Abstract
An anonymous credential system allows a user to convince a service provider anonymously that he/she owns certified attributes. Previously, a system to prove AND and OR relations simultaneously by CNF formulas was proposed. To achieve a constant-size proof of the formula, this system adopts an accumulator that compresses multiple attributes into a single value. However, this system has a problem: the proof generation requires a large computational time when the formula contains many OR literals. An example is a formula consisting of many birthdate attributes to prove age. This greatly increases the number of public parameters corresponding to attributes, which causes a large delay in the accumulator computation due to the multiplication of many parameters. In this paper, we propose an anonymous credential system with constant-size proofs for monotone formulas on attributes, in order to obtain more efficiency in the proof generation. A monotone formula is a logic formula that contains any combination of AND and OR relations. Our approach to proving the monotone formula is to extend the accumulator so that it is adapted to the tree expressing the monotone formula. Since the use of monotone formulas increases the expression capability of the attribute proof, the number of public parameters multiplied in the accumulator is greatly decreased, which reduces the proof generation time.
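As an added illustration of the abstract's argument (this is example code written for this page, not code from the paper), the block below represents a monotone formula as an AND/OR tree, implements the "U satisfies M" check used in the security model, and counts literal occurrences in the tree versus in its CNF expansion; the attribute names (y1997, m04, d10, ...) are constructed, and the assumption that accumulator cost grows with the number of literal occurrences is taken from the abstract.

```python
# Added example (not from the paper): monotone formulas as AND/OR trees,
# the satisfaction check from the security games, and a comparison of how
# many attribute literals the tree needs versus its CNF expansion.
# Assumption: each literal occurrence costs one public parameter in the
# accumulator, so fewer occurrences means cheaper proof generation.
from itertools import product

# A formula is a literal (attribute name string) or ("and"|"or", [subformulas]).
def AND(*kids): return ("and", list(kids))
def OR(*kids): return ("or", list(kids))

def satisfies(attrs, f):
    """True iff the attribute set attrs satisfies monotone formula f."""
    if isinstance(f, str):
        return f in attrs
    op, kids = f
    fn = all if op == "and" else any
    return fn(satisfies(attrs, k) for k in kids)

def tree_literals(f):
    """Literal occurrences in the tree (one accumulator parameter each)."""
    if isinstance(f, str):
        return 1
    return sum(tree_literals(k) for k in f[1])

def to_cnf(f):
    """Expand f into CNF: a list of clauses, each a frozenset of attributes."""
    if isinstance(f, str):
        return [frozenset([f])]
    op, kids = f
    cnfs = [to_cnf(k) for k in kids]
    if op == "and":
        return [c for cnf in cnfs for c in cnf]
    # OR distributes over the children's clauses: one clause per combination.
    return [frozenset().union(*choice) for choice in product(*cnfs)]

def cnf_literals(f):
    """Literal occurrences after CNF expansion (the previous system's cost)."""
    return sum(len(c) for c in to_cnf(f))

# Constructed age formula: born in 1995/1996, or Jan-Mar 1997, or 1-15 April 1997.
AGE_FORMULA = OR(
    OR("y1995", "y1996"),
    AND("y1997", OR("m01", "m02", "m03")),
    AND("y1997", "m04", OR(*[f"d{d:02d}" for d in range(1, 16)])),
)

if __name__ == "__main__":
    user = frozenset({"y1997", "m04", "d10"})
    print(satisfies(user, AGE_FORMULA))                        # True
    print(tree_literals(AGE_FORMULA), cnf_literals(AGE_FORMULA))  # 23 57
```

The same attribute set satisfies both the tree and its CNF, but the CNF needs 57 literal occurrences spread over 6 clauses where the tree needs 23.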
References
Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010)
Abe, M., Haralambiev, K., Ohkubo, M.: Signing on elements in bilinear groups for modular protocol design. Cryptology ePrint Archive, Report 2010/133 (2010)
Begum, N., Nakanishi, T., Funabiki, N.: Efficient proofs for CNF formulas on attributes in pairing-based anonymous credential system. In: Kwon, T., Lee, M.-K., Kwon, D. (eds.) ICISC 2012. LNCS, vol. 7839, pp. 495–509. Springer, Heidelberg (2013)
Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)
Camenisch, J., Groß, T.: Efficient attributes for anonymous credentials. In: Proceedings of the ACM Conference on Computer and Communications Security 2008 (ACM-CCS 2008), pp. 345–356 (2008)
Camenisch, J., Kohlweiss, M., Soriente, C.: An accumulator based on bilinear maps and efficient revocation for anonymous credentials. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 481–500. Springer, Heidelberg (2009)
Camenisch, J.L., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer, Heidelberg (2002)
Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008)
Izabachène, M., Libert, B., Vergnaud, D.: Block-wise P-signatures and non-interactive anonymous credentials with efficient attributes. In: Chen, L. (ed.) IMACC 2011. LNCS, vol. 7089, pp. 431–450. Springer, Heidelberg (2011)
Libert, B., Peters, T., Yung, M.: Scalable group signatures with revocation. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 609–627. Springer, Heidelberg (2012)
Sudarsono, A., Nakanishi, T., Funabiki, N.: Efficient proofs of attributes in pairing-based anonymous credential system. In: Fischer-Hübner, S., Hopper, N. (eds.) PETS 2011. LNCS, vol. 6794, pp. 246–263. Springer, Heidelberg (2011)
Acknowledgments
This work was partially supported by JSPS KAKENHI Grant Number 25330153.
A Security Model of Anonymous Credential System
This security model is similar to the previous work [3].
A.1 Misauthentication Resistance
Consider the following misauthentication resistance game.
- Misauthentication Resistance Game: The challenger runs IssuerKeyGen, and obtains ipk and isk. He provides \(\mathcal{A}\) with ipk, and runs \(\mathcal{A}\). He sets CU to empty, where CU denotes the set of IDs of users corrupted by \(\mathcal{A}\). In the run, \(\mathcal{A}\) can query the challenger with the following issuing query:
  - C-Issuing: \(\mathcal{A}\) can request the certificates on attribute set \(U^{(\mathsf {i})}\) of user \(\mathsf {i}\). Then, \(\mathcal{A}\) as the user executes the CertObtain protocol with the challenger as the issuer.
  Finally, \(\mathcal{A}\) outputs a monotone formula \(\mathcal {M}^*\) and a proof \(\sigma ^*\).
- Then, \(\mathcal{A}\) wins if
  1. \(\mathbf{Verify}(ipk, \sigma ^*, \mathcal {M}^*) = \mathrm{valid}\), and
  2. for all \(\mathsf {i}\in CU\), \(U^{(\mathsf {i})}\) does not satisfy \(\mathcal {M}^*\).
Misauthentication resistance requires that for all PPT \(\mathcal {A}\), the probability that \(\mathcal{A}\) wins the misauthentication resistance game is negligible.
A.2 Anonymity
Consider the following anonymity game.
- Anonymity Game: The challenger runs \(\mathbf{IssuerKeyGen}\), and obtains ipk, isk. He provides \(\mathcal{A}\) with ipk, isk, and runs \(\mathcal{A}\). He sets HU to empty, where HU denotes the set of IDs of honest users. In the run, \(\mathcal{A}\) can query the challenger as follows.
  - H-Issuing: \(\mathcal{A}\) can request the certificates on attribute set \(U^{(\mathsf {i})}\) of user \(\mathsf {i}\). Then, \(\mathcal{A}\) as the issuer executes the CertObtain protocol with the challenger as the user. The challenger adds this user to HU.
  - Proving: \(\mathcal{A}\) can request user \(\mathsf {i}\)’s proof on formula \(\mathcal {M}\). Then, the challenger responds with the proof on \(\mathcal {M}\) of user \(\mathsf {i}\), if the user is in HU.
  During the run, as the challenge, \(\mathcal{A}\) outputs a formula \(\mathcal {M}^*\) and two users \(\mathsf {i}_0\) and \(\mathsf {i}_1\), such that both \(U^{(\mathsf {i}_0)}\) and \(U^{(\mathsf {i}_1)}\) satisfy \({\mathcal {M}}^*\). If \(\mathsf {i}_0\in HU\) and \(\mathsf {i}_1\in HU\), the challenger chooses \(\phi \in _R \{0,1\}\), and responds with the proof on \({\mathcal {M}}^*\) of user \(\mathsf {i}_{\phi }\). After that, \(\mathcal {A}\) can continue to make the queries above.
  Finally, \(\mathcal {A}\) outputs a bit \(\phi '\) indicating its guess of \(\phi \).
- If \(\phi '=\phi \), \(\mathcal {A}\) wins. We define the advantage of \(\mathcal {A}\) as \(|\mathrm{Pr}[\phi '=\phi ]-1/2|\).
Anonymity requires that for all PPT \(\mathcal {A}\), the advantage of \(\mathcal{A}\) in the anonymity game is negligible.
© 2015 Springer International Publishing Switzerland
Sadiah, S., Nakanishi, T., Funabiki, N. (2015). Anonymous Credential System with Efficient Proofs for Monotone Formulas on Attributes. In: Tanaka, K., Suga, Y. (eds) Advances in Information and Computer Security. IWSEC 2015. Lecture Notes in Computer Science, vol 9241. Springer, Cham. https://doi.org/10.1007/978-3-319-22425-1_16
DOI: https://doi.org/10.1007/978-3-319-22425-1_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-22424-4
Online ISBN: 978-3-319-22425-1