unforgeability: It means that an adversary, who could interact with the system in many ways, could not forge a valid credential proof for a challenge Nym of an r-nym and a secret key, which are in one of rogue conditions. Unforgeability also assumes complete binding of Nyms, so that one r-nym and one key could be extracted from a Nym. The adversary's interaction with the system is modelled by an Oracle that may perform several tasks based on the adversary's request.


The additions to the unforgeability definition for delegatable anonymous credentials include the following. The Oracle maintains a list of honest parties, which may or may not include BA. Apart from the condition that there is no chain of honest users who delegate the challenge Nym, another rogue condition is that the challenge r-nym is blacklisted by an honest BA. If a credential proof is used to prove that all users on its chain are not revoked, another rogue condition is that a user on the challenge Nym's credential chain is blacklisted by an honest BA.


6.3 A Scheme


Overview. Intuitions of the BCCKLS delegatable anonymous credential scheme are described, along with how ADNMP extends this scheme to provide revocation.


BCCKLS uses an F-Unforgeable certification secure authentication scheme AU of PPT algorithms AtSetup, AuthKg, Authen, VerifyAuth. AtSetup(1k) returns public parameters ParaAt, AuthKg(ParaAt) generates a key Sk, Authen(ParaAt, Sk, $\vec{m}$) produces an authenticator Auth authenticating a vector of messages $\vec{m}$, and VerifyAuth(ParaAt, Sk, $\vec{m}$, Auth) accepts if and only if Auth validly authenticates $\vec{m}$ under Sk. The scheme could be F-Unforgeable for a function F, which means (F($\vec{m}$), Auth) is unforgeable without obtaining an authenticator on $\vec{m}$; or certification secure, which means no PPT adversary, even after obtaining an authenticator by the challenge secret key, can forge another authenticator. Additionally, BCCKLS uses a protocol (AuthPro) for a user to obtain from an issuer an NIZKPK of an authenticator on $\vec{m}$ without revealing anything about $\vec{m}$.


A user U could generate a secret key Sk←AuthKg(ParaAt), and many nyms Nym=Com(Sk, Open) by choosing different values Open. Supposing U has a level L+1 credential from O, let (SkO=SkO, Sk1, . . . , SkL, SkL+1=Sk) be the keys such that Ski's owner delegated the credential to Ski+1, and let H: {0,1}*→Zp be a collision resistant hash function. ri=H(NymO, attributes, i) is computed for a set of attributes for that level's credential. U generates a proof of her delegated credential as CredProof←NIZKPK[SkO in NymO, Sk in Nym] {(F(SkO), F(Sk1), . . . , F(SkL), F(Sk), auth1, . . . , authL+1):


VerifyAuth(SkO, (Sk1, r1), auth1) ∧ VerifyAuth(Sk1, (Sk2, r2), auth2) ∧ . . . ∧ VerifyAuth(SkL−1, (SkL, rL), authL) ∧ VerifyAuth(SkL, (Sk, rL+1), authL+1)}.


ADNMP may extend BCCKLS to provide revocation. Using ADNMP, BA's blacklist, BL, includes an accumulated set of revoked Rns and its accumulator value. Beside a secret key Sk, user U has a secret r-nym Rn in the accumulator's domain, and generates nyms Nym=(Com(Sk, OpenSk), Com(Rn, OpenRn)). ADNMP allows delegation and redelegation of a proof that an Rn is not accumulated in a blacklist Rn ∉BL. U generates a proof of the delegated credential and validity of the credential's chain as:

  • CredProof←NIZKPK[SkO in NymO[1], Sk in Nym[1], Rn in Nym[2]] {(F(SkO), F(Sk1), F(Rn1), . . . , F(SkL), F(RnL), F(Sk), F(Rn), auth1, . . . , authL, authL+1): VerifyAuth(SkO, (Sk1, Rn1, r1), auth1) ∧ (Rn1 ∉ BL) ∧ VerifyAuth(Sk1, (Sk2, Rn2, r2), auth2) ∧ (Rn2 ∉ BL) ∧ . . . ∧ VerifyAuth(SkL−1, (SkL, RnL, rL), authL) ∧ (RnL ∉ BL) ∧ VerifyAuth(SkL, (Sk, Rn, rL+1), authL+1) ∧ (Rn ∉ BL)}.


EQUATION 1

Description. The building blocks consist of: (i) Those from BCCKLS, including AU; AuthPro; H; and a malleable NIPK credential proof system (CredPS) of PKSetup, PKProve, PKVerify, RandProof, with commitment Com; (ii) An accumulator with a randomizable delegatable non-membership proof system (NMPS) of AcSetup, ProveNM, VerifyNM, CompNMWit, Accu, Dele, Rede, Vali, CompProof, with commitment ComNM; and (iii) A randomizable proof system (EQPS), whose setup consists of PKSetup and AcSetup, to prove that 2 given commitments by Com and ComNM commit to the same value.


Assume a delegating key De contains a commitment of its element Ele. CompProof and Rede generate Ele's commitment in their outputs by randomizing the commitment in De. Elements of the accumulator domain and the authenticator's keyspace can be committed by Com.


The BCCKLS building blocks could be instantiated as in delegatable anonymous credentials. An ADNMP instantiation is presented in section 4. Additionally, an equality proof system (EQPS) instantiation with composable ZK can be constructed from p-signatures and noninteractive anonymous credentials. They all share the same bilinear pairing parameters, so elements of the accumulator domain and the authenticator's keyspace are in ℤp and committable by Com. The concatenation of instantiated CredPS, NMPS and EQPS forms a GS proof system and thereby is randomizable, partially extractable, and composable ZK. The following algorithm inputs are the same as in the model and omitted.

  • Setup: Use PKSetup(1k), AtSetup(1k) and AcSetup(1k) to generate ParaPK, ParaAt, and (ParaAc, AuxAc). The blacklist includes an accumulated set of revoked r-nyms and its accumulator value. Output an initial blacklist BL with an empty set and its initial accumulator value, ParaDC=(ParaPK, ParaAt, ParaAc, H), and SkBA=AuxAc.
  • KeyGen: Run AuthKg(ParaAt) to output a secret key Sk. Output a random r-nym Rn from the accumulator's domain.
  • NymGen: Generate random OpenSk and OpenRn, and output nym Nym=(Com(Sk, OpenSk), Com(Rn, OpenRn)) and Aux(Nym)=(OpenSk, OpenRn).
  • The credential originator O publishes a Nym0 and a proof NMProof0 that RnO is not revoked; O has to update this proof when BL changes.
  • Issue↔Obtain: If L=0 and NymO≠NymI, abort. Issuer I verifies that NymI and Cred are valid with SkI, RnI and Aux(NymI), and user U verifies that Nym is valid with SkU, RnU and Aux(NymU). After that, they both compute rL+1=H(NymO,attributes, L+1) for a set of attributes for that level's credential, as in delegatable anonymous credentials. They then run AuthPro for U to receive: ProofU←NIZKPK[SkIin NymI[1], SkUinCom(SkU, 0), RnUinCom(RnU, 0)] {(F(SkI), F(SkU), F(RnU),auth):VerifyAuth(SkI, (SkU, RnU, rL+1), auth)}. U's output is CredU=ProofU when L=0. Otherwise, suppose the users on I's chain from the root are 0 (same as O), 1, 2, . . . , L (same as I). I randomizes Cred to get a proof CredProofI (containing the same NymI) that for every Nymj on I's chain for j ∈ {1, . . . , L}, Skj and Rnj are authenticated by Skj−1 (with rj). Concatenate ProofU and CredProofI and project NymI from statement to proof to get CredU.
  • The optional DeInf includes a list of delegating keys Dejs generated by the accumulator's Dele to prove that each Rnj is not accumulated in the blacklist, and a list of EQProofj for proving that two commitments of Rnj in Cred and Dej commit to the same value Rnj, for j ∈ {1, . . . , L−1}. When DeInf is in the input, I Redes these delegating keys, updates and randomizes EQProofj to match the new keys and CredU, and adds a new delegating key DeI to prove that RnI is not revoked and a proof EQProofI that two commitments of RnI in NymI[2] and DeI commit to the same value. The result DeInfU is sent to U.
  • Revoke: Add Rn to the accumulated set and update the accumulator value.
  • CredProve: Abort if Nym≠ (Com(Sk, OpenSk), Com(Rn, OpenRn)). Use ProveNM to generate a proof, NMProof, that Rn is not blacklisted. Generate EQProof that Rn's commitments in NMProof and in Nym[2] both commit to the same value. Randomize Cred to get a proof which contains Nym. Concatenate this proof with NMProof and EQProof to get CredProof′. If the optional DeInf is omitted, just output CredProof′. Otherwise, use CompProof to generate a proof NMChainProof that each Rnj on the user's chain of delegators is not accumulated in the blacklist. Update and randomize EQProofj for j ∈ {1, . . . , L} to match with NMChainProof and CredProof′. Concatenate NMChainProof and CredProof′ to output CredProof as described in EQUATION 1.
  • CredVerify runs PKVerify, VerifyNM and verifies EQProofs to output accept or reject.


Theorem 6.1 If the authentication scheme is F-unforgeable and certification-secure; a concatenation of CredPS, NMPS and EQPS is randomizable, partially extractable, and composable ZK; and H is collision resistant, then this construction is a secure revocable delegatable anonymous credential system. A proof sketch of theorem 6 is described in section 8.


6.4 A Method



FIG. 2 is a process flow diagram of a method 200 for revoking delegatable anonymous credentials in accordance with the claimed subject matter. The method 200 may be performed by the blacklist authority 104.


The method begins at block 202, where a request is received to revoke an anonymous credential. The anonymous credential may be delegated from a first entity to a second entity.


At block 204, the blacklist authority 104 may revoke the anonymous credential from the first entity. The revocation may occur in response to the request to revoke.


At block 206, the blacklist authority 104 may revoke the anonymous credential from the second entity. The revocation for the second entity may also occur in response to the request to revoke.


7. Example Implementation


The system 100 may be implemented in two program libraries of various languages. The first library may implement the scheme for the accumulator 102 in the SXDH instantiation described in section 5. The first library may also be used to develop the accumulator's applications. Further, application program interfaces may be provided for the algorithms described herein, e.g., AcSetup, ProveNM, VerifyNM, CompNMWit, Accu, Dele, Rede, Vali and CompProof.


The second library may depend on the first library to perform the revoking of anonymous credentials described above.


Typically, prime-order universal accumulators use a random oracle (RO) for non-interactive proofs. Their prover uses 3 pairings. In contrast, the accumulator 102 does not use a random oracle. Further, the accumulator's prover does no pairing. In one embodiment, with q=500, using 256-bit BN pairing curves, on a regular 2.4 GHz Intel 2 Core with 4 GB RAM, ProveNM takes 0.14 s and Dele takes 69.38 s.


In some embodiments, the system 100 may include a central entity that knows Aux, and can adjust the value of q at any time. Based on the work loads on the accumulator's operations and the number of accumulated elements, the value of q may be determined based on a desired efficiency improvement.


This improvement may be used in the following scenario. Assume in an application, the number of accumulated elements is around a constant Q over time, allowing for elements to be added or removed. Let m=⌈Q/q⌉, the computation unit be a scalar product, and the approximate costs of the accumulator's operations be as follows (generalized for both SXDH and SDLIN instantiations): Accu-m; UpdateVal-1; CompNMWit-(mq≈Q); UpdateWitness-2; ProveNM-α1m; VerifyNM-α2m; Dele-β1q; Rede-β2q; Vali-β3q; CompProof-(β4mq+α3m); UpdateProof-(β4q+α3m); where αi and βi are constants. For simplicity and analysis of a common user, less commonly used operations, operations performed by a central entity, and operations whose cost does not change when q changes are not described.


Suppose over a period of approximately a year, the average numbers of runs of operations per user are as follows: ProveNM-a1; VerifyNM-a2; Dele-b1; Rede-b2; Vali-b3; CompProof-a3; UpdateProof-c; where ai, bi and c are constants. The total cost per user per period is

$$S(q) = a_1\alpha_1 m + a_2\alpha_2 m + b_1\beta_1 q + b_2\beta_2 q + b_3\beta_3 q + a_3\alpha_3 m + a_3\beta_4 mq + c\beta_4 q + c\alpha_3 m \approx (a_1\alpha_1 + a_2\alpha_2 + a_3\alpha_3 + c\alpha_3)\frac{Q}{q} + (b_1\beta_1 + b_2\beta_2 + b_3\beta_3 + c\beta_4)\,q + a_3\beta_4 Q.$$

Because

$$\left(\sqrt{(a_1\alpha_1 + a_2\alpha_2 + a_3\alpha_3 + c\alpha_3)\,Q/q} - \sqrt{(b_1\beta_1 + b_2\beta_2 + b_3\beta_3 + c\beta_4)\,q}\right)^{2} \ge 0,$$

then,

$$(a_1\alpha_1 + a_2\alpha_2 + a_3\alpha_3 + c\alpha_3)\frac{Q}{q} + (b_1\beta_1 + b_2\beta_2 + b_3\beta_3 + c\beta_4)\,q \ge 2\sqrt{(a_1\alpha_1 + a_2\alpha_2 + a_3\alpha_3 + c\alpha_3)(b_1\beta_1 + b_2\beta_2 + b_3\beta_3 + c\beta_4)\,Q}.$$

As such, a minimum of S(q) happens when

$$q = \min\left(Q,\ \sqrt{\frac{a_1\alpha_1 + a_2\alpha_2 + a_3\alpha_3 + c\alpha_3}{b_1\beta_1 + b_2\beta_2 + b_3\beta_3 + c\beta_4}\,Q}\right).$$

  • Accordingly, if users have to generate proofs a great deal more than delegations, then q=Q. If their cost amounts are about the same, then q≈√Q.
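The cost model above, worked through numerically as an added example (it is not part of the patent text or of the libraries it describes): the code evaluates S(q) exactly with m taken as Q/q rounded up, computes the closed-form minimiser, and checks it against a brute-force search over integer q. The class and function names, the unit costs of 1, and the three workloads are assumptions constructed for illustration.

```python
"""Added example: the per-user cost S(q) and the q that minimises it."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    """Average runs per user per period (a_i, b_i, c in the text)."""
    a1: float  # ProveNM
    a2: float  # VerifyNM
    a3: float  # CompProof
    b1: float  # Dele
    b2: float  # Rede
    b3: float  # Vali
    c: float   # UpdateProof


@dataclass(frozen=True)
class UnitCosts:
    """Constants alpha_i, beta_i in scalar products (all 1 here: constructed)."""
    alpha1: float = 1.0
    alpha2: float = 1.0
    alpha3: float = 1.0
    beta1: float = 1.0
    beta2: float = 1.0
    beta3: float = 1.0
    beta4: float = 1.0


def coefficients(w, k):
    """Return (A, B), the factors of Q/q and of q in the approximation of S(q)."""
    A = w.a1 * k.alpha1 + w.a2 * k.alpha2 + w.a3 * k.alpha3 + w.c * k.alpha3
    B = w.b1 * k.beta1 + w.b2 * k.beta2 + w.b3 * k.beta3 + w.c * k.beta4
    return A, B


def total_cost(q, Q, w, k):
    """Exact S(q): every term of the sum, with m = ceil(Q/q) (assumed rounding)."""
    m = -(-Q // q)  # integer ceiling of Q/q
    return (w.a1 * k.alpha1 * m + w.a2 * k.alpha2 * m
            + w.b1 * k.beta1 * q + w.b2 * k.beta2 * q + w.b3 * k.beta3 * q
            + w.a3 * k.alpha3 * m + w.a3 * k.beta4 * m * q
            + w.c * k.beta4 * q + w.c * k.alpha3 * m)


def approx_cost(q, Q, w, k):
    """Approximate S(q) = A*Q/q + B*q + a3*beta4*Q, using m*q ~ Q."""
    A, B = coefficients(w, k)
    return A * Q / q + B * q + w.a3 * k.beta4 * Q


def closed_form_q(Q, w, k):
    """q = min(Q, sqrt(A*Q/B)), clamped to at least 1; q = Q if B is zero."""
    A, B = coefficients(w, k)
    if B == 0:
        return float(Q)
    return max(1.0, min(float(Q), math.sqrt(A * Q / B)))


def best_integer_q(Q, w, k):
    """Brute-force check: the integer q in [1, Q] with the lowest exact cost."""
    return min(range(1, Q + 1), key=lambda q: total_cost(q, Q, w, k))


# Constructed workloads covering the regimes the text distinguishes.
BALANCED = Workload(a1=1, a2=1, a3=1, b1=1, b2=1, b3=1, c=1)
PROOF_HEAVY = Workload(a1=1000, a2=1000, a3=1000, b1=1, b2=1, b3=1, c=0)
DELEGATION_HEAVY = Workload(a1=1, a2=1, a3=1, b1=1000, b2=1000, b3=1000, c=0)

if __name__ == "__main__":
    costs = UnitCosts()
    cases = (("balanced", BALANCED, 10000),
             ("proof-heavy", PROOF_HEAVY, 100),
             ("delegation-heavy", DELEGATION_HEAVY, 10000))
    for name, w, Q in cases:
        q_star = closed_form_q(Q, w, costs)
        q_best = best_integer_q(Q, w, costs)
        print(f"{name:17s} Q={Q:6d} closed-form q={q_star:8.2f} "
              f"best integer q={q_best:6d} S={total_cost(q_best, Q, w, costs):.0f}")
```

The delegation-heavy case shows the regime the text does not spell out: when Dele, Rede and Vali dominate, the minimiser moves toward small q.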



8. Appendix: Proofs


Proof of theorem 3.1. To prove that (ΠGS, +GS, IGS) satisfies the 5 conditions of an abelian group, it is given that the conditions of associativity, commutativity, identity element, and inverse element may be easily validated. As such, only the proof of closure is described.


It is given that (Sta, Wit, Proof)←(Sta1, Wit1, Proof1)+GS (Sta2, Wit2, Proof2) (as in the description) satisfies the conditions for an element in ΠGS as follows. ∀i ∈ M: x[i]=x1[i]=x0[i] and c[i]=c1[i]=c0[i]. ∀j ∈ M: b[j]=b1[j]=b0[j]. ∀i ∈ N: y[i]=y1[i]=y0[i] and d[i]=d1[i]=d0[i]. ∀j ∈ N: a[j]=a1[j]=a0[j]. If (i ∈ M) ∨ (j ∈ N), then Γ[i,j]=Γ1[i,j]=Γ0[i,j]. Then, to prove that Proof is the valid proof of Sta and Wit, suppose for i ∈ {1,2}, $\vec{c}_i := \iota_1(\vec{x}_i) + R_i\vec{u}_1$, $\vec{d}_i := \iota_2(\vec{y}_i) + S_i\vec{u}_2$, then

$$\vec{\pi}_i := R_i^{T}\iota_2(\vec{b}_i) + R_i^{T}\Gamma_i\,\iota_2(\vec{y}_i) + R_i^{T}\Gamma_i S_i\vec{u}_2 - T_i^{T}\vec{u}_2 + \sum_{j=1}^{\eta} r_j^{(i)} H_j\vec{u}_2, \text{ and}$$
EQUATION 2

$$\vec{\psi}_i := S_i^{T}\iota_1(\vec{a}_i) + S_i^{T}\Gamma_i^{T}\iota_1(\vec{x}_i) + T_i\vec{u}_1$$
EQUATION 3


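Without losing generality, for i ∈ {1,2}, it is true that

$$\vec{x}_i := \begin{pmatrix}\hat{X}\\ \tilde{X}_i\end{pmatrix},\quad \vec{b}_i := \begin{pmatrix}\hat{B}_i\\ \tilde{B}\end{pmatrix},\quad R_i := \begin{pmatrix}\hat{R}\\ \tilde{R}_i\end{pmatrix},\quad \vec{c}_i := \begin{pmatrix}\hat{C}\\ \tilde{C}_i\end{pmatrix}$$
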
  • where X̂ consists of x[j] with j ∈ M and X̃i consists of xi[j] with j ∈ M; B̂i consists of bi[j] with j ∈ M and B̃ consists of b[j] with j ∈ M; and R̂ consists of rows j of Ri with j ∈ M and R̃i consists of rows j of Ri with j ∈ M; and Ĉ consists of c[j] with j ∈ M and C̃i consists of Ci[j] with j ∈ M. As such, it is true that:

$$\vec{x} = \begin{pmatrix}\hat{X}\\ \tilde{X}_1+\tilde{X}_2\end{pmatrix},\quad \vec{b} = \begin{pmatrix}\hat{B}_1+\hat{B}_2\\ \tilde{B}\end{pmatrix},\quad R = \begin{pmatrix}\hat{R}\\ \tilde{R}_1+\tilde{R}_2\end{pmatrix}$$

$$\begin{aligned}
\vec{c} &= \begin{pmatrix}\hat{C}\\ \tilde{C}_1+\tilde{C}_2\end{pmatrix}\\
&= \begin{pmatrix}\iota_1(\hat{X})+\hat{R}\vec{u}_1\\ \iota_1(\tilde{X}_1)+\tilde{R}_1\vec{u}_1+\iota_1(\tilde{X}_2)+\tilde{R}_2\vec{u}_1\end{pmatrix}\\
&= \begin{pmatrix}\iota_1(\hat{X})+\hat{R}\vec{u}_1\\ \iota_1(\tilde{X}_1+\tilde{X}_2)+(\tilde{R}_1+\tilde{R}_2)\vec{u}_1\end{pmatrix}\\
&= \iota_1(\vec{x}) + R\vec{u}_1
\end{aligned}$$
EQUATION 4

  • which is how commitment $\vec{c}$ may be generated from $\vec{x}$ and R for the proof. In the same way, without losing generality, for i ∈ {1,2}, it is true that

$$\vec{y}_i := \begin{pmatrix}\hat{Y}\\ \tilde{Y}_i\end{pmatrix},\quad \vec{a}_i := \begin{pmatrix}\hat{A}_i\\ \tilde{A}\end{pmatrix},\quad S_i := \begin{pmatrix}\hat{S}\\ \tilde{S}_i\end{pmatrix},\quad \vec{d}_i := \begin{pmatrix}\hat{D}\\ \tilde{D}_i\end{pmatrix}$$

  • where Ŷ consists of y[j] with j ∈ N and Ỹi consists of yi[j] with j ∈ N; Âi consists of ai[j] with j ∈ N and Ã consists of a[j] with j ∈ N; Ŝ consists of rows j of Si with j ∈ N and S̃i consists of rows j of Si with j ∈ N; and D̂ consists of d[j] with j ∈ N and D̃i consists of Di[j] with j ∈ N. Further,

$$\vec{y} = \begin{pmatrix}\hat{Y}\\ \tilde{Y}_1+\tilde{Y}_2\end{pmatrix},\quad \vec{a} = \begin{pmatrix}\hat{A}_1+\hat{A}_2\\ \tilde{A}\end{pmatrix},\quad S = \begin{pmatrix}\hat{S}\\ \tilde{S}_1+\tilde{S}_2\end{pmatrix},$$

$$\vec{d} = \begin{pmatrix}\hat{D}\\ \tilde{D}_1+\tilde{D}_2\end{pmatrix} = \iota_2(\vec{y}) + S\vec{u}_2$$
EQUATION 5

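which shows how commitment $\vec{d}$ is generated from $\vec{y}$ and S for the proof. Further, for i ∈ {1,2}:

$$\Gamma_i := \begin{pmatrix}\hat{\Gamma}_i & \check{\Gamma}\\ \tilde{\Gamma} & 0\end{pmatrix},\quad \Gamma := \begin{pmatrix}\hat{\Gamma}_1+\hat{\Gamma}_2 & \check{\Gamma}\\ \tilde{\Gamma} & 0\end{pmatrix}$$
EQUATION 6
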
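where Γ̂i consists of Γ[j, k] with j ∈ M and k ∈ N, Γ̌ consists of Γ[j, k] with j ∈ M and k ∈ N, Γ̃ consists of Γ[j, k] with j ∈ M and k ∈ N, and a zero matrix of Γ[j, k] with j ∈ M and k ∈ N. Substituting EQUATIONS 2 and 3 with EQUATIONS 4 and 6, respectively, then, π=π1+π2:

$$\begin{aligned}
\vec{\pi} ={}& \left(\begin{pmatrix}\hat{R}^{T} & \tilde{R}_1^{T}\end{pmatrix}\begin{pmatrix}\iota_2(\hat{B}_1)\\ \iota_2(\tilde{B})\end{pmatrix} + \begin{pmatrix}\hat{R}^{T} & \tilde{R}_2^{T}\end{pmatrix}\begin{pmatrix}\iota_2(\hat{B}_2)\\ \iota_2(\tilde{B})\end{pmatrix}\right)\\
&+ \left(\begin{pmatrix}\hat{R}^{T} & \tilde{R}_1^{T}\end{pmatrix}\begin{pmatrix}\hat{\Gamma}_1 & \check{\Gamma}\\ \tilde{\Gamma} & 0\end{pmatrix}\begin{pmatrix}\iota_2(\hat{Y})\\ \iota_2(\tilde{Y}_1)\end{pmatrix} + \begin{pmatrix}\hat{R}^{T} & \tilde{R}_2^{T}\end{pmatrix}\begin{pmatrix}\hat{\Gamma}_2 & \check{\Gamma}\\ \tilde{\Gamma} & 0\end{pmatrix}\begin{pmatrix}\iota_2(\hat{Y})\\ \iota_2(\tilde{Y}_2)\end{pmatrix}\right)\\
&+ \left(\begin{pmatrix}\hat{R}^{T} & \tilde{R}_1^{T}\end{pmatrix}\begin{pmatrix}\hat{\Gamma}_1 & \check{\Gamma}\\ \tilde{\Gamma} & 0\end{pmatrix}\begin{pmatrix}\hat{S}\\ \tilde{S}_1\end{pmatrix} + \begin{pmatrix}\hat{R}^{T} & \tilde{R}_2^{T}\end{pmatrix}\begin{pmatrix}\hat{\Gamma}_2 & \check{\Gamma}\\ \tilde{\Gamma} & 0\end{pmatrix}\begin{pmatrix}\hat{S}\\ \tilde{S}_2\end{pmatrix}\right)\vec{u}_2\\
&- \left(T_1^{T}+T_2^{T}\right)\vec{u}_2 + \left(\sum_{j=1}^{\eta} r_j^{(1)}H_j + \sum_{j=1}^{\eta} r_j^{(2)}H_j\right)\vec{u}_2
\end{aligned}$$
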
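Multiplying matrices and regrouping with EQUATIONS 4 and 6 yields:

$$\begin{aligned}
\vec{\pi} ={}& \begin{pmatrix}\hat{R}^{T} & (\tilde{R}_1+\tilde{R}_2)^{T}\end{pmatrix}\begin{pmatrix}\iota_2(\hat{B}_1+\hat{B}_2)\\ \iota_2(\tilde{B})\end{pmatrix}\\
&+ \begin{pmatrix}\hat{R}^{T}(\hat{\Gamma}_1+\hat{\Gamma}_2)+(\tilde{R}_1+\tilde{R}_2)^{T}\tilde{\Gamma} & \hat{R}^{T}\check{\Gamma}\end{pmatrix}\begin{pmatrix}\iota_2(\hat{Y})\\ \iota_2(\tilde{Y}_1+\tilde{Y}_2)\end{pmatrix}\\
&+ \begin{pmatrix}\hat{R}^{T}(\hat{\Gamma}_1+\hat{\Gamma}_2)+(\tilde{R}_1+\tilde{R}_2)^{T}\tilde{\Gamma} & \hat{R}^{T}\check{\Gamma}\end{pmatrix}\begin{pmatrix}\hat{S}\\ \tilde{S}_1+\tilde{S}_2\end{pmatrix}\vec{u}_2\\
&- \left(T_1+T_2\right)^{T}\vec{u}_2 + \sum_{j=1}^{\eta} r_j H_j\vec{u}_2
\end{aligned}$$
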
Replacing $\vec{b}$ and R from EQUATION 4 and $\vec{y}$ and S from EQUATION 5, then $\vec{\pi} = R^{T}\iota_2(\vec{b}) + R^{T}\Gamma\,\iota_2(\vec{y}) + R^{T}\Gamma S\vec{u}_2 - T^{T}\vec{u}_2 + \sum_{j=1}^{\eta} r_j H_j\vec{u}_2$. Similarly, $\vec{\psi} := S^{T}\iota_1(\vec{a}) + S^{T}\Gamma^{T}\iota_1(\vec{x}) + T\vec{u}_1$. As such, $\vec{c}$, $\vec{d}$, $\vec{\pi}$, and $\vec{\psi}$ are generated according to the formula for a GS proof of ($\vec{a}$, $\vec{b}$, Γ, t) and ($\vec{x}$, $\vec{y}$). Therefore, Proof is a valid proof of Sta and Wit. Accordingly, theorem 3.1 holds.


Proof sketch of theorem 5.1. The correctness and composable ZK of theorem 5.1 come from the GS proof, the GS proof's instantiations, and the fact that y2 ∉ AcSet and Xj2≠0 means Tj≠0. Further, a setup and a proof may be simulated that are respectively computationally indistinguishable from a real setup and a real proof generated from the simulated setup.


Soundness may be proven as follows. Suppose an adversary could forge a proof that VerifyNM accepts for equations ⋀_{j=1}^{m} ((y1+y2)Xj1+yj3P1=Vj ∧ Xj3−yj3A=0 ∧ yj3Xj2=Tj) where Tj≠0 but y2 is accumulated in one of Vjs with non-negligible probability. The proof may be used to break ESDH.


Given the assumption challenge (p, custom character, e, P1, δP1, . . . , δq+1P1, A, P2, δP2), simulate random CRS σ with extracting trapdoor for GS proofs in either the SXDH or SDLIN instantiations. Accordingly, from a commitment in custom character2 of y ∈ Zp and a commitment of X ∈ custom character1, yP2 and X may be respectively extracted. With the trapdoor, compute τ:=l2′,(δ), thereby providing all parameters for a simulated accumulator.


The forged proof contains commitments of Xj1,Xj3,Xj2 and of y1=δ,y2,yj3 in custom character2. As such, Xj1,Xj3,Xj2 and y2P2,yj3P2 could be extracted, and know yj3≠0. As y2 is in AcSet, then y2 could be found. Suppose y2 is accumulated in Vl which accumulates {α1, . . . , αk}. As Xl3=yl3A, Xl1, y2 and (yl3P2,yl3A) could be extracted. Therefore, (y1+y2)Xl1+yl3P1i=1k (y1i)y1P1 and y2 ∈ {α1, . . . , αk}. Accordingly,








$$\frac{y_{l3}}{y_1+y_2}\,P_1$$





  • may be computed from Xl1, {α1, . . . , αk} and ζ. As such,







$$\left(\frac{y_{l3}}{\delta+y_2}\,P_1,\ y_2,\ y_{l3}P_2,\ y_{l3}A\right)$$




  • could be found to break the assumption.



Proof sketch of theorem 5.2. To prove delegatability, consider that CompProof's output is a randomized proof of equations ⋀_{j=1}^{m} ((y1+y2)Xj1+yj3P1=Vj ∧ Xj3−yj3A=0 ∧ yj3Xj2=Tj) which are the same as equations for the proof outputted by ProveNM. Due to GS proofs' randomizability, the outputs have the same distribution, indicating delegatability.


For proving redelegatability, consider the same y2. The output T′(i), i ∈ {1, . . . , k+1} of Rede has the same distribution as the output T(i), i ∈ {1, . . . , k+1} of Dele. For the same T(i), i ∈ {1, . . . , k+1}, Rede's output is a randomization of a proof that Dele could produce, so their outputs have the same distribution. Therefore, Dele and Rede output the same distribution that leads to redelegatability. Verifiability comes from ESDH and the completeness and soundness of GS proofs, as De is a GS proof.


If an adversary can break the accumulator's unlinkability, it may be proven that either q-DSDH or GS's underlying assumption (SXDH or SDLIN) can be broken. Consider 2 cases. If the adversary can distinguish between a GS proof De and its simulated proof both in a simulated setup with non-negligible probability, then the underlying assumption may be broken. If not, then q-DSDH can be broken as follows.


Suppose the q-DSDH Challenge

  • p, custom character, e, P1,P2,B0,x0B0, . . . , x0qB0,B1,xbB1, . . . , xbqB1 is given. Simulate a CRS for GS proofs from the setup. Use the same simulation for GS proofs, and simulate a proof De for ⋀_{i=1}^{q+1} ((δ+y2)X1(i)+y3(i)P1iP1 ∧ X3(i)−y3(i)A=0 ∧ y3(i)X2=(−1)ix0i−1B0), and a proof Deb for ⋀_{i=1}^{q+1} ((δ+y2)X1(i)+y3(i)P1iP1 ∧ X3(i)−y3(i)A=0 ∧ y3(i)X2=(−1)ixbi−1B1). The adversary may then be given De and Deb. As the adversary cannot distinguish between a delegating key and a simulated one with non-negligible probability, the adversary may break unlinkability. Accordingly, the adversary could tell with non-negligible advantage over a random guess if b is 0 or 1. That breaks q-DSDH.


Proof sketch of theorem 6.1. The scheme's correctness comes from correctness of its component authentication scheme and the concatenation of CredPS, NMPS and EQPS, and delegatability and redelegatability of the accumulator 102. The unforgeability proof is based on F-unforgeability and certification-security of the authentication scheme, and partial extractability and soundness of the concatenation.


The anonymity proof is also similar to the one for randomizable proofs and delegatable anonymous credentials. One difference is to create SimIssue indistinguishable from Issue with input DeInf. SimSetup includes AtSetup and the simulation setup SimConSetup for the concatenation. It is true that the accumulator's four delegation properties still hold under parameters generated by SimConSetup. Otherwise, an adversary breaking one of the properties could distinguish SimConSetup and the concatenation setup ConSetup. It is also true that a concatenation of just CredPS and EQPS is also composable ZK using simulation SimConSetup. SimIssue first generates a list of delegating keys for L random r-nyms. Based on the accumulator's unlinkability and redelegatability, the adversary cannot distinguish this list from the list in DeInfU generated by Issue, as r-nyms of input DeInf to Issue are also randomly generated and not revealed to the adversary. SimIssue then simulates the concatenation of CredPS and EQPS with r-nyms commitments in the delegating keys and merges it with the delegating keys to output. This output is indistinguishable from the output (CredU,DeInfU) generated by Issue.



FIG. 3 is a block diagram of an exemplary networking environment 300 wherein aspects of the claimed subject matter can be employed. Moreover, the exemplary networking environment 300 may be used to implement a system and method of revoking delegatable anonymous credentials.


The networking environment 300 includes one or more client(s) 310. The client(s) 310 can be hardware and/or software (e.g., threads, processes, computing devices). As an example, the client(s) 310 may be computers providing access, for users of a web browser, to servers over a communication framework 340, such as the Internet.


The system 300 also includes one or more server(s) 320. The server(s) 320 can be hardware and/or software (e.g., threads, processes, computing devices). The server(s) 320 may include web servers, or other servers that support delegatable anonymous credentials.


The server(s) may be accessed by the client(s) 310. The servers 320 can house threads to delegate and revoke anonymous credentials.


One possible communication between a client 310 and a server 320 can be in the form of a data packet adapted to be transmitted between two or more computer processes. The system 300 includes a communication framework 340 that can be employed to facilitate communications between the client(s) 310 and the server(s) 320.


The client(s) 310 are operably connected to one or more client data store(s) 350 that can be employed to store information local to the client(s) 310. The client data store(s) 350 may be located in the client(s) 310, or remotely, such as in a cloud server. Similarly, the server(s) 320 are operably connected to one or more server data store(s) 330 that can be employed to store information local to the servers 320.


With reference to FIG. 4, an exemplary operating environment 400 for implementing various aspects of the claimed subject matter is shown. The exemplary operating environment 400 includes a computer 412. The computer 412 includes a processing unit 414, a system memory 416, and a system bus 418.


The system bus 418 couples system components including, but not limited to, the system memory 416 to the processing unit 414. The processing unit 414 can be any of various available processors. Dual microprocessors and other multiprocessor architectures also can be employed as the processing unit 414.


The system bus 418 can be any of several types of bus structure(s) including the memory bus or memory controller, a peripheral bus or external bus, and/or a local bus using any variety of available bus architectures known to those of ordinary skill in the art. The system memory 416 is non-transitory computer-readable media that includes volatile memory 420 and nonvolatile memory 422.


The basic input/output system (BIOS), containing the basic routines to transfer information between elements within the computer 412, such as during start-up, is stored in nonvolatile memory 422. By way of illustration, and not limitation, nonvolatile memory 422 can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory.


Volatile memory 420 includes random access memory (RAM), which acts as external cache memory. By way of illustration and not limitation, RAM is available in many forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), SynchLink™ DRAM (SLDRAM), Rambus® direct RAM (RDRAM), direct Rambus® dynamic RAM (DRDRAM), and Rambus® dynamic RAM (RDRAM).


The computer 412 also includes other non-transitory computer-readable media, such as removable/non-removable, volatile/non-volatile computer storage media. FIG. 4 shows, for example a disk storage 424. Disk storage 424 includes, but is not limited to, devices like a magnetic disk drive, floppy disk drive, tape drive, Jaz drive, Zip drive, LS-100 drive, flash memory card, or memory stick.


In addition, disk storage 424 can include storage media separately or in combination with other storage media including, but not limited to, an optical disk drive such as a compact disk ROM device (CD-ROM), CD recordable drive (CD-R Drive), CD rewritable drive (CD-RW Drive) or a digital versatile disk ROM drive (DVD-ROM). To facilitate connection of the disk storage devices 424 to the system bus 418, a removable or non-removable interface is typically used such as interface 426.


It is to be appreciated that FIG. 4 describes software that acts as an intermediary between users and the basic computer resources described in the suitable operating environment 400. Such software includes an operating system 428. Operating system 428, which can be stored on disk storage 424, acts to control and allocate resources of the computer system 412.


System applications 430 take advantage of the management of resources by operating system 428 through program modules 432 and program data 434 stored either in system memory 416 or on disk storage 424. It is to be appreciated that the claimed subject matter can be implemented with various operating systems or combinations of operating systems.


A user enters commands or information into the computer 412 through input device(s) 436. Input devices 436 include, but are not limited to, a pointing device (such as a mouse, trackball, stylus, or the like), a keyboard, a microphone, a joystick, a satellite dish, a scanner, a TV tuner card, a digital camera, a digital video camera, a web camera, and/or the like. The input devices 436 connect to the processing unit 414 through the system bus 418 via interface port(s) 438. Interface port(s) 438 include, for example, a serial port, a parallel port, a game port, and a universal serial bus (USB).


Output device(s) 440 use some of the same type of ports as input device(s) 436. Thus, for example, a USB port may be used to provide input to the computer 412, and to output information from computer 412 to an output device 440.


Output adapter 442 is provided to illustrate that there are some output devices 440 like monitors, speakers, and printers, among other output devices 440, which are accessible via adapters. The output adapters 442 include, by way of illustration and not limitation, video and sound cards that provide a means of connection between the output device 440 and the system bus 418. It can be noted that other devices and/or systems of devices provide both input and output capabilities such as remote computer(s) 444.


The computer 412 can be a server hosting a universal, dynamic accumulator in a networked environment using logical connections to one or more remote computers, such as remote computer(s) 444. The remote computer(s) 444 may be client systems configured with web browsers, PC applications, mobile phone applications, and the like, to allow users to delegate and revoke anonymous credentials, as discussed herein. For example, remote computer 444 may include a client used to request delegation and revocation of anonymous credentials.


The remote computer(s) 444 can be a personal computer, a server, a router, a network PC, a workstation, a microprocessor based appliance, a mobile phone, a peer device or other common network node and the like, and typically includes many or all of the elements described relative to the computer 412.


For purposes of brevity, only a memory storage device 446 is illustrated with remote computer(s) 444. Remote computer(s) 444 is logically connected to the computer 412 through a network interface 448 and then physically connected via a communication connection 450.


Network interface 448 encompasses wire and/or wireless communication networks such as local-area networks (LAN) and wide-area networks (WAN). LAN technologies include Fiber Distributed Data Interface (FDDI), Copper Distributed Data Interface (CDDI), Ethernet, Token Ring and the like. WAN technologies include, but are not limited to, point-to-point links, circuit switching networks like Integrated Services Digital Networks (ISDN) and variations thereon, packet switching networks, and Digital Subscriber Lines (DSL).


Communication connection(s) 450 refers to the hardware/software employed to connect the network interface 448 to the bus 418. While communication connection 450 is shown for illustrative clarity inside computer 412, it can also be external to the computer 412. The hardware/software for connection to the network interface 448 may include, for exemplary purposes only, internal and external technologies such as, mobile phone switches, modems including regular telephone grade modems, cable modems and DSL modems, ISDN adapters, and Ethernet cards.


An exemplary embodiment of the computer 412 may comprise a server hosting a website. Anonymous credentials may be used to control access to the website. The server may be configured to delegate and revoke the anonymous credentials.


An exemplary processing unit 414 for the server may be a computing cluster comprising Intel® Xeon CPUs. The disk storage 424 may comprise an enterprise data storage system, for example, holding thousands of impressions.


Exemplary embodiments of the subject innovation may display an icon on the remote computer(s) 444 that is clickable to request asynchronous searches. Asynchronous search results may be requested from human or crowd-sourcing resources. Results may be made available via a non-intrusive icon on the remote computer(s) 444.


What has been described above includes examples of the subject innovation. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the claimed subject matter, but one of ordinary skill in the art may recognize that many further combinations and permutations of the subject innovation are possible. Accordingly, the claimed subject matter is intended to embrace all such alterations, modifications, and variations that fall within the spirit and scope of the appended claims.


In particular and in regard to the various functions performed by the above described components, devices, circuits, systems and the like, the terms (including a reference to a “means”) used to describe such components are intended to correspond, unless otherwise indicated, to any component which performs the specified function of the described component (e.g., a functional equivalent), even though not structurally equivalent to the disclosed structure, which performs the function in the herein illustrated exemplary aspects of the claimed subject matter. In this regard, it will also be recognized that the innovation includes a system as well as a computer-readable storage media having computer-executable instructions for performing the acts and/or events of the various methods of the claimed subject matter.


There are multiple ways of implementing the subject innovation, e.g., an appropriate API, tool kit, driver code, operating system, control, standalone or downloadable software object, etc., which enables applications and services to use the techniques described herein. The claimed subject matter contemplates the use from the standpoint of an API (or other software object), as well as from a software or hardware object that operates according to the techniques set forth herein. Thus, various implementations of the subject innovation described herein may have aspects that are wholly in hardware, partly in hardware and partly in software, as well as in software.


The aforementioned systems have been described with respect to interaction between several components. It can be appreciated that such systems and components can include those components or specified sub-components, some of the specified components or sub-components, and/or additional components, and according to various permutations and combinations of the foregoing. Sub-components can also be implemented as components communicatively coupled to other components rather than included within parent components (hierarchical).


Additionally, it can be noted that one or more components may be combined into a single component providing aggregate functionality or divided into several separate sub-components, and any one or more middle layers, such as a management layer, may be provided to communicatively couple to such sub-components in order to provide integrated functionality. Any components described herein may also interact with one or more other components not specifically described herein but generally known by those of skill in the art.


In addition, while a particular feature of the subject innovation may have been disclosed with respect to only one of several implementations, such feature may be combined with one or more other features of the other implementations as may be desired and advantageous for any given or particular application. Furthermore, to the extent that the terms “includes,” “including,” “has,” “contains,” variants thereof, and other similar words are used in either the detailed description or the claims, these terms are intended to be inclusive in a manner similar to the term “comprising” as an open transition word without precluding any additional or other elements.

Claims
  • 1. A method for revoking delegatable anonymous credentials, comprising: receiving, in a processor, a request to revoke an anonymous credential representative of an ability to prove non-membership in an accumulator for a first entity, wherein the anonymous credential is delegated from the first entity to a second entity; revoking the anonymous credential from the first entity in response to the request to revoke the anonymous credential; and revoking the anonymous credential from the second entity in response to the request to revoke the anonymous credential, wherein revoking the anonymous credential from the second entity comprises revoking a delegated descendant of the anonymous credential.
  • 2. The method recited in claim 1, wherein the accumulator comprises a universal and dynamic accumulator.
  • 3. The method recited in claim 1, comprising: delegating the anonymous credential to a third entity; and revoking the anonymous credential from the third entity in response to the request to revoke the anonymous credential, wherein the anonymous credential is delegated from the second entity to the third entity.
  • 4. The method recited in claim 1, wherein the accumulator comprises: an accumulator value comprising an identity of the anonymous credential; and a non-membership proof system for the accumulator value.
  • 5. The method recited in claim 4, wherein the non-membership proof system is configured to prove non-membership of the anonymous credential.
  • 6. The method recited in claim 4, wherein the non-membership proof system comprises homomorphic proofs.
  • 7. The method recited in claim 6, wherein the homomorphic proofs comprise Groth-Sahai proofs.
  • 8. The method recited in claim 1, wherein the request is received from an anonymous credential system.
  • 9. A system for revoking delegatable anonymous credentials, comprising: a processing unit; and a system memory, wherein the system memory comprises code configured to direct the processing unit to: receive a request to revoke an anonymous credential representative of an ability to prove non-membership in a universal, dynamic accumulator for a first entity, wherein the anonymous credential is delegated from the first entity to a second entity; revoke the anonymous credential from the first entity in response to the request to revoke the anonymous credential; and revoke the anonymous credential from the second entity in response to the request to revoke the anonymous credential, wherein revoking the anonymous credential from the second entity comprises revoking a delegated descendant of the anonymous credential.
  • 10. The system recited in claim 9, wherein the code is configured to direct the processing unit to: delegate the anonymous credential to a third entity; and revoke the anonymous credential from the third entity in response to the request to revoke the anonymous credential, wherein the second entity delegates the anonymous credential to the third entity.
  • 11. The system recited in claim 9, wherein the accumulator comprises: an accumulator value comprising an identity of the anonymous credential; and a non-membership proof system for the accumulator value.
  • 12. The system recited in claim 11, wherein the non-membership proof system is configured to prove non-membership of the anonymous credential before the anonymous credential is revoked.
  • 13. The system recited in claim 11, wherein the non-membership proof system comprises homomorphic proofs.
  • 14. The system recited in claim 13, wherein the homomorphic proofs comprise Groth-Sahai proofs.
  • 15. The system recited in claim 9, wherein the request is received from an anonymous credential system.
  • 16. One or more computer-readable storage devices, comprising code configured to direct a processing unit to: receive a request to revoke an anonymous credential representative of an ability to prove non-membership in a universal, dynamic accumulator for a first entity, wherein the request is received from an anonymous credential system, and wherein the anonymous credential is delegated from the first entity to a second entity; revoke the anonymous credential from the first entity in response to the request to revoke the anonymous credential; and revoke the anonymous credential from a second entity in response to the request to revoke the anonymous credential, wherein the first entity delegates the anonymous credential to the second entity, wherein revoking the anonymous credential from the second entity comprises revoking a delegated descendant of the anonymous credential.
  • 17. The computer-readable storage devices recited in claim 16, wherein the code is configured to direct the processing unit to: delegate the anonymous credential to a third entity; and revoke the anonymous credential from the third entity in response to the request to revoke the anonymous credential, wherein the second entity delegates the anonymous credential to the third entity.
  • 18. The computer-readable storage devices recited in claim 16, wherein the accumulator comprises: an accumulator value comprising an identity of the anonymous credential; and a non-membership proof system for the accumulator value.
  • 19. The computer-readable storage devices recited in claim 18, wherein the non-membership proof system is configured to prove non-membership of the anonymous credential before the anonymous credential is revoked.
  • 20. The computer-readable storage devices recited in claim 18, wherein the non-membership proof system comprises homomorphic Groth-Sahai proofs.
Related Publications (1)
Number Date Country
20120144459 A1 Jun 2012 US