Accountable Anonymous Credentials

Anonymity refers to withholding the identification information associated with an interaction. In the cyberworld, anonymous authentication is an important tool for protecting privacy. However, users may misbehave under the cover of anonymity, thus, accountability is crucial in any practical privacy-preserving authentication. Balancing anonymity and accountability has always been a challenging research problem in privacy protection. Accountable anonymous credentials are the cryptographic schemes designed to address this challenge. Users are allowed to anonymously prove their possession of valid credentials to protect user privacy. If they misbehave, they will be de-anonymized or blacklisted. In other words, it is technically possible for a system to achieve both anonymity and accountability simultaneously. In this chapter, we review the concept of anonymous credentials and discuss various accountability mechanisms. We discuss how the recent development of blockchain and quantum computers have influenced the recent research advances in this area. Finally, we also discuss how anonymous credentials are applied in real-world applications in cryptocurrencies.

[1]  Aggelos Kiayias,et al.  Anonymous Identification in Ad Hoc Groups , 2004, EUROCRYPT.

[2]  Man Ho Au,et al.  PERM: practical reputation-based blacklisting without TTPS , 2012, CCS.

[3]  Man Ho Au,et al.  Anonymous Post-Quantum Cryptocash , 2018, IACR Cryptol. ePrint Arch..

[4]  Huaxiong Wang,et al.  Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures Without Trapdoors , 2016, Journal of Cryptology.

[5]  Zhenfeng Zhang,et al.  Simpler Efficient Group Signatures from Lattices , 2015, Public Key Cryptography.

[6]  Sean W. Smith,et al.  PEREA: towards practical TTP-free revocation in anonymous authentication , 2008, CCS.

[7]  David Chaum,et al.  Online Cash Checks , 1990, EUROCRYPT.

[8]  Moni Naor,et al.  Deniable Ring Authentication , 2002, CRYPTO.

[9]  Jörg Schwenk,et al.  A CDH-Based Ring Signature Scheme with Short Signatures and Public Keys , 2010, Financial Cryptography.

[10]  Amit Sahai,et al.  Pseudonym Systems , 1999, Selected Areas in Cryptography.

[11]  Reihaneh Safavi-Naini,et al.  Dynamic k-Times Anonymous Authentication , 2005, ACNS.

[12]  Jonathan Katz,et al.  Ring Signatures: Stronger Definitions, and Constructions without Random Oracles , 2005, IACR Cryptol. ePrint Arch..

[13]  Jan Camenisch,et al.  An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation , 2001, IACR Cryptol. ePrint Arch..

[14]  Stephen R. Tate,et al.  Traceable Signature: Better Efficiency and Beyond , 2006, ICCSA.

[15]  Jan Camenisch,et al.  Signature Schemes and Anonymous Credentials from Bilinear Maps , 2004, CRYPTO.

[16]  Jonathan Katz,et al.  A Group Signature Scheme from Lattice Assumptions , 2010, IACR Cryptol. ePrint Arch..

[17]  Joseph K. Liu,et al.  Linkable Ring Signature with Unconditional Anonymity , 2014, IEEE Transactions on Knowledge and Data Engineering.

[18]  David Chaum,et al.  Group Signatures , 1991, EUROCRYPT.

[19]  Huaxiong Wang,et al.  Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash , 2017, ASIACRYPT.

[20]  David Pointcheval,et al.  Dynamic Fully Anonymous Short Group Signatures , 2006, VIETCRYPT.

[21]  Joseph K. Liu,et al.  Linkable Spontaneous Anonymous Group Signature for Ad Hoc Groups (Extended Abstract) , 2004, ACISP.

[22]  Eli Ben-Sasson,et al.  Zerocash: Decentralized Anonymous Payments from Bitcoin , 2014, 2014 IEEE Symposium on Security and Privacy.

[23]  Kazue Sako,et al.  k-Times Anonymous Authentication , 2009, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[24]  Stefan A. Brands,et al.  Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy , 2000 .

[25]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[26]  Shen Noether,et al.  Ring Confidential Transactions , 2016, Ledger.

[27]  Huaxiong Wang,et al.  Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-Based , 2015, Public Key Cryptography.

[28]  Huaxiong Wang,et al.  Constant-Size Group Signatures from Lattices , 2018, Public Key Cryptography.

[29]  Moti Yung,et al.  Short Traceable Signatures Based on Bilinear Pairings , 2006, IWSEC.

[30]  Joseph K. Liu,et al.  Separable Linkable Threshold Ring Signatures , 2004, INDOCRYPT.

[31]  Moti Yung,et al.  Efficient traceable signatures in the standard model , 2009, Theor. Comput. Sci..

[32]  Hovav Shacham,et al.  Aggregate and Verifiably Encrypted Signatures from Bilinear Maps , 2003, EUROCRYPT.

[33]  Ivan Damgård,et al.  Payment Systems and Credential Mechanisms with Provable Security Against Abuse by Individuals , 1988, CRYPTO.

[34]  Damien Stehlé,et al.  Lattice-Based Group Signatures with Logarithmic Signature Size , 2013, ASIACRYPT.

[35]  Amos Fiat,et al.  Untraceable Electronic Cash , 1990, CRYPTO.

[36]  David Chaum,et al.  Security without identification: transaction systems to make big brother obsolete , 1985, CACM.

