
Anonymous Transactions with Revocation and Auditing in Hyperledger Fabric

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13099)

Abstract

In permissioned blockchain systems, participants are admitted to the network by receiving a credential from a certification authority. Each transaction processed by the network is required to be authorized by a valid participant who authenticates via her credential. Use case settings where privacy is a concern thus require proper privacy-preserving authentication and authorization mechanisms.

Anonymous credential schemes allow a user to authenticate while showing only those attributes necessary in a given setting. This makes them a great tool for authorizing transactions in permissioned blockchain systems based on the user’s attributes. In most setups, there is one distinct certification authority for each organization in the network. Consequently, the use of plain anonymous credential schemes still leaks the association of a user to the organization that issued her credentials. Camenisch, Drijvers and Dubovitskaya (CCS 2017) therefore suggest the use of a delegatable anonymous credential scheme to also hide that remaining piece of information.

In this paper, we propose revocation and auditability, two functionalities that are necessary for real-world adoption, and integrate them into the scheme. We present a complete protocol, its security definition and proof, and provide an open-source implementation. Our distributed-setting performance measurements show that the integration of the scheme with Hyperledger Fabric, while incurring an overhead compared to less privacy-preserving solutions, is practical for settings with stringent privacy requirements.


Notes

  1. Other parties interact with \(\mathcal {F}_{\mathrm {clock}}\) to read the epoch. They technically also provide input to \(\mathcal {F}_{\mathrm {clock}}\), which is required for modeling a synchrony assumption such as epochs in the otherwise asynchronous UC framework [28].

References

  1. Achenbach, D., Kempka, C., Löwe, B., Müller-Quade, J.: Improved coercion-resistant electronic elections through deniable re-voting. In: JETS 2015 (2015)

  2. Androulaki, E., et al.: Hyperledger Fabric: a distributed operating system for permissioned blockchains. In: Proceedings of the 13th EuroSys Conference, EuroSys 2018, pp. 30:1–30:15 (2018)

  3. Androulaki, E., Cachin, C., De Caro, A., Kokoris-Kogias, E.: Channels: horizontal scaling and confidentiality on permissioned blockchains. In: Lopez, J., Zhou, J., Soriano, M. (eds.) ESORICS 2018. LNCS, vol. 11098, pp. 111–131. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-99073-6_6

  4. Androulaki, E., Camenisch, J., Caro, A.D., Dubovitskaya, M., Elkhiyaoui, K., Tackmann, B.: Privacy-preserving auditable token payments in a permissioned blockchain system. Cryptology ePrint Archive, Report 2019/1058 (November 2019)

  5. Au, M.H., Susilo, W., Mu, Y.: Constant-size dynamic k-TAA. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 111–125. Springer, Heidelberg (2006). https://doi.org/10.1007/11832072_8

  6. Baldimtsi, F., et al.: Accumulators with applications to anonymity-preserving revocation. In: 2017 IEEE European Symposium on Security and Privacy, EuroS&P 2017, Paris, France, 26–28 April 2017, pp. 301–315 (2017)

  7. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006). https://doi.org/10.1007/11693383_22

  8. Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from Bitcoin. In: IEEE Symposium on Security and Privacy, pp. 459–474. IEEE (2014)

  9. Benhamouda, F., et al.: Initial public offering (IPO) on permissioned blockchain using secure multiparty computation. In: IEEE Blockchain. IEEE (2019)

  10. Blömer, J., Bobolz, J.: Delegatable attribute-based anonymous credentials from dynamically malleable signatures. In: Preneel, B., Vercauteren, F. (eds.) ACNS 2018. LNCS, vol. 10892, pp. 221–239. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93387-0_12

  11. Bogatov, D.: Delegatable anonymous credentials library (2021). https://github.com/dbogatov/dac-lib

  12. Bogatov, D.: Fabric network and crypto simulator (2021). https://github.com/dbogatov/fabric-simulator

  13. Bogatov, D., Caro, A.D., Elkhiyaoui, K., Tackmann, B.: Anonymous transactions with revocation and auditing in Hyperledger Fabric. Cryptology ePrint Archive, Report 2019/1097 (2019). https://ia.cr/2019/1097

  14. Camenisch, J., Drijvers, M., Dubovitskaya, M.: Practical UC-secure delegatable credentials with attributes and their application to blockchain. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 683–699. ACM (2017)

  15. Camenisch, J., Drijvers, M., Lehmann, A.: Anonymous attestation using the strong Diffie-Hellman assumption revisited. In: Franz, M., Papadimitratos, P. (eds.) TRUST 2016. LNCS, vol. 9824, pp. 1–20. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45572-3_1

  16. Camenisch, J., Van Herreweghen, E.: Design and implementation of the idemix anonymous credential system. In: ACM Conference on Computer and Communications Security, pp. 21–30. ACM (2002)

  17. Castro, M., Liskov, B.: Practical Byzantine fault tolerance. In: 3rd Symposium on Operating Systems Design and Implementation (1999)

  18. Chen, J., Micali, S.: Algorand: a secure and efficient distributed ledger. Theoret. Comput. Sci. 777, 155–183 (2019)

  19. Crites, E.C., Lysyanskaya, A.: Delegatable anonymous credentials from mercurial signatures. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 535–555. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_27

  20. Drijvers, M.: Composable anonymous credentials from global random oracles. Ph.D. thesis, ETH Zürich, Zürich, Switzerland (2018)

  21. Dziembowski, S., Eckey, L., Faust, S., Hesse, J., Hostáková, K.: Multi-party virtual state channels. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 625–656. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_21

  22. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theor. 31(4), 469–472 (1985)

  23. Garman, C., Green, M., Miers, I.: Decentralized anonymous credentials. In: NDSS. Internet Society (2014)

  24. Garman, C., Green, M., Miers, I.: Accountable privacy for decentralized anonymous payments. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 81–98. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_5

  25. Golan-Gueta, G., et al.: SBFT: a scalable and decentralized trust infrastructure. In: DSN, pp. 568–580 (2019)

  26. Harchandani, L.: Delegatable anonymous credentials in rust (September 2019). https://github.com/lovesh/signature-schemes/tree/delegatable/delg_cred_cdd

  27. Harris, O.: Quorum (2020). https://www.goquorum.com/

  28. Katz, J., Maurer, U., Tackmann, B., Zikas, V.: Universally composable synchronous computation. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 477–498. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_27

  29. Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_12

  30. Micali, S., Rabin, M., Kilian, J.: Zero-knowledge sets. In: 44th Annual IEEE Symposium on Foundations of Computer Science, pp. 80–91 (October 2003)

  31. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2009)

  32. National Institute of Standards and Technology: FIPS PUB 186-4: Digital Signature Standard. National Institute of Standards and Technology (July 2013)

  33. Poelstra, A., Back, A., Friedenbach, M., Maxwell, G., Wuille, P.: Confidential assets. In: Zohar, A., et al. (eds.) FC 2018. LNCS, vol. 10958, pp. 43–63. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-662-58820-8_4

  34. Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22

  35. Scott, M.: The Apache Milagro Crypto Library

  36. Stathakopoulou, C., David, T., Vukolić, M.: Mir-BFT: high-throughput BFT for blockchains. arXiv:1906.05552 (June 2019)

  37. Windley, P.J.: Sovrin (2020). https://sovrin.org/

  38. Wood, G.: Ethereum: a secure decentralised generalised transaction ledger (2020)

  39. Wüst, K., Kostiainen, K., Capkun, V., Capkun, S.: PRCash: fast, private and regulated transactions for digital currencies. Cryptology ePrint Archive, Report 2018/412 (May 2018)

Acknowledgments

This work has been supported in part by the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 780477 PRIViLEDGE. We thank the authors of [14] for giving us access to their source code. We also thank the program committee of CANS 2021 for the thorough reviews. Finally, we thank George Kollios, Leonid Reyzin, Daria Bogatova and Oleksandr Narykov for their early feedback.

Corresponding author

Correspondence to Dmytro Bogatov.

Appendices

A Security Analysis

Fig. 4. Extended credentials functionality \(\mathcal {F}_{\mathrm {dac+}}\) (restated Fig. 1)

Our theorem proving the security of the extended protocol builds directly on the proof of the core protocol from [14], as extended by [20]. Our extensions covering revocation and auditability are as follows. (1) We construct the scheme as a combination of standard signatures and NIZK, instead of the sibling signatures and NIZK used in [14, 20]. This is possible because we restrict ourselves to the case where the length of each delegation chain is fixed. (2) We need the NIZK to be non-malleable, since otherwise \(\mathcal {F}_{\mathrm {dac+}}\) cannot identify the correct credential owner during an auditing query; this, however, is already implied by simulation-sound extractability. (3) We use a clock functionality [28] to model the advancement of epochs for the revocation scheme. We skip the parts of the description of the protocol \(\Pi _{\mathrm {dac+}}\) and of the proof that are identical to [14], and only discuss the differences that arise from the revocation and auditing features (Fig. 4).

Setup. In addition to the root authority \(\mathcal {R}\), the auditor \(\mathcal {AU}\) creates a Diffie-Hellman key pair and registers the public key. Like \(\mathcal {R}\), the auditor also registers a proof of knowledge of the private key at functionality \(\mathcal {F}_{\mathrm {ca}}\). We use the same scheme for \(\mathcal {AU}\) as [14] uses for \(\mathcal {R}\), so that we also achieve online extractability.

Advance. Upon input, the epoch counter \(\mathcal {T}\) provides an input to \(\mathcal {F}_{\mathrm {clock}}\), which advances the epoch (see Note 1).

Delegate. Delegation is almost the same, except for the last delegation step (the one to the end user) where the delegator includes as one attribute the current epoch obtained from \(\mathcal {F}_{\mathrm {clock}}\). In this step, the delegator also deposits the delegate’s public key with \(\mathcal {AU}\).

Present. There are three modifications during presentation. The first is that the user generates a new pseudonym and proves consistency. The second is that a credential proof is only generated if a relevant credential exists for the present epoch, and the attribute that encodes the current epoch is always disclosed. The third one is that, as explained in Sect. 4.3, the user encrypts their public key under the auditor’s public key using AuditEnc and then proves consistent encryption using AuditProve.

Verify. The changes are dual to the above ones. The receiver, in addition to the standard credential validation, checks the consistency of the pseudonym, that the epoch attribute in the credential proof is valid, and the consistency of the auditing proof.

Audit. Given a credential proof, the auditor first checks its validity. If the credential proof is valid, the auditor then extracts the ciphertext that encrypts the user’s key and decrypts it.
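
The Present, Verify and Audit steps above, as an added worked example that is not the paper's implementation [11] nor any Hyperledger Fabric code: the presenter discloses the epoch, encrypts its public key under the auditor's Diffie-Hellman key (ElGamal, standing in for AuditEnc) and proves with a Schnorr-style Fiat-Shamir NIZK that the ciphertext encrypts the key it actually holds (standing in for AuditProve); the verifier checks the epoch attribute, the pseudonym signature (a Schnorr signature standing in for SignNym) and the proof, and only the auditor can decrypt. The group (a 128-bit safe-prime subgroup of Z_p^*, found at import time), the hash encoding and all function names are assumptions for illustration; the paper works over a pairing-friendly BN curve [7], and the link between the encrypted key and the delegation chain is omitted here.

```python
# Added demo (not the paper's code [11]): epoch-gated presentation with ElGamal
# auditing encryption and a Fiat-Shamir proof of consistent encryption.
import hashlib
import secrets

# Toy group: order-q subgroup of Z_p^*, p = 2q+1 a 128-bit safe prime found
# deterministically at import (demo parameter; the paper uses a BN curve [7]).
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first twelve primes as fixed bases (n > 1)."""
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(bits: int) -> int:
    q = (1 << (bits - 1)) | 1
    while q % 3 == 1 or not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2  # q = 1 (mod 3) would make 2q+1 divisible by 3
    return 2 * q + 1

P = _safe_prime(128)
Q = (P - 1) // 2
G = 4  # a quadratic residue mod p, hence of prime order q

def _in_group(x: int) -> bool:
    return 0 < x < P and pow(x, Q, P) == 1

def _challenge(*items) -> int:
    """Fiat-Shamir challenge over a length-prefixed encoding of all inputs."""
    h = hashlib.sha256()
    for it in items:
        b = it.encode() if isinstance(it, str) else it.to_bytes(32, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big") % Q

def keygen():
    """Key pair (sk, pk = g^sk) for users, pseudonyms and the auditor AU."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def sign_nym(sk: int, pk: int, msg: str):
    """SignNym stand-in: Schnorr signature on msg under the pseudonym key."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + _challenge("nym", pk, r, msg) * sk) % Q

def verify_nym(pk: int, msg: str, sig) -> bool:
    r, s = sig
    if not (_in_group(pk) and _in_group(r) and 0 <= s < Q):
        return False
    return pow(G, s, P) == r * pow(pk, _challenge("nym", pk, r, msg), P) % P

def present(apk: int, usk: int, epoch: int, msg: str) -> dict:
    """Present: fresh pseudonym and signature, then AuditEnc + AuditProve."""
    upk = pow(G, usk, P)
    nsk, npk = keygen()
    r = secrets.randbelow(Q - 1) + 1
    c1, c2 = pow(G, r, P), upk * pow(apk, r, P) % P  # AuditEnc: ElGamal of upk
    # AuditProve: PoK{(r, usk): c1 = g^r, c2 = g^usk * apk^r}; the challenge also
    # binds the disclosed epoch, pseudonym and message (non-malleability).
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)
    t1, t2 = pow(G, a, P), pow(G, b, P) * pow(apk, a, P) % P
    e = _challenge("audit", epoch, npk, msg, apk, c1, c2, t1, t2)
    proof = (t1, t2, (a + e * r) % Q, (b + e * usk) % Q)
    return {"epoch": epoch, "nym": npk, "sig": sign_nym(nsk, npk, msg),
            "ct": (c1, c2), "proof": proof}

def verify(apk: int, current_epoch: int, msg: str, pres: dict) -> bool:
    """Verify: epoch attribute is current, SignNym and audit proof check out."""
    if pres["epoch"] != current_epoch:  # stale epoch: revoked by Advance
        return False
    if not verify_nym(pres["nym"], msg, pres["sig"]):
        return False
    c1, c2 = pres["ct"]
    t1, t2, zr, zsk = pres["proof"]
    if not all(map(_in_group, (c1, c2, t1, t2))) or not (0 <= zr < Q and 0 <= zsk < Q):
        return False
    e = _challenge("audit", pres["epoch"], pres["nym"], msg, apk, c1, c2, t1, t2)
    return (pow(G, zr, P) == t1 * pow(c1, e, P) % P
            and pow(G, zsk, P) * pow(apk, zr, P) % P == t2 * pow(c2, e, P) % P)

def audit(ask: int, apk: int, current_epoch: int, msg: str, pres: dict):
    """Audit: only for a valid proof, recover upk = c2 / c1^ask from the ciphertext."""
    if not verify(apk, current_epoch, msg, pres):
        return None
    c1, c2 = pres["ct"]
    return c2 * pow(c1, Q - ask, P) % P
```

Two tampering cases are worth trying against verify: re-randomizing the ElGamal ciphertext (multiply c1 by g^s and c2 by apk^s) yields another encryption of the same key, and swapping in another presenter's ciphertext yields a well-formed encryption of a different key. Both are rejected because the Fiat-Shamir challenge commits to the exact ciphertext together with the epoch, pseudonym and message, which is the non-malleability that point (2) above requires so that the auditor recovers the key of the party that actually presented. A stale epoch is rejected before any cryptography runs, which is how Advance revokes every credential proof issued in an earlier epoch.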

Delegatable credentials protocol \(\Pi _{\mathrm {dac+}}\) securely realizes \(\mathcal {F}_{\mathrm {dac+}}\) in the \((\mathcal {F}_{\mathrm {smt}}, \mathcal {F}_{\mathrm {ca}}, \mathcal {F}_{\mathrm {crs}}, \mathcal {F}_{\mathrm {clock}})\)-hybrid model, provided that

  • \(\textsc {SignNym}\) (Algorithm 2) is a strongly unforgeable signature,

  • the auditing encryption is semantically secure,

  • NIZK is a simulation-sound extractable non-interactive zero-knowledge proof.

The proof holds for static corruption of \(\mathcal {AU}\).

Proof

We extend the proof of [14] to the functionality we added to the scheme. In Setup, the additional setup phase of auditor \(\mathcal {AU}\) is simulated analogously to that of the root authority. This includes the extraction of the private key if \(\mathcal {AU}\) is corrupt; in that case the simulator sets \( pp \) to include the auditor’s public key as well as the public keys of all parties. If \(\mathcal {AU}\) is honest, algorithm \(\mathsf {Param}\) provides a fresh random key. Advance in \(\mathcal {F}_{\mathrm {dac+}}\) means that all issued credential proofs become invalid and that the last-level delegations are deleted from \(\mathcal {L}_{\mathrm {de}}\). The same effect appears in the protocol: once the epoch has advanced, inputs to \(\mathsf {VERIFY}\) with old credential proofs fail, as does the presentation of credentials that were issued in an earlier epoch. Delegate behaves the same as before.

In the presentation phase, the credential proof \(\mathfrak {p} \) returned by the functionality contains several additional elements (which in \(\mathcal {F}_{\mathrm {dac+}}\) are generated by the algorithm \(\mathsf {Present} \)). The first two are \(\mathsf {pk}_{\mathsf {nym}}\) and \(\sigma _{\mathsf {nym}}\), the pseudonym generated for this presentation and the signature on m under it. The next two are \(\mathsf {enc}\) and \(\mathfrak {P}_{\mathsf {audit}}\), the encryption of the user’s public key \(\mathsf {pk}\) under the auditor’s public key \(\mathsf {apk} \) and the NIZK proving the correctness of this encryption. Algorithm \(\mathsf {Present} \) generates the credential proof by building a fresh delegation chain with fresh keys and only the specified attributes; \(\mathsf {pk}_{\mathsf {nym}}\) and \(\sigma _{\mathsf {nym}}\) are set to a fresh pseudonym and a signature relative to \(\mathsf {pk}_{\mathsf {nym}}\) and the (also fresh) user public key. The auditing elements depend on the corruption status of the auditor. If \(\mathcal {AU}\) is corrupt, the correct user’s public key, as indicated by the additional argument to \(\mathsf {Present}\), is taken from \( pp \) and encrypted under \(\mathsf {apk} \), and the corresponding zero-knowledge proof is computed as in the scheme. If \(\mathcal {AU}\) is honest, \(\mathsf {Present}\) instead includes an encryption of a random message under the simulated auditor’s public key and simulates the proof. This simulation requires that the encryption scheme is semantically secure and that the NIZK is zero-knowledge, so that the consistency proof for the encryption is indistinguishable from a real proof, and, as in [14], that fresh delegations are indistinguishable from the real world where the same delegations are used for multiple presentations.

In the verification phase, the verification algorithm is used to verify \(\mathfrak {p}\) in both the real and the ideal case. Although the auditing proof is simulated in the ideal case with an honest auditor, it still verifies successfully under \(\mathsf {Verify}\). The main difference is that \(\mathcal {F}_{\mathrm {dac+}}\) prevents forgeries ideally, whereas the protocol merely relies on the verification of the zero-knowledge proofs. The functionality also ensures that the holders of accepted credential proofs are known, so that auditing will succeed. In the ideal world, the simulator knows the private key of \(\mathcal {AU}\) (chosen by the simulator if \(\mathcal {AU}\) is honest, extracted during setup if \(\mathcal {AU}\) is corrupt) and can therefore obtain the public key of the credential holder. This difference is indistinguishable by the simulation-sound extractability of the zero-knowledge proofs and the unforgeability of the signature scheme. Note that, in contrast with [14], we allow verification to succeed only for credential proofs \(\mathfrak {p}\) that have either been generated by \(\mathcal {F}_{\mathrm {dac+}}\) or are valid for corrupt parties. This in particular means that credential proofs must be non-malleable, which is already implied by simulation-sound extractability.

When honest \(\mathcal {AU}\) inputs a credential proof \(\mathfrak {p}\), the embedded ciphertext is decrypted. For credential proofs generated by an honest \(\mathcal {P}_{i}\) this will always succeed. For those not generated by an honest \(\mathcal {P}_{i}\), the functionality lets the adversary decide on the identity of the holder; the adversary can choose any corrupted party. The simulator can decrypt the auditing field of the credential proofs using the secret key of the auditor (which in case of a dishonest auditor has been extracted during setup). Indistinguishability again follows by the zero-knowledge property of the NIZK.

B Algorithms

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Bogatov, D., De Caro, A., Elkhiyaoui, K., Tackmann, B. (2021). Anonymous Transactions with Revocation and Auditing in Hyperledger Fabric. In: Conti, M., Stevens, M., Krenn, S. (eds) Cryptology and Network Security. CANS 2021. Lecture Notes in Computer Science, vol. 13099. Springer, Cham. https://doi.org/10.1007/978-3-030-92548-2_23

  • DOI: https://doi.org/10.1007/978-3-030-92548-2_23

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92547-5

  • Online ISBN: 978-3-030-92548-2
