With a Little Help from My Friends: Constructing Practical Anonymous Credentials

Anonymous credentials (ACs) are a powerful cryptographic tool for the secure use of digital services when aiming simultaneously for strong privacy guarantees for users and strong authentication guarantees for service providers. They allow users to selectively prove possession of attributes encoded in a credential without revealing any other meaningful information about themselves. While there is a significant body of research on AC systems, modern use cases of ACs, such as mobile applications, come with various requirements not sufficiently considered so far. These include preventing the sharing of credentials and coping with resource constraints of the platforms (e.g., smart cards such as SIM cards in smartphones). Such aspects are typically out of scope of AC constructions, and thus AC systems that can be considered entirely practical have been elusive so far. In this paper we address this problem by introducing and formalizing the notion of core/helper anonymous credentials (CHAC). The model considers a constrained core device (e.g., a SIM card) and a powerful helper device (e.g., a smartphone). The key idea is that the core device performs operations that do not depend on the size of the credential or the number of attributes, but at the same time the helper device is unable to use the credential without its help. We present a provably secure generic construction of CHACs using a combination of signatures with flexible public keys (SFPK) and the novel notion of aggregatable attribute-based equivalence class signatures (AAEQ), along with a concrete instantiation. The key characteristics of our scheme are that the size of showing tokens is independent of the number of attributes in the credential(s) and that the core device only needs to compute a single elliptic curve scalar multiplication, regardless of the number of attributes.
We confirm the practical efficiency of our CHACs with an implementation of our scheme on a Multos smart card as the core and an Android smartphone as the helper device. A credential showing requires less than 500 ms on the smart card and around 200 ms on the smartphone (even for a credential with 1000 attributes).
