Keywords

1 Introduction

Using cryptographic credentials, users can anonymously prove the ownership of their personal attributes, such as age, nationality, sex or ticket validity. In the recent two decades, many proposals for anonymous credential schemes have been published. Starting with the fundamental works of Chaum [23], Brands [10], Camenish and Lysyanskaya [17], until recent schemes [1, 3, 22, 27, 34], researchers try to find a scheme that fulfills all requirements on privacy, is provably secure and is so efficient that it can be implemented on constrained devices. While there are schemes that fulfill all the requirements and can be implemented on PC and smartphone platforms, existing schemes deployed on smart cards are still not sufficiently fast for many applications, such as e-ticketing and eIDs. Yet, smart cards are the most appropriate platform for storing and proving personal attributes in everyday life, due to their size, security and reliability.

There are two major reasons why we lack practical implementations of anonymous credentials on smart cards. First, the complexity of asymmetric cryptographic algorithms used in anonymous credentials is quite high even for modern smart cards. Second, modern cryptographic schemes, including anonymous credentials, are mostly based on operations over an elliptic curve, while most available smart cards do not provide API for these operations. Particularly, the very popular operation of bilinear maps is still unsupported on this platform and simple operations, such as EC point scalar multiplication and addition, are significantly restricted.

In this paper, we address both these concerns: First, we propose a novel keyed-verification anonymous credential scheme that is designed to allow for smart card implementations. Our scheme has the most efficient proving algorithm to date and requires only operations that are available on existing off-the-shelf smart cards. Second, we present the implementation of our anonymous credential scheme that is 44%–72% faster than the current state-of-the-art implementation, while even providing a higher security level.

1.1 Related Work

Cryptographic anonymous credential schemes were first defined by the seminal works of Chaum [23], Brands [10] and Camenisch and Lysyanskaya [17]. The schemes were gradually improved by adding revocation protocols [15, 18], using more efficient algebraic structures [19, 34] and developing security models and formal proofs [16]. Idemix [21] and U-Prove [32] are the examples of the most evolved schemes aiming for a practical use. Recently, a new approach to obtain more efficient anonymous credential schemes was proposed. Chase et al. [22] argue that in many scenarios where anonymous credentials could be deployed, the issuer of the credential will also serve as the verifier. This means that the verifier possesses the issuer key, which can be leveraged to obtain more efficient anonymous credential schemes tailored to setting. They formally define these so-called Keyed-Verification Anonymous Credentials (KVAC) and propose two instantiations. Barki et al. [2] propose a new KVAC scheme which is currently the most efficient: Proving possession of a credential with u hidden attributes costs \(u+12\) exponentiations. Couteau and Reichle [24] construct a KVAC scheme with presentation cost \(2u+3\) exponentiations in a 2048-bit group, which is less efficient, but works in the standard model. Some of the new constructions were already implemented on the PC platform with promising results [28, 34]. Yet, the implementations on the smart card platform are available only for the former schemes that are based on traditional, rather inefficient modular structures [6, 30, 33, 38]. Furthermore, most implementations use only 1024-bit RSA groups that are considered insufficient by today’s standards [37]. Implementations with higher security parameters [1,2,3,4] either need distribution of computation to another device (usually a mobile phone) or use a non-standard proprietary API for EC operations and rely on pre-computations (which is impossible in crucial applications like e-ticketing and eID where the card is inactive and starts only for the attribute presentation). Regarding speed, the best-performing implementation of Idemix by the IRMA project [38] is able to compute the unlinkable attribute proof in at least 0,9 s, which is not convenient for time-critical applications where the proof should be presented in less than 500 ms. Currently, there is no cryptographic proposal and its implementation that would realize unlinkable anonymous credentials on the smart card platform with performance and security parameters necessary for a practical deployment.

