Decentralized Anonymous Credentials

Anonymous credentials provide a powerful tool for making assertions about identity while maintaining privacy. However, a limitation of today's anonymous credential systems is the need for a trusted credential issuer — which is both a single point of failure and a target for compromise. Furthermore, the need for such a trusted issuer can make it challenging to deploy credential systems in practice, particularly in the ad hoc network setting (e.g., anonymous peer-to-peer networks) where no single party can be trusted with this responsibility. In this work we propose a novel anonymous credential scheme that eliminates the need for a trusted credential issuer. Our approach builds on recent results in the area of electronic cash that, given a public append-only ledger, do not need a trusted credential issuer. Furthermore, given a distributed public ledger, as in, e.g., Bitcoin, our system requires no credential issuer at all and hence is decentralized. Using such a public ledger and standard cryptographic primitives, we propose and provide a proof of security for a basic anonymous credential system that allows users to make flexible identity assertions with strong privacy guarantees without relying on trusted parties. Finally, we discuss a number of practical applications for our techniques, including resource management in ad hoc networks and prevention of Sybil attacks. We implement our scheme and measure its efficiency.

[1]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[2]  David Chaum,et al.  Security without identification: transaction systems to make big brother obsolete , 1985, CACM.

[3]  Silvio Micali,et al.  How to construct random functions , 1986, JACM.

[4]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[5]  Silvio Micali,et al.  Proofs that yield nothing but their validity and a methodology of cryptographic protocol design , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[6]  Torben P. Pedersen Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing , 1991, CRYPTO.

[7]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[8]  Jan Camenisch,et al.  Efficient Group Signature Schemes for Large Groups (Extended Abstract) , 1997, CRYPTO.

[9]  Jan Camenisch,et al.  Efficient group signature schemes for large groups , 1997 .

[10]  Tatsuaki Okamoto,et al.  Statistical Zero Knowledge Protocols to Prove Modular Polynomial Relations , 1997, CRYPTO.

[11]  Stefan Brands,et al.  Rapid Demonstration of Linear Relations Connected by Boolean Operators , 1997, EUROCRYPT.

[12]  Birgit Pfitzmann,et al.  Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees , 1997, EUROCRYPT.

[13]  Jan Camenisch,et al.  Group signature schemes and payment systems based on the discrete logarithm problem , 1998 .

[14]  Amnon Ta-Shma,et al.  Auditable, Anonymous Electronic Cash Extended Abstract , 1999, CRYPTO.

[15]  Jan Camenisch,et al.  Proving in Zero-Knowledge that a Number Is the Product of Two Safe Primes , 1998, EUROCRYPT.

[16]  Stefan A. Brands,et al.  Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy , 2000 .

[17]  Fabrice Boudot,et al.  Efficient Proofs that a Committed Number Lies in an Interval , 2000, EUROCRYPT.

[18]  Jan Camenisch,et al.  An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation , 2001, IACR Cryptol. ePrint Arch..

[19]  Yael Tauman Kalai,et al.  How to Leak a Secret: Theory and Applications of Ring Signatures , 2001, Essays in Memory of Shimon Even.

[20]  John R. Douceur,et al.  The Sybil Attack , 2002, IPTPS.

[21]  Jan Camenisch,et al.  Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials , 2002, CRYPTO.

[22]  Jan Camenisch,et al.  A Signature Scheme with Efficient Protocols , 2002, SCN.

[23]  Dan S. Wallach,et al.  Enforcing Fair Sharing of Peer-to-Peer Resources , 2003, IPTPS.

[24]  Helger Lipmaa,et al.  On Diophantine Complexity and Statistical Zero-Knowledge Arguments , 2003, ASIACRYPT.

[25]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[26]  Moni Naor,et al.  Number-theoretic constructions of efficient pseudo-random functions , 2004, JACM.

[27]  Ernest F. Brickell,et al.  Direct anonymous attestation , 2004, CCS '04.

[28]  Ivan Damgård,et al.  Unclonable Group Identification , 2006, IACR Cryptol. ePrint Arch..

[29]  Jens Groth,et al.  Non-interactive Zero-Knowledge Arguments for Voting , 2005, ACNS.

[30]  Yevgeniy Dodis,et al.  A Verifiable Random Function with Short Proofs and Keys , 2005, Public Key Cryptography.

[31]  Jan Camenisch,et al.  How to win the clonewars: efficient periodic n-times anonymous authentication , 2006, CCS '06.

[32]  Melissa Chase,et al.  On Signatures of Knowledge , 2006, CRYPTO.

[33]  Nikita Borisov,et al.  Computational Puzzles as Sybil Defenses , 2006, Sixth IEEE International Conference on Peer-to-Peer Computing (P2P'06).

[34]  Markulf Kohlweiss,et al.  P-signatures and Noninteractive Anonymous Credentials , 2008, TCC.

[35]  Abhi Shelat,et al.  Efficient Protocols for Set Membership and Range Proofs , 2008, ASIACRYPT.

[36]  Michael K. Reiter,et al.  Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.

[37]  Nikita Borisov,et al.  EigenSpeed: secure peer-to-peer bandwidth evaluation , 2009, IPTPS.

[38]  Ariel J. Feldman,et al.  Lest we remember: cold-boot attacks on encryption keys , 2008, CACM.

[39]  Jeremy Clark,et al.  CommitCoin: Carbon Dating Commitments with Bitcoin , 2011, IACR Cryptol. ePrint Arch..

[40]  Matthew Green,et al.  Access controls for oblivious and anonymous systems , 2011, TSEC.

[41]  Jeremy Clark,et al.  CommitCoin: Carbon Dating Commitments with Bitcoin - (Short Paper) , 2012, Financial Cryptography.

[42]  Hovav Shacham,et al.  Compact Proofs of Retrievability , 2008, Journal of Cryptology.

[43]  Alan M. Dunn,et al.  Anon-Pass: Practical Anonymous Subscriptions , 2013, 2013 IEEE Symposium on Security and Privacy.

[44]  Craig Gentry,et al.  Pinocchio: Nearly Practical Verifiable Computation , 2013, 2013 IEEE Symposium on Security and Privacy.

[45]  Matthew Green,et al.  Zerocoin: Anonymous Distributed E-Cash from Bitcoin , 2013, 2013 IEEE Symposium on Security and Privacy.

[46]  Eli Ben-Sasson,et al.  SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge , 2013, CRYPTO.