[37]  Jan Camenisch,et al.  Fully Anonymous Attribute Tokens from Lattices , 2012, SCN.

[38]  Jan Camenisch,et al.  How to win the clonewars: efficient periodic n-times anonymous authentication , 2006, CCS '06.

[39]  Joseph K. Liu,et al.  Linkable Ring Signatures: Security Models and New Schemes , 2005, ICCSA.

[40]  Man Ho Au,et al.  Decentralized Blacklistable Anonymous Credentials with Reputation , 2018, IACR Cryptol. ePrint Arch..

[41]  David Pointcheval,et al.  Traceable Signature with Stepping Capabilities , 2012, Cryptography and Security.

[42]  Hovav Shacham,et al.  Group signatures with verifier-local revocation , 2004, CCS '04.

[43]  Jan Camenisch,et al.  A Signature Scheme with Efficient Protocols , 2002, SCN.

[44]  Mihir Bellare,et al.  Foundations of Group Signatures: The Case of Dynamic Groups , 2005, CT-RSA.

[45]  Tsz Hon Yuen,et al.  Ring signatures without random oracles , 2006, ASIACCS '06.

[46]  Koutarou Suzuki,et al.  Traceable Ring Signature , 2007, Public Key Cryptography.

[47]  Sean W. Smith,et al.  Blacklistable anonymous credentials: blocking misbehaving users without ttps , 2007, CCS '07.

[48]  Jens Groth,et al.  Fully Anonymous Group Signatures without Random Oracles , 2007, IACR Cryptol. ePrint Arch..

[49]  Hovav Shacham,et al.  Efficient Ring Signatures Without Random Oracles , 2007, Public Key Cryptography.

[50]  Jacques Stern,et al.  Threshold Ring Signatures and Applications to Ad-hoc Groups , 2002, CRYPTO.

[51]  Yael Tauman Kalai,et al.  A Framework for Efficient Signatures, Ring Signatures and Identity Based Encryption in the Standard Model , 2010, IACR Cryptol. ePrint Arch..

[52]  David Chaum,et al.  A Secure and Privacy-protecting Protocol for Transmitting Personal Information Between Organizations , 1986, CRYPTO.

[53]  Steven J. Murdoch,et al.  Do You See What I See? Differential Treatment of Anonymous Users , 2016, NDSS.

[54]  Patrick D. McDaniel,et al.  An Analysis of Anonymity in Bitcoin Using P2P Network Traffic , 2014, Financial Cryptography.

[55]  Sherman S. M. Chow Real Traceable Signatures , 2009, Selected Areas in Cryptography.

[56]  Peter W. Shor,et al.  Algorithms for quantum computation: discrete logarithms and factoring , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[57]  Sébastien Canard,et al.  Divisible E-Cash Systems Can Be Truly Anonymous , 2007, EUROCRYPT.

[58]  Willy Susilo,et al.  Short Linkable Ring Signatures Revisited , 2006, EuroPKI.

[59]  Prateek Saxena,et al.  A Traceability Analysis of Monero's Blockchain , 2017, ESORICS.

[60]  Willy Susilo,et al.  BLACR: TTP-Free Blacklistable Anonymous Credentials with Reputation , 2012, NDSS.

[61]  Vitaly Shmatikov,et al.  Robust De-anonymization of Large Sparse Datasets , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[62]  Sean W. Smith,et al.  The Quality of Open Source Production: Zealots and Good Samaritans in the Case of Wikipedia , 2007 .

[63]  Jiangtao Li,et al.  Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities , 2007, IEEE Transactions on Dependable and Secure Computing.

[64]  Jan Camenisch,et al.  Compact E-Cash , 2005, EUROCRYPT.

[65]  Jan Camenisch,et al.  Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials , 2002, CRYPTO.

[66]  Victor K.-W. Wei,et al.  Short Linkable Ring Signatures for E-Voting, E-Cash and Attestation , 2005, ISPEC.

[67]  Markulf Kohlweiss,et al.  One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin , 2015, EUROCRYPT.

[68]  Mihir Bellare,et al.  Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions , 2003, EUROCRYPT.

[69]  Benoît Libert,et al.  A Lattice-Based Group Signature Scheme with Message-Dependent Opening , 2016, ACNS.

[70]  Tsz Hon Yuen,et al.  RingCT 2.0: A Compact Accumulator-Based (Linkable Ring Signature) Protocol for Blockchain Cryptocurrency Monero , 2017, ESORICS.

[71]  David Chaum,et al.  Blind Signatures for Untraceable Payments , 1982, CRYPTO.

[72]  Matthew Green,et al.  Zerocoin: Anonymous Distributed E-Cash from Bitcoin , 2013, 2013 IEEE Symposium on Security and Privacy.

[73]  Yael Tauman Kalai,et al.  How to Leak a Secret: Theory and Applications of Ring Signatures , 2001, Essays in Memory of Shimon Even.

[74]  Matthew Green,et al.  Decentralized Anonymous Credentials , 2014, NDSS.

[75]  Hovav Shacham,et al.  Short Group Signatures , 2004, CRYPTO.

[76]  Reihaneh Safavi-Naini,et al.  Efficient and Provably Secure Trapdoor-Free Group Signature Schemes from Bilinear Pairings , 2004, ASIACRYPT.

[77]  Huaxiong Wang,et al.  Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions , 2016, ASIACRYPT.