1.2 Our Contribution

We propose a novel cryptographic scheme for anonymous attribute-based credentials that is designed primarily for smart cards. It provides all necessary privacy-protection features, i.e., the anonymity, unlinkability, untraceability and selective disclosure of attributes. The scheme is based on our original algebraic MAC that makes its proving protocol very efficient. The computational complexity of our proving protocol is the lowest from related schemes (only \(u+2\) scalar multiplications to present an attribute ownership proof) and we need only basic arithmetic operations that are already provided by existing smart cards’ APIs. We present the results of the full implementation of our proving protocol that is faster by at least 44% than the state-of-the-art implementation. By reaching the time of 366 ms including overhead, which is required for proving personal attributes on a 192-bit EC security level, we argue that the anonymous credentials are finally secure and practical even for time-critical and large-scale applications like eIDs, e-ticketing and mass transportation.

2 Preliminaries

2.1 Notation

We describe (signature) proof of knowledge protocols (SPK) using the efficient notation introduced by Camenisch and Stadler [20]. The protocol for proving the knowledge of discrete logarithm of c with respect to g is denoted as SPK\(\{\alpha : c=g^{\alpha }\}\). The symbol “:” means “such that” and |x| is the bitlength of x. The symbol \(\mathcal {H}\) denotes a secure hash function. We write when a is sampled uniformly at random from A. Let \(\mathsf {GroupSetup}(1^\kappa )\) be an efficient algorithm that generates a group \(\mathbb {G}= \langle g \rangle \) of prime order q, such that \(|q| = \kappa \). Let \(\mathbf{e}\) denote a bilinear map.

2.2 Weak Boneh-Boyen Signature

We recall the weak Boneh-Boyen signature scheme [9], which is existentially unforgeable against a weak (non-adaptive) chosen message attack under the q-SDH assumption.

  • \(\mathsf {Setup}\): On input security parameter \(\tau \), generate a bilinear group \((q,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,\mathbf{e}, g_1,g_2) \leftarrow \mathcal {G}(1^\tau )\). Take , compute \(w=g_2^x\), and output \(sk = x\) as private key and \(pk = (q, \mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T, g_1, g_2, \mathbf{e}, w)\) as public key.

  • \(\mathsf {Sign}\): On input message \(m \in \mathbb {Z}_q\) and secret key sk, output \(\sigma =g_1^{\frac{1}{x+m}}\).

  • \(\mathsf {Verify}\): On input the signature \(\sigma \), message m, and public key pk, output 1 iff \(\mathbf{e}(\sigma , w) \cdot \mathbf{e}(\sigma ^m, g_2) = \mathbf{e}(g_1, g_2)\) holds.

2.3 Algebraic MACs

Compared to traditional Message Authentication Codes (MACs), algebraic MACs can be efficiently combined with zero knowledge proofs. In terms of security, algebraic MACs [22] are no different from traditional MACs. A MAC scheme consists of algorithms \((\mathsf {Setup}, \mathsf {KeyGen}, \mathsf {MAC}, \mathsf {Verify})\). \(\mathsf {Setup}\) sets up the system parameters \(\textit{par}\) that are given as implicit input to the other algorithms. \(\mathsf {KeyGen}\) creates a new secret key, \(\mathsf {MAC}(sk, m)\) computes a MAC on message m, and \(\mathsf {Verify}\) is used to verify MACs. We recall the security definitions due to Dodis et al. [25] and slightly strengthened by Chase et al. [22], and require completeness and unforgeability under chosen message and verification attack (uf-cmva).

Definition 1

A MAC scheme \((\mathsf {Setup}, \mathsf {KeyGen}, \mathsf {MAC}, \mathsf {Verify})\) is complete if the following probability is negligible in \(\kappa \) for all messages m:

Definition 2

A MAC scheme \((\mathsf {Setup}, \mathsf {KeyGen}, \mathsf {MAC}, \mathsf {Verify})\) is \((t, \epsilon , q_\mathsf {MAC}, q_\mathsf {Verify})\)-unforgeable under chosen message and verification attack if there exists no adversary \(\mathcal {A} \) running in time t making at most \(q_\mathsf {MAC}\) \(\mathsf {MAC}\) queries and at most \(q_\mathsf {Verify}\) \(\mathsf {Verify}\) queries, for which the following probability is at least \(\epsilon \):

3 Our Algebraic MAC

This section describes our novel algebraic MAC scheme \(\mathsf {MAC}_{\mathsf {wBB}} \), which is based on the weak Boneh-Boyen signature. It works in a prime order group and can MAC vectors of n messages , with \(m_i \in \mathbb {Z}_q^*\), using the technique due to Camenisch et al. [13] to extend the Boneh-Boyen signature to multiple messages. The scheme is composed of the following algorithms.

