Non-Interactive Anonymous Credentials

In this paper, we introduce P-signatures. A P-signature scheme consists of a signature scheme, a commitment scheme, and (1) an interactive protocol for obtaining a signature on a committed value; (2) a non-interactive proof system for proving that the contents of a commitment have been signed; (3) a non-interactive proof system for proving that a pair of commitments are commitments to the same value. We give a definition of security for P-signatures and show how they can be realized under appropriate assumptions about groups with a bilinear map. In particular, we make extensive use of the powerful suite of non-interactive proof techniques due to Groth and Sahai. Our P-signatures enable, for the first time, the design of a practical non-interactive anonymous credential system whose security does not rely on the random oracle model. In addition, they may serve as a useful building block for other privacy-preserving authentication mechanisms.
