1 / 22

Accumulators and U-Prove Revocation

This paper explores the use of accumulators and the U-Prove scheme for anonymous revocation of credentials. It discusses the definitions and security of accumulators, the U-Prove scheme, and various revocation methods. It also examines the implementation and performance of the accumulator-based revocation scheme.

marymgreene
Download Presentation

Accumulators and U-Prove Revocation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Accumulators andU-Prove Revocation Tolga Acar, Intel Sherman S.M. Chow, The Chinese University of Hong Kong Lan Nguyen, XCG – Microsoft Research

  2. Outline Accumulators • Definitionsand Security • Anonymous Revocation • New scheme U-Prove • Overview • Revocation methods • Revocation with the new accumulator Implementation and Performance

  3. Accumulator Primitives • Accumulate: Aggregate a set of elements into a single value V. • Non-Membership (NM) Proof: Prove that an element x is NOT accumulated in V without revealing any info about x. • Membership Proof: Prove that an element x is accumulated in Vwithout revealing any info about x. • Efficient Update of V and Proofs’ Witnesses when the accumulated set changes.

  4. Accumulator Security • Member Completeness:x is accumulated ⇒ Member proof accepts. • Member Soundness:x is not accumulated ⇒ Member proof rejects. • NM Completeness:x is not accumulated ⇒ NM proof accepts. • NM Soundness:x is accumulated ⇒ NM proof rejects. • Information hiding: The proofs should be Zero-Knowledge or Witness Indistinguishable.

  5. Revoking Anonymous Credentials For Blacklisting Anonymous Credentials, • Accumulate blacklisted elements in an accumulator value. • NM Proof proves that an element is not accumulated • ⇒ The element is not blacklisted. • NM Proof does not reveal the element ⇒ Privacy Protection. For Whitelisting Anonymous Credentials, it is similar in the opposite way.

  6. Accumulator Scheme – Setup • Bilinear pairing e: where and are cyclic multiplicative groups, all of order prime q. • Setup • Private Key: • Public Key: where Optionally,

  7. Accumulator Operations • Items to accumulate is a set • Accumulator value • Non-Membership Witness is with • Compute from t • A new witness for x is computed or updated when a new x‘ is accumulated or an accumulated x’ is removed from the set S • Similar for Membership Witness

  8. Efficient Accumulator NM Proof Computations are moved from and to efficient • Prove is PoK: • Instead of To reduce pairing • Add to witness • Hide by and , so • PoK : Efficiency gains • Prover needs no pairing • Verifier needs 2 pairings to verify Similar for the Mem Proof.

  9. Outline Accumulators • Definitionsand Security • Anonymous Revocation • New scheme U-Prove • Overview • Revocation methods • Revocation with the new accumulator Implementation and Performance

  10. U-Prove Participants: Issuer, User (Prover), Service Provider (Verifier). Issuing Protocol between Issuer and User • User obtains Tokens from Issuer • Token certifies attributes (Driver License, Age > 21,…) Presentation Protocol between User and Service Provider • Users proves certain attributes to Service Provider • Service Provider learns nothing about other attributes

  11. U-Prove Crypto Issuing • Each token is a blind signature on a commitment of attributes • Re-Committing to is like a sealed envelop • Blind Signing is like carbon paper • Extracting from is like opening envelop Presenting • Showing disclose attributes • PoK of committed attributes • Verifying the blind signature Different presentations of the same token are linkable

  12. Revocation in U-Prove Four Methods • ID Exposure. It breaks privacy. Force revoked user to reveal the ID (S/N or another attribute) • Credential Update. Not efficient. Short validity time encoded in an attribute Issuer periodically updates valid credentials for download • Credential Revocation Lists. Not efficient. List of proofs that the ID is not in blacklisted items • Accumulators Use an accumulator to aggregate the IDs

  13. Pros and Cons of using Accumulators • Advantages • Costs to generate and verify unrevoked credential proofs do not depend on the blacklist’s size. • It works for both whitelisting (membership proofs) and blacklisting (non-membership proofs). • Anonymous and unlinkable credentials. Disadvantages • Witness update is expensive. • More complex.

  14. Accumulator-Based Revocation Scheme U-Prove integration is based on non-membership proof Demo Scenario • Both User A and User P are issued U-Prove tokens. • User A is blacklisted, so A fails to update NM Witness • ⇒ User A can not generate anonymous proofs. • User P succeeds to update its NM Witness. • ⇒ User P can generate valid anonymous proofs.

  15. U-Prove Revocation Scenario

  16. Setup and Issuing Use a revocation attribute (rv) to the U-Prove token. Issuer • Public key: • Private key: User • Token: • Private key: • Commitment

  17. Revocation and Presentation Blacklist Authority • Public key private key , and revocation table User uses the table to update ’s accumulator witness from the revocation table Presentation • Normal U-Prove Presentation • Prove that is not accumulated (Non-Membership proof)

  18. Outline Accumulators • Definitionsand Security • Anonymous Revocation • New scheme U-Prove • Overview • Revocation methods • Revocation with the new accumulator Implementation and Performance

  19. Software Design AnonProof U-Prove Idemix Application Revocation API Revocation Accumulator API Proof List Method AccuFS AccuGS Others

  20. Software Design • Abstraction: Single definition of Revocation API (for all revoking methods), Single definition of Accumulator API (for all accumulators). • No Redundancy: Single implementation of Revocation using Accumulators. • Extendibility: Easy to add new Accumulators or Applications. • Changeability: Easy to switch among Accumulators or Revocation methods.

  21. Performance Compared with the only previous universal accumulator scheme ATSM

  22. Thanks and Questions

More Related