Privacy-Preserving Auditing for Attribute-Based Credentials

Privacy-enhancing attribute-based credentials PABCs allow users to authenticate to verifiers in a data-minimizing way, in the sense that users are unlinkable between authentications and only disclose those attributes from their credentials that are relevant to the verifier. We propose a practical scheme to apply the same data minimization principle when the verifiers' authentication logs are subjected to external audits. Namely, we propose an extended PABC scheme where the verifier can further remove attributes from presentation tokens before handing them to an auditor, while preserving the verifiability of the audit tokens. We present a generic construction based on a signature, a signature of knowledge and a trapdoor commitment scheme, prove it secure in the universal composability framework, and give an efficient instantiation based on the strong RSA assumption in the random-oracle model.

[1]  Michael Backes,et al.  How to Break and Repair a Universally Composable Signature Functionality , 2004, ISC.

[2]  Jan Camenisch,et al.  Practical Verifiable Encryption and Decryption of Discrete Logarithms , 2003, CRYPTO.

[3]  David Chaum,et al.  Minimum Disclosure Proofs of Knowledge , 1988, J. Comput. Syst. Sci..

[4]  Melissa Chase,et al.  On Signatures of Knowledge , 2006, CRYPTO.

[5]  Mihir Bellare,et al.  Transitive Signatures Based on Factoring and RSA , 2002, ASIACRYPT.

[6]  Dawn Xiaodong Song,et al.  Homomorphic Signature Schemes , 2002, CT-RSA.

[7]  Ian Goldberg,et al.  Provably Secure and Practical Onion Routing , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[8]  Ivan Damgård,et al.  Efficient Concurrent Zero-Knowledge in the Auxiliary String Model , 2000, EUROCRYPT.

[9]  Stefan A. Brands,et al.  Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy , 2000 .

[10]  Ron Steinfeld,et al.  Content Extraction Signatures , 2001, ICISC.

[11]  Marc Fischlin,et al.  Trapdoor commitment schemes and their applications , 2001 .

[12]  Hovav Shacham,et al.  Randomizable Proofs and Delegatable Anonymous Credentials , 2009, CRYPTO.

[13]  Abhi Shelat,et al.  Computing on Authenticated Data , 2012, Journal of Cryptology.

[14]  Florian Volk,et al.  Security of Sanitizable Signatures Revisited , 2009, Public Key Cryptography.

[15]  Georg Fuchsbauer,et al.  Commuting Signatures and Verifiable Encryption , 2011, EUROCRYPT.

[16]  Jan Camenisch,et al.  A Signature Scheme with Efficient Protocols , 2002, SCN.

[17]  Ran Canetti,et al.  Universally composable signature, certification, and authentication , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[18]  Georg Fuchsbauer,et al.  Structure-Preserving Signatures and Commitments to Group Elements , 2010, CRYPTO.

[19]  Jan Camenisch,et al.  A Formal Treatment of Onion Routing , 2005, CRYPTO.

[20]  Stefan Katzenbeisser,et al.  Redactable Signatures for Tree-Structured Data: Definitions and Constructions , 2010, ACNS.

[21]  Claus-Peter Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1990, EUROCRYPT.

[22]  Stephen Farrell,et al.  Internet X.509 Public Key Infrastructure Certificate Management Protocols , 1999, RFC.

[23]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[24]  Gene Tsudik,et al.  Sanitizable Signatures , 2005, ESORICS.

[25]  Marc Fischlin,et al.  Unlinkability of Sanitizable Signatures , 2010, Public Key Cryptography.

[26]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[27]  Silvio Micali,et al.  Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems , 1991, JACM.

[28]  David Chaum,et al.  Security without identification: transaction systems to make big brother obsolete , 1985, CACM.

[29]  Jan Camenisch,et al.  Efficient Group Signature Schemes for Large Groups (Extended Abstract) , 1997, CRYPTO.

[30]  Aggelos Kiayias,et al.  On the Portability of Generalized Schnorr Proofs , 2009, EUROCRYPT.