  • \(\mathsf {Setup}(1^\kappa )\): Output \(\textit{par}= (\mathbb {G}, g, q) \leftarrow \mathsf {GroupSetup}(1^\kappa )\).

  • \(\mathsf {KeyGen}(\textit{par})\): Choose for \(i = (0, \ldots , n)\). Output secret key \(sk = (x_0, \ldots , x_n)\) and public issuer parameters \(\textit{ipar}\leftarrow (X_0, \ldots , X_n)\) with \(X_i = g^{x_i}\).

  • : Let \(sk = (x_0, \ldots , x_n)\) and . Compute \(\sigma = g^{\frac{1}{x_0 + \sum _{i=1}^n m_i x_i}}\) and auxiliary information \(\sigma _{x_i} \leftarrow \sigma ^{x_i}\) for \(i = (1, \ldots , n)\).Footnote 1 Output the authentication code \((\sigma , \sigma _{x_1}, \ldots , \sigma _{x_n})\).

  • : Let \(sk = (x_0, \ldots , x_n)\) and . Output 1 iff \(g = \sigma ^{x_0 + \sum _{i = 1}^n m_i x_i}\).

Unforgeability of our MAC scheme holds under the SCDHI assumption, which is a variation of the SDDHI assumption [14].

Theorem 1

Our MAC scheme is unforgeable, as defined in Definition 2, under the SCDHI assumption. More precisely, if n-SCDHI is \((t, \epsilon )\)-hard, then our MAC scheme is \((t, \epsilon )\)-unforgeable.

We introduce the SCDHI problem, prove its hardness in generic groups and formally prove Theorem 1 in the full manuscript [11].

4 Keyed-Verification Anonymous Credential Scheme

We construct our keyed-verification anonymous credential (KVAC) scheme using the algebraic MAC scheme presented in Sect. 3 above. Unlike traditional anonymous attribute-based credential schemes (ABCs), the verifier needs to know the secret keys to be able to verify user’s attributes in keyed-verification anonymous credential schemes. This feature is particularly convenient for scenarios where attribute issuers are the same entities as attribute verifiers. The mass transportation settings is an example of such a scenario because the transportation authority both issues and checks the tickets and passes. The KVAC scheme supports all the standard privacy-enhancing features of ABC schemes, such as anonymity, unlinkability, untraceability, and selective disclosure of attributes, and is compatible with major credential schemes [21, 32] and standard revocation schemes [12, 17].

4.1 Definition of Keyed-Verification Anonymous Credential Schemes

A KVAC scheme consists of algorithms \((\mathsf {Setup}, \mathsf {CredKeygen}, \mathsf {Issue}, \mathsf {Obtain}, \mathsf {Show}, \mathsf {ShowVerify})\)Footnote 2 that are executed by users and an issuer who also serves as a verifier.

  • \(\mathsf {Setup}(1^k)\) takes as input the security parameter and outputs the system parameters \(\textit{par}\). We assume that \(\textit{par}\) is given as implicit input to all algorithms.

  • \(\mathsf {CredKeygen}(\textit{par})\) outputs a issuer secret key \( sk \) and issuer parameters \(\textit{ipar}\).

  • \(\mathsf {Issue}( sk , (m_1, \ldots , m_n))\) takes as input the issuer secret key and attribute values \((m_1, \ldots , m_n)\) and outputs a credential \(\textit{cred}\). The issuance of attributes must be done over a secure channel (as the attributes and private AMAC are sent between the user and issuer) and the credential should be stored on a tamper-proof device (we use a smart-card).

  • \(\mathsf {Obtain}(\textit{ipar}, \textit{cred}, (m_1, \ldots , m_n))\) lets a user verify a credential by giving as input the public issuer parameters, the credential and the attribute values.

