Fast revocation of attribute-based credentials for both users and verifiers

Attribute-based credentials allow a user to prove properties about herself anonymously. Revoking such credentials, which requires singling them out, is hard because it is at odds with anonymity. All revocation schemes proposed to date either sacrifice anonymity altogether, require the parties to be online, or put high load on the user or the verifier. As a result, these schemes are either too complicated for low-powered devices such as smart cards or they do not scale. We propose a new revocation scheme that has a very low computational cost for users and verifiers, and does not require users to process updates. We trade only a limited, but well-defined, amount of anonymity to make the first practical revocation scheme that is efficient at large scales and fast enough for smart cards.

[1]  P. L. Montgomery Speeding the Pollard and elliptic curve methods of factorization , 1987 .

[2]  Eric R. Verheul Practical backward unlinkable revocation in FIDO, German e-ID, Idemix and U-Prove , 2016, IACR Cryptol. ePrint Arch..

[3]  Carlisle M. Adams,et al.  X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP , 1999, RFC.

[4]  Russ Housley,et al.  Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile , 2002, RFC.

[5]  Ernest F. Brickell,et al.  Direct anonymous attestation , 2004, CCS '04.

[6]  Claudio Soriente,et al.  An Accumulator Based on Bilinear Maps and Efficient Revocation for Anonymous Credentials , 2009, IACR Cryptol. ePrint Arch..

[7]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[8]  Moti Yung,et al.  Group Signatures with Almost-for-Free Revocation , 2012, CRYPTO.

[9]  Joe Kilian,et al.  Identity Escrow , 1998, CRYPTO.

[10]  Tanja Lange,et al.  High-speed high-security signatures , 2011, Journal of Cryptographic Engineering.

[11]  Sherman S. M. Chow Real Traceable Signatures , 2009, Selected Areas in Cryptography.

[12]  Ninghui Li,et al.  Universal Accumulators with Efficient Nonmembership Proofs , 2007, ACNS.

[13]  Hovav Shacham,et al.  Group signatures with verifier-local revocation , 2004, CCS '04.

[14]  Jaap-Henk Hoepman,et al.  Towards a Full-Featured Implementation of Attribute Based Credentials on Smart Cards , 2014, CANS.

[15]  Jan Camenisch,et al.  A Signature Scheme with Efficient Protocols , 2002, SCN.

[16]  Sean W. Smith,et al.  Blacklistable anonymous credentials: blocking misbehaving users without ttps , 2007, CCS '07.

[17]  Giles Hogben,et al.  Privacy Features: Privacy features of European eID card specifications , 2008 .

[18]  Nobuo Funabiki,et al.  Verifier-Local Revocation Group Signature Schemes with Backward Unlinkability from Bilinear Maps , 2005, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[19]  Jan Camenisch,et al.  Efficient group signature schemes for large groups , 1997 .

[20]  Bart De Decker,et al.  A Practical System for Globally Revoking the Unlinkable Pseudonyms of Unknown Users , 2007, ACISP.

[21]  Burton H. Bloom,et al.  Space/time trade-offs in hash coding with allowable errors , 1970, CACM.

[22]  Jaap-Henk Hoepman,et al.  Fast revocation of attribute-based credentials for both users and verifiers , 2015, Comput. Secur..

[23]  Norbert Felber,et al.  ECC Is Ready for RFID - A Proof in Silicon , 2008, Selected Areas in Cryptography.

[24]  Kai Rannenberg,et al.  Architecture for Attribute-based Credential Technologies , 2011 .

[25]  Jan Camenisch,et al.  An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation , 2001, IACR Cryptol. ePrint Arch..

[26]  Gergely Alpár,et al.  Efficient Selective Disclosure on Smart Cards Using Idemix , 2013, IDMAN.

[27]  Jan Camenisch,et al.  The DAA scheme in context , 2005 .

[28]  Christian Paquin,et al.  U-Prove Designated-Verifier Accumulator Revocation Extension , 2013 .

[29]  Jan Camenisch,et al.  Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials , 2002, CRYPTO.

[30]  Dawn Xiaodong Song,et al.  Quasi-Efficient Revocation in Group Signatures , 2002, Financial Cryptography.

[31]  Jan Camenisch,et al.  Practical Verifiable Encryption and Decryption of Discrete Logarithms , 2003, CRYPTO.

[32]  Bart De Decker,et al.  Analysis of Revocation Strategies for Anonymous Idemix Credentials , 2011, Communications and Multimedia Security.

[33]  S. Team,et al.  Specification of the Identity Mixer Cryptographic Library Version 2 . 3 . 0 * , 2022 .

[34]  Michal Koza,et al.  Restricted Identification Scheme and Diffie-Hellman Linking Problem , 2011, INTRUST.