Algebraic MACs and Keyed-Verification Anonymous Credentials

We consider the problem of constructing anonymous credentials for use in a setting where the issuer of credentials is also the verifier, or more generally where the issuer and verifier have a shared key. In this setting we can use message authentication codes (MACs) instead of public key signatures as the basis for the credential system. To this end, we construct two algebraic MACs in prime-order groups, along with efficient protocols for issuing credentials, asserting possession of a credential, and proving statements about hidden attributes (e.g., the age of the credential owner). We prove the security of the first scheme in the generic group model, and prove the security of the second scheme\dash using a dual-system-based approach\dash under decisional Diffie-Hellman (DDH). Our MACs are of independent interest, as they are the only uf-cmva-secure MACs with efficient proofs of knowledge. Finally, we compare the efficiency of our new systems to two existing constructions of anonymous credentials: U-Prove and Idemix. We show that the performance of the new schemes is competitive with U-Prove (which does not have multi-show unlinkability), and many times faster than Idemix.

[1]  J. Camenisch,et al.  Proof systems for general statements about discrete logarithms , 1997 .

[2]  Anna Lysyanskaya,et al.  Anonymous credentials light , 2013, IACR Cryptol. ePrint Arch..

[3]  Jan Camenisch,et al.  An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation , 2001, IACR Cryptol. ePrint Arch..

[4]  Yiannis Tsiounis,et al.  On the Security of ElGamal Based Encryption , 1998, Public Key Cryptography.

[5]  Oded Goldreich,et al.  Foundations of Cryptography: Volume 2, Basic Applications , 2004 .

[6]  Mihir Bellare,et al.  On Defining Proofs of Knowledge , 1992, CRYPTO.

[7]  Hoeteck Wee,et al.  Shorter IBE and Signatures via Asymmetric Pairings , 2012, Pairing.

[8]  Markus Jakobsson,et al.  Designated Verifier Proofs and Their Applications , 1996, EUROCRYPT.

[9]  Ivan Damgård,et al.  Efficient Concurrent Zero-Knowledge in the Auxiliary String Model , 2000, EUROCRYPT.

[10]  Stefan A. Brands,et al.  Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy , 2000 .

[11]  Oded Goldreich,et al.  The Foundations of Cryptography - Volume 2: Basic Applications , 2001 .

[12]  Eike Kiltz,et al.  Message Authentication, Revisited , 2012, EUROCRYPT.

[13]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[14]  Jan Camenisch,et al.  A Signature Scheme with Efficient Protocols , 2002, SCN.

[15]  Hovav Shacham,et al.  Randomizable Proofs and Delegatable Anonymous Credentials , 2009, CRYPTO.

[16]  Martin Nemzow,et al.  Rethinking Public Key Infrastructures and Digital Certificates and Privacy , 2001 .

[17]  Yi Mu,et al.  Constant-Size Dynamic k-TAA , 2006, SCN.

[18]  Jan Camenisch,et al.  Anonymous credentials on a standard java card , 2009, CCS.

[19]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[20]  Jan Camenisch,et al.  Signature Schemes and Anonymous Credentials from Bilinear Maps , 2004, CRYPTO.

[21]  Shirley M. Radack Updated Digital Signature Standard Approved as Federal Information Processing Standard (FIPS)186-3 | NIST , 2009 .

[22]  Allison Bishop,et al.  Dual Form Signatures: An Approach for Proving Security from Static Assumptions , 2012, IACR Cryptol. ePrint Arch..

[23]  Dan Boneh,et al.  The Decision Diffie-Hellman Problem , 1998, ANTS.

[24]  Christian Paquin,et al.  U-Prove Cryptographic Specification V1.1 (Revision 3) , 2013 .

[25]  Marc Fischlin,et al.  Communication-Efficient Non-interactive Proofs of Knowledge with Online Extractors , 2005, CRYPTO.

[26]  David Chaum,et al.  Security without identification: transaction systems to make big brother obsolete , 1985, CACM.

[27]  David Cash,et al.  The Twin Diffie–Hellman Problem and Applications , 2009, Journal of Cryptology.

[28]  Nigel P. Smart The Exact Security of ECIES in the Generic Group Model , 2001, IMACC.

[29]  Ronald Cramer,et al.  A secure and optimally efficient multi-authority election scheme , 1997, Eur. Trans. Telecommun..

[30]  Brent Waters,et al.  Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions , 2009, IACR Cryptol. ePrint Arch..

[31]  Victor Shoup,et al.  Lower Bounds for Discrete Logarithms and Related Problems , 1997, EUROCRYPT.

[32]  Claus-Peter Schnorr,et al.  Security of Blind Discrete Log Signatures against Interactive Attacks , 2001, ICICS.

[33]  Ron Steinfeld,et al.  How to Strengthen Any Weakly Unforgeable Signature into a Strongly Unforgeable Signature , 2007, CT-RSA.