  • \(\mathsf {Show}(\textit{ipar}, \textit{cred}, (m_1, \ldots , m_n), \phi ) \leftrightarrow \mathsf {ShowVerify}( sk , \phi )\) is an interactive algorithm. The user runs \(\mathsf {Show}\) on input the public issuer parameters, the credential, the attribute values and attribute predicate, and the verifier runs \(\mathsf {ShowVerify}\) on input the issuer secret key and the attribute predicate, which will output 1 iff it accepts the credential presentation.

Fig. 1.
figure 1

Definition of the \(\mathsf {Show}\) and \(\mathsf {ShowVerify}\) algorithms of our KVAC scheme.

Full size image

4.2 Our KVAC Scheme Based on \(\mathsf {MAC}_{\mathsf {wBB}} \)

In this section, we present our novel KVAC scheme that uses \(\mathsf {MAC}_{\mathsf {wBB}} \) as introduced in Sect. 3. Our scheme certifies attributes in \(\mathbb {Z}_q^*\) and is parametrized by n, the amount of attributes in a credential. We describe our scheme using selective disclosure as attribute predicates, i.e., a predicate \(\phi \) can be seen as a set \(D \subseteq \{1, \ldots , n\}\) containing the indices of the disclosed attributes and the attribute values of the disclosed attributes \(\langle m_i \rangle _{i \in D}\). On a high level, we follow the approach from Chase et al. [22] and build our KVAC scheme from our algebraic MAC presented in Sect. 3 and zero knowledge proofs. One novel trick allows us to strongly improve the efficiency of our scheme. Instead of computing a standard noninteractive Schnorr-type proof of knowledge, we use the fact that the verifier knows the secret key. This allows us to omit elements that the verifier can compute by itself and saves the prover a lot of work.

We note that our \(\mathsf {Issue}\) algorithm does not support the efficient issuance of committed attributes, i.e., the blind issuance. This feature is useful in applications where a user needs to transfer his attributes among credentials or needs to get issued attributes that are only private to him. However, we consider these scenarios rare in targeted applications such as e-ticketing, mass transportation and loyalty cards. Furthermore, if the issuance of committed attributes is necessary, it can be done by employing Paillier encryption [31], as is shown in [5].

  • \(\mathsf {Setup}(1^k)\): Output \(\textit{par}= (\mathbb {G}, g, q) \leftarrow \mathsf {GroupSetup}(1^\kappa )\).

  • \(\mathsf {CredKeygen}(\textit{par})\): Run \(( sk , \textit{ipar}) \leftarrow \mathsf {MAC}_{\mathsf {wBB}}.\mathsf {KeyGen}(\textit{par})\) and output \( sk \) and \(\textit{ipar}\).

  • \(\mathsf {Issue}( sk , (m_1, \ldots , m_n))\): Run \((\sigma , \langle \sigma _{x_i} \rangle _{i = 0}^n) \leftarrow \mathsf {MAC}_{\mathsf {wBB}}.\mathsf {MAC}( sk , (m_1, \ldots , m_n))\). Next, provide a proof that allows a user to verify the validity of the credential: \(\pi \leftarrow SPK \{(x_0, \ldots , x_n): \bigwedge _{i = 0}^n \sigma _{x_i} = \sigma ^{x_i} \wedge X_i = g^{x_i}\}\). Output credential \(\textit{cred}\leftarrow (\sigma , \langle \sigma _{x_i} \rangle _{i = 0}^n, \pi )\).

  • \(\mathsf {Obtain}(\textit{ipar}, \textit{cred}, (m_1, \ldots , m_n))\): Parse \(\textit{ipar}\) as \((X_0, \ldots , X_n)\) and parse \(\textit{cred}\) as \((\sigma , \langle \sigma _{x_i} \rangle _{i = 0}^n, \pi )\). Check that \(\sigma _{x_0} \cdot \prod _{i = 1}^n \sigma _{x_i}^{m_i} = g\) and verify \(\pi \) with respect to \(\textit{ipar}\) and \(\sigma \).

