On the Efficiency of Revocation in RSA-Based Anonymous Systems

The problem of revocation in anonymous authentication systems is subtle and has motivated a lot of work. One of the preferred solutions consists of maintaining either a whitelist LW of non-revoked users or a blacklist LB of revoked users, and then requiring users to additionally prove, when authenticating themselves, that they are in LW (membership proof) or that they are not in LB (non-membership proof). Of course, these additional proofs must not break the anonymity properties of the system, so they must be zero-knowledge proofs, revealing nothing about the identity of the users. In this paper, we focus on the RSA-based setting, and we consider the case of non-membership proofs to blacklists L = LB. The existing solutions for this setting rely on the use of universal dynamic accumulators; the underlying zero-knowledge proofs are a bit complicated, and thus their efficiency, although independent of the size of the blacklist L, seems to be improvable. Peng and Bao already tried to propose simpler and more efficient zero-knowledge proofs for this setting, but we prove in this paper that their protocol is not secure. We fix the problem by designing a new protocol and formally proving its security properties. We then compare the efficiency of the new zero-knowledge non-membership protocol with that of the protocol, when they are integrated with anonymous authentication systems based on RSA (notably, the IBM product Idemix for anonymous credentials). We discuss for which values of the size k of the blacklist L one protocol is preferable to the other, and we propose different ways to combine and implement the two protocols.
