An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation

A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance because it is the best means of providing privacy for users. In this paper we propose a practical anonymous credential system that is based on the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product and is considerably superior to existing ones: (1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization. (2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions. (3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other. Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing all-or-nothing sharing: a user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity. This is implemented by a new primitive, called circular encryption, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.

[1]  David Chaum,et al.  Blind Signatures for Untraceable Payments , 1982, CRYPTO.

[2]  Taher El Gamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, IEEE Trans. Inf. Theory.

[3]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[4]  David Chaum,et al.  Security without identification: transaction systems to make big brother obsolete , 1985, CACM.

[5]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[6]  David Chaum,et al.  A Secure and Privacy-protecting Protocol for Transmitting Personal Information Between Organizations , 1986, CRYPTO.

[7]  David Chaum,et al.  An Improved Protocol for Demonstrating Possession of Discrete Logarithms and Some Generalizations , 1987, EUROCRYPT.

[8]  Ernest F. Brickell,et al.  Gradual and Verifiable Release of a Secret , 1987, CRYPTO.

[9]  Ivan Damgård,et al.  Payment Systems and Credential Mechanisms with Provable Security Against Abuse by Individuals , 1988, CRYPTO.

[10]  Silvio Micali,et al.  The Notion of Security for Probabilistic Cryptosystems , 1986, CRYPTO.

[11]  David Chaum,et al.  Zero-Knowledge Undeniable Signatures , 1991, EUROCRYPT.

[12]  Philip C. Kolin For H. B. , 1990 .

[13]  David Chaum,et al.  Group Signatures , 1991, EUROCRYPT.

[14]  David Chaum,et al.  Wallet Databases with Observers , 1992, CRYPTO.

[15]  Stefan A. Brands,et al.  Untraceable Off-line Cash in Wallet with Observers , 2002 .

[16]  Stefan BrandsCWI,et al.  Untraceable Oo-line Cash in Wallets with Observers , 1993 .

[17]  Ernest F. Brickell,et al.  Trustee-based tracing extensions to anonymous cash and the making of anonymous change , 1995, SODA '95.

[18]  Jan Camenisch,et al.  Fair Blind Signatures , 1995, EUROCRYPT.

[19]  Lidong Chen Access with Pseudonyms , 1995, Cryptography: Policy and Algorithms.

[20]  Ran Canetti,et al.  Studies in secure multiparty computation and applications , 1995 .

[21]  Moni Naor,et al.  Digital signets: self-enforcing protection of digital information (preliminary version) , 1996, STOC '96.

[22]  Jan Camenisch,et al.  Efficient Group Signature Schemes for Large Groups (Extended Abstract) , 1997, CRYPTO.

[23]  Jan Camenisch,et al.  Efficient group signature schemes for large groups , 1997 .

[24]  Tatsuaki Okamoto,et al.  Statistical Zero Knowledge Protocols to Prove Modular Polynomial Relations , 1997, CRYPTO.

[25]  Eecient Group Signature Schemes for Large Groups , 1997 .

[26]  Joe Kilian,et al.  Identity Escrow , 1998, CRYPTO.

[27]  Mihir Bellare,et al.  Fast Batch Verification for Modular Exponentiation and Digital Signatures , 1998, IACR Cryptol. ePrint Arch..

[28]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[29]  Birgit Pfitzmann,et al.  Self-Delegation with Controlled Propagation - or - What If You Lose Your Laptop , 1998, CRYPTO.

[30]  Amit Sahai,et al.  Pseudonym Systems , 1999, Selected Areas in Cryptography.

[31]  Shai Halevi,et al.  Secure Hash-and-Sign Signatures Without the Random Oracle , 1999, EUROCRYPT.

[32]  Jan Camenisch,et al.  Separability and Efficiency for Generic Group Signature Schemes , 1999, CRYPTO.

[33]  Jan Camenisch,et al.  Proving in Zero-Knowledge that a Number Is the Product of Two Safe Primes , 1998, EUROCRYPT.

[34]  Stefan A. Brands,et al.  Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy , 2000 .

[35]  Ronald Cramer,et al.  Signature schemes based on the strong RSA assumption , 1999, CCS '99.

[36]  Ivan Damgård,et al.  Verifiable Encryption and Applications to Group Signatures and Signature Sharing , 1998, IACR Cryptol. ePrint Arch..

[37]  N. Asokan,et al.  Optimistic fair exchange of digital signatures , 1998, IEEE Journal on Selected Areas in Communications.

[38]  Fabrice Boudot,et al.  Efficient Proofs that a Committed Number Lies in an Interval , 2000, EUROCRYPT.

[39]  Birgit Pfitzmann,et al.  Composition and integrity preservation of secure reactive systems , 2000, CCS.

[40]  Marc Joye,et al.  A Practical and Provably Secure Coalition-Resistant Group Signature Scheme , 2000, CRYPTO.

[41]  Ivan Damgård,et al.  Efficient Concurrent Zero-Knowledge in the Auxiliary String Model , 2000, EUROCRYPT.

[42]  Ran Canetti,et al.  Security and Composition of Multiparty Cryptographic Protocols , 2000, Journal of Cryptology.

[43]  Ronald Cramer,et al.  Signature schemes based on the strong RSA assumption , 2000, TSEC.

[44]  Mihir Bellare,et al.  Key-Privacy in Public-Key Encryption , 2001, ASIACRYPT.

[45]  Kevin Barraclough,et al.  I and i , 2001, BMJ : British Medical Journal.

[46]  John Black,et al.  Encryption-Scheme Security in the Presence of Key-Dependent Messages , 2002, Selected Areas in Cryptography.