  • \(\mathsf {Show}(\textit{ipar}, \textit{cred}, (m_1, \ldots , m_n), (D, \langle m_i \rangle _{i \in D}))\): In credential presentation, we want to let the user prove possession of a valid credential with the desired attributes. On a high level, we want to prove knowledge of a weak Boneh-Boyen signature, so we can apply the efficient proof due to Arfaoui et al. [1] and Camenisch et al. [12], by extending it to support a vector of messages: Take a random and let \(\hat{\sigma } \leftarrow \sigma ^r\) and \(\hat{\sigma }_{x_i} \leftarrow \sigma _{x_i}^{\ r}\) for \(i = 0, \ldots , n\), and prove

    $$\begin{aligned} SPK \{(\langle m_i \rangle _{i \not \in D}, r):\hat{\sigma }_{x_0} \prod _{i\in D}\hat{\sigma }_{x_i}^{\ m_i} = g^r \prod _{i\not \in D}\hat{\sigma }_{x_i}^{-m_i}\}. \end{aligned}$$

    The verifier simply checks that the \(\hat{\sigma }_{x_i}\) values are correctly formed and verifies the proof.

    While this approach is secure and conceptually simple, it is not very efficient. We now present how we can construct a similar proof in a much more efficient manner. The key observation is that the user does not have to compute anything that the verifier, who is in possession of the issuer secret key \( sk \), can compute. This means we can omit the computation of the \(\hat{\sigma }_{x_i}\) values and define \(\mathsf {Show}\) as follows. Randomize the credential by taking a random \(r \leftarrow \mathbb {Z}_q^*\) and setting \(\hat{\sigma } \leftarrow \sigma ^r\). Take and compute

    $$\begin{aligned} t = \prod _{i\not \in D}\sigma _{x_{i}}^{\rho _{m_{i}} \cdot r} g^{\rho _r}, \quad c \leftarrow \mathcal {H}(D, \langle m_i \rangle _{i \in D}), t, \hat{\sigma }, \textit{par}, \textit{ipar}, nonce), \end{aligned}$$

    and let \(s_r=\rho _r+cr, \langle s_{m_{i}}=\rho _{m_{i}}-cm_{i}\rangle _{i \not \in D}\). Send \((\hat{\sigma }, t, s_r, \langle s_{m_i} \rangle _{i \not \in D})\) to the verifier.

  • \(\mathsf {ShowVerify}( sk , (D, \langle m_i \rangle _{i \in D}))\): The verifier running \(\mathsf {ShowVerify}\) will receive \((\hat{\sigma }, t, s_r, \langle s_{m_i} \rangle _{i \not \in D})\) from the user. It recomputes

    $$\begin{aligned} c\leftarrow \mathcal {H}((m_1, \ldots , m_n), (D, \langle m_i \rangle _{i \in D}), t, \hat{\sigma }, \textit{par}, \textit{ipar}, nonce) \end{aligned}$$

    and checks

    $$\begin{aligned} t {\mathop {=}\limits ^{?}} g^{s_r} \cdot \hat{\sigma }^{-c \cdot x_0 + \sum _{i \not \in D} (x_i \cdot s_{m_i}) - \sum _{i \in D} (x_i \cdot m_i \cdot c)}. \end{aligned}$$

    Output 1 if valid and 0 otherwise. The \(\mathsf {Show}\) and \(\mathsf {ShowVerify}\) algorithms are depicted in Fig. 1.

Theorem 2

Our keyed-verification credential scheme is secure following the definition by Chase et al. [22] (ommitting the blind issuance), under the n-SCDHI assumption in the random oracle model.

We formally prove Theorem 2 in the full manuscript [11].

4.3 Efficiency

Our \(\mathsf {Show}\) and \(\mathsf {ShowVerify}\) algorithms were designed to be efficient enough to run on smart cards. We avoided computing bilinear pairings due to their computational cost and the lack of support on existing smart cards. The use of the second most expensive operation, the exponentiation (or scalar multiplication of EC points respectively), is reduced to a minimum. Our proving algorithm, the part of the protocol we envision being executed on a smart card, only requires \(u+2\) exponentiations, where u is the number of undisclosed attributes.

Table 1 compares the efficiency of our \(\mathsf {Show}\) protocol to existing KVAC schemes [3, 22], well-known anonymous credential schemes U-Prove [32] and Identity Mixer [21], and a recent scheme by Ringers et al. [34]. Idemix takes place in the RSA group, meaning that the exponentiations are much more expensive than exponentiations in a prime order group. U-Prove lacks the unlinkability property. Compared to \(\mathsf {MAC}_{\mathsf {BB}}\), our scheme requires only 2 exponentiations without hidden attributes, whereas \(\mathsf {MAC}_{\mathsf {BB}}\) requires 12, showing that especially for a small number of undisclosed attributes, our scheme is significantly faster than \(\mathsf {MAC}_{\mathsf {BB}}\).

Table 1. Comparison of presentation protocols of credential schemes.
Full size table
Fig. 2.
figure 2

Speed of our proving protocol compared to Vullers and Alpár (VA) implementation [38]. Blue - our algorithm time, orange - our total time with overhead, verticals - VA algorithm time and horizontals - VA total time with overhead. (Color figure online)

Full size image

5 Implementation Results

There are many cryptographic schemes for anonymous attribute-based credentials available. Nevertheless, the smart card implementations are only very few [26, 30, 38] and not practically usable as they use only small insecure security parameters to be able to achieve reasonable speed. Particularly, only 1024-bit RSA or DSA groups are used. That is considered insecure for any practical deployment today.

The Show and ShowVerify algorithms of our scheme were implemented using a standard NIST P-192 curve [29] on the Multos ML3 smart card. Only standard Multos API and free public development environment (Eclipse IDE for C/C++ Developers, SmartDeck 3.0.1, MUtil 2.8) were used. For terminal application, Java BigInteger class and BouncyCastle API were used. We compare our results (blue and orange) with the state-of-the-art results of Vullers and Alpár (VA) [38] (black and white) for different numbers of attributes stored and disclosed in Fig. 2. We note that our implementation uses significantly higher security parameters (1024-bit used by Vullers and Alpár vs. 1776-bit DSA group equivalent according to [37] used by us). The algorithm time (blue) tells the time necessary to compute all algorithms on the card. The overhead time (orange) adds time necessary to do all the supporting actions, mainly establishing the communication with a reader connected to PC and transferring APDUs. All results are arithmetic means of 10 measurements in milliseconds. Compared to VA’s implementation of Idemix, our implementation of all proving protocol algorithms on the card is at least 44% faster in all cases, see Fig. 2 for details.

In the case of only 2 attributes stored on the card, our scheme is by 72% faster than VA’s implementation. The card needs only 211 ms to compute the ownership proof for disclosed attributes. The total time of around 360 ms necessary for the whole proof generation on the card including communication with and computations on a terminal (standard PC, Core i7 2.4 GHz, 8 GB RAM) makes the implementation suitable also for time-critical applications like public transportation and ticketing. We also evaluated our scheme using an embedded device (Raspberry Pi 3) instead of the PC as a terminal. Even in that case the total time including overhead was below 450 ms. Based on our benchmarks, we expect that increasing security parameters to the 256-bit EC level would cost acceptable 15%–20% in performance.

Our implementation is artificially limited to 10 attributes per a user, but the smart card’s available memory resources (approx. 1.75 KB RAM and 7.5 KB usable EEPROM) would allow storing upto 50 attributes on a single card.

6 Conclusion

Practical anonymous credential schemes are only very few, with implementations on smart cards either too slow or providing insufficient security levels. Our approach to address this problem was twofold: (1) to propose a novel cryptographic scheme that is more efficient than all comparable schemes and formally prove its security; and (2) to develop a software implementation that is significantly faster than existing implementations, although they use lower security parameters. By achieving these results, we hope that we get privacy-enhanced authentication closer to practical applications.

Our future steps, besides further optimization, are the integration with a suitable revocation scheme (e.g., [12]) and implementation and benchmarks on higher security levels, hopefully on a wider range of smart cards, if they become available on the market.